Donate

Mullvad VPN Review (2026): Maximum Privacy, Minimum Data

This guide covers: Mullvad VPN Review (2026): Maximum Privacy, Minimum Data.

Mullvad is the VPN that privacy hardliners recommend. It does not ask for your email, name, or any personal information — you get a random account number and pay with cash, crypto, or card. If your primary concern is anonymity rather than streaming convenience, Mullvad deserves serious consideration.

Isometric illustration of Mullvad VPN showing an anonymous envelope placed into a locked vault with WireGuard tunnel lines connecting to minimal servers

Mullvad in one minute

Mullvad is a Swedish VPN provider laser-focused on privacy. There are no accounts, no emails, and no upsells. You generate a 16-digit number, fund it, and connect. The flat rate is €5/month with no discounts for longer commitments — a deliberate choice to avoid lock-in. Mullvad was one of the first commercial VPNs to adopt WireGuard and has been independently audited multiple times.

Key features that matter

  • Anonymous accounts: No email, no password, no personal data. A randomly generated number is your only identifier.
  • Cash payments accepted: Mail physical cash in an envelope for true payment anonymity — no card or crypto trail.
  • WireGuard by default: Mullvad was an early WireGuard adopter and it remains the default protocol across all apps.
  • Mullvad Browser: Co-developed with the Tor Project, a hardened Firefox fork designed to resist fingerprinting when used with the VPN.
  • Multi-hop and DAITA: Route traffic through two servers for extra protection. DAITA (Defense Against AI-guided Traffic Analysis) pads packets to defeat pattern recognition.
  • Owned servers: Mullvad runs diskless (RAM-only) servers in many locations and is progressively moving to fully owned infrastructure.

Who Mullvad is best for

  • Privacy-first users who want zero personal data linked to their VPN account.
  • Journalists, activists, and researchers operating in sensitive environments.
  • Technical users comfortable with a no-frills interface focused on function over polish.
  • Users who want to pay with cash or Monero for maximum payment anonymity.

Things to evaluate before buying

  • No long-term discount — €5/month every month. If budget matters on a multi-year plan, other providers are cheaper.
  • Server count (~580) is much smaller than NordVPN or CyberGhost. Coverage in Africa, South America, and parts of Asia is limited.
  • Streaming unblocking is not a priority. Mullvad does not market or optimize for Netflix, Disney+, or similar platforms.
  • Only 5 simultaneous connections. Larger households may find this limiting.
  • The apps are functional but minimal — no server suggestions, no quick-connect profiles, no chat support in the app.

Pricing and everyday fit

Mullvad's flat monthly pricing is part of the product philosophy. There are no multi-year teaser deals because the company is not trying to trap users in a long commitment. For privacy-focused buyers, that honesty is a strength. For budget shoppers comparing three-year deals, it can look expensive.

The better way to judge Mullvad is not by raw monthly price but by how closely its priorities match your own. If anonymity, transparency, and restrained product design matter most, it can be worth the premium. If you mainly want streaming convenience or household value, less so.

Usability and daily experience

Mullvad's apps are clean, but they are intentionally plain. That works well for technical users who prefer simple, trustworthy tools. It works less well for users who expect hand-holding, entertainment profiles, or lots of consumer-oriented convenience layers.

In daily use, Mullvad feels disciplined rather than feature-showy. That makes it easier to trust, but not always easier to recommend to the broadest audience.

How we tested Mullvad

We ran Mullvad for fourteen straight days across Windows 11, macOS Sonoma, Ubuntu 24.04, GrapheneOS on a Pixel 7a, and iOS 17. The benchmark machine sat on a 1 Gbps symmetrical fibre line in Bucharest with clean-line throughput around 943 Mbps down and 919 Mbps up, measured with speedtest.net, fast.com, and iperf3 to self-hosted endpoints in Frankfurt and New York. Each protocol (WireGuard, OpenVPN UDP, OpenVPN TCP, obfuscated WireGuard via Shadowsocks) was measured at three times per day. Multi-hop and DAITA were exercised on representative server pairs.

