2020.3

This release is identical to 2020.3-beta1, see that change log for all changes since last stable release.

2020.3-beta1

Security

• Fix stack overflow caused by WireGuard key rotation timers. When the daemon crashed it was
  restarted automatically. But it did not connect (depending on settings), leaving a leak.

2020.2

This release is identical to 2020.2-beta1, see that change log for all changes since last stable release.

2020.2-beta1

Added

• Add reconnect button to the desktop app.
• Add monochrome option for the tray icon on Windows and Linux.
• Show OS notification when account is close to expiry on desktop platforms.
• Warn users running old app versions when creating problem report.

Android

• Add option to enable or disable local network sharing.
• Show account history in login fragment

Changed

• Change project copyright and company name from Amagicom AB to Mullvad VPN AB
• Only reconnect when settings change if a relevant tunnel protocol is used.
• Adjust padding of tray icon on Windows and Linux to better match other icons.
• Change the zoomlevel of the map in the desktop app to make it less zoomed in.
• Bundle new API IP with the app (Old: 193.138.218.73, new: 193.138.218.78)

Removed

• Remove city/country labels on map in the desktop app.

Fixed

• Fix app sometimes getting stuck in connecting state when using WireGuard.

Android

• Fix crash when removing the service from foreground on Android versions below API level 24.
• Fix crash that happened in certain situations when retrieving the relay list.
• Fix crash caused by initialization race condition.

Windows

• Fix "exhausted namespace" installation error on some non-English systems.

Security

• Stop DNS leak that could happen on all desktop platforms if "Local network sharing" was enabled
  and the device had a default DNS resolver on the local private network. The leak could happen
  during these states: While connecting, when blocked due to an error happening and when
  disconnected if the "block when disconnected" setting was enabled.
  This issue has been present on all previous versions of the app.

Windows

• Prevent DNS leak that could happen while connected if "Local network sharing" was enabled
  and the device had a default DNS resolver on the local private network. This issue was
  only present in the 2020.1 release.

2020.1

This release is identical to 2020.1-beta1, see that change log for all changes since last stable release.

2020.1-beta1

Added

• Add translations for Finnish and Danish.
• Copy WireGuard key when clicking on it.

Windows

• Sign all binaries in the app instead of just the installer.

Changed

• Increase OpenVPN ping timeout from 20 to 25 seconds. Might make working tunnels disconnect
  a bit less frequently.
• Use traffic data from WireGuard to infer connectivity, instead of continuously pinging.
  Should improve stability of the connection and reduce power use.
• Update wireguard-go to v0.0.20200121
• Remove WireGuard keys from accounts when they are removed from the local account history.
• Upgrade from Electron 6 to Electron 7.
• Disable WireGuard protocol option if there's no WireGuard key.

Android

• Wait for traffic to be routed through the tunnel device before advertising blocked state.
• Connect automatically if MullvadVpnService is started with an intent which
  has the android.net.VpnService action. Effectively, this should enable
  Always On behavior on Android versions where it's supported.
• Allow notification to be dismissed when the UI is not shown and the tunnel is disconnected.

Windows

• Use a branded TAP driver for OpenVPN to prevent conflicts with other software and solve issues
  related to driver upgrades. Also use the NDIS 6 driver on Windows 7.
• Be more aggressive when installing routes, in effect taking ownership of existing duplicate route
  entries. This allows the daemon to initialize properly even if a previous instance did not have a
  clean shutdown.

Fixed

• Don't try to replace WireGuard key if account has too many keys already.
• Fix bogus update notification caused by an outdated cache.
• Fix layout issues when showing messages in WireGuard key view.
• Fix translation of "System default" after selecting "System default" in language settings.

Windows

• Fix regression due to which a TAP adapter issue was not given as the specific block reason when
  the tunnel could not be started.
• Fix occasional failure to shut down the old daemon process during installation by killing it if
  necessary.
• Make WireGuard work with IPv6 enabled even if there is no functioning TAP adapter for OpenVPN.
• Restart daemon when coming back from system hibernation with terminated user session, since
  it's perceived as a cold boot from the user's perspective, so the app should act accordingly.
• Change the optimization level for releases from the default value to s, as a temporary fix for
  the system service crashing on Windows for newer CPU models.

Android

• Fix notification message to not show null version when version check cache is stale right
  after an update.
• Fix null pointer exception when connectivity event intent has no network info.
• Fix fast loop trying to fetch location and preventing the device from sleeping. This should
  improve battery life in some cases.
• Fix crash when starting the app right after quitting it.
• Restart background service if it stops responding.
• Fix crash when VPN permission is revoked, either manually or by starting another VPN app.
• Fix crash caused by local JNI reference table overflow after running for a long time.
• Dismiss notification after service has stopped.
• Don't show missing connectivity error message in WireGuard key management screen if a
  reconnection is expected to happen.
• Fix showing new key as invalid immediately after regeneration.

Linux

• DNS management with static /etc/resolv.conf will now work even when no
  /etc/resolv.conf exists.

