Updated to include Mullvad onion site. This review was originally published April 5, 2018.
Many internet connections still aren't secure, but a VPN service will make them so, encrypting all data traffic between your computer or mobile device and a far-off server. That way, your ISP, the government, the hotel you're staying in or your nosy neighbor can't snoop on your internet activity. A VPN also comes in handy when trying to watch foreign video streams blocked in your location.
Mullvad is a VPN service with decent geographic reach, and is very easy to set up and use. However, it was slow to connect and download data in our tests. Based in Sweden (where "mullvad" means "mole"), the service theoretically isn't subject to U.S. security snooping, and the company says it doesn't maintain logs of user activity.
You don't ever need to give Mullvad any name or email address.
Mullvad stresses user privacy. Unlike most paid VPN services, you don't need to enter a password to use Mullvad. Instead, you log in with a randomly generated account number. More to the point, you don't ever need to give Mullvad any name or email address, and you can pay for the service anonymously, including with cash. There's even an onion address — http://xcln5hkbriyklr6n.onion/ — so that Tor users can get a Mullvad account and download the software without any third party noticing.
With VPN servers in nearly 30 countries, Mullvad is close to our top choice for VPN services, Private Internet Access (PIA), in geographic reach. (Neither comes close to the 140-odd countries that PureVPN claims to serve.) But with about 170 servers available, Mullvad has only a fraction of the thousands of servers that PIA or NordVPN offer.
Mullvad lets you connect to servers ranging from Oceania to Europe, with lots of places in between. Unfortunately, the service's awkward PC interface, slow network response and lack of settings options get in the way.
Costs and What's Covered
A Mullvad subscription costs 5 euros (about $6) per month. You can pay for up to a year at once, but there's no discount for doing so, nor is there a lifetime subscription option. That makes Mullvad nearly twice as expensive as PIA, if you pay yearly.
You can mail the company cold, hard cash in any currency.
You can pay for a Mullvad subscription with a traditional credit card, with PayPal, via a bank wire transfer or by using the Swedish mobile-phone payment system Swish. For more privacy, you can pay in bitcoin, bitcoin cash or real cash.
That's right: You can mail the company cold, hard cash in "any currency," along with the account number you generated on the Mullvad website. Bitcoin customers get a 10 percent discount "due to lower fees and less administration."
Unlike some competitors, Mullvad doesn't offer a free trial or have a free service tier, but you get 3 hours of free service after generating an account number on the website. (You need the account number to pay.) There is a 30-day money-back guarantee, although it doesn't apply to cash customers.
Each Mullvad account supports up to five VPN sessions at once, which is pretty standard among VPN services. One service, Windscribe, lets you run an unlimited number of simultaneous sessions.
Mullvad offers its own client software for Windows (Windows 7 or newer), Mac (OS X 10.7 Lion or newer) and Debian-based Linux (including Ubuntu 16.04 or newer).
The company also provides a source-code tarball for other flavors of Linux, with command-line installation instructions for Mint, Elementary and Fedora 25 through 27. Alternatively, you can run a generic OpenVPN client (compatibility with OpenVPN version 2.4 or later is recommended) on any desktop OS.
The bad news: If you want to use the Mullvad service for securing your smartphone or tablet's data traffic, you've got no choice but to use generic OpenVPN mobile apps. Mullvad doesn't provide its own apps and recommends OpenVPN for Android and OpenVPN Connect for iOS. (Many other OpenVPN clients are available for both platforms.)
To connect mobile apps to Mullvad's servers, you'll have to run a Mullvad-supplied script. More on that later.
It takes some extra effort to use Mullvad.
Like other technically complex VPN services, Mullvad provides detailed instructions on setting up its VPN service on home Wi-Fi routers flashed with the DD-WRT, OpenWRT, pfSense, Tomato or Asus MerlinWRT open-source firmware. That will let you encrypt internet traffic for all devices on your home network, including smart TVs and other Internet of Things gadgets.
There are no Mullvad browser extensions, which may rob users of some convenience but also doesn't lull them into a false sense of enhanced privacy. The truth is that VPN browser extensions encrypt only a single browser's traffic and not that of other internet-facing applications, including other web browsers. Mullvad does not offer ad blocking.