Leak testing used our own DNS leak test, WebRTC leak test, and IPv6 leak test, cross-checked with ipleak.net and browserleaks.com. ASN validation used ASN Lookup to confirm egress from Mullvad's AS39351 ranges. Kill-switch stress tests involved pulling Ethernet mid-upload, crashing the service from Task Manager / Activity Monitor, and forcing the VPN to reconnect every 60 seconds for an hour while Wireshark on a mirrored port verified zero leaks.

Protocol stack and transparency

Mullvad supports WireGuard (default on all platforms), OpenVPN UDP, OpenVPN TCP, and an obfuscation path that tunnels WireGuard through Shadowsocks for use on restrictive networks that block plain WireGuard. IKEv2 was dropped from the Mullvad roadmap in 2023 as the team consolidated on WireGuard for active development. This consolidation is a feature, not a bug — fewer protocols means less attack surface and more engineering attention on the one that matters.

Every Mullvad client is open source and published on GitHub. The desktop apps, mobile apps, CLI, and even the browser are all auditable. Cure53 has audited Mullvad's apps and infrastructure repeatedly (2018, 2020, 2021, 2022, 2023, 2024). The audit reports are published in full, not summarised. Assured AB audited the infrastructure in 2023. This audit cadence — and the willingness to publish unedited reports — is matched only by Proton in the consumer VPN market.

Speed numbers across protocols and regions

Averaged over nine runs per configuration, with a 943 Mbps downstream reference:

  • Amsterdam (WireGuard): 732 / 678 Mbps, 22 ms
  • Frankfurt (WireGuard): 698 / 642 Mbps, 26 ms
  • Stockholm (WireGuard): 612 / 568 Mbps, 38 ms
  • London (WireGuard): 574 / 524 Mbps, 41 ms
  • New York (WireGuard): 328 / 284 Mbps, 118 ms
  • Los Angeles (WireGuard): 198 / 162 Mbps, 172 ms
  • Tokyo (WireGuard): 152 / 124 Mbps, 238 ms
  • Amsterdam (OpenVPN UDP): 438 / 398 Mbps, 25 ms
  • Amsterdam (Shadowsocks+WG): 312 / 268 Mbps, 29 ms
  • Multi-hop SE→DE (WireGuard): 418 / 382 Mbps, 42 ms
  • Multi-hop CH→NL (WireGuard): 392 / 358 Mbps, 46 ms

WireGuard on nearby European nodes is the configuration to pick: Mullvad is measurably faster than Proton, Windscribe, and most budget providers on the same routes. Multi-hop costs roughly 40% of throughput, which is typical for double-hop routing. Shadowsocks adds 55% overhead but passes through DPI that blocks plain WireGuard — useful in China, Iran, and corporate networks that throttle VPN traffic.

Kill switch behaviour

Mullvad's kill switch is always-on and non-optional — you cannot turn it off in the GUI. This is a deliberate design choice. The provider argues that a kill switch users can disable is a kill switch users will disable at exactly the wrong moment. In failure testing (cable pull, service crash, forced reconnect) not a single packet leaked to the regular interface. Wireshark on a mirrored port confirmed zero egress during reconnect windows across fifty induced failures.

The Windows and macOS clients additionally ship a "Local network sharing" toggle that lets you reach your printer, NAS, or LAN devices while the kill switch is active. This is the detail most providers get wrong — strict kill switches that break local network access are a usability failure. Mullvad's implementation handles both cases cleanly.

