What’s new in this version:
Mullvad VPN 2025.11
– Change log not available for this version
Mullvad VPN 2025.10
Added:
– Add helpful warnings when clearing account history. This helps users not lose their account numbers
Windows:
– Add additional logging for tunnel devices and split tunneling to problem reports
– Log WFP sessions when transaction lock timeout occurs
Changed:
– Move placement of login button from inside the account number input to under account number
Windows:
– Implement UDP GSO for QUIC on client socket. This improves download speeds slightly.
Fixed:
– Fix version being labeled unsupported unexpectedly. So far, this only an issue when using development builds.
– QUIC obfuscation only using one in-address when connecting. It will now randomly select one of the available in-addresses for each connection attempt.
– quinn_udp crate flooding mullvad-daemon.log with warnings.
Security:
Windows:
– Block traffic to exit node from non-Mullvad processes. This fixes a leak where traffic could be encrypted once, but leave the entry node unencrypted, if and only if the destination were the exit node. E.g., this might occur if a browser tries to open a TCP connection to the exit node IP.
Mullvad VPN 2025.9
Added:
– Add QUIC obfuscation (WireGuard only). It will be used automatically when connecting fails with other methods.
Fixed:
macOS:
– Add support for parsing eslogger output version 10. This fixes split tunneling on macOS 26.
– Avoid interpreting negative numbers from eslogger as PIDs
Mullvad VPN 2025.8
Added:
– Add in-app updates to Windows and macOS. This new feature lets you download, verify, and install
– new versions from within the app.
Windows:
– Add a button to start the Mullvad VPN system service if it’s unavailable at launch
Changed:
Windows:
– Make firewall rules applied while upgrading the app not persist on reboot, unless “Lockdown mode”
– or “Auto-connect along with “Launch app on start-up” is enabled. This serves as a safety fallback
– if the update fails and the user is left with blocking firewall rules and no app.
Fixed:
Security:
– Prevent unprivileged users from impersonating the gRPC server. This was relatively harmless
– previously but is required due to in-app updates.
Windows:
– Enable control flow integrity checks (CFG) for some C++ code. This excludes wintun,
– wireguard-nt, and OpenVPN. This addresses MLLVD-CR-24-101 to the extent that we found
– it valuable.
Mullvad VPN 2025.7
Added:
– Add notification that shows when the user is connected to WireGuard with a port that is not
supported
Changed:
– Replace Classic McEliece with HQC as one of the post-quantum safe key exchange
mechanisms used for the quantum-resistant tunnels. The main benefits here are that HQC
uses a lot less CPU to compute the keypair, and the public key sent to the server
is drastically smaller.
Fixed:
– Automatically connect when IP version becomes available
Windows:
– Fix issue where daemon got stuck trying to connect only over IPv4 (or only IPv6)
Mullvad VPN 2025.6
Added:
– Add a notification for notifying users about the sunsetting of OpenVPN
Changed:
Windows:
– Rename win-shortcuts native module to windows-utils
Removed:
– Remove “Automatic” option for tunnel protocol. The default is now WireGuard
Fixed:
– Fix mullvad-cli panicking if it tried to write to a closed pipe on Linux and macOS
– Fix bug where new users are not forwarded to the main view after payment
– Will no longer try to connect over IPv4 if IPv4 is not available
Windows:
– Fix error setting up tunnel when MTU was incorrectly set to a value below 1280 for IPv6
– Fix node native module being unpacked to a temporary folder
– Fix BSOD caused by routing loop in wireguard-nt
Mullvad VPN 2025.5
Added:
Windows:
– Add support for DAITA V2
– Add back wireguard-go (userspace WireGuard) support
Removed:
– Stop bundling /mullvad/apisocks5 as a standalone binary
Fixed:
macOS:
– Fix daemon ending up in blocked state if the user toggled split tunneling without having granted
– Full Disk Access to mullvad-daemon. This could only ever be accomplished from the CLI
– Fix routing issue caused by upgrading tun
Removed:
– Remove Google’s resolvers from encrypted DNS proxy
Mullvad VPN 2025.4
– Fix GUI crashing at launch on some systems
Mullvad VPN 2025.3
Added:
– Add support for Windows ARM64
Changed:
– Move changelog from a dialog to a separate view
– Reduce the setup time of PQ tunnels by pre-computing McEliece keys
– Change order of items in settings view to show DAITA and multihop at the top
– Update Electron from 30.0.4 to 33.4.0
Fixed:
– Add the correct route when using obfuscation with Wireguard
Mullvad VPN 2025.2
– Fix crash when Wireguard tunnel setup timed out
Mullvad VPN 2025.1
Added:
– Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via proxies. The access method is enabled by default.
Changed:
– Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
– ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels
– Make Smart Routing override multihop if both are enabled. To manually set the entry relay, explicitly enable the “Direct only” option in the DAITA settings.
– Update maybenot from 1.1.3 to 2.0.1
Fixed:
– Handle network switching better when using WG over Shadowsocks
– Fix multihop entry location list sometimes being shown when multihop is disabled
Security:
– Block WSL/Hyper-V traffic in secured states (except the connected state). The normal firewall
– (WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or connecting state, or while lockdown mode was active