Privacy on the modern internet is often treated as a commodity—something to be packaged, discounted, and sold in three-year subscriptions. Mullvad VPN, a service operated by the Swedish firm Amagi Com AB, has spent over fifteen years operating on a fundamentally different premise. While most VPN providers focus on aggressive marketing and unblocking geo-restricted television shows, Mullvad has carved out a niche as the tool of choice for whistleblowers, security researchers, and privacy purists.

The core identity of Mullvad is built into its name. In Swedish, "mullvad" means mole, symbolizing an entity that operates effectively underground, out of sight. Since its launch in March 2009, it has consistently prioritized technical transparency and user anonymity over mainstream appeal. This article examines the infrastructure, philosophy, and performance of Mullvad to determine why it remains a unique outlier in an increasingly crowded cybersecurity market.

The Radical Anonymity of the 16-Digit Account Number

The most striking feature encountered when first using Mullvad is the complete absence of a signup form. There is no field for an email address, no request for a username, and no password creation. Instead, the system generates a random 16-digit account number. This number is the single piece of information required to log in and manage the service.

This approach eliminates a massive category of risk: the data breach. In traditional VPN models, if a provider's database is compromised, hackers walk away with a list of user emails and hashed passwords. With Mullvad, even a total database leak would yield nothing more than a list of random digits. The burden of security is shifted to the user to safeguard their account number, but the trade-off is a near-total removal of personal identity from the service provider's records.

To further decouple identity from the service, Mullvad offers a payment system that borders on the extreme. While it supports standard methods like credit cards and PayPal, it actively encourages the use of Monero (XMR) and Bitcoin. For those seeking absolute disconnection from the financial grid, Mullvad accepts physical cash sent via mail. A user can simply put their account number and a €5 note in an envelope and send it to Gothenburg, Sweden. Once the mail is processed, the time is added to the account, leaving no digital paper trail between the user's bank account and the VPN service.

Why the 5 Euro Flat Rate Model Disrupts the VPN Industry

The VPN industry is notorious for predatory pricing structures. Many providers lure users with "80% off" deals that require a three-year commitment, only to spike the price upon renewal. These long-term contracts are designed to lock users into a recurring revenue stream, often making it difficult to cancel.

Mullvad operates on a flat-rate pricing model: €5 per month. This price has remained unchanged since 2009. There are no weekly sales, no "Black Friday" specials, and no discounts for long-term loyalty. This transparency serves a critical privacy function. By refusing to offer subscriptions, Mullvad avoids storing the billing data required for recurring payments. In June 2022, the company took this a step further by removing the option for recurring subscriptions entirely. Every transaction is a one-time purchase, ensuring that the company holds the absolute minimum amount of information about its users' financial habits.

For a traveler or a remote worker needing a VPN for a single month, this €5 entry point is significantly cheaper than the "standard" monthly rates of competitors like NordVPN or ExpressVPN, which often exceed $12 for a single-month commitment.

Technical Architecture and the Shift to RAM-Only Infrastructure

Security in the VPN space is often a matter of trust, but Mullvad attempts to replace trust with verification through its "System Transparency" project. As of September 2023, Mullvad completed a total migration to RAM-only VPN infrastructure.

In a traditional server setup, data is written to a hard drive or SSD. If a government seizes the server, they could potentially extract logs or remnants of user activity from the disk. RAM-only servers solve this by running the entire operating system and all application data in the server's volatile memory. The moment the power is cut or the server is rebooted, every bit of information is instantly and permanently erased. There are no disks to seize because the servers operate without them.

WireGuard and Post-Quantum Security

Mullvad was one of the earliest adopters of WireGuard, a modern VPN protocol that uses state-of-the-art cryptography. Compared to the older OpenVPN protocol, which consists of hundreds of thousands of lines of code, WireGuard is lean, roughly 4,000 lines. This smaller "attack surface" makes it significantly easier for independent auditors to find and fix vulnerabilities.