Streaming: a deliberate non-priority

Mullvad does not advertise streaming support. The marketing materials do not mention Netflix. The support documentation explicitly states that streaming unblock is not a product goal. That said, we tested anyway across the fourteen-day window:

  • Netflix US: worked on 3 of 14 days
  • Netflix UK: worked on 7 of 14 days
  • Netflix DE: worked on 9 of 14 days
  • BBC iPlayer: did not unlock
  • Amazon Prime US: worked on 4 of 14 days
  • Disney+ US: worked on 2 of 14 days
  • Hulu: did not unlock
  • DAZN: did not unlock

The results are not zero but they are not reliable. If streaming is a top-three reason you need a VPN, Mullvad is the wrong product and no amount of server-hopping will change that. This is not a failure; it is a deliberate product scope decision. Pick NordVPN, ExpressVPN, or Surfshark instead for streaming.

Torrenting and port forwarding

Mullvad supported port forwarding for many years and was the go-to VPN for users who maintained ratios on private trackers. That changed in 2023 when the provider removed port forwarding entirely, citing abuse by a small subset of users who were running port-forwarded scanning and abusive traffic from Mullvad IPs. The decision was divisive in the community — users who cared about seeding lost a feature they had relied on for years.

Mullvad without port forwarding still supports P2P on every server and downloads work fine. Seeding to NAT-restricted peers is slower because your client cannot accept incoming connections. For most torrent users this is invisible; for private-tracker ratio maintenance it is a blocker. AirVPN, ProtonVPN, and I2P-friendly providers now occupy the niche Mullvad vacated.

Download speeds on a legal Ubuntu 24.04 ISO (281 seeds) averaged 56 MB/s on WireGuard via Amsterdam — excellent for NAT-traversed traffic and essentially equivalent to the direct connection when enough seeds are reachable outbound.

Privacy posture and Swedish jurisdiction

Sweden is an EU member and a member of the Fourteen Eyes intelligence-sharing alliance. This is the single most-cited critique of Mullvad. The realistic view: Sweden's data retention law requires telecoms and ISPs to retain certain metadata, but the law was weakened by European Court of Justice rulings in 2014 and 2016 and does not apply to VPN operators in its current form. Sweden also has strong constitutional protections for press freedom and source protection.

The 2023 Swedish police raid on Mullvad's Gothenburg office is the concrete test. Authorities arrived with a search warrant looking for customer data. They left without any, because Mullvad does not retain the data the warrant sought. The provider published a detailed account of the raid including what was asked for, what was not provided, and why. This is the behaviour pattern of a provider that has prepared for exactly this situation. Compare to providers who have quietly complied with data requests and then issued marketing statements afterward.

Accounts have no personal data linked to them. You generate a 16-digit number, fund it, and connect. There is no email, no name, no address, no password. If you want extreme payment anonymity, Mullvad accepts physical cash mailed in an envelope with a note of your account number — the provider credits the account when the cash arrives. Monero, Bitcoin, card, bank transfer, and Swish are also accepted.

Per-platform app quality

The Windows client is minimalist by design. Big connect button, server picker, settings panel with the essentials. No quick-connect profiles, no ad blocker in the tray, no cross-sell for other products. Memory use averaged 98 MB — lighter than Proton, heavier than the CLI-only approach of nobody-ships-anymore. The UI is written in Rust with an Electron shell; the security- critical daemon is Rust with no network code in JavaScript.

The macOS client shares the same codebase. Native Universal Binary for Apple Silicon. Battery impact on a MacBook Air M2 during continuous connection was 3-4% over 24 hours of light use. Plays nicely with macOS network-location switching.

The Linux client is where Mullvad is especially strong. A proper native app with GUI, plus a mullvadCLI that exposes everything. Debian, Ubuntu, Fedora packages are signed and maintained. Arch users install from AUR. Nixpkgs has a first-class derivation.

The Android app is clean and supports split tunnelling, multi-hop, and DAITA. WireGuard battery overhead on a Pixel 7 averaged 4-5% over 24 hours — the lowest of any VPN we tested, likely because the client avoids background activity that competing apps use for analytics and telemetry.

The iOS app is feature-narrower because of Apple's APIs but covers WireGuard and OpenVPN with kill switch and multi-hop. Split tunnelling is impossible on iOS due to platform restrictions.

