Mullvad VPN: We tasked the Netherlands based security firm Radically Open Security (RoS) with performing the third audit towards our VPN infrastructure.

We asked them to focus solely on VPN servers that run from RAM, one OpenVPN and one WireGuard server.

We invite you to read the final report of our third security audit, concluded in mid-June 2023, with many fixes deployed late June 2023. Further re-tests and a verification pass were performed during July.

RoS discovered a number of new findings, and we would like to thank them for their thorough and detailed report. They stated, amongst other things, that whilst they found some issues: “The Mullvad VPN relays which were the subject of this test showed a mature architecture…” and “During the test we found no logging of user activity data…”

We gave RoS full SSH access to two (2) VPN servers that were running from RAM, using our latest slimmed down Linux kernel (6.3.2) and customised Ubuntu 22.04 LTS based OS. These servers were deployed as though they were to be production customer-facing servers, however these servers have never been utilised as such.

  • @[email protected]
    29 months ago

    They keep saying “VPN server running from RAM”. Does this mean they have some that do not? How do I know mine is one?

      • @[email protected]
        29 months ago

        Yeah, it’s just worded weird to me. They set up some RAM-only VMs for RoS to SSH into, so they’re not in prod. Plus “asked them to focus solely on VPN servers that run from RAM”.

        To me, the way this is worded suggests that they have VPN servers that do not run from RAM. I know I can ask support but I’m not going to bother. Just curious what other people here thought.