Mullvad Exit IP Fingerprinting: A Surprising Privacy Risk

Mullvad VPN deterministically assigns exit IPs based on WireGuard keys, enabling persistent tracking across sessions—here's what it means for privacy.

A Hacker News story reveals that Mullvad VPN's exit IPs are “surprisingly identifying.” The post, from a user who analyzed Mullvad's WireGuard implementation, shows that Mullvad deterministically selects an exit IP based on your WireGuard public key, not randomizing it per connection. Every session from the same key gets the same IP, making it easy for websites to fingerprint you across sessions—defeating a key privacy expectation.

The Discovery

The original article, Mullvad exit IPs as a fingerprinting vector, explains that exit IP assignment is a deterministic function of your WireGuard private key. The official client rotates that key every 1–30 days, so the exit IP changes only when the key does. But if you use a third-party client that never rotates keys, the exit IP stays static indefinitely.

The author demonstrates how to predict your exit IP from your public key, arguing this undermines the basic privacy benefit that each connection should look like it comes from a different IP. The post has gained traction on HN (score 102, 26 comments) because it touches on fundamental trade-offs in VPN design.

Why It Matters

Deterministic exit IPs mean every site you visit can tie all your sessions together, especially if they share data via cookies or browser fingerprinting. The VPN stops your ISP from seeing your traffic, but it hands the same tracking ability to any website. For a privacy-focused service, that's a poor trade-off.

Mullvad's official client rotates keys periodically, but the default interval of up to 30 days still allows a tracking profile to build. Users running third-party WireGuard clients that never rotate keys keep a completely static exit IP. The fix is trivial: randomize the exit IP per session or use a time-based seed. The HN thread notes Mullvad could add a “pseudorandom seed” based on the connection timestamp.

The deeper issue: VPNs are often marketed as privacy tools, but their architectures rarely address application-layer tracking. DNS leaks, WebRTC, browser fingerprinting, and now deterministic exit IPs all chip away at the privacy promise. Mullvad's choice likely prioritizes load balancing or anti-abuse over pure privacy—a legitimate trade-off, but one that should be transparent.

The Debate on HN

The HN thread shows divided opinions. Some defend Mullvad's design, arguing VPNs aren't anonymity tools. One commenter wrote:

“The purpose of a VPN does not include anonymizing users with respect to the sites they visit, so it shouldn't be too surprising that Mullvad doesn't enforce unique exit IPs. Users who want anonymity should use networks like Tor.”

Others see it as a real flaw for a privacy-focused VPN. Another commenter countered:

“Deterministic exit IPs let any site build a persistent profile across sessions. You're not eliminating tracking, just shifting who does it. Bad trade for a privacy VPN.”

The community remains split between accepting this as a deliberate trade-off and calling it a design mistake.

What This Means for VPN Users

If you use Mullvad to hide your IP from websites, this matters. A static exit IP per key period allows sites to track you easily. If you only use a VPN for geo-spoofing or encrypting traffic from your ISP, this may not affect you. But for anyone expecting anonymity, deterministic exit IPs are a significant flaw. Mullvad should address this, and given the community response, likely will. Until then, users can take steps:

  • Use the official Mullvad client, which rotates keys periodically.
  • Manually rotate your WireGuard key more frequently.
  • Consider using Tor for true anonymity.
  • Evaluate VPNs that explicitly randomize exit IPs per session.

Lessons for Builders

If you're building a VPN service or any system routing traffic through proxies, think about IP assignment. A simple fix is to rotate exit IPs per connection or use a pool of IPs with random selection. Here's a pseudocode example of random assignment:

import random
import ipaddress

# Pool of exit addresses (RFC 5737 documentation range, placeholders only)
exit_pool = [
    ipaddress.IPv4Address('198.51.100.1'),
    ipaddress.IPv4Address('198.51.100.2'),
    # ...
]

def assign_exit_ip(user_key):
    # Random per session (not deterministic): user_key is deliberately
    # ignored, so two sessions from the same key are not linkable by IP
    return random.choice(exit_pool)

But random assignment can break things like session persistence on banking sites. A better approach uses a time-based seed: assign a temporary user ID that rotates every hour and hash that to select an IP.
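As an added illustration (not code from the article or from Mullvad), the sketch below models the two ends of this trade-off in Python: a key-only mapping that stays fixed for the life of the key, which is a stand-in for the behaviour the post describes rather than Mullvad's actual algorithm, and the time-based variant in which the key is mixed with an hourly bucket and a server secret. The pool addresses, the server secret and all function names are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample pool (RFC 5737 documentation addresses), not Mullvad's.
EXIT_POOL = [ipaddress.IPv4Address(f"198.51.100.{i}") for i in range(1, 9)]

# Hypothetical server-side secret; a real deployment loads it from config,
# never from source. Without it an observer cannot predict the hourly IP.
SERVER_SECRET = b"example-server-secret-rotate-me"


def _pick(pool, digest):
    # Map a digest to a pool slot (8-byte prefix keeps modulo bias negligible).
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def deterministic_exit_ip(pubkey, pool=EXIT_POOL):
    # Key-only mapping: same key -> same exit IP for as long as the key lives.
    # A client that never rotates its key is therefore fingerprintable by IP.
    return _pick(pool, hashlib.sha256(pubkey).digest())


def time_bucket(now=None, bucket_seconds=3600):
    # Hour index used as the rotating seed.
    ts = time.time() if now is None else now
    return int(ts) // bucket_seconds


def bucketed_exit_ip(pubkey, now=None, bucket_seconds=3600,
                     pool=EXIT_POOL, secret=SERVER_SECRET):
    # Time-based seed: HMAC(secret, key || hour) is stable within the hour,
    # so an open session keeps its IP, but the mapping changes every hour
    # and cannot be computed by anyone who only knows the public key.
    bucket = time_bucket(now, bucket_seconds)
    msg = pubkey + b"|" + bucket.to_bytes(8, "big")
    return _pick(pool, hmac.new(secret, msg, hashlib.sha256).digest())


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed stand-in for a WireGuard public key
    for day in range(3):
        t = 1_699_999_200 + day * 86400
        print(day, deterministic_exit_ip(key), bucketed_exit_ip(key, now=t))
```

Running the demo shows the first column never changing across days while the second is re-derived each hour; a small pool will occasionally repeat an address by chance, which is why the bucket size and pool size together set how much linkability remains.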

For more on WireGuard internals, check the WireGuard documentation. Mullvad's official site provides details on their setup.

The Takeaway

Mullvad remains a reputable provider with strong security practices, but deterministic exit IPs let websites track you across sessions. Users who value anonymity should either rotate keys frequently or switch to tools like Tor. VPN builders should consider how IP assignment affects privacy—random or time-based assignment is better than a static hash tied to long-lived keys.