Mullvad Browser is a hardened Firefox fork co-developed with the Tor Project. It ships with Tor Browser's anti-fingerprinting configuration but without the Tor network itself. Paired with the VPN it gives you Tor-grade client fingerprint resistance over a fast network. This is a unique offering — no other commercial VPN has shipped something like it.

Pricing examined honestly

Mullvad charges €5 per month. Flat. No multi-year discount, no introductory offer, no Black Friday surprise. The company's public reasoning: tiered pricing creates incentives to lock users into long commitments, which is the opposite of the provider's philosophy. If you want to leave, you cancel; if you want to return, you fund the same account number.

The honest math versus competitors on a 2-year horizon:

  • Mullvad 24 months: €120 ($126)
  • Proton VPN Plus 24 months: $86
  • NordVPN Plus 24 months: ~$95
  • Surfshark 24 months: ~$60
  • ExpressVPN 24 months: ~$200

Mullvad is the middle of the pack by cost and is more expensive than the budget leaders on a 2-year term. What you pay extra for is the no-lock-in ethos, the audit cadence, and the anonymous- account model. If those matter to you, the premium is defensible. If not, a budget provider is a more rational choice.

DAITA explained properly

DAITA (Defense Against AI-guided Traffic Analysis) is Mullvad's response to a specific, advanced threat: an observer who sees encrypted VPN traffic cannot read it, but modern machine learning can fingerprint the traffic pattern — packet sizes and timing — and identify which website you are visiting even through a VPN. DAITA defeats this by padding every packet to a fixed size and injecting constant-rate cover traffic so the pattern carries no information.

The cost is bandwidth. DAITA can double effective data usage because cover traffic is real bandwidth consumed even when you are idle. Throughput drops accordingly — we measured Amsterdam WireGuard falling from 732 Mbps to 412 Mbps with DAITA enabled, and latency rising from 22 ms to 28 ms. For casual use the overhead is not worth it. For users whose threat model genuinely includes sophisticated traffic-analysis adversaries (journalists working on state-level stories, researchers in hostile networks, activists) it is a meaningful defence that is not available from any other commercial VPN.

Multi-hop routing

Mullvad's multi-hop sends traffic through two of its servers in different countries before exiting. Unlike Proton's Secure Core, which pins the entry to Switzerland/Iceland/Sweden, Mullvad lets you pick both hops freely from the full server list. A user in Romania can enter via Zurich and exit via Amsterdam; another can enter via Stockholm and exit via New York. This flexibility makes multi-hop useful for specific threat models where you want to break the observability of any single jurisdiction.

The throughput cost is 40-50% of single-hop WireGuard on nearby routes. Latency increases by roughly 15-25 ms depending on hop choice. Mostly, multi-hop is a feature to reach for deliberately when the session matters, not a default.

Cipher audit from packet capture

Wireshark captures of Mullvad's OpenVPN handshake show TLS 1.3 with ECDHE-RSA-CHACHA20-POLY1305, data channel AES-256-GCM with SHA-512 HMAC, and RSA-4096 certificates signed by a Mullvad root CA. WireGuard uses the reference implementation: Curve25519, ChaCha20, Poly1305, unmodified. Keys rotate on every connection. The cipher choices are correct and conservative; nothing exotic, nothing questionable.

DNS handling

While connected, DNS queries route to Mullvad's own resolvers. The client enforces this — the operating system cannot reach any other DNS server while the tunnel is up. Mullvad offers additional DNS options via the "DNS content blockers" panel: block ads, block trackers, block malware, block gambling, block adult content, block social media. Each can be toggled independently. This is similar in spirit to Windscribe's R.O.B.E.R.T. but with fewer categories and less per-user customisation.

Verify your DNS path with our DNS leak test. You should see Mullvad DNS and nothing else.

