'No major vulnerabilities' — Mullvad’s WireGuard implementation gets thumbs up from independent security audit


  • New audit found no significant vulnerabilities in Mullvad's GotaTun
  • Minor identified issues are already fixed, says Mullvad
  • GotaTun replaced the old WireGuard implementation in December

Mullvad VPN's WireGuard implementation, GotaTun, has received the green light in a security audit by independent auditors, who reported no significant vulnerabilities.

Written in the Rust programming language, GotaTun is a user-space implementation of the WireGuard network tunneling protocol that Mullvad introduced as an open-source replacement for its previous Go-based implementation.

Implemented in December, shortly before Mullvad’s complete retirement of the OpenVPN protocol, it has so far brought faster performance, longer battery life on mobile devices, and significantly fewer app crashes, making the app much more stable overall.


But even the best VPNs cannot simply claim that their new code is free of security flaws; a third-party auditor is needed to verify that the code is indeed up to par.

What the audit found — and what it didn’t

Between January 19 and February 15, Gothenburg-based Assured Security Consultants conducted a brief review of GotaTun's code to test its entire configuration, with the exception of the command line interface and specific DAITA code.

The code got the all clear, reassuring Mullvad’s users that the VPN has accurately and securely implemented the WireGuard protocol in their native programming language.

"Based on our code review, GotaTun has no major vulnerabilities," auditors conclude in their report.

This will be happily received by users who had previously experienced crashes from the earlier non-Rust implementation, who can now rest assured that the new, sleeker user experience is accompanied by continued levels of security.

"Our WireGuard implementation, GotaTun, was recently audited by Assured Security Consultants. Two identified low severity issues were fixed prior to the completion of the audit. No major vulnerabilities were found. Read more here: https://t.co/ouHlGhr8Jg" (March 6, 2026)

Indeed, Mullvad had previously reported that 85% of all crashes logged on its Android app were directly related to conflicts between Mullvad's Rust code and WireGuard's Go implementation.

It was then that the privacy VPN team rewrote the WireGuard implementation in Rust to fit their stack: GotaTun, or “the future of WireGuard,” as Mullvad called it, whose implementation virtually eliminated these issues, with a crash rate on Android dropping from 0.4% to around 0.01%.

The audit further confirmed that both Mullvad and its users have reason to celebrate and fears of crashes are now unfounded: the code is fit for purpose.

Minor flaws found

However, it is important to note that the audit results were not flawless. Two minor issues were identified and reported for correction, where Mullvad's Rust implementation did not perfectly follow the official WireGuard protocol.

A padding error indicated that the format of the numerical data sent by the Rust implementation was not consistent with the protocol specifications.

A second issue also highlighted that, while the WireGuard protocol requires the assignment of a random number, Mullvad did not use a completely random method, but a more predictable method to generate the number.

The audit also pointed out that the Rust WireGuard code still contains three comments saying "TODO: validate checksums," with the last instance having a question mark at the end. These should be replaced with comments explaining why checksums are not necessary, the auditors said.

Finally, some parts of the code are mainly maintained by very small teams, consisting of one or two people. While this does not currently pose any security risks, it does raise some long-term concerns in terms of quality and maintenance, as statistically larger teams tend to find more bugs and reduce potential code flaws in the future, the auditors said.

Mullvad stated that most of these recommendations had been fixed before the publication of the results, a claim that will likely be verified in their next audit.

However, for existing and potential Mullvad users, these current results reinforce Mullvad's status as a VPN that prioritises user privacy and anonymity, continuing to improve its core principles through meaningful third-party evaluations.

And it seems that, for now, no app crash will prevent it from achieving its goal.




Silvia Iacovcich is a tech journalist with over five years of experience in the field, including AI, cybersecurity, and fintech. She has written for various publications focusing on the evolving regulatory landscape of AI, digital behavior, web3, and blockchain, as well as social media privacy and security regulations.
