2023.3

Added

• Add Kyber1024 KEM algorithm into the Post-Quantum secure key exchange algorithm. This means the
  Quantum-resistant-tunnels feature now mixes both Classic McEliece and Kyber for added protection.
• Add notification dot to tray icon and system notification throttling.
• Add troubleshooting information to some in-app notifications.
• Add setting for quantum resistant tunnels to the desktop GUI.
• Enable TCP_NODELAY for the socket used by WireGuard over TCP. Improves latency and performance.

Changed

• Update the Post-Quantum secure key exchange gRPC client to use the stabilized
  PskExchangeV1 endpoint
• Add "auto" setting for the quantum-resistant tunnel feature, and make it the default. If it was
  previously set to off, it will now be set to auto instead. That currently means the same thing as
  "off", but this might change in the future.
• Update OpenVPN to 2.6.0 from 2.5.3.
• Update OpenSSL to 1.1.1t from 1.1.1j.
• Post-Quantum secure tunnels and multihop can now be used at the same time.
• Change WireGuard key rotation interval to 14 days. It was 7 days.

Windows

• Remove automatic fallback to wireguard-go. This is done as a first step before fully
  deprecating it on Windows.

Removed

• Remove port 443 as valid port for WireGuard over TCP. Keep only port 80 and 5001. The reason is
  to free up port 443 for other TCP based obfuscation later.

Fixed

• Fix close to expiry notification not showing unless app is opened once within the last three days
  in the desktop app.
• Retry if PQ PSK negotiation fails for any reason.
• Fix accumulated tunnel state notifications sometimes displayed after suspend.

2023.3-beta1

Added

• Add Kyber1024 KEM algorithm into the Post-Quantum secure key exchange algorithm. This means the
  Quantum-resistant-tunnels feature now mixes both Classic McEliece and Kyber for added protection.
• Add notification dot to tray icon and system notification throttling.
• Add troubleshooting information to some in-app notifications.
• Add setting for quantum resistant tunnels to the desktop GUI.
• Enable TCP_NODELAY for the socket used by WireGuard over TCP. Improves latency and performance.

Changed

• Update the Post-Quantum secure key exchange gRPC client to use the stabilized
  PskExchangeV1 endpoint
• Add "auto" setting for the quantum-resistant tunnel feature, and make it the default. If it was
  previously set to off, it will now be set to auto instead. That currently means the same thing as
  "off", but this might change in the future.
• Update OpenVPN to 2.6.0 from 2.5.3.
• Update OpenSSL to 1.1.1t from 1.1.1j.
• Post-Quantum secure tunnels and multihop can now be used at the same time.

Windows

• Remove automatic fallback to wireguard-go. This is done as a first step before fully
  deprecating it on Windows.

Removed

• Remove port 443 as valid port for WireGuard over TCP. Keep only port 80 and 5001. The reason is
  to free up port 443 for other TCP based obfuscation later.

Fixed

• Fix close to expiry notification not showing unless app is opened once within the last three days
  in the desktop app.
• Retry if PQ PSK negotiation fails for any reason.
• Fix accumulated tunnel state notifications sometimes displayed after suspend.

2023.2

This release is for desktop only.

Fixed

Windows

• Fix desktop app not quitting properly after switching from unpinned to pinned window.
• Fix service not starting when LSA protection is enabled (which is the default on Windows 11 22H2).
• Fix some issues with setting system DNS by using SetInterfaceDnsSettings when it's available (on
  Windows 10, version 1809 and above).

2023.1

This release is for desktop only.

Here is a list of all changes since last stable release 2022.5.

Added

• Add quit button to tray context menu on Linux and Window.
• Add search bar to location list in desktop app.

Windows

• Remove all settings when the app is uninstalled silently.

Changed

• Update Electron from 19.0.13 to 21.1.1.

