Your IP address is used to identify you, track you, and map your online life. The first step to reclaiming your online privacy is to mask your information with a reliable VPN. However, this measure alone is not enough. Here, you can learn how a VPN works, how it combats mass surveillance, how it helps bypass censorship, and what types of data collection methods it cannot protect you against.
Does the VPN service log your traffic? Here you have to look closely at the details, and not just rely on the headlines.
Now we come to a burning question. According to law, your internet supplier must register and save your traffic. Your VPN supplier doesn’t have to. This is the basic premise behind VPN services. Therefore many VPN companies state clearly that they are a “no logging” service, but the problem is that many VPN services have been caught lying about this. So what can you do? Well, for example, you can look at whether they are specific when they state what it is they don’t log. Are they evasive with their answer? Are they unable to be specific? This can be a warning sign. And a really big red flag is if they start to talk about collecting “anonymous data”. It is, as you can read here, impossible to keep big data anonymous.
Question from the Center For Democracy & Technology: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated?
Mullvad’s answer: No. For details, see our privacy policy.
Under Mullvad’s privacy policy you can discover, for instance, that:
We log nothing whatsoever that can be connected to a numbered account’s activity:
No logging of traffic
No logging of DNS requests
No logging of connections, including when one is made, when it disconnects, for how long, or any kind of timestamp
No logging of IP addresses
No logging of user bandwidth
No logging of account activity except total simultaneous connections (see more under privacy policy)
How we handle government requests for user data (Policies)
A privacy-protecting communication service is a juicy target for many actors, including governments. The usual way for these entities to lay hands on user data is through legal means backed by force.
The problem with this, however, is that even if a request for data were morally justifiable, that judgement would be the government's to make, not ours. Spying on our users would therefore be left to government discretion alone. Thus, for us it's an all-or-nothing situation.
If we allowed ourselves to be persuaded into handing over user data, we would become a government surveillance tool, the very opposite of a privacy-protecting service. Therefore, we must – and do – make it impossible for us to fulfill any data request.
To achieve this goal, we use a multi-layered defense.
Our strategy
We collect no data
As detailed in our no logging data policy, we go to great lengths in order to not collect and store data about our users' activities and identities. As a result, there is simply no data to request, nor to confiscate in the case of physical seizure of a server.
When governments do request data, we refer them to our policy and explain that we have no information to hand over.
We are based in a good jurisdiction
Our legal entity is in Sweden, where the law does not allow for any government to force us to spy on our users.
We are prepared to shut down the service
Should a government somehow succeed in legally forcing us to spy on our users, we will cease operation of our service in the affected jurisdiction and only resume it if the legal situation* has been remedied. Just as where no data can be revealed if it does not first exist, the service can't be used as a surveillance tool if it's not in operation.
*We retain lawyers to help us monitor the legal landscape in Sweden and keep us abreast of any developments. We also stay up to date on how to move critical parts of our business to other jurisdictions around the world, should we need to.
How does your VPN make sure no unauthorized person can read your traffic?
When you choose a VPN service, it isn’t only about trust, but also competence. We’re getting into technical stuff here, but it’s important to check this out too. The question is what your VPN service does to keep your traffic and your data secure and private.
Question from the Center For Democracy & Technology: What do you do to protect against unauthorized access to customer data flows over the VPN?
Mullvad’s answer: Secure systems are required for privacy, and since Mullvad’s beginning, security has always been deeply ingrained in our culture.
We only utilize the two best VPN protocols, OpenVPN and WireGuard (we were an early adopter of the former and we pioneered the latter).
In our app we offer such security features as a kill switch, DNS leak protection, and IPv6 support, all of which we were either first or among the first to introduce.
Because reliability is paramount, our app is built in Rust, a programming language made for building secure programs.
We use code signing for app and server code.
The code is reviewed by several people in our team before it goes into production.
We enforce those that have access to production servers or customer correspondence to run the Qubes operating system.
We work with segmentation of access (to the servers, for example).
We also protect our workstations against tampering.
Does your VPN supplier do their utmost to keep your data private?
If you choose your VPN provider from a privacy perspective it all comes down to this: do they do their utmost to keep your data private? Is their primary purpose to reduce data collection? For example, when we removed the subscription option for our customers, it was with privacy in mind. It wasn’t the most comfortable decision to take, but it was the right one. And our process for new customers works as it does for the same reason. We don’t ask for any personal information. No username, no password, no email address. Nothing. The only thing you do is to generate an account number – that’s all you need to start your Mullvad account.
Question from the Center For Democracy & Technology: What other controls does the service use to protect user data?
Mullvad’s answer:
We offer a number of features to protect our users’ privacy, including these industry firsts:
We accept payment with cash in the mail and cryptocurrencies (Bitcoin, Bitcoin Cash and Monero).
In our account sign-up process, we ask for no personal information whatsoever, not even an email address.
Our VPN app is open source (find an independent audit report of it on our website).
Why it's important where your VPN provider is based
Where your VPN provider is based in the world is crucial to your privacy, since the laws in different countries make it more or less possible to keep your traffic private.
In a large number of countries, internet service providers are obliged by law to register and save their customers’ internet traffic. Does that apply to VPN services too? That’s exactly the question you should ask yourself, because the very foundation of a VPN provider being able to run an operation that makes sure your traffic stays private is this: Are they based in a country where the laws require them to log traffic?
Mullvad VPN is based in Sweden, and here the relevant law is called the Electronic Communications Act (Lagen om elektronisk kommunikation, LEK). It’s LEK that regulates how internet service providers must log traffic, and it’s very clear: this law doesn’t apply to VPN services. So the basic conditions for running a privacy-focused VPN service are good: Swedish law doesn’t require VPN services to log either their customers or their traffic.
This is how AI can be used to analyze your traffic – even if it’s encrypted
When you visit a website, there is an exchange of packets: your device will send network packets to the site you’re visiting and the site will send packets back to you. This is a part of the very backbone of the internet.
When you use encrypted services like a VPN the content of these packets (which website you want to visit for example) is hidden from your internet service provider (ISP), but the fact that these packets are being sent, the size of the packets, and how often they are sent will still be visible for your ISP.
Since every website generates a pattern of network packets being sent back and forth based on the composition of its elements (like images, videos, text blocks etcetera), it’s possible to use AI to connect traffic patterns to specific websites. This means your ISP or any observer (like authorities or data brokers) having access to your ISP can monitor all the data packets going in and out of your device and make this kind of analysis to attempt to track the sites you visit, but also identify whom you communicate with using correlation attacks (you sending messages with certain patterns at certain times, to another device receiving messages with a certain pattern at the same times).
How we combat traffic analysis: this is how DAITA works
DAITA has been developed together with Computer Science at Karlstad University and uses three types of cover traffic to resist traffic analysis.
1. Random background traffic
By unpredictably interspersing dummy packets into the traffic, DAITA masks the routine signals to and from your device. This makes it harder for observers to distinguish between meaningful activity and background noise, making it hard to know if you are active or not.
2. Data pattern distortion
When visiting websites (or doing any other activity that causes significant traffic), DAITA modifies the traffic pattern by unpredictably sending cover traffic in both directions between client and VPN server. These “fake packets” distort the recognizable pattern of a website visit, resisting accurate identification of the site.
3. Constant packet sizes
The size of network packets can be particularly revealing, especially small packets, so DAITA makes all packets sent over the VPN the same constant size.
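The following Python sketch is an added illustration, not code from Mullvad or the DAITA project: it applies constant packet sizes and random cover traffic to two constructed traces and shows what an on-path observer can still measure. The 1280-byte size, the traces, the dummy rate and all function names are assumptions made for the example.

```python
import random

PACKET_SIZE = 1280  # assumed constant size in bytes; the page does not give DAITA's value

# Constructed traces of (direction, payload_bytes): +1 = client to server, -1 = server to client.
SITE_A = [(+1, 120), (-1, 1400), (-1, 1400), (-1, 600), (+1, 80), (-1, 1400)]
SITE_B = [(+1, 300), (-1, 500), (+1, 90), (-1, 1400), (-1, 200)]

def pad_to_constant(trace, size=PACKET_SIZE):
    """Split large payloads and pad so every packet on the wire is exactly `size` bytes."""
    out = []
    for direction, length in trace:
        count = max(1, -(-length // size))  # ceiling division, at least one packet
        out.extend([(direction, size)] * count)
    return out

def add_cover_traffic(trace, rng, rate=0.5, size=PACKET_SIZE):
    """Insert dummy packets, in random directions, before each real packet."""
    out = []
    for packet in trace:
        while rng.random() < rate:  # geometric number of dummies per real packet
            out.append((rng.choice((+1, -1)), size))
        out.append(packet)
    return out

def observer_view(trace):
    """Metadata an on-path observer can still see: distinct sizes and per-direction counts."""
    sizes = sorted({size for _, size in trace})
    up = sum(1 for direction, _ in trace if direction > 0)
    return sizes, up, len(trace) - up

if __name__ == "__main__":
    # A seeded PRNG keeps the demo reproducible; a real client needs an unpredictable source.
    rng = random.Random(2024)
    for name, trace in (("A", SITE_A), ("B", SITE_B)):
        padded = pad_to_constant(trace)
        covered = add_cover_traffic(padded, rng)
        print(name, "raw    ", observer_view(trace))
        print(name, "padded ", observer_view(padded))
        print(name, "covered", observer_view(covered))
```

Padding alone removes the size signal but leaves the two traces with different packet counts (2 up and 7 down against 2 up and 4 down), which is the residual pattern the random cover traffic is there to blur.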
Quantum-Resistant Tunnels Now Available on iOS!
Quantum-resistant tunnels are now supported across all our operating systems: Linux, Windows, macOS, Android, and now on iOS.
How to Enable (or Verify it's On)
1. Open the app on your iOS device.
2. Navigate to Settings → VPN settings → Quantum-resistant tunnel.
3. Ensure the setting is switched to On.
Once the VPN connection is established, you’ll notice a “QUANTUM SECURE CONNECTION” status in green text on the main view of the app, confirming your connection.
The Future of Quantum Secure Connections
If it turns out to work as well as we hope it will, we will enable this by default on all platforms in the future.
The Challenge
The encryption used by WireGuard has no known vulnerabilities. However, the current establishment of a shared secret to use for the encryption is known to be crackable with a strong enough quantum computer.
Although strong enough quantum computers have yet to be demonstrated, having post-quantum secure tunnels today protects against attackers that record encrypted traffic with the hope of decrypting it with a future quantum computer.
Our Solution
A WireGuard tunnel is established, and is used to share a secret in such a way that a quantum computer can’t figure out the secret even if it had access to the network traffic. We then disconnect and start a new WireGuard tunnel specifying the new shared secret with WireGuard’s pre-shared key option.
The post-quantum secure algorithms used here are Classic McEliece and Kyber.
BASIC FEATURES
Mullvad VPN provides strong privacy with a strict no‑logs policy, user anonymity via randomly generated account numbers (no email required), supports WireGuard (with OpenVPN being phased out), offers built‑in DNS content filtering, kill switch, split tunneling, port forwarding, multihop routing (including dual‑provider Obscura VPN integration), supports quantum‑resistant WireGuard tunnels by default, and provides open‑source clients and reproducible builds for full transparency.
WHAT’S NEW
The 2025 updates include the introduction of the Mullvad VPN Loader for fast and secure installation on Windows and macOS, reproducible Android builds from version 2025.2, multihop support on Android since 2025.1, split tunneling on macOS stable in 2025.2, quantum‑resistant tunnels enabled by default, availability on Windows ARM, and an updated refund policy reduced to 14 days—all reinforcing privacy, platform support, and user control.
SYSTEM REQUIREMENTS
Mullvad functions as a cloud-based service requiring only a modern device and browser (or the desktop/mobile app). Clients are available for Windows (x86 and ARM), macOS, Linux (various distros via GUI/CLI), Android, and iOS; no specialized hardware is needed beyond typical device specs.
USER INTERFACES LANGUAGES
English, Swedish (and language-specific websites and help), with UI translations for major languages based on platform (e.g. macOS menu languages vary); primary interface language is English.
BRAND
Mullvad VPN 2025
TYPE
Privacy‑focused virtual private network service
FOR OPERATING SYSTEM
Native desktop apps for Windows (x86 and ARM), macOS, Linux; mobile apps for Android and iOS; also supports routers (OpenWRT, pfSense, DD‑WRT) and browser integration via Mullvad Browser and DNS services
LICENSE CATEGORY
Subscription‑based software
FORMAT
Digital Download
MODEL
Mullvad VPN 2025
COUNTRY OF USE
Global
MANUFACTURER COUNTRY
Sweden