- New audit found no significant vulnerabilities in Mullvad’s GotaTun
- Minor issues identified are now fixed, says Mullvad
- GotaTun replaced the old WireGuard implementation in December
Mullvad VPN’s WireGuard implementation, GotaTun, was given the green light in a security audit by independent auditors, who reported no significant vulnerabilities.
Written in the Rust programming language, GotaTun is a userspace implementation of the WireGuard network tunneling protocol that Mullvad introduced as an open source replacement for its previous Go-based implementation.
Implemented in December, shortly before Mullvad completed Retiring the OpenVPN protocol has so far delivered faster performance, longer battery life on mobile devices, and significantly fewer app crashes., making the app much more stable overall.
Article continues below.
But even the best VPNs can’t simply claim that their new code is free of security flaws; An external auditor is needed to verify that the code is indeed up to par.
What the audit found and what it didn’t
Between January 19 and February 15, Gothenburg-based Assured Security Consultants conducted a brief code review of GotaTun to test its entire configuration, with the exception of the command-line interface and specific details. DAITA code.
The code was made clear, assuring Mullvad users that the VPN has accurately and securely implemented the WireGuard protocol in its native programming language.
“Based on our code review, GotaTun does not have any significant vulnerabilities,” the auditors conclude in their report.
This will be welcomed by users who had previously experienced crashes due to the previous implementation without Rust, who can now be assured that the new, sleeker user experience is accompanied by continued levels of security.
Our WireGuard implementation, GotaTun, was recently audited by Assured Security Consultants. Before completing the audit, two low-severity problems identified were resolved. No major vulnerabilities were found. Read more here: https://t.co/ouHlGhr8JgMarch 6, 2026
In fact, Mullvad had previously reported that 85% of all crashes recorded in its Android app were directly related to conflicts between Mullvad’s Rust code and WireGuard’s Go implementation.
That’s when the Privacy VPN team rewrote the WireGuard implementation in Rust to fit their stack: GotaTun, or “the future of WireGuard” as Mullvad called it, whose implementation virtually eliminated these problems, with the failure rate on Android dropping from 0.4% to around 0.01%.
The audit further confirmed that both Mullvad and its users have reason to celebrate and fears of failures are now unfounded: the code is fit for purpose.
Minor defects found
However, it is important to note that the audit results were not perfect. Two minor issues were identified and reported for fix, where Mullvad’s Rust implementation did not perfectly follow the official WireGuard protocol.
A padding error indicated that the format of the numerical data sent by the Rust implementation was not consistent with the protocol specifications.
A second issue also highlighted that while the WireGuard protocol requires the assignment of a random number, Mullvad did not use a completely random method, but rather a more predictable method to generate the number.
Finally, some parts of the code are maintained primarily by very small teams, consisting of one or two people. While this does not currently pose any security risk, it does raise some long-term concerns in terms of quality and maintainability, as statistically larger teams tend to find more bugs and reduce potential code flaws in the future, the auditors said.
Mullvad stated that most of these recommendations had been resolved before the results were published, a claim that will likely be verified in its next audit.
However, for current and potential Mullvad users, these current results reinforce Mullvad’s status as a VPN that prioritizes user privacy and anonymity, and continues to improve its core principles through meaningful third-party evaluations.
And it seems that, for now, no application crash will prevent it from achieving its goal.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
