Mullvad VPN

Mullvad VPN is the most privacy-respecting commercial VPN service available. Founded in 2009 in Gothenburg, Sweden, Mullvad has built its entire business model around the principle that they should know nothing about their users. There is no account creation process — you generate a random 16-digit account number, and that number is your identity. No email, no name, no password. You can pay with cash mailed in an envelope, Monero, or Bitcoin. Mullvad charges a flat €5 per month with no discounts for longer commitments, because they don't want the billing relationship that annual plans create.

For someone preparing to exit or already in motion, a VPN is one of the first layers of protection to establish. Your internet service provider, the Wi-Fi network at your hotel, and any network between you and your destination can see your traffic without one. Mullvad encrypts your internet connection and routes it through their servers, hiding your real IP address and preventing network-level surveillance. But most VPNs compromise on anonymity through account creation, payment processing, and logging — Mullvad is the rare exception that doesn't.

Mullvad should be the first network privacy tool you set up after obtaining anonymous payment (cash or crypto). It protects your IP address while you create other anonymous accounts, download Tor Browser, and set up the rest of your privacy stack. Every other tool works better when your IP address isn't exposed.

Mullvad supports two VPN protocols: WireGuard and OpenVPN. WireGuard is the default and recommended option, using ChaCha20 for symmetric encryption, Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing, and SipHash24 for hashtable keys. The entire WireGuard codebase is approximately 4,000 lines of code, which is small enough for meaningful security review (compared to OpenVPN's roughly 100,000 lines). OpenVPN connections use AES-256-GCM with RSA-4096 for the control channel and SHA512 for authentication.

All Mullvad servers operate in RAM-only mode (what they call "diskless infrastructure"), meaning the servers have no persistent storage. If a server is seized or powered off, all data — including any ephemeral connection state — is lost. This was demonstrated in practice when Swedish police raided a Mullvad data center in April 2023 and seized equipment, only to find that the RAM-only architecture meant there was nothing to extract. Mullvad also implements DAITA (Defense Against AI-guided Traffic Analysis), which pads and shapes traffic to resist machine-learning-based traffic analysis that can identify websites visited even through VPN encryption.

Mullvad's anonymity model is the strongest in the VPN industry. Account creation consists of clicking "Generate account number" on their website — you receive a random 16-digit number with no associated identity. There is no email field, no name field, no password. Your account number is simultaneously your login credential and your only identifier. Mullvad does not log connection timestamps, traffic data, IP addresses, DNS requests, or bandwidth usage. They cannot connect an account number to a person because they never collected that information.

Mullvad publishes an annual infrastructure audit confirming their no-logs claims. In the 2023 Swedish police raid, Mullvad confirmed that the authorities found no customer data because none exists on their systems. The company has repeatedly stated that even under legal compulsion, they cannot provide what they don't have. Mullvad's apps do not contain any telemetry, analytics, or crash reporting that could identify users. The app connects to Mullvad's servers using the WireGuard protocol with the account number as the only authentication — there are no cookies, sessions, or tokens.

Mullvad's VPN client applications for all platforms are fully open source, available on GitHub. The WireGuard protocol itself is open source and has been audited extensively by the security community, with formal verification of its cryptographic properties. Mullvad has commissioned multiple independent security audits: Cure53 audited the client applications in 2020 and the infrastructure in 2022, Assured AB conducted an infrastructure audit in 2023, and additional audits have examined the DAITA traffic analysis resistance feature. All audit reports are published on Mullvad's website.

Mullvad also publishes the source code for their server infrastructure and management tools, which is unusual in the VPN industry. Reproducible builds are supported for the desktop client, allowing users to verify that the distributed binary matches the source code. The Android app is available on F-Droid. This level of transparency is unmatched by any other commercial VPN provider — you can verify every component of the system from client to server.

Mullvad VPN AB is incorporated in Sweden, which is a member of the Fourteen Eyes intelligence-sharing alliance. This jurisdiction raises theoretical concerns about government surveillance cooperation. In practice, Swedish privacy law (based on GDPR) provides strong data protection rights, and the absence of any stored data means there is nothing for authorities to compel. The April 2023 police raid was the definitive test — Swedish police physically entered Mullvad's office with a search warrant and left without any user data.

Sweden does not have mandatory data retention laws for VPN providers. Mullvad publishes a transparency report documenting legal requests and their responses. The company has a warrant canary and has stated publicly that they would rather shut down than compromise user privacy. Their flat organizational structure and clear mission make regulatory capture unlikely — there is no venture capital firm pushing for growth at the expense of privacy.

