In my search for iOS-friendly VPNs, I ran across a review of Mullvad VPN by ThatOnePrivacyGuy. If you follow TOPG you know he doesn’t suffer shoddy VPNs and is extremely exacting in his review methodology. He’s also beholden to no one, and if it ain’t right, he’ll say so. I don’t agree with everything he says, but if he says a provider “easily has one of the best VPNs [he’s] ever seen or used,” it’s worth taking a look at. My review of this VPN probably isn’t going to tell you much that you can’t learn from his, but there are a couple of features that I wanted to shine a bit more of a light on.
Affiliate Disclosure: Because the VPN market is so rife with unethical affiliates, I feel it necessary to clarify my affiliate status on any article relating to VPNs. Since Mullvad does not have an affiliate program, I am not affiliated with them in any way (Mullvad’s Review/Advertising/Affiliate Policy). I paid full price for all services used and received no incentives for this review.
Mullvad VPN Features
Servers & Protocols: One thing that sets Mullvad apart from many VPN providers is their server array. Instead of using virtual servers, every single Mullvad VPN server is bare metal. This is in pretty radical contrast to many VPN providers out there. Mullvad doesn’t have the biggest number of servers on the market; privacytools.io reports 52; I count 155. Servers are dispersed into 26 countries with the heaviest concentrations in Sweden and the United States. Mullvad’s encryption defaults to the strongest available protocols: AES-256 encryption with RSA-4096 used for the handshake protocol. Mullvad is also looking toward the future. They have already implemented some WireGuard servers (more on WireGuard here), and are thinking ahead to the post-quantum world.
Apps: The Mullvad VPN application for Mac and Windows has a built-in kill switch. It also handles first-party DNS requests and IPv6 leakage.
Logs: This blog post explains exactly what information Mullvad retains and does not retain.
Mullvad VPN Accounts & Payments
Accounts & Payments: This is possibly the coolest feature of Mullvad VPN: no setup information at all is required. When I say no setup information, I mean absolutely nothing. You go to the site and click “Get Account.” After solving a CAPTCHA you are issued a 16-digit account number. That is it – not even an email address is required. This is your account login credential. Once you have created your account you are granted a 3-hour trial period, after which you must fund your account or cease using it.
The other cool (also possibly coolest) feature is that you can pay for your subscription in cash. To fund the account you can pay with Bitcoin, credit card, bank wire, PayPal, Swish (Swedish residents only), Bankgiro (I’ve never heard of this one) or cash. To pay in cash, simply throw some cash in an envelope. As long as it’s cash – Canadian dollars, Philippine pesos, Japanese yen, Swiss francs – it’s accepted and prorated against a rate of 5€/month. Write your account number down and put that in the envelope, too.
Mullvad VPN Website, Cookies, & Privacy
Website & Cookies: The Mullvad VPN website is also pretty impressive. The only scripts running on the site are organic Mullvad scripts. Compare this to some other VPNs, as shown in the screenshot below. Only three cookies are deposited on your computer by the Mullvad site. One is a session ID that keeps you logged into your account and is valid for one hour. One is a language token that keeps track of your preferred language and expires when your browser closes. The third is a CSRF (cross-site request forgery) token that prevents malicious POST requests.
My Experience with Mullvad VPN
Based largely on TOPG’s review of Mullvad (very nearly a perfect score on his chart), I decided to give it a shot. I also just really wanted to experience paying for a VPN in cash. I placed my cash in the envelope, wrapped in a piece of printer paper with my account token printed on it. Instead of using my address as a return address, I used the donation address of my favorite charity. This way if the envelope were mislaid along the way there was a chance it would make it to a good place, and not tie back to me.
Because I gave Mullvad no information about me whatsoever, they could not let me know when the account was activated. At the four-day mark I began going to their site and testing the account number. On Day 10 it said the account was active and that I had XX days remaining. I was in business. I immediately installed the Mullvad client and logged in.
Unfortunately, I had some issues with the Mullvad VPN client for macOS. I could install the client, but got errors when attempting to connect. I contacted Mullvad VPN support (who responded within 24 hours) and was told if the problem persisted to use their beta macOS app or Tunnelblick. This wasn’t the answer I was looking for, but I gave it a shot. I’m not a fan of Tunnelblick, so that is a deal-breaker for me on macOS. Unfortunately the beta app for macOS was immediately leaking my IP address and DNS requests, so I went back to Tunnelblick.
I also threw the OVPN config files onto my iPhone through OpenVPN Connect. Of course I had the standard connectivity issues that OVPN is infamous for on iOS devices, but when connected the service worked very well.
Mullvad VPN is an excellent VPN if you are looking to use OpenVPN. I will migrate fully to Mullvad when I migrate fully to Linux. It is also the most privacy-respecting VPN I have yet run across. If you’re in the market for a new VPN you could do a lot worse than Mullvad.