VPN servers and countries. Which should I choose?

I’m a new Mullvad VPN user and I wanted to ask what country is better in terms of privacy?
Should I avoid rented servers?
Should I choose a server in my real location?

I heard Switzerland is a good location for privacy but some of the servers are rented, on the other hand all Sweden servers are owned by Mullvad.
What do you guys think?

All Mullvad servers are equally as safe.

If you prioritize speed and latency, go with the one that’s closest to you.

It realistically won’t make a difference, but as About our servers says, their owned servers tend to be more secure. You can filter by ownership on their server list. 9 different countries have owned servers.

4 Likes

If what @ph00lt0 wrote about the GDPR is accurate (and I’ve no reason to doubt it), I’d have a mild preference for EU servers (especially if I lived in the EU):

Also, one thing I’ve been thinking about lately is VPN server choice in the context of the Global Privacy Control (GPC) and other legal rights. Because I live in a state with decent GDPR-like privacy laws, I’d prefer not to lose out on those rights. The GPC is a feature/signal built into browsers. Outside of one of these states with decent privacy laws, it is similar to DNT (“Do Not Track”), in other words just a non-binding request without legal or technical teeth. But if you live in a state which does have stronger privacy laws, respecting the GPC is legally binding, and companies can be penalized for not respecting your GPC preference automatically. For this reason, when I choose a US server, I tend to select from the ~5 states with decent privacy laws.

I’m curious to hear what others think about this approach, I’ve only recently begun thinking about it.

2 Likes

In my experience Mullvad’s owned servers have fewer issues with websites restricting your access. Additionally, as Mullvad explains on their server page that Jonah already linked, their owned servers are more secure and also faster than their rented servers. Depending on the operating system where you use Mullvad, you could also choose to filter only Mullvad-owned servers.

3 Likes

Thanks, I haven’t noticed there’s a filter button for it.

1 Like

There actually can be some benefit to some servers over others, specifically ones with the ISP supporting RPKI.
Cloudflare has a test website here: https://isbgpsafeyet.com/

I’ve yet to see a VPN provider solely offer RPKI enforcing exits or ability to filter them in client.

Without RPKI you can see events like this: Google goes down after major BGP mishap routes traffic through China | Ars Technica

4 Likes
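
The check an RPKI-enforcing network applies to each BGP announcement, as an added example that is not part of the original thread: route origin validation in the style of RFC 6811. The ROAs and announcements are constructed sample data (documentation prefixes, private-use AS numbers), and the function names are illustrative.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the holder signed for
    max_length: int  # longest prefix length the origin may announce
    asn: int         # AS authorised to originate it (AS0 = nobody)

# Constructed ROA set, not real registry data.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]

def validate(announced: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as valid, invalid or not-found."""
    route = ipaddress.ip_network(announced)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA only applies if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the right origin AND a prefix no longer than max_length.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but unmatched is a hijack or leak candidate; uncovered is unknown.
    return "invalid" if covered else "not-found"

def enforce(announcements):
    """Keep what an enforcing network would accept: everything except invalid."""
    return [a for a in announcements if validate(*a) != "invalid"]

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),     # legitimate origin
    ("203.0.113.0/24", 64666),     # wrong origin AS
    ("203.0.113.128/25", 64500),   # more specific than max_length allows
    ("2001:db8:1::/48", 64501),    # within max_length
    ("2001:db8:1:1::/64", 64501),  # too specific
    ("198.51.100.0/24", 64502),    # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<20} AS{asn:<6} {validate(prefix, asn)}")
```

A network that does not enforce accepts all six routes, including the wrong-origin and more-specific ones; an enforcing network drops those three and keeps the rest.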

I tested this with Mullvad’s WireGuard servers and here are all the server providers whose servers all implemented BGP safely according to the tool @SkewedZeppelin linked.

  • All 31173 servers that are also all Mullvad-owned.
  • Both iRegister servers in Albania.
  • Both PrivateLayer servers in Switzerland.
  • All techfutures servers in Canada.

3 Likes

To add on to the findings by @Critical_Crab5543 about safe BGP implementations, here are the providers hosting Mullvad servers in the United States that pass the Cloudflare test that @SkewedZeppelin linked.

  • Quadranet (except the Miami, FL servers)
  • HostRoyale

At the time of this post, the Detroit, MI servers are hosted by just HostRoyale, and the Secaucus, NJ servers are hosted by just Quadranet.

(I’m pointing this out since the Mullvad Android app does not yet allow you to filter servers by providers, so connecting to the two cities noted above will ensure you’re connecting to BGP-safe servers.)

Edit: With Mullvad’s 2024.1 release, it now allows you to filter servers by providers.

3 Likes

Thank you for reporting your findings. I only added server providers whose servers all implement BGP safely, so I didn’t include either Quadranet or HostRoyale because some of their servers didn’t do that, unfortunately.

1 Like

Ah, you’re right. I amended my post to emphasize that my list covers just the U.S. (which has higher server density than other countries Mullvad serves) and to note the exception I found for Quadranet after more comprehensive testing. (All HostRoyale servers in the U.S. pass the test, but those in the U.K. don’t.)

1 Like

Probably best for users to reach out to their provider of choice and ask for client filtering support as opposed to manually checking.

Although I appreciate your testing efforts @Critical_Crab5543 & @Redoomed.

4 Likes

Following up on OP’s questions: does it matter if you’re connecting to servers based in 5/9/14-eyes countries? and in case of multihop how does this affect the choice of entry and exit servers respectively?

In my own case, I am asking for EU countries (incl Swit). Is it good to choose Switzerland because they are strong on privacy? Germany is also strong on privacy but it’s 14-eyes, right? Should it be avoided if a better country is available (and close enough)? Or is it ok to choose Germany for entry (because the connection is encrypted) but not for exit?

1

We did away with the “eyes” nonsense some time ago, because it’s only one treaty of many. Many countries also do invasive surveillance nowadays.

1a

In the case of VPN servers, well just because the company doesn’t reside in X country doesn’t mean that government isn’t monitoring what exits/enters their servers.

That’s why the whole “eyes” thing in regard to VPN servers makes no sense whatsoever.

1b

VPN providers love to use “eyes agreements” in their marketing material - but this I feel is pointless. They shouldn’t be keeping any data, so there shouldn’t be anything to hand over.

2

The “eyes” agreement is not the only intelligence gathering agreement out there, and depending on where an individual lives it actually might be of minimal importance. For example if you were living in a dictatorship your local state is likely to be a much higher priority on your list than a distant country who passively observes.



Link to comment: Plan to set up custom domain + Proton Family for more privacy - #11 by dngray

3 Likes

Thanks for the reply. Then let’s put the eyes thing aside: any reason to prefer one country over another for privacy reasons? (meaning aside from the proximity criterion)

1 Like

Some countries might have better laws and a stronger judicial system in regard to protecting user privacy, that’s really about it.

Ok. When I hear that, I think Switzerland (although not EU), Germany and Scandinavian countries. Is that a somewhat fair assessment?

Pretty much. Stick to products which provide E2EE and trust-less systems when possible.

Sure. VPN is already chosen and is one of the ones recommended by PG, so it’s not about choosing the VPN but the servers.

On Mullvad, in order to get performance needed for wifi calling via JMP.chat, I use librespeed.org to identify servers that are faster than others and regional to me. At most Mullvad locations, there are usually 1-2 servers much faster than the others. The slowest Mullvad servers won’t always work for wifi calls.