Mullvad VPN: We tasked the Netherlands based security firm Radically Open Security (RoS) with performing the third audit towards our VPN infrastructure.

We asked them to focus solely on VPN servers that run from RAM, one OpenVPN and one WireGuard server.

We invite you to read the final report of our third security audit, concluded in mid-June 2023, with many fixes deployed late June 2023. Further re-tests and a verification pass was performed during July.

RoS discovered a number of new findings, and we would like to thank them for their thorough and detailed report. They stated , amongst other things that: that whilst they found some issues, that: “The Mullvad VPN relays which were the subject of this test showed a mature architecture…” and “During the test we found no logging of user activity data…”

We gave RoS full SSH access to two (2) VPN servers that were running from RAM, using our latest slimmed down Linux kernel (6.3.2) and customised Ubuntu 22.04 LTS based OS. These servers were deployed as though they were to be production customer-facing servers, however these servers have never been utilised as such.

  • skankhunt42
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Yeah, It’s just worded weird to me. They set up some ram only VMs for the RoS to ssh into so they’re not in prod. Plus “asked them to focus solely on VPN servers that run from RAM”

    To me, the way this is worded, suggest that they have VPN servers that do not run from ram. I know I can ask support but I’m not going to bother. Just curious what other people here thought.