Fixed

• When a country is selected, and the constraints only match relays that are not included on the
  country level, select those relays anyway.
• Fix regression where WireGuard relays were connected to over OpenVPN after a couple of failed
  attempts, when the tunnel type was set to any.
• Fix missing connect timeout when connecting to a WireGuard relay over TCP.
• Fix failure to apply firewall rules that could occur when connecting timed out.
• Fix sorting of devices in the "too many devices"-view to properly sort on device creation time.

Windows

• Don't fail to show the mullvad-daemon help text if some of the default paths cannot be obtained.

macOS

• Fix fish shell completions when installed via Homebrew on Apple Silicon Macs.
• Improved reliability of the connectivity check workaround by adding an extra captive portal check
  domain.
• Show "Mullvad VPN" in the Login Items UI instead of "Amagicom AB".
• Detect whether users need to approve the launch daemon in the Login Items UI.

Linux

• Remove last filesystem dependency of early boot blocking unit.
• Ensure RPM package removes all application directories when uninstalled.
• Fix architecture field for ARM RPM builds so the app installs on Fedora based distros.

Windows

• Ignore adapters that have no valid GUID when removing obsolete Wintun interfaces during install.
  Previously, the installer would abort.
• Revert to using netsh for DNS config, as some Windows builds did not deal with changes correctly.
  TALPID_DNS_MODULE can be used to override this.
• Fix deadlock that could occur when the default route changed while initializing split tunneling.

Removed

macOS

• Remove ⌘Q shortcut.

Security

Windows

• DNS loopback traffic is no longer blocked. Note that local resolvers are still unable to forward
  queries to servers that would normally be blocked.

2023.1-beta2

Fixed

• Fix sorting of devices in the "too many devices"-view to properly sort on device creation time.

macOS

• Improved reliability of the connectivity check workaround by adding an extra captive portal check
  domain.
• Show "Mullvad VPN" in the Login Items UI instead of "Amagicom AB".
• Detect whether users need to approve the launch daemon in the Login Items UI.

2023.1-beta1

Added

• Add quit button to tray context menu on Linux and Window.
• Add search bar to location list in desktop app.

Windows

• Remove all settings when the app is uninstalled silently.

Changed

• Update Electron from 19.0.13 to 21.1.1.

Fixed

• When a country is selected, and the constraints only match relays that are not included on the
  country level, select those relays anyway.
• Fix regression where WireGuard relays were connected to over OpenVPN after a couple of failed
  attempts, when the tunnel type was set to any.
• Fix missing connect timeout when connecting to a WireGuard relay over TCP.
• Fix failure to apply firewall rules that could occur when connecting timed out.

macOS

• Fix fish shell completions when installed via Homebrew on Apple Silicon Macs.

Linux

• Remove last filesystem dependency of early boot blocking unit.
• Ensure RPM package removes all application directories when uninstalled.
• Fix architecture field for ARM RPM builds so the app installs on Fedora based distros.

Windows

• Ignore adapters that have no valid GUID when removing obsolete Wintun interfaces during install.
  Previously, the installer would abort.
• Revert to using netsh for DNS config, as some Windows builds did not deal with changes correctly.
  TALPID_DNS_MODULE can be used to override this.
• Fix deadlock that could occur when the default route changed while initializing split tunneling.

Removed

macOS

• Remove ⌘Q shortcut.

Security

Windows

• DNS loopback traffic is no longer blocked. Note that local resolvers are still unable to forward
  queries to servers that would normally be blocked.

android/2022.3

Added

• Add privacy policy link in settings
• Add initial privacy consent which is showed on each start until approved

android/2022.2

This release is for Android only. Here's a list of the changes since last stable release android/2022.1:

Added

Android

• Add device management to the Android app. This simplifies knowing which device is which and adds
  the option to log other devices out when the account already has five devices.

Changed

Android

• Lowered default MTU to 1280 on Android.
• Disable app icon badge for tunnel state notification/status.

Removed

Android

• Remove WireGuard view as it's no longer needed with the new way of managing devices.