Below the surface, Mullvad uses the OpenVPN protocol and lacks support for the (weaker) L2TP/IPSec and PPTP protocols. It does offer a SOCKS5 proxy service for customers (such as connoisseurs of foreign TV) who want to simply disguise their geographic locations, not encrypt their internet traffic.
However, if you're using a Linux machine or an open-source router, Mullvad suggests that you help it test the new open-source WireGuard VPN protocol, which is still being developed. As of this writing in early March 2018, Mullvad has 15 WireGuard servers running in 11 countries.
Currently, Mullvad operates 182 servers in 58 cities and 29 (mostly highly developed) countries across the globe. That's far less than PIA's nearly 3,200 servers worldwide, but Mullvad says it owns its servers rather than renting them. Like most VPN services, Mullvad lacks servers in Russia and China.
Features and Interface
Because Mullvad's desktop software has an old-school PC interface, and you'll need third-party apps for iPhones, iPads and Android devices, it takes some extra effort to use Mullvad.
The Windows Mullvad client software uses a traditional two-tabbed interface in gray and white. It's functional, but it can be confusing, and is slow to accept settings changes. The Status screen shows whether and where you're connected. You can also see details such as the actual IP address, port or protocol used.
To change anything, tap on the Settings tab. You can change your account number, pick your port and eliminate DNS leakage. There's a pull-down menu of Mullvad's connection points, as well as an option to automatically connect upon system startup and enable the kill switch.
Compared with the likes of PIA, however, Mullvad's customization options are paltry. There's no place to check on or customize the encryption protocols.
Clicking on Mullvad's mole mascot/icon lets you access all of the company's apps. Unlike TunnelBear's rather intrusive grizzly-bear mascot, Mullvad's mole keeps quiet.
There is a more visual user interface on the way, which gives an indication of what Mullvad may improve in the future. It's still under development and will arrive on Macs first, but a working beta could be available by the spring of 2018.
Using your iPhone, iPad or Android device with Mullvad can be difficult, but Mullvad supplies good instructions on how to set up a secure VPN connection on a phone or tablet. (More on that in the Setup and Customer Support section below.)
A padlock icon in the Android or iOS notification row indicates whether the Mullvad VPN is inactive (red and open) or active and secure (green with a closed shackle). You can pull down a nicely designed map for the full list of global connection points.
Privacy and Security
Mullvad connections are protected by AES-256 encryption, while clients are authenticated using RSA-4096 encryption and use a SHA-384 handshake. OpenVPN connections are rekeyed every hour and the company operates its own key exchange infrastructure. None of these details is customizable, as they would be with PIA, but overall, Mullvad's security is very good.
The Mullvad VPN service takes anonymity a step further than PIA's randomized user name and password. All you get is a random 16-digit number that serves as your online identity for connecting with Mullvad's VPN servers. There's no password needed — you only need to pay your VPN bills.
Like most VPN services, Mullvad is adamant that it doesn't log user activity. Not all services are honest about that, but given the lengths to which Mullvad will go to help you maintain your identity, you might be inclined to believe it.
Mullvad is owned and operated by a company named Amagicom AB, which has its headquarters in Gothenburg, Sweden. In theory, that puts it out of the reach of U.S. government warrants. Mullvad also skirts EU logging requirements because it isn't an ISP. But although Sweden is not part of NATO, its security agencies have historically been happy to cooperate with their counterparts in other Western countries.
Many VPN services obscure their ownership structure, and some hide behind shell companies based in tax havens. That may sound thrillingly clandestine, but it also means that for all you know, the NSA might be operating your VPN service.
Mullvad isn't one of those. Amagicom's corporate officers aren't listed on the Mullvad website, but the company's street address is. A little Googling reveals that Amagicom's CEO is named Jan Jonsson, and he and other company officers are on LinkedIn.
A well-known resource for VPN privacy freaks is That One Privacy Site. Its pseudonymous author (That One Privacy Guy, of course) loves Mullvad. Mullvad doesn't do affiliate marketing, so even if you buy a Mullvad subscription though Tom's Guide, we won't get a dime.
During my testing of Mullvad, both at home and on the road, I found it to be an unexceptional performer compared with the six other VPN services I tested at the same time: CyberGhost, Hotspot Shield, Private Internet Access, TunnelBear, VPN Unlimited and Windscribe.