In early 2025, Mullvad reached a new milestone by enabling quantum-resistant WireGuard tunnels by default across all platforms. As quantum computing advances, traditional encryption methods (like RSA and standard Elliptic Curve cryptography) become vulnerable. By implementing post-quantum secure key exchange, Mullvad is ensuring that traffic intercepted today cannot be decrypted by quantum computers in the future. This "harvest now, decrypt later" threat is a major concern for intelligence agencies, and Mullvad is one of the few consumer services taking proactive steps to mitigate it.

DAITA: Defense Against AI-Guided Traffic Analysis

Encryption hides the content of your traffic, but it does not hide the pattern. Sophisticated AI tools can analyze the timing and size of packets to "fingerprint" what a user is doing. For example, streaming a high-definition video creates a different traffic pattern than scrolling through a text-based forum.

Mullvad’s DAITA (Defense against AI-guided Traffic Analysis) is a sophisticated countermeasure. It works by normalizing packet sizes and injecting "chaff" or random network traffic into the tunnel. This makes the encrypted stream look like a uniform, undecipherable mass of data, preventing external observers from using AI to guess the nature of the user's activity. During our testing, we observed that while DAITA increases bandwidth overhead, the privacy benefits for users in highly monitored environments are unparalleled.

The 2023 Swedish Police Raid as Proof of Concept

Many VPNs claim to be "no-logs," but few have been tested in a real-world legal environment. On April 18, 2023, the National Operations Department of the Swedish police visited Mullvad’s head office in Gothenburg with a search warrant. They intended to seize computers they believed contained customer data related to a cyberattack in Germany.

The result of the raid was a landmark moment for the industry. Mullvad’s staff demonstrated to the officers that, due to their internal architecture and strict no-logs policy, the data the police were looking for simply did not exist. There were no logs to hand over because none were ever created. After consulting with a prosecutor, the police left without seizing any equipment.

This event served as the ultimate independent audit. It proved that Mullvad’s commitment to privacy was not just marketing copy but a functional reality of their technical design. If a service has nothing to give, it cannot be forced to cooperate with authorities in a way that compromises its users.

Is Mullvad Fast Enough for Daily Use?

Privacy tools often come with a performance penalty. However, Mullvad’s reliance on WireGuard and high-quality server providers (including many 10Gbps and 40Gbps nodes) results in excellent speeds.

In standardized testing, Mullvad consistently delivers average download speeds of approximately 390 Mbps on a gigabit connection. In our practical testing across European and North American servers, we found that latency remained low enough for competitive gaming, and there was no noticeable "throttling" during large file downloads.

The app provides granular control over server selection. Users can filter by:

  1. Ownership: Choose between servers owned by Mullvad or those rented from vetted providers.
  2. Location: Narrow down to specific cities or even specific data centers.
  3. Protocol: Toggle between WireGuard and OpenVPN (useful for bypassing certain restrictive firewalls).

The Streaming and Gaming Trade-off

Mullvad is a specialized tool, and like any specialized tool, it is not optimized for every task. Its greatest weakness is its inability to consistently unblock geo-restricted streaming content.

Mainstream providers like NordVPN or Surfshark spend significant resources playing a game of "cat and mouse" with streaming giants like Netflix, Hulu, and BBC iPlayer. They constantly cycle IP addresses to bypass blacklists. Mullvad does not prioritize this. While it may occasionally work with US Netflix, it is frequently blocked by most major streaming services. The company is transparent about this: they are a privacy company, not a media-access company.

Furthermore, Mullvad removed its "Port Forwarding" feature in July 2023. This was a blow to the torrenting community and users who host home servers, as port forwarding allows for better peer connectivity. Mullvad cited the use of the feature for illegal activities—which led to law enforcement pressure and the blacklisting of their IP addresses—as the reason for the removal. For users whose primary goal is high-efficiency seeding in bit-torrent swarms, this removal makes Mullvad a less attractive option than it was in previous years.

Navigating the Swedish Jurisdiction

Mullvad is based in Sweden, a country that is part of the "14 Eyes" intelligence-sharing alliance. Critics often argue that being based in a 14 Eyes country is a disqualifier for a privacy service. However, the reality of Swedish law is more nuanced.

Sweden does not have mandatory data retention laws that apply to VPN providers. Unlike Internet Service Providers (ISPs), VPNs in Sweden are not classified as public electronic communications networks in a way that requires them to store user metadata. This legal environment allows Mullvad to maintain its no-logs policy legally. As evidenced by the 2023 raid, even with a warrant, the authorities cannot seize what doesn't exist. For most users, the technical implementation of the no-logs policy is more important than the specific country of origin, provided that country does not have laws forcing the creation of logs.

Mullvad vs. The Giants: A Comparison

Feature Mullvad VPN NordVPN / Surfshark
Account Creation 16-digit random ID Email and Password
Pricing €5 Monthly (Flat) Varied (Discounted for 2+ years)
No-Logs Verification Real-world police raid & audits Independent audits only
Streaming Support Minimal / Inconsistent Excellent
Encryption Post-Quantum WireGuard Standard AES-256
Open Source Fully open-source apps Mostly proprietary
Extras None (VPN only) Password managers, Antivirus, etc.

For a user who wants an "all-in-one" security suite with the ability to watch the Japanese version of Netflix from London, Mullvad is the wrong choice. However, for a user who wants a lean, fast, and provably private tunnel that doesn't track their subscription history or require personal details, Mullvad has no equal.

Setting Up Mullvad Across Platforms

The Mullvad client is available for Windows, macOS, Linux, Android, and iOS. The Linux version is particularly noteworthy, as it offers a full Graphical User Interface (GUI) that is identical in functionality to its Windows counterpart—a rarity in a world where many VPNs offer only a command-line interface for Linux users.

Advanced Features for Power Users

  1. Multi-hop: This allows you to route your traffic through two different servers in two different countries. For example, your traffic could go from your home to a server in Switzerland, and then to a server in Iceland before hitting the open internet. This makes it exponentially harder for an observer to correlate the incoming and outgoing traffic.
  2. Split Tunneling: This is essential for users who want to protect their web browsing but keep their gaming traffic outside the VPN to avoid latency, or for apps that break when a VPN is detected.
  3. Shadowsocks Bridge: For users in highly restrictive countries like China or Iran, Mullvad supports Shadowsocks as a bridge protocol to obfuscate VPN traffic and bypass Deep Packet Inspection (DPI) firewalls.

Summary of the Privacy Value Proposition

Mullvad's success is rooted in its refusal to follow industry trends. It does not use "dark patterns" to trick users into subscriptions. It does not collect email addresses for marketing. It does not bloat its software with unnecessary features. By focusing exclusively on the mechanics of the VPN tunnel and the anonymity of the user, it provides a level of "peace of mind" that is increasingly rare.

The removal of port forwarding and the lack of streaming support are significant downsides for a general consumer. However, these are conscious choices made to protect the integrity of the network and the anonymity of the users. If your threat model involves avoiding ISP tracking, government surveillance, or data-hungry corporations, Mullvad is the benchmark against which all other privacy services are measured.

FAQ

Does Mullvad offer a free trial? No. Mullvad does not offer a free trial. However, it has a 30-day money-back guarantee (except for cash payments for obvious reasons).

Can I use Mullvad on my router? Yes. Mullvad provides configuration files for OpenVPN and WireGuard, allowing it to be installed on routers running firmware like DD-WRT, pfSense, or AsusMerlin. This protects every device on the network using a single connection.

How many devices can I connect simultaneously? One Mullvad account allows for up to 5 simultaneous connections.

Is Sweden safe for a VPN? Yes, despite being a 14 Eyes member, Swedish law currently does not require VPN providers to log user data, allowing Mullvad to maintain a strictly provable no-logs policy.

What is the "Ama-gi" logo? The "Ama-gi" symbol used in Mullvad's corporate identity is the oldest known Sumerian word for "freedom" or "liberty," literally translating to "returning to the mother," referring to the manumission of slaves.

Does Mullvad have a kill switch? Yes. Mullvad features a built-in "Lockdown Mode" which acts as a permanent kill switch, preventing any internet traffic from leaving the device unless the VPN tunnel is active.

How does Mullvad handle DNS? Mullvad runs its own private DNS servers and automatically protects users against DNS leaks. It also offers DNS-based blocking for ads, trackers, and malware.