This is outstanding security research that belongs in every privacy-conscious developer’s reading list. The author demonstrates how Mullvad VPN’s multi-exit-IP feature - designed to improve privacy by distributing users across IPs - actually creates a fingerprinting vector through deterministic assignment.
The Core Discovery
The researcher discovered that Mullvad assigns exit IPs based on your WireGuard public key using what appears to be a seeded RNG. The critical insight: when you connect to multiple servers, each assigns an IP at the same percentile within its pool. This reduces millions of theoretical combinations down to just 284 observable patterns.
Technical Brilliance
The analysis of Rust’s random_range() behavior is particularly elegant. Most developers don’t realize that changing bounds doesn’t re-seed the RNG - it simply scales the same underlying float. This likely unintentional behavior creates the fingerprinting vector.
The math is straightforward but devastating: with just 9 servers, the researcher can narrow down users to 0.34% of the user base (340 out of 100,000 users), or >99% accuracy for correlation attacks.
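As an added illustration of the mechanism described above (not code from the original research, Mullvad, or the rand crate), the Rust model below derives one random value from a public key, scales that same value into several pool sizes, and counts how many distinct patterns survive; the FNV-1a seed derivation, the pool sizes, and the widening-multiply range reduction are assumptions.

```rust
// Model of the assignment scheme discussed above (assumptions, not Mullvad's
// or the rand crate's actual code): the seed comes once from the public key,
// and every server scales the SAME value into its own pool size, so the
// chosen index always lands at the same percentile of each pool.
use std::collections::HashSet;

/// Deterministic 32-bit value from a public key (FNV-1a 64, folded; assumed).
pub fn seed_from_pubkey(pubkey: &[u8]) -> u32 {
    let mut h: u64 = 0xcbf29ce484222325;
    for &b in pubkey {
        h ^= b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    (h >> 32) as u32
}

/// Reduce one random value into `0..pool_size` by scaling it, not by redrawing.
pub fn assign_index(seed: u32, pool_size: u32) -> u32 {
    ((seed as u64 * pool_size as u64) >> 32) as u32
}

/// The observable pattern: the index chosen on each server in `pools`.
pub fn pattern(seed: u32, pools: &[u32]) -> Vec<u32> {
    pools.iter().map(|&n| assign_index(seed, n)).collect()
}

/// Count distinct patterns over all 2^32 seeds without enumerating them: the
/// index for pool n only changes at ceil(k * 2^32 / n), and indices never
/// decrease as the seed grows, so probing 0 and every breakpoint is exact.
pub fn distinct_patterns(pools: &[u32]) -> usize {
    let mut probes: Vec<u32> = vec![0];
    for &n in pools {
        for k in 1..n {
            let (num, den) = ((k as u64) << 32, n as u64);
            probes.push(((num + den - 1) / den) as u32); // ceil(num / den)
        }
    }
    probes.iter().map(|&x| pattern(x, pools)).collect::<HashSet<_>>().len()
}

fn main() {
    let pools = [10, 12, 15]; // constructed pool sizes for three servers
    let seed = seed_from_pubkey(b"constructed-example-pubkey");
    for &n in &pools {
        let i = assign_index(seed, n);
        println!("pool {n:>2}: index {i:>2} ({:.2} of pool)", i as f64 / n as f64);
    }
    let naive: u64 = pools.iter().map(|&n| n as u64).product();
    println!("naive combinations {naive}, observable patterns {}", distinct_patterns(&pools));
}
```

With pools of 10, 12 and 15 the 1,800 naive combinations collapse to 28 observable patterns, the same kind of collapse the research reports at Mullvad's scale.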
Automation/Security Implications
For automation engineers and DevOps professionals using VPNs for:
- Web scraping operations
- API testing from different geolocations
- Privacy-focused CI/CD pipelines
- Automated security testing
This research reveals you may be creating persistent fingerprints across your “anonymous” sessions without realizing it.
Practical Value
The included seed estimator tool lets you immediately test your own fingerprint. The mitigation advice is actionable:
- Avoid server-hopping within a single pubkey rotation period
- Manually rotate keys by logging out
Why This Matters
This exemplifies the gap between intended and actual privacy properties in production systems. Even well-regarded privacy tools can have subtle implementation details that undermine their security model. For automation professionals, it’s a reminder that anonymity in distributed systems requires understanding the full stack - not just trusting the marketing claims.
The research quality, reproducibility, and practical implications make this essential reading for anyone building privacy-conscious automated systems.