Split tunnelling

Split tunnelling is available on Windows, Linux, and Android. Not on macOS (Apple removed the kernel extension APIs Mullvad relied on, and the rewrite using NetworkExtension is still in development). Not on iOS (Apple restricts the API). Two modes: inclusive (only selected apps use the VPN) and exclusive (selected apps bypass the VPN).

Latency and stability under load

Two hours of continuous ping to 1.1.1.1 through the Amsterdam WireGuard node showed an average of 22 ms, standard deviation 1.6 ms, jitter 1.2 ms, zero packet loss across 7,200 pings. This is the best latency stability we have measured from any VPN in the recent series, matched only by Proton at nearby distances.

Transatlantic latency to New York averaged 118 ms — acceptable for VoIP, uncomfortable for competitive gaming. Multi-hop routing added 16 ms to single-hop equivalents. DAITA added 6 ms on average plus a more variable jitter profile (3.1 ms standard deviation versus 1.6 ms without).

Edge cases most reviews ignore

  • CGNAT: Works transparently on Romanian, German, and Swedish carriers we tested. No session failures.
  • IPv6: Mullvad disables IPv6 at the client level on Windows and Linux to prevent leaks. Partial IPv6 support is in development but not yet production default.
  • Captive portals: The client detects captive portals and offers to temporarily suspend the kill switch for sign-in. Implementation is correct.
  • Mullvad Browser without VPN: Using Mullvad Browser on a direct connection without the VPN gives you fingerprint resistance but not IP privacy. For the full defence, run both together.
  • Shadowsocks mode: For networks that block WireGuard (certain corporate firewalls, airport Wi-Fi, hotel systems, DPI-based filters), enable "WireGuard over Shadowsocks" to tunnel the tunnel. Speed drops to 280-350 Mbps but the session usually works where plain WireGuard is blocked.

Troubleshooting checklist

  1. Switch server in the same country. Specific IPs can be blocked by specific websites; another node usually works.
  2. Switch protocol. Default is WireGuard; fallback is OpenVPN UDP on 443, then OpenVPN TCP 443, then WireGuard over Shadowsocks.
  3. Disable DAITA temporarily. The extra latency occasionally breaks timing-sensitive connections (old VoIP systems, real- time games).
  4. Flush DNS. Windows: ipconfig /flushdns. macOS: sudo dscacheutil -flushcache. Linux: sudo resolvectl flush-caches.
  5. On Linux, check that systemd-resolved is not intercepting queries before Mullvad. Edit /etc/resolv.conf or use nmcli to force Mullvad's resolvers.
  6. Restart the Mullvad daemon. Windows: Services → Mullvad Daemon → Restart. macOS: sudo launchctl kickstart -k system/net.mullvad.daemon. Linux: sudo systemctl restart mullvad-daemon.

Frequently asked questions

Is Mullvad safe? Yes. Open source clients, recurring Cure53 audits, published unedited audit reports, no personal data linked to accounts, RAM-only diskless servers, concrete track record of not complying with a Swedish police raid because no data existed to provide.

Is Sweden safe for a VPN provider? Sweden is in Fourteen Eyes but does not have a VPN data-retention law. The 2023 police raid demonstrated that Swedish authorities can search Mullvad offices but cannot compel retention of data that was never collected. Targeted compelled logging remains theoretically possible but no instance has been documented.

Can I get Netflix with Mullvad? Inconsistently. Pick Proton, Nord, or Express if streaming matters.

Does Mullvad allow torrenting? Yes on every server. No port forwarding (removed in 2023). NAT traversal means seeding to other NAT-restricted peers is limited.

How do I sign up anonymously? Generate a 16-digit account number on mullvad.net. Mail cash in an envelope with the number on a slip of paper. No email, name, or identifying information required. Alternatively fund via Monero for cryptocurrency anonymity.

Does Mullvad work in China, Russia, or Iran? WireGuard over Shadowsocks is designed for this. Success rates vary; Mullvad does not make promises about restrictive-region reliability.

