Research says Mullvad’s shared exit IPs can still help fingerprint users
Mullvad’s rotating IPs may be less anonymous than they look
New research suggests that Mullvad VPN’s shared exit IP system, designed to reduce the downsides of crowded VPN addresses, can still be used to fingerprint users in ways that may affect privacy.
Mullvad is unusual among VPN providers in offering multiple exit IPs per server. That means two people connecting to the same server will often appear to websites under different public IP addresses. The setup is meant to avoid the problems that come with packing too many users behind one IP, especially on services that aggressively block or rate-limit VPN traffic.
But the research indicates that the assigned exit IP is not randomly chosen each time a user connects. Instead, it is deterministically selected based on the user’s WireGuard key, which rotates every 1 to 30 days unless a third-party client is used, in which case it may never rotate.
To test the system, the researcher repeatedly changed a public key and collected exit IPs from nine servers, generating data for 3,650 pubkeys overnight. That was enough to map each server’s exit IP range. Although the possible combinations across those servers added up to more than 8.2 trillion, the observed results collapsed into just 284 combinations.
The pattern was even more striking when the researcher converted exit IPs into positions within each server’s pool. Across the 284 combinations, the IPs consistently landed at the same percentile within their respective pools — in one case, the 81st percentile. That suggests Mullvad is not selecting any IP at random, but choosing neighboring exit IPs in a coordinated way across servers.
Two servers, cl-scl-wg-001 and za-jnb-wg-002, repeatedly shared the same IP indexes across all observed combinations. The researcher says both have pool sizes of 11, pointing to a seed-based random number generator as the likely mechanism, with the pubkey or tunnel address acting as the seed and the pool size as the bound.
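To make that hypothesis concrete, the following is a small model added here (not code from the researcher, nor Mullvad's implementation) in which a uniform seed derived from the key picks the index in each server's pool. The server labels, pool sizes and the SHA-256 seeding are assumptions; only the two pools of size 11 echo the article's observation. It also shows why, under such a model, the number of distinct index combinations collapses to roughly the sum of the pool sizes rather than their product.

```python
import hashlib
from fractions import Fraction
from math import prod

# Constructed pool sizes for nine hypothetical servers (assumed values; only
# the two pools of size 11 mirror the article's cl-scl / za-jnb observation).
POOL_SIZES = {
    "srv-a": 11, "srv-b": 11, "srv-c": 23, "srv-d": 40, "srv-e": 64,
    "srv-f": 7, "srv-g": 128, "srv-h": 30, "srv-i": 17,
}

def key_to_unit(pubkey: bytes) -> float:
    """Seed a uniform value in [0, 1) from the key (model assumption: SHA-256)."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def exit_index(pubkey: bytes, pool_size: int) -> int:
    """Index into one server's exit-IP pool: the seed scaled by the pool size."""
    return int(key_to_unit(pubkey) * pool_size)

def exit_combination(pubkey: bytes) -> tuple:
    """The tuple of exit-IP indexes a single key receives across all servers."""
    return tuple(exit_index(pubkey, n) for n in POOL_SIZES.values())

def percentiles(pubkey: bytes) -> list:
    """Where each assigned index sits within its pool (0.0 .. 1.0).
    Same seed on every server means the positions line up, as the article observed."""
    return [exit_index(pubkey, n) / n for n in POOL_SIZES.values()]

def max_combinations(pool_sizes) -> int:
    """Upper bound on distinct tuples under this model: the tuple only changes when
    the seed crosses a boundary i/n of some pool, so at most (#boundaries + 1)
    combinations exist, on the order of the SUM of pool sizes, not their PRODUCT."""
    boundaries = {Fraction(i, n) for n in pool_sizes for i in range(1, n)}
    return len(boundaries) + 1

def observed_combinations(num_keys: int) -> int:
    """Simulate rotating the key num_keys times and count the distinct tuples seen."""
    keys = (f"constructed-pubkey-{i}".encode() for i in range(num_keys))
    return len({exit_combination(k) for k in keys})

if __name__ == "__main__":
    print("naive product of pool sizes:", prod(POOL_SIZES.values()))
    print("bound under seeded model:   ", max_combinations(POOL_SIZES.values()))
    print("distinct after 3,650 keys:  ", observed_combinations(3650))
```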
The implication is that even though Mullvad’s exit IPs are shared, they may still form a stable pattern that can be used to identify or track users over time.
Sources: