Linux under WSL2 can be leaking

We have found that you could be leaking your Internet traffic when running Linux under WSL2 (Windows Subsystem for Linux 2).

Our investigation has shown that these leaks also occur on other VPN software, and even though we do not have a solution to present for now, we feel the need to address the problem. As you read this we are working on a solution to this problem.

Recently, we got a report that said there were leaks from Linux under WSL2. Our investigations concluded that traffic from the Linux guest bypasses all normal layers of WFP (the firewall on the Windows host) and goes directly out onto the network. As such, all the blocking the app does in the firewall is ignored.

Network traffic from the Linux guest always goes out the default route of the host machine without being inspected by the normal layers of WFP. This means that if there is a VPN tunnel up and running, the Linux guest’s traffic will be sent via the VPN, with no leaks! However, if there is no active VPN tunnel, as is the case when the app is disconnected, connecting, reconnecting, or blocking (after an error occurred), then the Linux guest’s traffic will leak out on the regular network, even if “Always require VPN” is enabled.

How it leaks

WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking.
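The behaviour described in the two sections above can be modelled as a host-side exposure check. This is an added example, not Mullvad's code: it resolves the host's egress interface for an outside address and reports whether Hyper-V guest traffic would leave through the tunnel or the regular network. The adapter inventory, route tables, field names and the tunnel adapter name are constructed assumptions.

```python
import ipaddress

# Constructed sample data, not captured from a real machine. The dict fields
# and the tunnel adapter name "vpn-tunnel" are assumptions for this example.
HYPERV_DESC = "Hyper-V Virtual Ethernet Adapter"
ADAPTERS = [
    {"index": 12, "name": "Ethernet", "desc": "Physical NIC"},
    {"index": 31, "name": "vEthernet (WSL)", "desc": HYPERV_DESC},
    {"index": 44, "name": "vpn-tunnel", "desc": "VPN tunnel adapter"},
]
TUNNEL_INDEX = 44
# Assumed route layout while the tunnel is up: two /1 routes override the default.
ROUTES_CONNECTED = [
    {"prefix": "0.0.0.0/0", "ifindex": 12, "metric": 25},
    {"prefix": "0.0.0.0/1", "ifindex": 44, "metric": 5},
    {"prefix": "128.0.0.0/1", "ifindex": 44, "metric": 5},
]
# Disconnected / connecting / reconnecting / blocking: tunnel routes are gone.
ROUTES_NO_TUNNEL = [r for r in ROUTES_CONNECTED if r["ifindex"] != TUNNEL_INDEX]


def egress_interface(routes, dest):
    """Longest-prefix match, ties broken by lowest metric; None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if addr in net:
            key = (net.prefixlen, -route["metric"])
            if best is None or key > best[0]:
                best = (key, route["ifindex"])
    return best[1] if best else None


def guest_exposure(adapters, routes, tunnel_index, probe="203.0.113.10"):
    """Classify where Hyper-V guest traffic to `probe` would leave the host."""
    if not any(a["desc"].startswith(HYPERV_DESC) for a in adapters):
        return "no-hyperv-guest"
    egress = egress_interface(routes, probe)
    if egress is None:
        return "no-route"
    # Host WFP block rules are deliberately not consulted: per the article,
    # forwarded guest frames are not inspected by those layers.
    return "via-tunnel" if egress == tunnel_index else "leak"


if __name__ == "__main__":
    for state, routes in (("connected", ROUTES_CONNECTED),
                          ("blocking", ROUTES_NO_TUNNEL)):
        print(state, guest_exposure(ADAPTERS, routes, TUNNEL_INDEX))
```

On a real host the same inputs would come from the adapter list and the IPv4 routing table; the classification logic does not change.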

Other VPN software

We have tested a few other VPN clients from competitors and found that all of them leak in the same way. Therefore, this is not a problem with Mullvad VPN specifically, but rather an industry-wide issue that no-one, or very few, have addressed yet. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.


FAQ: New national security law – Hong Kong

Mullvad

We frequently get questions about HK and its new security law.
The most common question is “Why haven’t you already pulled out of HK altogether?”, but some customers emphasize the need for servers in HK and voice their concern that we might withdraw.

Our VPN service, as well as our relays and bridges, can be used for many reasons and in many different ways. However, if you have privacy concerns, it might be good to choose a server location in a jurisdiction YOU prefer. Also consider using Multihop. Deciding on a location could be based on jurisdiction, network quality, blocking and throttling, and many other factors.

For instance, you can use our bridge service with Singapore as an entry location and the U.S. as an exit location if that’s a combination that fits your needs. Alternatively, you can use the Multihop function in WireGuard. The traffic will be encrypted from your computer to the exit server, and the bridge or WG server in the middle will just route traffic to the exit node without being able to decrypt it. Depending on your threat model, using two locations with different jurisdictions might be beneficial.

Results available from audit of Mullvad app

Mullvad

We invite you to read the final report of the independent security audit performed on the Mullvad VPN app.

As stated in the report, “The results of this May-June 2020 project targeting the Mullvad [app] are quite positive.” The audit was performed on the five supported platform versions of the app: desktop version 2020.4, Android version 2020.5-beta1, and the iOS test flight version of 2020.3.

The auditors “could only spot seven security-relevant items. Moreover, penetration tests and audits against application branches of Mullvad exclusively pointed to issues with limited severities, as demonstrated by the most impactful flaw scoring as Medium only.”

Six testers from Cure53 performed the audit over the course of 20 days.

Read the report

The final audit report is available on Cure53’s website.

For full transparency, the initial report is also public. This is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology and requesting that they specify which app versions had been audited, they adjusted the report and produced the final version.

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Upgrade your app

Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released new versions for all platforms:

  • Windows, macOS, and Linux: 2020.5
  • Android: 2020.5-beta2
  • iOS: 2020.3.

Download Mullvad VPN to get the latest version.

Overview of findings

Of the seven issues found, two were classified by the auditors as “Medium”, two as “Low”, and the remaining three as “Info”. The auditors did not find anything that they would classify as dangerous or critical, and according to the report, “Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”

We fixed five of the seven issues and merged them before the final report was finished and sent to us. The remaining two are items that we do not deem as serious problems nor are they a threat to us or our users. Furthermore, we have no way of patching those two as they are out of our control.


Mullvad VPN Android app available on F-Droid!

Mullvad

Our Android app is now available through yet another distribution channel: F-Droid.

It was the plan all along to offer the Android app via three different distribution channels. It was first made available on our website as a standalone installer APK in version 2019.8-beta1 on 2019-09-19. It was then made available on Google Play in version 2020.4-beta1 on 2020-03-31. And now, finally! Catering more to the Open Source community, we are available via F-Droid with the recent 2020.5-beta2 release.

The app is still classified as a beta due to stability issues on some devices and versions of Android. But it gets better with every release, and we are pretty close to making a stable release now.


Mullvad VPN assessed in external security audit; new beta version (2020.5-beta2) available

Mullvad

An independent security audit of the Mullvad VPN app was recently completed. Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released a new beta version for desktop and Android.

Here are the new beta versions:

  • Windows, macOS, Linux: 2020.5-beta2, which you can download on our website. Alternatively, wait until we release the next stable version, which we always recommend that you have.
  • Android: 2020.5-beta2, to be released shortly.

During the assessment, auditors from Cure53 found nothing that they define as critical and were “unable to compromise the [app].”

Why you should care about VPN audits

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Final audit report coming soon

We will publish a link to the audit report and an overview of the findings when it becomes available on Cure53’s website.


iOS app release improves VPN connection (2020.2)

Mullvad

A new iOS version of the Mullvad VPN app should mean fewer disconnections.

What’s new in this version

To provide a more stable connection, the app now automatically enables the device’s on-demand VPN setting whenever a connection is made. Users should experience fewer sudden disconnections.

Other updates:

  • Format account number in groups of 4 digits separated by whitespace on login screen.
  • Fix “invalid account” error that was mistakenly reported as “network error” during log in.


Launched: Mullvad VPN for iOS is here

Mullvad

The official Mullvad VPN app is now available for iOS users! Pull out your iPhone and get it in the App Store.

What to expect

The iOS version of the Mullvad VPN app exclusively uses the WireGuard VPN protocol. In the app, you can both regenerate and verify WireGuard keys.

Running out of time on your account? You can top it up using the in-app payment feature, but the option to add time via the Mullvad website is still available.

The Mullvad VPN app on iOS contains the same essential functions as its desktop counterpart: login with only your account number, secure your connection with the tap of a button, and easily change your location.

Got feedback for us? Send it our way! Knowing what you experience helps us more quickly identify issues and prioritize features for future releases.


Auto-connect feature in new Android release (2020.4-beta1)

Mullvad

What’s new in this version

An Auto-connect option is now available under the Preferences menu. Enable this and the app will automatically connect to a server when it launches. If your Android device has the “Always-on VPN” feature, you can combine these two functionalities to automatically secure your connection from the moment you power on your phone.

You can now add an app shortcut tile to Android’s Quick Settings menu. A single tap on the tile will connect or disconnect you while tapping and holding opens the app.
