Server list updated with provider and ownership
Our server list has been updated to contain the following two major additions:
- Provider - The name of the hosting provider that we rent the server or server space from
- Ownership - A flag describing if Mullvad owns or rents the server
With the updated server list in place, you as a customer can make a more informed decision about which server(s) you want to use. At the moment we have two kinds of servers: servers that we rent and hardware that we own ourselves.
Before we go into details about these two kinds of servers, it's important to understand that for all VPN servers we use encryption to secure their data. You cannot simply unplug a server and boot it up and mount the disk to copy any keys, unless you know the encryption passwords. The encryption passwords are only known and accessible to relevant Mullvad staff. Furthermore, each server has unique encryption passwords, as well as certificates and private keys for their VPN tunnels. This means that in the unlikely event that any of these were to be extracted from a server, they would only affect that one individual server.
Ownership
Rented servers
We rent dedicated servers only. No virtual servers. In order to ensure sound and secure deployment procedures we always perform hardening and sanity checks on all servers before provisioning our own software and letting customers connect to them.
Remote management software (IPMI/iLO/iDRAC/KVM)
- If the server has remote management, it should be on a dedicated port only accessible via or by the hosting provider and not available on the public Internet.
- We recheck our configurations regularly to ensure that no public addresses are attached to our IPMI interfaces.
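One way to automate the recheck described in the list above, as an added example that is not Mullvad's own tooling: it parses the output of `ipmitool lan print` for each host and flags any BMC address that is not inside the dedicated management network. The management subnet, host names and sample outputs are constructed assumptions.

```python
import ipaddress
import re

# Assumption: all BMC/IPMI interfaces must sit inside these management networks.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed samples in the "Field : value" layout of `ipmitool lan print`.
SAMPLES = {
    "srv-a": "IP Address Source       : Static Address\n"
             "IP Address              : 10.20.3.7\n"
             "Default Gateway IP      : 10.20.0.1\n",
    "srv-b": "IP Address Source       : DHCP Address\n"
             "IP Address              : 203.0.113.10\n",
    "srv-c": "IP Address Source       : Static Address\n"
             "IP Address              : 0.0.0.0\n",
    "srv-d": "Set in Progress         : Set Complete\n",
}

# Matches only the "IP Address" field, not "IP Address Source" or the gateway.
FIELD = re.compile(r"^IP Address\s*:\s*(\S+)\s*$", re.MULTILINE)

def bmc_address(lan_print):
    """Return the BMC address from the output, or None if absent or malformed."""
    match = FIELD.search(lan_print)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def classify(lan_print):
    addr = bmc_address(lan_print)
    if addr is None:
        return "unknown"          # fail closed: no readable address is a finding
    if addr.is_unspecified:
        return "unconfigured"     # 0.0.0.0: LAN channel not set up
    if any(addr in net for net in MGMT_NETS):
        return "ok"
    return "outside-mgmt"         # includes any publicly routable address

def audit(outputs):
    """Map each host that needs attention to its finding."""
    results = {host: classify(text) for host, text in outputs.items()}
    return {host: status for host, status in results.items() if status != "ok"}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLES).items()):
        print(f"{host}: {status}")
```

Checking against an allowlist of management networks, rather than only testing whether an address is publicly routable, also catches a BMC that has picked up an address on the wrong internal network.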
On which level and for what purposes do external parties have access to rented servers?
Hosting providers do the initial operating system installations (most often through the remote management software); after that we remove their access from the server. After this they may have access to the remote management software of the servers, so that they may aid in rebooting and reinstalling faulty servers, but they have no direct access to the operating system or the software running on the server itself.
Mullvad's own servers
Remote management software (IPMI/iLO/iDRAC/KVM)
On our own servers, remote management resides behind bastion hosts (a special-purpose computer on a network specifically designed and configured to withstand attacks). In order to use the remote management software on these servers you first have to connect to a bastion host. Apart from requiring access through a bastion, each server has its own specific network port for remote management that resides on a LAN that is separate from the rest of the network. Some hosting providers have KVMs that they can enable if we ask them to, if the remote management should for some reason be unavailable.
On which level and for what purposes do external parties have access to our own servers?
For hosting providers where we host our own servers, most of the time we troubleshoot, reinstall or do initial operating system installation ourselves through the remote management behind the bastion. On a few occasions, hosting providers may be asked to troubleshoot hardware issues or reinstall servers that are not working as intended, but in contrast to providers of rented servers, they will either have to enable and use their KVM (if available) or physically plug themselves into the server.
The hosting provider 31173
We place a special focus on network performance and connectivity for all servers hosted at 31173’s locations. We actively invest time into making sure the network runs well, and that locations are connected to each other by fiber wavelengths. For instance, there are wavelengths from Amsterdam to Malmö, London, and Frankfurt to improve performance and reduce latency, and also to ensure that users' traffic can travel as far as possible within 31173’s network without using other network providers.
Future management of servers
The management software provided by computer manufacturers is closed source and riddled with bugs and security vulnerabilities. Therefore we are active in these two projects: