Mullvad removes port-forwarding on security grounds

Mullvad VPN app working on a laptop

Swedish virtual private network (VPN) provider Mullvad has removed its port-forwarding option on security grounds.

This is a feature that many of the best VPN services nowadays include in their software. But, while it can be an added value for sharing connections with friends when gaming or torrenting, it sadly allows avenues for abuse, too.

That's why, starting on May 29, Mullvad users can no longer add new port-forwards. Subscribers have until July 1 to enjoy their existing ports, before these are finally removed.   

Port-forwarding's security issues

"Since Mullvad is taking a great deal of effort into keeping users private, and not logging traffic, we can not block bad users or identify bad users, so we become a safe haven for bad stuff. This is not always in line with our values and what we stand for," Jan Jonsson, CEO at Mullvad, told TechRadar. 

The company reports having suffered concrete issues due to people engaging in illegal activities via ports forward-linked to its servers. Some of its IP addresses got blacklisted and hosting providers withdrew from its service, for example. Law enforcement also got involved in some instances. 

Being Mullvad a truly no-log VPN, user data has always been safe and secure—even following an inconclusive police raid. However, Jonsson felt that the service was in some ways letting down their subscribers who cannot use it as they wish to.

"The abuse vector of port-forwarding has caught up with us, and today we announce the discontinuation of support for port-forwarding," reads the official announcement.  

"This means that if you are a user of forwarded ports, you will not be able to add or modify the ports you have in use. We have removed the ability to add port-forwards on all accounts."

A more straightforward method of moving data inside a defined network, port-forwarding provides a bridge between devices located on an external network (WAN)—like the internet—with those on a private local area network (LAN). As mentioned before, this type of technology is generally used for multiplayer gaming, P2P activities, web hosting, and remote desktop access.

As we have seen, port-forwarding comes with some intrinsic security vulnerabilities—even when using a VPN. Hackers might be able to exploit this enter-point to steal people's data or even launch malware attacks on their devices. Port-forwards can cause IP leaks when torrenting, too.

"By simply banning ports, we get rid of abuse of content hosted by our IPs via ports, and can focus on giving better privacy for the broader mass of people," said Jonsson.

Mullvad is one of many VPN providers that have decided to cut off this feature to better protect user security online. Yet, keen gamers and torrenters might be looking for alternatives now. Jonsson recommends carefully choosing a secure VPN alternative for those really in need of using port-forwarding.

Windscribe and Hide.me are currently the best options offering port forwarding, but we still advise using this feature with caution. We also flag ExpressVPN's Device Group feature and NordVPN's new technology Meshnet as more secure ways for sharing connections. 

He said: "Statically linked port-forwards are not good for privacy, it can be linked to a user account. A VPN service that can identify a user, is not a good option for using port-forward with, if anonymity is important."

Ultimately, this is a devastating blow to Mullvad's torrenting community, and just another reason why it's so important to use only the best torrenting VPN.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com