Fixed

Android

• Fix unused dependencies loaded in the service/tile DI graph.
• Fix missing IPC message unregistration causing multiple copies of some messages to be received.
• Fix quick settings tile being unresponsive and causing crashes on some devices.
• Fix quick settings tile not working when the device is locked. It will now prompt the user to
  unlock the device before attempting to toggle the tunnel state.
• Fix crash when clicking in-app URL notifications.
• Fix tunnel info expansion state not remembered during pause and resume.
• Fix disabled login button on login failure. Instead, the login button will now still be enabled
  on login failures to let the user re-attempt the login.

Security

Android

• Prevent location request responses from being received outside the tunnel when in the connected
  state.

2022.5

This release is for desktop only.

Here is a list of all changes since last stable release 2022.4.

Added

• Add obfuscation settings under "WireGuard settings".
• Add custom option to WireGuard port selector.

Windows

• The default VPN protocol is slowly being changed from OpenVPN to WireGuard.
  The app fetches the ratio between the protocols from the API.

Linux

• GUI: Add electron flags to run Wayland native if in a compositor/desktop known to work well
• Add ARM64 (aarch64) builds. This is the first release with Linux ARM support.

Changed

• Reject invalid WireGuard ports in the CLI.
• Reorganize settings into more logical categories.
• Upgrade wireguard-go to 20220703234212 (Windows: v0.5.3).
• Prune bridges far away from the selected relay.
• Stay connected when desktop app is killed or crashes. The only situation where the app now
  disconnects on quit is when the user presses the quit button.
• Update Electron from 18.0.3 to 19.0.13.
• Expand allowed range of multicast destinations to include all of 239.0.0.0/8 (administratively
  scoped addresses), when local network sharing is enabled.
• Default to selecting Sweden as the entry location when using WireGuard multihop. Previously,
  a random location was used.
• Experimental: Upgrade the support for quantum-resistant WireGuard tunnels to a newer protocol.

Windows

• Remove dependency on ipconfig.exe. Call DnsFlushResolverCache to flush the DNS cache.
• Upgrade Wintun to 0.14.1.

Linux

• The daemon binary and systemd unit file will now be placed in /usr/bin/ and
  /usr/lib/systemd/system respectively, to aid with starting the system service on systems where
  /opt isn't mounted during early boot.

Fixed

• Connect to TCP endpoints over IPv6 if IPv6 is enabled for WireGuard.
• Fix udp2tcp not working when quantum-resistant tunnels are enabled.
• Quit app gracefully if renderer process is killed or crashes.
• Enable reconnect in blocked state in desktop app.
• Fix error handling during device removal in the desktop app.
• Enable interface settings when app is logged out
• Fix 'mullvad status -v' to include the port of the endpoint when connecting over TCP.
• Check whether the device is valid when reconnecting from the error state.
• Stop reconnecting when the account has run out of time.

Windows

• Only use the most recent list of apps to split when resuming from hibernation/sleep if applying
  it was successful.
• Don't fail install if the device tree contains nameless callout driver devices.

Linux

• Don't prevent early boot service from running if logging to a file fails.
• Fix app crashing immediately when using some icon themes.

Security

• When the system service is being shut down and the target state is secured, maintain the
  blocking firewall rules. Unless it's possible to deduce that the system isn't shutting down and the
  system service is being stopped by the user intentionally. This is to prevent leaks that might
  occur during system shutdown. Fixes 2022 Mullvad app audit issue item MUL22-02.

Windows

• Upgrade win-split-tunnel driver to version 1.2.2.0. Fixes incomplete validation of input buffers
  that could result in out-of-bounds reads. Fixes 2022 Mullvad app audit issue item MUL22-01.

Linux

• Added traffic blocking during early boot, before the daemon starts, to prevent leaks in the case
  that the system service starts after a networking daemon has already configured a network
  interface.

2022.5-beta2

Added

• Add custom option to WireGuard port selector.

Linux

• Add ARM64 (aarch64) builds. This is the first release with Linux ARM support.

Changed

• Experimental: Upgrade the support for quantum-resistant WireGuard tunnels to a newer protocol.

Fixed

Linux

• Fix app crashing immediately when using some icon themes.