Mullvad: Reminder that OpenVPN is being removed January 15th 2026 (mullvad.net)
from user224@lemmy.sdf.org to privacy@lemmy.ml on 19 Aug 00:00
https://lemmy.sdf.org/post/40693098

Not particularly pleased about the decision when OpenVPN is the most supported protocol.

Meanwhile their competitor IVPN even does IPsec.

#privacy

clb92@feddit.dk on 19 Aug 00:14

Well that’s annoying. When using it with Gluetun, I’m not sure I can even use WireGuard there.

LazerDickMcCheese@sh.itjust.works on 19 Aug 01:45

I used Mullvad wire gluetun for about a year without issues. I’m pretty sure it’s just a simple config difference

clb92@feddit.dk on 19 Aug 01:50

Maybe, but I’m using Gluetun’s API too (which is very badly documented), and it seems to me some of the endpoints only work for OpenVPN. But I’ll have to look into it properly.

LazerDickMcCheese@sh.itjust.works on 19 Aug 04:57

Ah, no idea about that then

aislopmukbang@sh.itjust.works on 19 Aug 02:24

sartalon@lemmy.world on 19 Aug 01:25

Why this change?

AmbitiousProcess@piefed.social on 19 Aug 01:44

Mullvad stated years ago that "WireGuard is the future" because it supports different cryptographic primitives that they prefer to what OpenVPN supports, it uses fewer lines of code, which makes implementations less prone to errors, and it has a different architecture that reduces the risk from certain kinds of cryptographic attacks.

At least, that's what they claimed back in 2017. It seems they still believe that WireGuard is better than OpenVPN now, but I don't know if they have any more reasoning beyond what they wrote about in 2017 as to why.

sartalon@lemmy.world on 19 Aug 02:09

Thank you for the reply!

fuckwit_mcbumcrumble@lemmy.dbzer0.com on 19 Aug 06:29

Can you run multiple WireGuard connections simultaneously? The reason I stick with OpenVPN is because my work uses WireGuard and I can run two connections at the same time.

AmbitiousProcess@piefed.social on 19 Aug 07:01

It would depend on whatever the client-side software you use to manage it supports.

You could theoretically have an implementation that sends packets across 1 VPN connection, 5 connections, or 1,000,000, just like how you can make a program that just sends a ping request to one web server, or make one that sends ping requests to 1,000. But if the VPN software your work uses doesn't support it, then you'd be out of luck.

It's probably more likely that any legacy software would support multiple connections with OpenVPN, but not necessarily WireGuard, since OpenVPN's just been around longer, but since WireGuard's codebase is much simpler, it could be something they've put a little time into implementing.

Though since I have no clue what your work uses, there's no way for me to know if it'd support multiple or not without you testing it yourself.

fuckwit_mcbumcrumble@lemmy.dbzer0.com on 19 Aug 08:03

My work uses Tailscale to get to work things, and I just want a VPN to get into my network at home. Maybe every once in a while connect to something like Mullvad. All 3 distinct programs that have virtually no idea about each other.

With OpenVPN just add as many taps as you need. With WireGuard it doesn’t want to play nicely with any other WireGuard VPNs running.

XenGi@feddit.org on 19 Aug 11:19

Yes.

refalo@programming.dev on 19 Aug 01:44

did you read the article?

refalo@programming.dev on 19 Aug 01:46

I assume this is because, in addition to the missing ciphers as referenced in the linked article, OpenVPN, even though it uses TLS, initially uses a very identifiable handshake before initiating TLS, which is not hard to block. I have personally had problems specifically with OpenVPN being targeted/blocked in this way.

user224@lemmy.sdf.org on 19 Aug 02:07

And I specifically had luck with OpenVPN TCP on port 443 on a network which DPI-blocked WireGuard.

deadcream@sopuli.xyz on 19 Aug 04:55

Yeah, OpenVPN is often used for business reasons (e.g. by remote workers), so it’s usually not blocked wholesale, only throttled (and known public VPN providers are blocked via blacklisting their endpoints’ IP addresses). WireGuard meanwhile is used much more rarely, so there is less fallout from blocking it completely.

aprehendedmerlin@lemmy.dbzer0.com on 19 Aug 10:38

WireGuard is not censorship- and DPI-resilient at all; it relies solely on UDP. They state on their official website that it’s not their priority at all.

refalo@programming.dev on 20 Aug 00:32

Yea, every network may do things differently… in my case tcp/443 OpenVPN is blocked at several places that I frequent.

HiddenLayer555@lemmy.ml on 19 Aug 03:22

But why disable it for the people who can use it? Unless there’s a security implication to the handshake?

deadcream@sopuli.xyz on 19 Aug 04:50

WireGuard is not difficult to block either; it’s not designed to be hidden. China, Russia, etc. have learned long ago how to detect and block it. The only semi-reliable way to bypass sophisticated VPN blocking techniques is to use protocols that mask as regular HTTPS traffic (and self-host it, since well-known public VPNs will of course be dealt with by simply blocking packets to their IP addresses).
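
The comments above say that OpenVPN opens with an identifiable handshake before any TLS and that WireGuard is not designed to be hidden. As an added example (not written by any commenter in this thread), the classifier below shows what a DPI box or a network monitor keys on in the first client payload of a flow. The byte layouts are assumptions taken from the public protocol descriptions (OpenVPN opcode/key_id byte and TCP length prefix, WireGuard fixed-size handshake messages); the function names and sample payloads are constructed for illustration.

```python
import struct

# OpenVPN control packets start with one byte: (opcode << 3) | key_id.
# Opcodes 7 and 10 are the client hard-reset (v2 / v3) that opens a session.
OVPN_CLIENT_RESET_OPCODES = {7, 10}
# WireGuard handshake messages: 1-byte type, 3 zero bytes, fixed total size.
WG_HANDSHAKE_SIZES = {1: 148, 2: 92, 3: 64}


def _is_openvpn_reset(body: bytes) -> bool:
    # opcode/key_id (1) + session id (8) + ack count (1) + packet id (4) = 14
    if len(body) < 14:
        return False
    return (body[0] >> 3) in OVPN_CLIENT_RESET_OPCODES and (body[0] & 0x07) == 0


def classify_first_payload(payload: bytes, transport: str) -> str:
    """Label the first client payload of a flow; transport is 'tcp' or 'udp'."""
    if transport == "tcp":
        # A real HTTPS flow opens with a TLS handshake record (0x16 0x03 ..)
        # carrying a ClientHello (handshake type 0x01 at offset 5).
        if (len(payload) >= 6 and payload[0] == 0x16
                and payload[1] == 0x03 and payload[5] == 0x01):
            return "tls"
        # OpenVPN over TCP frames each packet with a 2-byte big-endian length.
        if len(payload) >= 2:
            (length,) = struct.unpack("!H", payload[:2])
            body = payload[2:2 + length]
            if len(body) == length and _is_openvpn_reset(body):
                return "openvpn"
        return "unknown"
    if _is_openvpn_reset(payload):
        return "openvpn"
    if (len(payload) >= 4 and payload[1:4] == b"\x00\x00\x00"
            and WG_HANDSHAKE_SIZES.get(payload[0]) == len(payload)):
        return "wireguard"
    return "unknown"


# Constructed sample payloads (not captured traffic).
OVPN_UDP = bytes([7 << 3]) + bytes(range(8)) + b"\x00" + bytes(4)
OVPN_TCP_443 = struct.pack("!H", len(OVPN_UDP)) + OVPN_UDP
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)
TLS_HELLO = bytes.fromhex("16030100050100000100")
```

The OpenVPN-over-TCP sample is labelled `openvpn`, not `tls`, regardless of the destination port, which is why moving OpenVPN to tcp/443 only helps against filters that match on port or on UDP alone.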

warm@kbin.earth on 19 Aug 03:45

I find when using Mullvad a lot of sites are blocked vs other VPNs. Are all their IPs on a blacklist somewhere?

oneser@lemmy.zip on 19 Aug 06:29

I find frequently switching works well. It’s a bit of effort, but I have a small list of countries that work best with certain websites.

stupid_asshole69@hexbear.net on 19 Aug 18:18

Yes, that was the technique used by Interpol to get Mullvad to comply with a CSAM investigation. The terms were “give us user information or drop port forwarding unless you wanna remain on a global blacklist” and Mullvad chose to drop port forwarding.

warm@kbin.earth on 19 Aug 18:43

And remained on a blacklist anyway.

stupid_asshole69@hexbear.net on 20 Aug 01:52

Not in the slightest. Web accessibility using Mullvad before and since has tracked the ongoing trend of websites blocking VPN services, and almost all their endpoint IPs have rolled over since then.

In my own experience, sites that weren’t blocking Mullvad before and were blocking during the CSAM investigation aren’t blocking now. That’s because the blocking was mostly happening at the CDN level.

They didn’t remain on the blocklist, but the web is becoming hostile to VPN IPs. One way around this is by using a web proxy defined in your browser’s settings.

aprehendedmerlin@lemmy.dbzer0.com on 19 Aug 03:53

First port-forward and now this. I mean, I get it, but being versatile is more important in a VPN for me, so no more Mullvad for me. I’ll be moving to either Windscribe or AirVPN.

Hexadecimalkink@lemmy.ml on 19 Aug 06:06

Hide.me is decent. Last I read, Azire is solid too.

aprehendedmerlin@lemmy.dbzer0.com on 19 Aug 10:34

Windscribe goes on sale a few times in the year. You can get it for 29$ a year, which is a great price, and for 20$ more you have static IP and permanent port-forwarding. It’s a great deal for a trustworthy and feature-rich VPN in my opinion.

LazerDickMcCheese@sh.itjust.works on 19 Aug 06:16

I switched to Air, it’s the slowest VPN I’ve ever used and I’m considering switching back once my subscription is up.

aprehendedmerlin@lemmy.dbzer0.com on 19 Aug 06:30

Is that so. I also think that Windscribe is better.

mnemonicmonkeys@sh.itjust.works on 19 Aug 23:45

Can second AirVPN being slow as shit

LazerDickMcCheese@sh.itjust.works on 20 Aug 03:05

Good to hear I’m not alone

dastanktal@hexbear.net on 19 Aug 06:32

AirVPN is also really good. Plus they have static port forwarding. And very easy flipping of OpenVPN to WireGuard.

Telorand@reddthat.com on 19 Aug 07:18

Only downside is it’s based in Italy, the government of which has been somewhat hostile to privacy as of late. Still, AirVPN itself has been a longtime supporter of privacy and projects like Tor.

newcool1230@lemmy.ml on 20 Aug 09:34

Anyone know alternative VPNs that also include HTTP or SOCKS proxies?