Is this true @obscuracarl ? Can Mullvad identify users across sessions?
I don't see much point in using Obscura, I'm simply not sold. Hosting hy2 yourself or using a VPN provider with proper sing-box/xray/native cores gives users more options for evading censorship while being cheaper. Obscura's censorship resistance claims are valid only for the European countries and maybe for corporate environments where network admins cosplay security, but then again any WireGuard packet mixing trick like AmneziaWG and whatever Mullvad does in their client will be less computationally expensive and more performant. The PII separation doesn't interest me personally. I don't see a world where Mullvad would do such a thing / I'd be hurt from an intelligence operation because I'm a law-abiding citizen after all. Not having a proper client for anything but Apple is also kek worthy.
It's a neat idea nonetheless and I can see the value proposition for non-technical people. Still a hard pass because of the vendor lock-in.
I can dunk on Obscura for claiming to be censorship resistant while relying solely on 2 protocols and not having server override options, seemingly not rotating server IPs, probably being fingerprintable through domain name resolution, not having censorship-resistant client-server coordination, but there is a more fundamental issue I want to address. I dislike the fact you guys chose the vendor lock-in route. Democratizing censorship evasion by funding open source clients, protocols and server implementations while simply offering a service is a much more powerful idea. It'd be great if an open source client could afford being audited by Cure53 and not just a startup that looked at the hy2 implementation, copied it and made a hard vendor lock-in for it.
QUIC is honestly a very base requirement. Without it, anti-deep-packet-inspection tools (like Mullvad's DAITA) for example lose a lot of their utility.
imo a lot of ground to cover still, before this starts looking like a decent option to me
How come? While it's true that China was historically detecting fully encrypted traffic based on TLS or HTTP heuristics for TCP but wasn't doing it for UDP, it's entirely possible to do this for QUIC. QUIC still needs to have dynamic handshakes, traffic flow randomness. DAITA makes it easier to detect the fact of encapsulation, not harder. It's much easier for a censor to fully block QUIC altogether without disruption to actual web traffic. We're honestly lucky to have QUIC only partially blocked in censored countries.
This doesn't make any sense to me. Doesn't DAITA itself make packet sizes constant?
Reminded me of this: My YC app: Dropbox - Throw away your USB drive | Hacker News
I assume their primary audience is quite different from users who would be able to do this.
Interesting comment on the capabilities of European states; is there a public source you know this from, or are you part of the European LE and/or intelligence establishment? It would be an engaging read if the source can be shared here.
Two assumptions in one: explicit trust in Mullvad's ability to protect from insider and outsider threats even if they don't turn entirely rogue, and that being "law-abiding" and "won't be hurt in an intelligence operation" are in any way related. Holding the first assumption might be hard for some, and the second is objectively false.
@ignoramous has raised some very interesting questions. I would be eager to see @obscuracarl respond, especially to the part where the Obscura MPR is actually multi-hop WireGuard rather than a true MPR. I could not see anything relevant in the audit with regards to this, although it said it covered the architecture.
But then again I can imagine a world where a universal proxying app would take your crypto via a verifiable smart contract and top up the virtual account balances of many service providers. It's a more powerful, revolutionary idea to get behind, just like Dropbox. NymVPN is kinda headed in this direction already?
I haven't seen any mentions of government DPI equipment usage being forced on ISPs. I was watching Sam Bent's video the other day where he in his typical stupidity claimed a German company bragging about being able to detect Shadowsocks somehow contributed to censorship in either China in particular or in the EU as a whole. In reality, such DPI systems only exist in corporate environments.
There are a couple of anecdotal reports suggesting some local ISPs are terminating WireGuard connections in the US, but I haven't seen any proof so far.
We have reassurances of "treason" code paths not existing as well as insider threats being unrealistic, at least at the time of the yearly audits. I think they verify the fact that Mullvad's infrastructure is robust enough to be protected against insider threats. I also place trust in Mullvad as a whole, yes.
I'm not sold on the idea of PII separation personally because I don't see the scenario where Mullvad willingly breaks its promise as realistic, and the only potential Obscura customers left with legit reasons to use it must be choosing it for its supposed protections against correlation and timing attacks. Coming back to the Dropbox analogy, what % of market share can high-profile Apple users provide?
I was just pulling your leg there. Your comment explicitly reminded me of the structure of the comment made about Dropbox being replaced by FTP and stuff, but I don't think Obscura is doing something that revolutionary since providers like Apple already do it well.
I mostly agree. DPI is not used often in liberal democratic nations. I was more interested in why single out Europe; I don't think even US authorities are doing DPI on all traffic of their citizens, even under the Patriot Act.
Oh, I guess those people should sue the ISP. That would be against free speech.
I too don't think it is likely. I was just pointing out that customers may think it necessary, and that is their market. There are people out there that would use Huawei because they believe everything else is bugged, so customer preferences are weird.
Agree that they are most prevalent in corporate environments, but I'll point out that more and more commercial environments have these as well: hotels, airports, coffee shops, etc.
For residential, mid-last year, our website (not VPN servers) was actually blocked by the Spectrum and Xfinity ISPs because some AI-generated blocklist erroneously flagged us. They did so by doing SNI sniffing, and the block was implemented on their stock gateway routers (people who had their own gateway routers were fine).
Totally agree, I trust Mullvad quite a lot (that's why we partnered with them!).
Though I think defense in depth should be practiced wherever possible: even if an insider threat is unlikely, it is possible for undiscovered vulnerabilities exploited by external parties to be a real threat (especially with as big of a target as Mullvad).
Everyone's threat model is different of course, so it's good that we have options.
And did you implement any countermeasures? Thanks for the pointer btw, I was really confused when people told me about WireGuard not working in some cases in the US when using some VPN providers.
Support for gluetun would be what I'm looking for, to pipe my privacy-respecting self-hosted services through it. Mullvad has good support for gluetun right now.
Otherwise, Mullvad has a CLI you can look at and take notes from. Given you use Mullvad, if your CLI experience is similar, it may make migration for Mullvad CLI users easier.
Semi-related, but Secureblue support for their "ujust" VPN installation could be nice. However, that distro is not as common, and I'm biased as I use it for my daily driver now.
Yeah we did for the VPN service itself, but not much we can do for our marketing website since all browsers send SNI (which is in plaintext). I suppose the solution is to use a VPN!
(oddly meta)
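To make concrete what "SNI in plaintext" means for the blocking described above, here is an added example (not code from this thread, from Obscura or from any ISP). It builds a constructed TLS ClientHello carrying a server_name extension for the reserved hostname example.com, then parses the hostname back out of the raw bytes the way an on-path gateway would: no keys are involved, because nothing in the ClientHello is encrypted.

```python
import struct
from typing import Optional

HANDSHAKE_RECORD = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01          # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000  # server_name extension (RFC 6066)
SUPPORTED_VERSIONS = 0x002B  # an unrelated extension the parser must skip


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input).

    Only the fields needed to reach the extensions block are realistic;
    the random bytes and cipher suite list are placeholders.
    """
    sv = b"\x02\x03\x04"  # supported_versions: one entry, TLS 1.3
    extensions = struct.pack("!HH", SUPPORTED_VERSIONS, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name           # name_type host_name(0)
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list))
        extensions += server_name_list

    body = b"\x03\x03"                              # legacy client_version (TLS 1.2)
    body += b"\x11" * 32                            # client random (constructed, fixed)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent.

    This is the whole of what an SNI-sniffing box needs: walk the
    plaintext headers, find extension type 0, read the hostname.
    Malformed or truncated input yields None rather than an exception.
    """
    try:
        if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                              # truncated record

        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len

        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:             # ServerNameList entries
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:                   # host_name
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    # Constructed hostnames; example.com is reserved for documentation.
    for host in ("example.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

The parser never touches a key or a certificate, which is why a stock gateway router can match the hostname against a blocklist and reset the connection. The only things that take the hostname out of the observer's view are Encrypted Client Hello (ECH), which moves the real server_name into an encrypted inner ClientHello, or carrying the whole connection inside a tunnel, as the reply above suggests.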
That's interesting, we've had people ask for this in the past. Am I correct in that the main point of this is to set up a kind of split tunnel where your main machine is not on the VPN by default but your Docker-hosted services are?
Good point, weāll definitely take a look.
Obscura does have my attention, and I'm interested in trying it out, but I'm sort of surprised that PG isn't recommending it. What's the issue? Obviously, I expect you to be biased.
Any plans for Obscura to take advantage of the new DNS feature in iOS 26? In the real world, like China, Mullvad is absolutely useless in Mainland China even with QUIC. I'm not too hopeful that Obscura will be any better.
It's been documented that VPNs on iOS leak. Is Obscura any better? What are you doing to mitigate such risk?
For one, you cannot buy anonymously.
This is not a VPN issue but iOS issue.
Any way to get around it? I'm reading that using iOS with a VPN on the router will eliminate the threat.
I suppose this can work.
So you're not sure?
It's just a manner of speaking. Yes, it bypasses the concern when it's on the router. I don't see how it can't.
It's more fine-grained than that. Gluetun is running its own Docker network, such that you can opt in/out of using the VPN in different containers just by swapping the configured Docker network. I.e., my Jellyfin is not operating under gluetun, but the downstream services which deal with media downloading are in a VPN, but all is configured within the Docker ecosystem.