Security

• Add automatic key rotation for WireGuard (every 7 days by default). This limits the potential
  for an attacker to correlate traffic with a public key and identity, and reduces the harm of
  software that might leak the private tunnel IP (since it is no longer fixed).

Windows

• Stop OpenVPN from loading C:\etc\ssl\openssl.cnf on start. This file was being loaded when an
  OpenVPN tunnel was being created. Any user could create the file, and the process loading it runs
  as the SYSTEM user. Since the config file allows loading arbitrary code, it was an attack vector
  allowing local unprivileged users to run code as SYSTEM.

macOS

• Limit macOS firewall rules to only allow UDP packets in the rules meant to enable being a DHCPv4
  server when local network sharing is enabled.

2019.10

Fixed

• Fix improved WireGuard port selection

Windows

• Register 'NSI' service as a dependency of the daemon service.
• Set daemon service SID type as 'unrestricted'.
• Properly tear down routes after disconnecting from WireGuard relays.
• Fix bug that prohibited WireGuard from working over port 53.

Security

Linux

• Stop CVE-2019-14899 by dropping all packets destined
  for the tunnel IP coming in on some other interface than the tunnel.

The rest is identical to 2019.10-beta2, see that change log for all changes since last stable release.

2019.10-beta2

Added

• Add mullvad relay set tunnel-protocol subcommand to the CLI to specify what tunnel protocol
  to use.
• Add mullvad reconnect subcommand to the CLI to make the app pick a new server and reconnect.

Windows

• Full WireGuard support, GUI and CLI.
• Install Wintun driver that provides the WireGuard TUN adapter.
• Remove Mullvad TAP adapter on uninstall. Also remove the TAP driver if there are no other TAP
  adapters in the system.

Android

• Add connectivity status check. Stopping the app from sitting in a reconnect loop while the
  device is offline.

Changed

• Notifications shown when connecting to a server include its location.
• Upgrade OpenVPN from 2.4.7 to 2.4.8.
• Upgrade OpenSSL from 1.1.1c to 1.1.1d.
• When using WireGuard without specifying a specific relay port, port 53 will be used after 2
  failed connection attempts for 2 out of 4 each successive connection attempts

Windows

• Use a larger icon in notifications on Windows 10.
• Only update DNS settings if updating would change the effective settings. This is a work-around
  to avoid invoking netsh unnecessarily and getting stuck in associated hangs.
• Don't restart the service immediately if it aborts several times in a row. Leave a window of ten
  minutes to allow for addressing the issue.
• Upgrade libsodium from 1.0.17 to 1.0.18.
• Upgrade NDIS 6 TAP driver from 9.21.2 to 9.24.2.

Fixed

Linux

• Improve stability on Linux by using the routing netlink socket in its own thread.
• When trying to use resolvconf for managing DNS, the daemon will check if
  dnsmasq is running and misconfigured.
• Improve stability on Linux by simplifying route management code.

Windows

• Detect removal of the OpenVPN TAP adapter on reconnection attempts.
• Improve robustness in path environment variable logic in Windows installer. Handle the case
  where the registry value type is incorrectly set to be a regular string rather than an expandable
  string.
• Fix suspend and resume issues with OpenVPN by upgrading the TAP driver.
• Minor adjustment in online/offline detection logic. This change addresses misbehaving drivers
  that report the adapter flags incorrectly.

Android

• Don't try to fetch location when the app knows that it has no connectivity. This should reduce
  wake-ups (improving battery life) and also fix very large log files consuming storage space.
• Fix crash when a new version event is received while the app is in the main screen.

Security

• Force OpenVPN to use TLS 1.2 or newer, and limit the TLS 1.3 ciphers to only the strongest ones.
  The Mullvad servers have never allowed any insecure ciphers, so this was not really a problem.
  Just one extra safety precaution.

2019.10-beta1

This release is for Android only.

Added

Android

• Use authenticated URLs to go to wireguard key page on website.
• WireGuard key fragment has been made more similar to its desktop counterpart.

Fixed

• Fix bad file descriptor errors caused by sending a file descriptor between the daemon and the
  wireguard-go library.
• Recreate tun device after a fixed number of connection attempts on the same tun device. Breaks
  infinite reconnection loops on broken tun devices.

2019.9

Added

• Add ability to submit vouchers from the CLI.

Linux

• Add a symlink for mullvad-problem-report directly in /usr/bin. So the tool is available.

Windows

• Install the OpenVPN certificate to avoid the TAP adapter driver installation warning on
  Windows 8 and newer.

Changed

Windows

• Rename the problem-report tool to mullvad-problem-report.

Fixed

• Fix Norwegian (Bokmal) language detection.
• Fix missing localizations when formatting date and time in Norwegian (Bokmal).
• Use authenticated URL to go to account page from expired account view.

macOS

• Remove mullvad and mullvad-problem-report symlinks from /usr/local/bin on uninstall.

The rest is identical to 2019.9-beta1, see that change log for all changes since last stable release.