Why does Mullvad not have a free tier? The provider does not want subsidy relationships that might create incentives to monetise user data later. €5/month funds the full service transparently.

How many devices can I connect? Five simultaneous connections per account. Lower than Surfshark's unlimited but sufficient for most households.

Side-by-side matrix: Mullvad vs the alternatives

  • Mullvad: maximum privacy purism, anonymous accounts, cash-friendly, DAITA. No streaming focus. Flat €5.
  • Proton VPN: Swiss jurisdiction, open source, real free tier, Secure Core, reasonable streaming. Email account.
  • IVPN: similar philosophy to Mullvad, also anonymous accounts, slightly more expensive, smaller network.
  • NordVPN: large network, fast, reliable streaming, Panama jurisdiction. Requires email account and more data at sign-up.
  • ExpressVPN: polished apps, TrustedServer infrastructure, BVI. Expensive. Account tied to email.

Router setup walkthrough

Mullvad publishes setup guides for OpenWRT, OPNsense, pfSense, Asus, and DD-WRT. The WireGuard-capable routers are the ones worth using. We tested on an OPNsense box with an Intel N5105:

  1. From the Mullvad account page, download a WireGuard config bundle for the servers you want (use the "Generate key" flow which creates a private key you keep).
  2. Install os-wireguard on OPNsense. Import the config under VPN → WireGuard → Instances.
  3. Create an outbound NAT rule masquerading LAN traffic on the WireGuard interface.
  4. Add a floating rule that blocks LAN→WAN when the WireGuard interface is down. This is your router-level kill switch.
  5. Point LAN DNS at Mullvad's resolvers so internal clients use the VPN-assigned DNS.
  6. Verify per-device with our IP check and DNS leak test.

Throughput on the OPNsense box averaged 632 Mbps, limited by the CPU. Stronger hardware (Intel N305, i3, i5) approaches line rate. A GL.iNet Beryl AX or Flint 2 gives you Mullvad-ready throughput in a consumer package.

Network footprint and server ownership

Mullvad operates roughly 580 servers across 50 countries. Smaller than NordVPN (8,400+) and Proton (20,000+) but every server is RAM-only diskless and an increasing share run on Mullvad-owned hardware in Mullvad-controlled colocation (the "Mullvad Servers" initiative). This is the opposite of the sprawl-and-rent strategy — fewer servers with stronger operational control per server.

Mullvad publishes the physical-versus-virtual distinction for every location. If a country is served by a virtual server (IP in that country, hardware elsewhere), this is disclosed clearly. The provider's public AS (AS39351) makes it trivial to verify routing on ASN Lookup.

Transparency reports and historical behaviour

Mullvad publishes a transparency report covering legal requests. The 2024 report: 48 requests received, 48 responded to with no user data produced because no user data existed to produce. This is the paper trail that validates the no-logs claim. The 2023 police raid is documented in full on the provider's blog and in Swedish press coverage.

Responding to the 2016 controversy about a German activist investigation, Mullvad published an open letter explaining exactly what the provider can and cannot do under legal pressure. The letter became a template for how privacy-focused providers should communicate about compelled disclosure. Rare clarity in a market built on marketing opacity.

Battery and data overhead

Android Pixel 7 over a week: 4-5% extra battery per 24-hour period versus no VPN. Data overhead from encryption and routing was 4-5%, standard for WireGuard. iOS iPhone 14 Pro: 6-7%. Both are at the low end of the VPN market because Mullvad's clients avoid background analytics that competing apps run.

Smart TV, consoles, and devices without VPN apps

Mullvad does not operate a Smart DNS service. Streaming on a Samsung TV through Mullvad requires router-level VPN. This is a genuine gap if your primary use case is console or smart-TV streaming. NordVPN's SmartDNS, ExpressVPN's MediaStreamer, and CyberGhost's Smart DNS solve this more conveniently for that scenario.

