'No Major Vulnerabilities' — Mullvad’s WireGuard Implementation Gets Thumbs up From Independent Security Audit
Why It Matters
The clean audit validates Mullvad’s security posture and boosts user confidence, while the Rust rewrite showcases tangible performance and stability gains for VPN providers.
Key Takeaways
- GotaTun passed the audit with no major vulnerabilities.
- Two low‑severity issues were fixed before the audit was completed.
- The Rust rewrite cut the Android crash rate from 0.4% to 0.01%.
- The audit excluded the CLI and DAITA code from review.
- Maintenance by a small team raises long‑term maintainability concerns.
Pulse Analysis
Mullvad’s decision to replace its Go‑based WireGuard client with a Rust implementation reflects a broader industry shift toward memory‑safe languages. Rust’s ownership model eliminates many classes of bugs that traditionally plagued VPN software, resulting in measurable improvements: users report faster connection times, reduced latency, and notably longer battery life on mobile devices. By rebuilding the core tunneling engine as GotaTun, Mullvad also addressed a persistent stability problem, slashing Android crash rates from 0.4% to a mere 0.01%, which translates into a smoother experience for millions of privacy‑conscious users.
The recent audit by Gothenburg‑based Assured Security Consultants focused on GotaTun’s codebase, excluding only the command‑line interface and specific DAITA modules. Reviewers found the implementation to be functionally sound, with no critical vulnerabilities. Two minor flaws—a padding error and a predictable random number generator—were identified but already remediated before the audit’s final report. The auditors also highlighted lingering TODO comments about checksum validation, suggesting documentation improvements. Overall, the clean bill of health underscores that a well‑engineered Rust client can meet the rigorous security expectations of modern VPN services.
Independent verification carries weight in the privacy‑VPN market, where trust is paramount. Mullvad’s transparent disclosure of the audit results and swift patching of the identified issues signal a proactive security culture that can differentiate it from competitors. At the same time, the audit’s limited scope and the fact that much of the code is maintained by a small team raise questions about long‑term maintainability, emphasizing the need for broader community involvement or larger development resources. As more providers consider Rust for cryptographic workloads, Mullvad’s experience offers a practical case study in balancing rapid innovation with rigorous security oversight.