Not particularly pleased about the decision when OpenVPN is the most supported protocol.
Meanwhile their competitor IVPN even does IPsec.
I assume this is because, in addition to the missing ciphers as referenced in the linked article, OpenVPN, even though it uses TLS, initially uses a very identifiable handshake before initiating TLS, which is not hard to block. I have personally had problems specifically with OpenVPN being targeted/blocked in this way.
WireGuard is not difficult to block either; it’s not designed to be hidden. China, Russia, etc. learned long ago how to detect and block it. The only semi-reliable way to bypass sophisticated VPN blocking techniques is to use protocols that mask as regular HTTPS traffic (and self-host it, since well-known public VPNs will of course be dealt with by simply blocking packets to their IP addresses).
But why disable it for the people who can use it? Unless there’s a security implication to the handshake?
And I specifically had luck with OpenVPN TCP on port 443 on a network which DPI-blocked WireGuard.
Yeah, OpenVPN is often used for business reasons (e.g. by remote workers), so it’s usually not blocked wholesale, only throttled (and known public VPN providers are blocked via blacklisting their endpoints’ IP addresses). WireGuard meanwhile is used much more rarely, so there is less fallout from blocking it completely.
Yeah, every network may do things differently… in my case tcp/443 OpenVPN is blocked at several places that I frequent.
I find when using Mullvad a lot of sites are blocked vs other VPNs. Are all their IPs on a blacklist somewhere?
I find frequently switching works well. It’s a bit of effort, but I have a small list of countries that work best with certain websites.
Yes, that was the technique used by Interpol to get Mullvad to comply with a CSAM investigation. The terms were “give us user information or drop port forwarding unless you wanna remain on a global blacklist” and Mullvad chose to drop port forwarding.
And remained on a blacklist anyway.
Not in the slightest. Web accessibility using Mullvad before and since has tracked the ongoing trend of websites blocking VPN services, and almost all their endpoint IPs have rolled over since then.
In my own experience, sites that weren’t blocking Mullvad before and were blocking during the CSAM investigation aren’t blocking now. That’s because the blocking was mostly happening at the CDN level.
They didn’t remain on the blocklist, but the web is becoming hostile to VPN IPs. One way around this is by using a web proxy defined in your browser’s settings.
Well that’s annoying. When using it with Gluetun, I’m not sure I can even use WireGuard there.
I used Mullvad wire Gluetun for about a year without issues. I’m pretty sure it’s just a simple config difference.
Maybe, but I’m using Gluetun’s API too (which is very badly documented), and it seems to me some of the endpoints only work for OpenVPN. But I’ll have to look into it properly.
Ah, no idea about that then
Why this change?
Mullvad stated years ago that “WireGuard is the future” because it supports different cryptographic primitives that they prefer to what OpenVPN supports, it uses fewer lines of code, which makes implementations less prone to errors, and it has a different architecture that reduces the risk from certain kinds of cryptographic attacks.
At least, that’s what they claimed back in 2017. It seems they still believe that WireGuard is better than OpenVPN now, but I don’t know if they have any more reasoning beyond what they wrote about in 2017 as to why.
Thank you for the reply!
Did you read the article?
AirVPN is also really good. Plus they have static port forwarding. And very easy flipping of OpenVPN to WireGuard.
Anyone know alternative VPNs that also include HTTP or SOCKS proxies?