I really respect how Mullvad is willing to sacrifice business to give extra security and reliability to the (remaining) customers. I first saw it when they disabled auto-renewal with PayPal, because it'd force them to store PII along with your account.
Unfortunately for me, they made one too many sacrifices, and disabled port forwarding[1]. They don't store any contact information that could be used to warn customers, so my connection mysteriously failed one day and I was left with several months of prepaid service.
I'm a bit bitter for that, but honestly their technical writing and security decisions have earned enough good will from me that I want them to keep the money. As the only VPN that doesn't feel shady, I wish them all the best.
I sincerely apologize for the inconvenience we have caused you.
Announcing the removal of a feature such as this a mere 30 days ahead is not how we like to conduct our business in the general case. I expect those of our customers who relied on this feature to be disappointed by its removal as well as the manner in which it was done.
Nevertheless it was the right thing to do. The manner and extent in which it came to be abused in recent months made it unacceptable for us to continue providing it. This feature should have been removed a long time ago, with a longer grace period. It wasn't - a mistake on our part - and some of our users suffered for it, including you. For this I am sorry.
Affected customers can get their money back for any prepaid service they can not use, of course.
If you used port forwarding to (I) make a service reachable (II) from the open Internet there are plenty of good hosting providers which will happily take your business.
If you used port forwarding to (III) stay anonymous while (I) making a service reachable we can highly recommend Tor's "onion service" feature. It was built with that use case in mind.
If you used port forwarding to (III) stay anonymous while (I) making a service reachable (II) from the open Internet, there are no good options that we can recommend.
Port forwarding needed to be removed on moral grounds. It needed to be removed because it was causing too much of a disturbance to our core mission of making mass surveillance and censorship ineffective.
I hope my explanation has - if not allayed your disappointment - at least provided some clarity.
Best regards,
Fredrik Stromberg (cofounder of Mullvad VPN)
Thanks for the reply. I'm sorry my negative comment got to first spot on what should have been a positive post. I understand why the decision was made, and I think I'd have done the same.
I really hope you guys stick around, Mullvad has exactly the posture that we need from security services.
Port forwarding doesn't seem to be a problem for long-established independent VPNs like AirVPN (based in Italy but very ingeniously without exit servers in Italy) or AzireVPN (Swedish; added port forwarding -- all mappings in memory, no static records -- just recently [1]). What makes Mullvad's situation different? Is it a question of margins for high traffic port forwarding users (Mullvad is branching out in browsers and search while these two are not) or something else? I used to be a long time user and a huge fan and proponent of Mullvad's but the communication here has been very much opaque. This is especially so as port forwarding removal was announced straight after a raid where police, after Mullvad's explanations, didn't take anything [2].
What sort of abuses have you encountered when dealing with port forwarding? Was it DMCA'd content hosting or were there other major issues with it? Also, how do other VPNs that offer port forwarding (like Proton) function against those sorts of abuses?
I had no idea this even happened. It would have been useful to show a notice within the app itself (like you do for patch notes?). Maybe you did, and I didn't see it, but I just got done paying for another 6mo on your service being none the wiser.
> They don't store any contact information that could be used to warn customers, so my connection mysteriously failed one day
This situation seems avoidable: what if the payment/signup flow had a big loud warning that you need to configure your own polling of an RSS endpoint using a client capable of pinging you?
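The "poll an RSS endpoint yourself" idea above, as an added example (not Mullvad's code and not anything the commenter posted): a small stdlib-only watcher that parses an RSS 2.0 or Atom feed, remembers which post IDs it has already seen, and hands anything new to a notify hook. `FEED_URL`, `STATE_FILE` and `notify()` are placeholders you would replace; the two sample feeds are constructed for the demo.

```python
"""Watch a provider's blog feed and flag posts you have not seen yet.

Added example for the thread's "poll an RSS endpoint yourself" suggestion;
it is not Mullvad's code. FEED_URL, STATE_FILE and notify() are assumptions
you would replace; the two sample feeds are constructed for the demo.
"""
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

FEED_URL = "https://example.invalid/blog/feed.xml"      # placeholder, not a real feed
STATE_FILE = os.path.expanduser("~/.feed-watch.json")   # assumed location
ATOM = "{http://www.w3.org/2005/Atom}"


def parse_feed(xml_text):
    """Return [(id, title, link), ...] in feed order.

    Handles RSS 2.0 <item> and Atom <entry>. The id is the GUID/<id> when
    present, otherwise the link, so feeds without GUIDs still dedupe.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):                       # RSS 2.0
        link = (item.findtext("link") or "").strip()
        ident = (item.findtext("guid") or link).strip()
        entries.append((ident, (item.findtext("title") or "").strip(), link))
    for entry in root.iter(ATOM + "entry"):             # Atom
        link_el = entry.find(ATOM + "link")
        link = link_el.get("href", "") if link_el is not None else ""
        ident = (entry.findtext(ATOM + "id") or link).strip()
        entries.append((ident, (entry.findtext(ATOM + "title") or "").strip(), link))
    return entries


def new_entries(xml_text, seen_ids):
    """Entries whose id is not in seen_ids."""
    return [e for e in parse_feed(xml_text) if e[0] not in seen_ids]


def load_seen(path=STATE_FILE):
    if not os.path.exists(path):
        return set()
    with open(path) as f:
        return set(json.load(f))


def save_seen(ids, path=STATE_FILE):
    with open(path, "w") as f:
        json.dump(sorted(ids), f)


def notify(entry):
    # Hook for whatever can actually reach you (push service, mail, desktop alert).
    print(f"NEW: {entry[1]} <{entry[2]}>")


def poll(url=FEED_URL, path=STATE_FILE):
    """One polling run: fetch, diff against saved state, notify, persist. Cron this."""
    seen = load_seen(path)
    with urllib.request.urlopen(url, timeout=30) as resp:
        body = resp.read()
    fresh = new_entries(body, seen)
    for entry in fresh:
        notify(entry)
        seen.add(entry[0])
    save_seen(seen, path)
    return fresh


# Constructed sample feeds; the titles and links are not real announcements.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed RSS sample</title>
<item><title>Service notice: feature X retired</title>
<link>https://example.invalid/p/2</link><guid>urn:sample:2</guid></item>
<item><title>Welcome</title>
<link>https://example.invalid/p/1</link><guid>urn:sample:1</guid></item>
</channel></rss>"""

SAMPLE_ATOM = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Constructed Atom sample</title>
<entry><title>Atom post</title><link href="https://example.invalid/a/1"/>
<id>urn:sample:a1</id></entry></feed>"""

if __name__ == "__main__":
    # Offline demo: the first pass reports both posts, the second reports nothing.
    seen = set()
    for entry in new_entries(SAMPLE_RSS, seen):
        notify(entry)
        seen.add(entry[0])
    print("second pass:", new_entries(SAMPLE_RSS, seen))
```

Run `poll()` from cron or a systemd timer; the first run reports everything in the feed, after which only genuinely new IDs trigger `notify()`. Fetching over HTTPS matters here, since an unauthenticated feed is exactly the kind of thing an on-path party could tamper with.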
That's honestly a great idea for an alternative to newsletters... it would be nice if there was better first-party RSS support (what about in the email client?) since I don't think any OSs have it, because right now that would probably confuse most customers
I’m a network newbie so I have no idea about the importance of this. I have done port forwarding in my router before, mainly so I can access my Plex system outside of my house. I used to set up port forwarding when torrenting but I have realized that I can still get my Linux ISOs without it. I never cared even though I’m a heavy user of their product. When will it start to affect me, or in other words, what use cases am I locked out of when port forwarding is disabled?
After they disabled port forwarding, I moved to ProtonVPN. They seem like the next best thing, and they continue to state that they have no intention of removing port forwarding (for now, I assume).
I'm glad to read this. We considered switching to them earlier this year (couldn't find the budget) and it was still on the table, but this is a deal breaker. If we'd switched I'd have been in the same situation, with a lot of prepaid service I couldn't use as intended.
To be fair, the announcement came with the option of asking for refunds, and I have no reason to doubt them. My few interactions with their support were pretty good.
None as solid, no. My needs are fairly specific (exit node in a specific country, torrent-friendly, good speed, not too expensive, not too shady, first-party support for my OSes, doesn't have to be government-proof), so you'll need to do your own research.
For what it's worth, I eventually went with Proton VPN, but it's more expensive and gives a used-car-salesman feeling.
Not that person, but I've spun up a 1984 instance paid with bitcoin without KYC. Then set up nat+rdr rules that forward to my service through a wireguard tunnel.
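The nat+rdr setup described in the comment above, written out as an added pf.conf sketch for an OpenBSD VPS; it is not the commenter's actual rules and nothing from 1984 or Mullvad. Interface names (`vio0`, `wg0`), the tunnel address `10.100.0.2`, the WireGuard port and the service/public ports are all assumptions.

```pf
# pf.conf on the rented VPS (OpenBSD). Added example, not the commenter's
# actual rules. Interface names, addresses and ports are assumptions.
#
# Topology: client -> VPS public IP:443 -> rdr into wg0 -> home host 10.100.0.2:8443
# The home host only ever talks to the VPS through WireGuard, so the address
# clients see is the VPS's, not the home connection's.

ext_if   = "vio0"          # VPS public interface
wg_if    = "wg0"           # WireGuard tunnel interface
wg_port  = "51820"         # UDP port WireGuard listens on
svc_host = "10.100.0.2"    # home side of the tunnel
svc_port = "8443"          # port the service listens on at home
pub_port = "443"           # port exposed on the VPS

set skip on lo

# Default deny inbound; anything not explicitly passed below is dropped.
block drop in on $ext_if

# Admin access and the WireGuard handshake/data channel.
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass in on $ext_if proto udp from any to ($ext_if) port $wg_port

# rdr: rewrite the destination of inbound TCP on the public port to the home
# host; pf then routes it out the tunnel. Only this one port is forwarded.
pass in on $ext_if proto tcp from any to ($ext_if) port $pub_port \
    rdr-to $svc_host port $svc_port

# nat: rewrite the source to the VPS's tunnel address so the home host's
# replies come back through wg0 instead of its own default route.
pass out on $wg_if proto tcp to $svc_host port $svc_port nat-to ($wg_if)

# Let the VPS itself reach out (updates, the WireGuard peer, etc).
pass out on $ext_if
```

The VPS also needs `net.inet.ip.forwarding=1` in sysctl.conf, and the home peer's WireGuard `AllowedIPs` should be limited to the VPS's tunnel address so only the forwarded traffic crosses the tunnel. Two things worth keeping in mind: the VPS provider still sees the home side's endpoint in WireGuard peer state (the "one side of the traffic" mentioned further down in the thread), and the service itself must not leak the home address in anything it serves.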
Becoming well known for always trying to put customers first is a good strategy and probably makes business sense in the long run. I have used mullvad for years. I have no intention of shifting provider. Mainly because the evidence is starting to stack up that they are one of the few good actors in a cess pit of shitty/shady competition. (Though it's a shame mullvad gets blocked by netflix, well the last time I tried it wasn't working).
The only other service I have any brand loyalty to is gog.com. For some reason I feel the same about them.
I use IVPN and they also deprecated port forwarding. I believe they didn't cut people off directly but if you stop using it you can restart using it. I wonder if they removed it for the same reason.
What are legitimate use cases to use port-forwarding behind a VPN IP? Genuinely curious, I'm not implying anything.
The main use-case is hosting something for which you don't want to reveal your IP or circumventing some ISPs that block hosting web servers on their residential IPs. I'm sure I'm missing many more use cases.
Basically you have a thin proxy on some not so cheap but ‘anonymous’ Bitcoin paid VM, that then (http) links to your vpn endpoint.
You need the dual setup as using the btc vm for storage of terabytes of data as well as for TB of traffic is too expensive for a volunteer run project.
I have been out of the loop for a while on this, but doesn't BitTorrent require you to set up a port forward? Otherwise you can only connect to peers that do, but not other peers that don't.
My biggest professional regret is not joining Mullvad when their founder emailed me.
A seriously large chunk of their values aligns with my own, and it's woefully few technical enthusiasts that continue to place liberty over convenience -- meaning most of us tend to use hyperscaler cloud providers under the purview of the US Government. -- and before anyone mentions it; yes that has been an issue for me in my professional career as the cloud providers must adhere to US sanctions, meaning if you are from Cuba, Iran or Crimea you can't play the games I made. -- which is annoying because you could buy our game legally in Russia and Ukraine, but if you happened to be in occupied territory then no play time for you.
Sidetracked a bit, but it's really refreshing from the outside to see a company that isn't scummy that values liberty.
Yup. As a Cuban, sometimes it is annoying and sometimes it goes beyond that. Some cloud providers are totally off limits for us, some are fine with us (the minority and less known), some let us use some services but not others, some even have valid OFAC licenses but still deny access (because of ACL complexities, I suppose)... it's all over the place. That's why I'm 95% of the time on crappy VPNs both to escape/evade US sanctions and my own country's censoring mechanisms.
The thing is, I somewhat understand why the sanctions were placed decades ago, but... is that rationale still valid? Anyway, and sadly, the sanctions affect "regular" people like me the most. The ruling elite? Not at all.
Funny how everyone talks about the Chinese "great firewall" that blocks access towards some western platforms from China, and no one talks about the "USA great firewall" that blocks Cuban citizens from accessing a lot of services.
> Anyway, and sadly, the sanctions affect "regular" people like me the most. The ruling elite? Not at all.
This confirms my secondhand knowledge of financial sanctions. It seems to universally be this way and makes me wonder why we still tout them as if they were effective. They sure don’t seem to be.
I also got upset when I had to implement geoip tracking to block specific countries and thought about the people that wouldn't have access to the free service we were providing, which I thought could help someone bootstrapping their small business and potentially improve their lives.
That being said, many people consider sanctions as an act of war[0] and if you think of them like that, well obviously it sucks, it's war and war-like consequences always suck for the people on the ground.
Just make sure when your boss asks you to implement geoblock bans for sanctions, do what you need to do and not more like trying to block VPN users or other shenanigans. Don't break the law but don't make it harder for people on the ground to use their right to internet access.
Sidenote: I know a bunch of people from Crimea and many things we take for granted are surprisingly complex for them. People from Cuba or Iran at least have the certainty of which country they are in.
Up front, I believe Mullvad is the best commercial VPN solution and is doing a great job at making good privacy more accessible.
However, a lot of the comments here seem to be hailing VPNs in general as the solution to privacy on the internet.
I would like to remind people that VPNs only really protect you against two things: your ISP and the endpoint. And that's assuming that your ISP isn't doing some shady analytics.
That being said, knocking those two things off the board is a huge benefit to privacy and absolutely should be done.
It is my understanding that many ISPs and backbone providers sell or otherwise disclose full detailed packet metadata, including precision timestamps, and that there are companies that aggregate this data across the entire Internet.
At which point your VPN becomes just another hop in the trace.
VPNs, no matter how secure they themselves are, are effective for accessing lightly geo-locked content and defeating unsophisticated analytics and tracking. They are really not a serious privacy solution in any sense, unfortunately.
The reason the UK wants an encryption backdoor is because it's expensive to do statistical analysis of encrypted traffic. There are ways to make it more difficult, but if you own the certificate that a TLS endpoint uses you can just open it and re-encrypt it for the destination. This is called break and inspect. If a VPN uses different certificates and is built well, there would have to be a flaw (spyware, vulnerability, etc) on one of the endpoints for anyone other than you and the VPN to read the encrypted data.
Why would they even do so?
Large ISPs are public, so this activity would appear as extra revenue (if they sell traffic data) in their financial reports and annual reports.
The most likely explanation is that ISPs are just respecting the local laws, and doing the minimum retention as required by the law (because more data storage = more costs),
and that their actual fear is that someone leaks this data and causes reputation damage, so they'd avoid storing anything if they can.
One of the projects I worked on a couple of years ago was audited by Radically Open Security - I was extremely impressed with the quality of their specialists.
They didn't find anything of course (in the system I was responsible for) beyond a couple of remarks (which I believe we had already explicitly marked with comments as they were marked for improvement by our static analysis tools; think "you can use a better variable name here" and "this can be simplified by using guard clauses" level). Not bad for something built under extreme circumstances and very little sleep (6-month-old baby + COVID + crunch + 2 other busy young kids = hell).
Mullvad is THE ONLY mainstream VPN that doesn't have seriously questionable credibility.
Not even Proton VPN is OK - sleuths have figured out that it's just a white-labeled version of NordVPN.
I am thankful that Mullvad is doubling down on their commitment to integrity, because there isn't an alternative.
Note: the link above [1] doesn't work anymore since Nord actually removed the product page for their white label product, but it does exist and you can see it in the Products dropdown as NordWL.
And since the link to [2] in what I linked above is broken, here is the archived version: https://archive.is/iZ2l2
It appears in this audit. They only reviewed test production servers.
Playing devil's advocate, what would be stopping Mullvad from providing the Open Security team with a version of Mullvad stripped of logging features? I hate to be this skeptical, but shouldn’t an actual audit review customer-facing servers (within bounds to prevent the auditors from logging info)?
Maybe I’m wrong, someone pls lmk. But I’m not convinced a test of this calibre demonstrates Mullvad's claims of no logging.
It wouldn’t make that much of a difference, I think, since they could just do the same with the real servers but only for the period of the audit. There has to be some faith that the subject isn’t actively deceptive and malicious, or the audit has to be random and at any time.
They don't state it clearly but this was a "we are capable not to mess up" audit rather than a "we are keeping your promises" audit.
I believe it is relevant to the threat model of an attacker gaining (partial) access to a production server (eg no accidental logging), not to the threat model of mullvad deploying malicious code.
I feel like this is a meaningful audit but would have liked if they had stated this more explicitly
At some point of paranoia people should really look into self-hosting a VPN service. Sure, your VPS provider can see one side of the traffic so it's not bulletproof, but that can be mitigated.
Mullvad is a nice middle ground for those who don't see that as worth their time or don't know how. It's good to see they're at the very least trying to keep up appearances.
I doubt that's the better way. How is self-hosting helping with the paranoia vs. using Mullvad?
I don't really see how it's more secure to run some software that you haven't audited on a VPS somewhere at a provider you haven't audited. I'd trust a company with resources to run their own hardware, investing into a more secure setup [1] and contributing to more open infrastructure [2] much more than I trust myself to run something securely which isn't my sole occupation.
I work in a bank and wish it worked like that too. "Sorry ECB, sorry SEC, we don't allow auditors access to our customers money". :-) My work would be so much easier! Too bad we can't do it because we'd go to prison.
I would have liked it if the audit had also provided a number of logins to be used on that server to act like typical users. Just so it was operating as a normal server would.
This could have led onto auditing a live server.
Auditing an in use customer facing server would definitely require a good amount of controls to ensure the auditors didn’t log any possible customer data.
Mullvad has been chopping away at system transparency for a little while: https://mullvad.net/en/blog/2019/6/3/system-transparency-fut... -- Effectively, a mechanism by which their servers can perform attestation to their server really being what it says it is.
I think they might have even spun this out into a separate project. With this, you can "trust" Mullvad that what's audited is really what you're using.
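The attestation idea in the two comments above (a server proving that what it runs is what was audited), as an added illustration that is not Mullvad's System Transparency code. It models a TPM-style measured-boot register: the register starts zeroed and each component's SHA-256 is folded in with `pcr = SHA256(pcr || digest)`, so order matters and a value cannot be "un-extended". A verifier who holds the audited component list can recompute the expected value and compare it with what the server reports, and can point at the first component that differs. The component images are constructed samples; signing the reported value (the TPM quote) is what binds it to real hardware and is deliberately left out.

```python
"""Recompute a measured-boot register from an audited component list.

Added illustration of the attestation idea in the thread; it is not
Mullvad's System Transparency code. The component images are constructed
samples. The quote signature that ties the value to a real TPM is out of
scope here.
"""
import hashlib
import hmac


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """One PCR-extend step: new = SHA256(old || measurement)."""
    return digest(register + measurement)


def measure(components):
    """Per-component digests in boot order, i.e. the event log a server would report."""
    return [digest(c) for c in components]


def fold(measurements):
    """Replay an event log into the final register value (register starts zeroed)."""
    reg = bytes(32)
    for m in measurements:
        reg = extend(reg, m)
    return reg


def verify(reported_register: bytes, audited_components) -> bool:
    """Does the reported register match what the audited build must produce?"""
    expected = fold(measure(audited_components))
    return hmac.compare_digest(reported_register, expected)


def first_mismatch(reported_log, audited_components):
    """Index of the first component whose digest differs from the audited one,
    or None if the log matches exactly. Answers *what* changed, not just *that*."""
    expected = measure(audited_components)
    for i, (got, want) in enumerate(zip(reported_log, expected)):
        if got != want:
            return i
    if len(reported_log) == len(expected):
        return None
    return min(len(reported_log), len(expected))   # one side has extra/missing entries


# Constructed sample "images"; the names are illustrative only.
AUDITED = [b"bootloader-v1", b"kernel-6.1-audited", b"initramfs-audited"]
TAMPERED = [b"bootloader-v1", b"kernel-6.1-audited", b"initramfs-with-debug-logging"]

if __name__ == "__main__":
    good_log = measure(AUDITED)
    bad_log = measure(TAMPERED)
    print("audited server verifies:", verify(fold(good_log), AUDITED))
    print("modified server verifies:", verify(fold(bad_log), AUDITED))
    print("first differing component:", first_mismatch(bad_log, AUDITED))
```

The point for the audit discussion in this thread: with a scheme like this, "the server was built from the audited image" becomes something a client can check on every connection, rather than something the auditors observed once. Without the signed quote, though, a reported register value is just a number the server claims, which is why the hardware root of trust is the part that actually matters.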
Sadly I can easily imagine a future where mullvad suffers because big tech simply rangebans all their datacenters (already happens to some degree between cloudflare and individual admins - people are seemingly even banned from using chatgpt if they connect over it, or at least it's involved) and you need the shady residential proxies to actually be able to connect/scrape anything.
A self hosted VPS may also work if the company is small enough to avoid the coming BlanketBans, but only time will tell.
[1] https://mullvad.net/en/blog/2023/5/29/removing-the-support-f...
[1] https://blog.azirevpn.com/port-forwarding/ [2] https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subjec...
Thank you for your position, BTW!
[0] https://moderndiplomacy.eu/2022/06/29/economic-sanctions-as-...
If you want to work for them, reach out to them. Maybe they need more people like us still :)
I was firmly planted in Malmö (3hrs train away) and had just signed to buy an apartment.
..where?
Which, I realize, is 100% of what most people think about VPNs, a nasty side effect of dishonest marketing.
Can you elaborate on this? So ISPs often engage in tactics that thwart VPN usage? Which ISPs? What tactics?
Edit: u/progbits is 1 minute faster than me https://news.ycombinator.com/item?id=37060828
Edit: I just had a look through your post history and you seem to have been claiming this for months, without providing any evidence. Shady.
The trail is a rabbithole, and you might not be personally satisfied with the standard of evidence. Here is a start for you: https://news.ycombinator.com/item?id=23571653
There was definitely overlap between the companies (and tech), but, to my knowledge, that hasn’t been the case for several years now.
HN title stripping strikes again, OP can you please fix the title to correct the company name?
[1] https://mullvad.net/en/blog/2022/1/12/diskless-infrastructur...
[2] https://mullvad.net/en/blog/2019/8/7/open-source-firmware-fu...
1. ensure that the company isn't misconfiguring things and accidentally breaking their own policies
2. provide a paper trail that would directly implicate people in the event of fraud, removing plausible deniability for the folks involved.