Mullvad has been operational since 2009, making it one of the longest-running privacy-focused VPN services. In 15+ years, there has been no known data breach, no log exposure, and no evidence of cooperation with surveillance programs. The 2023 police raid served as an involuntary audit that validated their claims — the strongest possible evidence that their no-logs policy is genuine. Mullvad's co-founders, Fredrik Strömberg and Daniel Berntsson, are publicly known and have been consistent advocates for privacy rights.

The security community widely regards Mullvad as the most trustworthy VPN provider. It is recommended by Privacy Guides, the EFF, and numerous independent security researchers. Mullvad does not have affiliate marketing programs, which means the recommendations it receives are not financially incentivized — a stark contrast to the VPN review industry where most "best VPN" articles are paid placements. The company has also contributed financially to the development of WireGuard and other open-source privacy tools.

Mullvad's apps are functional and straightforward, though less polished than consumer-focused VPNs like ExpressVPN or NordVPN. The desktop app shows a map with server locations, a connect/disconnect button, and a settings panel for protocol selection, kill switch configuration, and DNS settings. Server selection is simple — choose a country, and Mullvad routes you to the best available server. The kill switch prevents any traffic from leaving your device if the VPN connection drops, which is critical for crisis use.

The mobile apps follow the same design pattern: simple, clear, and focused on the essentials. There are no upsells, no popups, no dark patterns. The account system (just a number) means you can be connected within seconds of downloading the app. Documentation on Mullvad's website is thorough and covers setup on every platform including routers and Linux command line. For non-technical users, the experience is: generate a number, download the app, enter the number, click connect.

Mullvad provides native apps for Windows, macOS, Linux, Android, and iOS. The Linux app is a first-class citizen with a GUI (not just command-line), which is unusual for VPN providers and relevant for users running Tails or other Linux-based privacy operating systems. WireGuard configuration files can be generated from the Mullvad website for use with any WireGuard-compatible client or router firmware (OpenWrt, pfSense, etc.), which allows you to protect an entire network at the router level.

Browser extensions are available for Firefox and Chrome to handle SOCKS5 proxy configuration and DNS leak prevention. All platforms support both WireGuard and OpenVPN protocols. Feature parity across platforms is strong — kill switch, DNS configuration, server selection, and split tunneling are available on all major platforms. The Android app is available on Google Play and F-Droid.

Mullvad's payment options are the most anonymous in the VPN industry. Cash payment is accepted — you mail euros, US dollars, British pounds, Swedish kronor, Danish kroner, Norwegian kroner, Swiss francs, Canadian dollars, or Australian dollars in an envelope to their Gothenburg office with your account number written on a slip of paper. Mullvad also accepts Bitcoin (on-chain and Lightning), Monero, and bank wire. No credit card processing is offered, which eliminates the most common source of identity leakage in VPN subscriptions.

The flat €5/month pricing with no long-term commitments means you never need to make a large payment that could attract attention. You can mail €5 in an envelope each month, pay a few months ahead with Bitcoin or Monero, or purchase Mullvad voucher codes from third-party resellers with cash or crypto. There is no free tier — Mullvad believes that free VPN users inevitably become the product. The €5/month cost is minimal and can be paid with complete anonymity.

Generate an account number by visiting mullvad.net and clicking "Generate account." You'll receive a 16-digit number — save this number in your password manager immediately. This number is your only login credential and cannot be recovered if lost. There is no email-based password reset, no account recovery process, and no way to contact Mullvad to retrieve a lost number. Treat it like a cryptographic key.

Add time to your account using your preferred anonymous payment method. For maximum anonymity, mail cash to: Mullvad VPN AB, Box 53049, 40014 Gothenburg, Sweden, with your account number on a slip of paper inside the envelope. For faster activation, send Monero or Bitcoin from the payment page on Mullvad's website. Payment typically processes within minutes for crypto and 1-2 weeks for mailed cash.

Download the Mullvad app from mullvad.net/download for your platform. Open the app, enter your 16-digit account number, and click connect. The app will automatically select the fastest nearby server using WireGuard. Open Settings and enable the kill switch ("Always require VPN" on mobile, "Block when disconnected" on desktop) — this prevents your real IP from leaking if the VPN connection drops. Set DNS to use Mullvad's DNS servers to prevent DNS leaks. If you're in a country that blocks VPN protocols, enable "Bridge mode" or switch to the obfuscation-enabled servers to disguise your VPN traffic as regular HTTPS. Your internet traffic is now encrypted and your IP address is hidden — use this protection while setting up the rest of your privacy tools.