2024.9-beta1

This release is for desktop only.

Here is a list of all changes since last stable release 2024.8.

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
  proxies. The access method is enabled by default.

macOS

• Detect whether full disk access is enabled in the split tunneling view.
• Add button to restart system service in split tunneling view. This can help mitigate edge-case
  issues when enabling full disk access.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
  ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Make Smart Routing override multihop if both are enabled. To manually set the entry relay,
  explicitly enable the "Direct only" option in the DAITA settings.
• Update maybenot from 1.1.3 to 2.0.1.

Windows

• Enable quantum-resistant tunnels by default (when set to auto).

Fixed

• Handle network switching better when using WG over Shadowsocks.
• Fix multihop entry location list sometimes being shown when multihop is disabled.

macOS

• Fix packets being duplicated on LAN when split tunneling is enabled.
• Fix DNS issues caused by forcibly using a local DNS resolver in all states.
  Note that this fix is not present on macOS versions between 14.6 and 15.1.

Security

Windows

• Block WSL/Hyper-V traffic in secured states (except the connected state). The normal firewall
  (WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not
  leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or
  connecting state, or while lockdown mode was active.

2024.8

This release is for desktop only.

This release addresses issues identified in a recent audit. Here is a list of all changes since last stable release 2024.7.

Security

• Remove invalidly set up alternative stack for fault signal handlers on unix based systems. This prevents potential stack overflow and heap memory corruption. Fixes audit issue MLLVD-CR-24-01.
• Remove/disable not signal safe code from fault signal handler on unix based systems. Fixes audit issue MLLVD-CR-24-02.

Windows

• Fix issue where the installer would allow any executable named taskkill.exe in the working directory to run as admin. This fixes audit issue MLLVD-CR-24-06.

Linux

• Prevent attackers able to send ARP requests to the device running Mullvad from figuring out the in-tunnel IP. Fixes 2024 audit issue MLLVD-CR-24-03.

android/2024.9-beta1

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
  proxies. The access method is enabled by default.

Changed

• Animation has been changed to look better with predictive back.

Fixed

• Fix a bug where the Android account expiry notifications would not be updated if the app was
  running in the background for a long time.
• Fix ANR due to the tokio runtime being blocked by getaddrinfo when dropped.

android/2024.8

Here is a list of all changes since last stable release android/2024.7:

Added

• Add feature indicators to the main view along with redesigning the connection details.
• Add new "Connect on device start-up" setting for devices without system VPN settings.
• Add a confirmation dialog shown when creating a new account if there's already an existing
  account in the account history of the login screen.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
  ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Move version information and changelog to a new app info screen.
• Update icons to material design.

Fixed

• Fix the account number input keyboard being broken on Amazon FireStick by adding a workaround.
  This should eventually be fixed by Amazon since the FireStick behavior is broken.
• Improve connection stability when roaming while using Shadowsocks.
• Fix MTU calculation to avoid connectivity issues when using some specific settings.
• Fix unlabeled icon buttons for basic accessibility with screen readers.

2024.7

This release is for desktop only.

This release is identical to 2024.7-beta1.

Here is a list of all changes since last stable release 2024.6.

Fixed

macOS

• Fix DNS not working due to broken PF redirect.

2024.7-beta1

This release is for desktop only.

Here is a list of all changes since last stable release 2024.6.

Fixed

macOS

• Fix DNS not working due to broken PF redirect.

android/2024.8-beta2

Fixed

• Improve connection stability when roaming while using Shadowsocks.
• Fix incorrect MTU calculation to avoid connectivity issues when using obfuscation.

2024.6

This release is for desktop only.

Here is a list of all changes since last stable release 2024.5:

Added

• Add WireGuard over Shadowsocks obfuscation. It can be enabled in "WireGuard settings". This will
  also be used automatically when connecting fails with other methods.
• Add feature indicators to the main view along with redesigning the connection details.
• Add "Smart Routing" feature which simplifies connecting to DAITA-enabled relays.

Changed

• Never use OpenVPN as a fallback protocol when any of the following features is enabled:
  multihop, quantum-resistant tunnels, or DAITA.
• Improved output format of mullvad status command, which now also prints feature indicators.
• Move DAITA and multihop to the root settings view along with moving multihop into a dedicated
  view with more information.

macOS

• Disable split tunnel interface when disconnected. This prevents traffic from being sent through
  the daemon when the VPN is disconnected.
• Enable IPv6 by default. This fixes DNS and routing being broken on some systems.
• Proxy DNS queries through a local resolver.

Fixed

Linux

• Set tunnel name to wg0-mullvad for userspace WireGuard.

macOS

• Exclude programs when executed using a relative path from a shell.
• Reduce packet loss when using split tunneling.
• Don't block fragmented packets in the PF firewall. Fixes various issues relating to connecting
  (and general instability) when IP fragmentation is present.
• Fix Apple services not working by forcing stray connections out through the VPN tunnel. This fix
  only applies to Wireguard, OpenVPN is still affected.
• Disable DNS redirect when custom DNS is set to localhost.

New Contributors

• @dpaoliello made their first contribution in #6315
• @magnus-lindstrom made their first contribution in #6632
• @lamtrinhdev made their first contribution in #6670
• @arunsathiya made their first contribution in #5860

android/2024.8-beta1

Added

• Add feature indicators to the main view along with redesigning the connection details.
• Add new "Connect on device start-up" setting for devices without system VPN settings.
• Add a confirmation dialog shown when creating a new account if there's already an existing account in the account history of the login screen.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Move version information and changelog to a new app info screen.
• Update icons to material design.

Fixed

• Fix unlabeled icon buttons for basic accessibility with screen readers.

android/2024.7

Here is a list of all changes since last stable release android/2024.6:

Fixed

• Fix a bug where tunnel obfuscation (UDP-over-TCP or Shadowsocks) only worked in combination with either DAITA or quantum-resistant tunnels, but only after the initial tunnel negotiation used for both DAITA and quantum-resistant tunnels. This combination of issues made the obfuscation methods effectively unusable behind restrictive firewalls regardless of setting combination.