Mullvad lagged behind other services in important performance measures.
Over the course of more than a month using Mullvad in the New York City area, the Netherlands, the Frankfurt airport and Baku, Azerbaijan, it lagged behind other services in important performance measures. However, it always did a good job of playing music and video files on a phone and an iPad, regardless of where I was.
Like most VPN services, Mullvad had no local connection server in Azerbaijan. I failed to connect with either of Mullvad's servers in Romania, but managed to get a strong VPN link to one of its dozens of Swedish servers 2,500 miles away.
Unfortunately, whenever I switched cities and wanted to use my smartphone or iPad, I needed to download and run a new OpenVPN connection script. This really became a chore as I started heading home.
Although some Mullvad connections were lightning-fast, Mullvad's VPN infrastructure had one of the slower average connection times at 17.6 seconds. It couldn't compare with PIA's average of 3.3 seconds. Only Windscribe, at 21.3 seconds, and VPN Unlimited, at 36.5 seconds, did worse.
Mullvad's average network latency, or the time it took for a single data packet to get from one endpoint to the other, was one of the worst at 111.7 milliseconds. That's an increase of 801 percent from the pretest baseline, and means a lot of waiting between online requests. Again, only VPN Unlimited was slower, jumping 815 percent from its baseline.
When it came to delivering data, Mullvad fell far behind the best, with average download and upload speeds of 13.2 megabits per second (Mbps) and 13.4 Mbps, respectively. These are declines of 80 and 35 percent, respectively, from the baseline measurements, putting Mullvad in last place out of seven for download speeds, and in fifth place for upload speeds. By contrast, PIA declined only 7 percent in each measure.
Mullvad was also the slowest in completing the download of a 780MB video file, with an average speed of only 1.04Mbps, a drop of 67 percent from the baseline.
I was able to maintain a Mullvad connection for three devices simultaneously over the course of 12 hours. In all my testing, Mullvad needed to be reconnected three times, which is not unusual for a VPN service.
Setup and Customer Support
Among the seven VPNs I recently reviewed, Mullvad was the easiest to get started with, at least on a desktop. After getting the 16-digit account number from the website, all I had to do was download and install the 12.5MB client application, and pay for the service. The hardest part was typing in the long account number. Within a minute, I was online, with a secured connection.
As you might expect, the setup process wasn't so easy on mobile devices. After installing the third party-apps (OpenVPN for Android and Open VPN Connect for iOS), I first had to make a few technical configuration changes to my iPad. (Most Android devices won't need such changes.)
Then I had to download and run a connection script from Mullvad's website. It's easy to get the script, but the key to making it work on iOS was to use the letter "M" as the password for the otherwise password-free service. The script works for both platforms.
On the downside, I had use a different script for each location. I traveled to four cities over nine days, and can attest that rerunning the setup process can be time-consuming, frustrating and confusing.
Should something go wrong, Mullvad has lots of resources for support, including setup guides for all platforms and extensive FAQs. You can email the company with a question at any time.
It may not be the fastest, cheapest or most reliable VPN service available, but Mullvad is quick and easy to get started with — and it may be one of the most private VPN services as well. You don't need to use a name or email address at all, the service offers a wide variety of payment options and Sweden is (in theory) far from the long arm of the American authorities.
However, Mullvad is among the most expensive of VPN services. Furthermore, while its network is far-reaching, it's very slow, and it can't offer the number of servers that other services can. Mullvad's antediluvian interface can also slow you down, and there isn't much you can adjust in the way of encryption settings.
Still, it offers the peace of mind that only a highly private VPN service can. Yet Private Internet Access offers almost as much privacy with lower costs and faster speeds.
Client software platforms: Windows, Mac, Linux
Supported protocols: OpenVPN, WireGuard
Number of servers: 168
Number of countries: 27
Country of registration: Sweden
Payment options: Credit card, PayPal, bitcoin, Swish, wire transfers, cash
Real name necessary? No
Encryption protocol: AES-256
Data usage: Unlimited
Bandwidth usage: Unlimited
Maximum number of simultaneously connected devices: Five
Customer support: Email
Credit: Tom's Guide