Security Audit Validates Mullvad’s GotaTun WireGuard Implementation
A comprehensive security assessment of Mullvad’s innovative WireGuard implementation has concluded with positive results, according to the VPN provider’s recent announcement. The evaluation of GotaTun, Mullvad’s custom WireGuard protocol implementation, was performed by Assured Security Consultants from Gothenburg during a four-week period spanning late January through mid-February 2026.
This marks Mullvad’s eighteenth independent security evaluation since beginning its audit program in 2017, reinforcing the company’s reputation for transparency within the VPN industry. Among leading VPN services, only ExpressVPN exceeds Mullvad’s audit frequency, having commissioned twenty-three security reviews since 2018.
The security firm conducted an extensive code review of GotaTun, which represents Mullvad’s Rust-based approach to implementing the WireGuard tunneling protocol. The assessment encompassed source code analysis and comprehensive testing of the complete GotaTun system, though it excluded Mullvad’s DAITA traffic analysis protection feature and command-line tools. While auditors discovered no critical security flaws, they identified two minor issues requiring attention.
The first concern involved GotaTun’s approach to creating session identifiers. Investigators found that the system employed a 24-bit Linear Feedback Shift Register for generating these identifiers, while WireGuard’s official specification requires 32-bit random numbers. According to the audit findings, this deviation could potentially expose information about peer connections and handshake frequency to network traffic observers, though it doesn’t compromise tunnel security directly.
Mullvad responded that this weakness provided minimal additional intelligence to potential attackers, as they would already possess information about peer counts and session durations. Nevertheless, the company promptly addressed the issue in a subsequent software update, ensuring compliance with official WireGuard standards.
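To make the session-identifier finding concrete, the following Rust sketch is an added example, not code from GotaTun or the audit report. It shows why identifiers handed out in LFSR order let anyone who sees two of them count how many were issued in between, something independent 32-bit random values do not allow. The tap positions, the seed and the use of the raw LFSR state as the identifier are assumptions, since the page does not give GotaTun's actual parameters.

```rust
// Added illustration. The tap positions, the seed and the direct use of the
// LFSR state as the session index are assumptions, not GotaTun's actual code.
const MASK: u32 = 0x00FF_FFFF; // 24-bit state

/// One step of a 24-bit Fibonacci LFSR (assumed taps: bits 23, 22, 21, 16).
fn lfsr_next(s: u32) -> u32 {
    let bit = ((s >> 23) ^ (s >> 22) ^ (s >> 21) ^ (s >> 16)) & 1;
    ((s << 1) | bit) & MASK
}

/// Model of a peer that hands out one index per handshake, in LFSR order.
fn issue_indices(seed: u32, count: usize) -> Vec<u32> {
    let mut out = Vec::with_capacity(count);
    let mut s = seed & MASK;
    for _ in 0..count {
        s = lfsr_next(s);
        out.push(s);
    }
    out
}

/// What a passive observer can compute from two cleartext indices: the number
/// of indices issued between them, found by stepping the public recurrence.
fn handshakes_between(earlier: u32, later: u32, limit: u32) -> Option<u32> {
    let mut s = earlier;
    for n in 0..=limit {
        if s == later {
            return Some(n);
        }
        s = lfsr_next(s);
    }
    None
}

fn main() {
    let issued = issue_indices(0x00AB_CDEF, 50); // constructed seed
    let (a, b) = (issued[3], issued[40]);
    println!("observed {:06x} then {:06x}", a, b);
    println!("indices issued in between: {:?}", handshakes_between(a, b, 1_000));
    println!("next index is predictable: {:06x}", lfsr_next(b));
}
```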
The second identified issue concerned data packet handling, specifically GotaTun’s failure to pad packets to a multiple of 16 bytes before encryption, as specified in WireGuard documentation. While auditors classified this as a non-critical cryptographic concern, they recommended implementing proper padding to maintain specification compliance.
Mullvad has since resolved this issue as well, noting that the protection offered by such padding resembles but is less comprehensive than their proprietary DAITA functionality. The company advises users concerned about sophisticated traffic analysis to consider activating DAITA for enhanced protection.
Although independent security audits have limitations and can only validate findings within their specific timeframe, this assessment demonstrates how regular evaluations help VPN providers identify and address vulnerabilities regardless of their severity level.
Mullvad’s dedication to transparency extends beyond commissioning external audits. The company maintains fully open-source software, making all code publicly accessible for independent review. This dual approach of open development and professional auditing reinforces their commitment to user privacy and security.
The favorable evaluation from Assured Security Consultants strengthens confidence in GotaTun’s security architecture while enhancing Mullvad’s overall privacy credentials. GotaTun represents Mullvad’s effort to enhance WireGuard performance and reliability, initially launching for Android devices in December with planned expansion to additional platforms throughout the current year.