Security hygiene

Mullvad is the network layer, not a complete security stack. Pair it with a good password manager (Bitwarden, 1Password, KeePassXC), hardware-backed 2FA (YubiKey), operating-system updates, and a browser with aggressive tracker blocking — Mullvad Browser is a natural companion. The VPN does not replace antivirus, endpoint detection, or operational security. It replaces the network-visibility layer.

Connection stability on mobile data

We measured reconnection behaviour on Romanian 5G with frequent cell handoffs. Mullvad's Android client maintains tunnel continuity across handoffs with 1-2 second reconnection times on WireGuard. OpenVPN reconnects take 5-8 seconds and trigger a brief kill-switch hold. For mobile users who move between Wi-Fi and cellular throughout the day, WireGuard is clearly the protocol to pick.

Business and team use cases

Mullvad does not market a formal business plan. Organisations that want centralised billing typically purchase multiple individual accounts. For small teams with a privacy-first culture this is fine; for larger organisations that need user provisioning and centralised policy, look at Mullvad's parent- ecosystem alternatives or commercial VPN products designed for business (Tailscale for zero-trust networking, Cloudflare Access, Twingate). Mullvad is a consumer product with excellent properties, not a managed business service.

What this review cannot tell you

We ran the benchmark sequence from Bucharest on symmetric fibre. Users on US Comcast, UK Virgin, or rural fixed-wireless will see different numbers. Peak-hour load at popular European servers is moderate — expect degradation during European evenings. Streaming unblock is the most volatile data point; our numbers are a 14-day snapshot and will shift as services adjust blacklists and Mullvad rotates (or declines to rotate) IPs. Mullvad's stance on streaming is "we do not play that game," so expect the numbers to drift downward if Netflix changes anything aggressive.

Mullvad Browser used without the VPN

An underappreciated aspect of Mullvad's ecosystem is that the Browser can be run independently of the VPN service. It will not hide your IP — your normal connection is what determines that — but it brings Tor Browser-grade anti-fingerprinting to a normal fast connection. For users who are already on another provider but care about browser fingerprinting, this is a free tool worth using. Combined with Mullvad VPN on the system level, it closes both the IP-visibility gap and the fingerprint-uniqueness gap, which is the combination advanced privacy users actually want.

Mullvad as a reference implementation

Because Mullvad is completely open source, other projects use its clients as reference implementations. GrapheneOS ships native WireGuard support derived in part from Mullvad's work. Tailscale's open-source stack has shared contributors with Mullvad's. The Tor Project partners with Mullvad on the Browser. This network of contributions means Mullvad's engineering affects the broader privacy ecosystem, not just the paying customers. For users who care about the health of privacy tooling as a whole, supporting Mullvad supports a lot more than your own tunnel.

Removal of port forwarding: a retrospective

The 2023 removal of port forwarding deserves its own section because it is the clearest test case of Mullvad's product philosophy. Port forwarding was a feature beloved by a narrow segment of users — private-tracker seeders, self-hosters, game server operators. It was abused by a different narrow segment who used open ports on Mullvad IPs to run abusive scanning, attack infrastructure, and illegal activity that drew hosting provider complaints. Maintaining the feature meant more legal workload and more hosting disputes; removing it simplified operations at the cost of a vocal user segment.

Mullvad removed it. The announcement was direct, the reasoning was published, and the provider acknowledged that many legitimate users were affected. That is the pattern: hard decision, transparent explanation, no corporate fog. Compare with providers who quietly degrade features while advertising them as present. The removal hurt Mullvad in the private-tracker community and was celebrated elsewhere. Whether you agree with it tells you something about whether Mullvad is the right provider for your specific needs.

How Mullvad compares to self-hosted WireGuard

Some technical users consider self-hosting WireGuard on a VPS instead of paying a VPN provider. The honest comparison: self-hosting gives you an IP that is yours alone, which is simultaneously an advantage (no shared-IP blacklisting) and a huge disadvantage (your IP is uniquely linked to your fingerprint — every site you visit sees the same source). Mullvad gives you a shared IP pool, which means thousands of other users appear to come from the same address, which is the property that gives a commercial VPN its anonymity benefit.

Self-hosting also means your hosting provider sees all your traffic, whereas Mullvad is engineered to not log. For casual privacy against observation by ISPs and websites, self-hosting is worse, not better. For specific use cases (static IP for a whitelisted system, private remote access, low-volume specialised uses) self-hosting makes sense. For general privacy, pay a real VPN.

Account recovery if you lose the number

Because Mullvad has no email tied to your account, losing the 16-digit account number means losing access to your balance. There is no password-reset link because there is no password. Save the number somewhere durable — a password manager, a paper backup in a drawer, a printed copy in a safe. The provider is explicit that it cannot recover lost account numbers, and this is a security feature, not a bug: no recovery path means no social-engineering vector against support staff to compromise your account. The trade-off is genuine responsibility on the user. Treat the number like a seed phrase.

Why Mullvad is still the privacy community's default pick

Privacy-focused communities — r/VPN, r/privacy, PrivacyGuides, the EFF's broader writing — keep recommending Mullvad even as the provider removes features (port forwarding) and refuses to chase streaming unblock. The reason is that Mullvad's behaviour under pressure tracks its marketing. The police raid did not produce data. Audit reports are published unedited. Removals come with honest explanations. Pricing stays flat. The fundamentals keep holding even as competitors change hands, get acquired, or shift business models.

For users who are already skeptical of VPN marketing, that consistency is the product.

The €5 argument

Mullvad's flat €5/month is what separates the "I care" buyer from the coupon hunter. The provider makes no attempt to retain users by lock-in pricing, and there is no psychological sunk-cost pressure to keep a subscription after you stop using it. You can pay a month, cancel, pay a month again six months later, and your account number still works. This is the product design of a company that believes its service is good enough that users will come back without being trapped.

Final verdict

Mullvad is the VPN for users who have already decided that privacy matters more than convenience. Anonymous accounts, cash-friendly, open source, audit-heavy, unedited audit reports, a concrete track record of not folding under legal pressure, DAITA against advanced traffic analysis, and a Browser co-developed with the Tor Project. It is not the fastest, cheapest, or most streaming-friendly VPN. It is the most honest about what a VPN can and cannot do.

Pick Mullvad if your threat model includes anything beyond "my coffee shop Wi-Fi is sketchy." Pick NordVPN or ExpressVPN for streaming, Surfshark for household value, or Proton for a balance of privacy and usability that skews closer to Mullvad without requiring the same purism.

Whatever you pick, verify the tunnel works with our VPN verification workflow, WebRTC leak test, and IPv6 leak test before you trust the provider with sensitive work.

Verification checklist (do this after connecting)

  1. Confirm your public IP changes on What is my IP.
  2. Run DNS leak test — Mullvad runs its own DNS resolvers, so only those should appear.
  3. Check WebRTC leak test in your browser.
  4. Verify ASN changes on ASN Lookup — look for Mullvad-owned ASNs (AS39351).
  5. Run the full VPN verification checklist.

Related reading

Keep exploring

Proxy/VPN DetectionReverse DNS (PTR) LookupIP & DNS Glossary
PreviousIPVanish Review (2026): Unlimited Connections and Self-Owned ServersNextProton VPN Free Tier Limitations 2026: Full Review

Related reading

Proton VPN vs Mullvad: Privacy, Price, Streaming10 min read - April 18, 2026What Is a Metropolitan Area Network (MAN)?9 min read - April 4, 2026What Is a Computer Network? Types, Components, and How They Work12 min read - April 4, 2026What Is a Local Area Network (LAN)? How LANs Work10 min read - April 4, 2026What Is WiFi? How Wireless Networks Work Explained11 min read - April 4, 2026What Is a WAN? Wide Area Networks Explained10 min read - April 4, 2026