{"id":17288,"date":"2026-05-20T08:44:41","date_gmt":"2026-05-20T15:44:41","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17288"},"modified":"2026-05-20T08:44:41","modified_gmt":"2026-05-20T15:44:41","slug":"exit-ip-fingerprinting-between-vpn-servers","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/05\/20\/exit-ip-fingerprinting-between-vpn-servers\/","title":{"rendered":"Exit IP Fingerprinting Between VPN Servers"},"content":{"rendered":"\n<p>Something to be aware of depending on your threat model.<\/p>\n\n\n\n<p><a href=\"https:\/\/mullvad.net\/en\/blog\/2026\/5\/20\/exit-ip-fingerprinting-between-vpn-servers\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/mullvad.net\/en\/blog\/2026\/5\/20\/exit-ip-fingerprinting-between-vpn-servers<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_3b888424-92ac-432f-92f8-a7561493e1b6\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p>On Friday the 15th of May, we <a href=\"https:\/\/tmctmt.com\/posts\/mullvad-exit-ips-as-a-fingerprinting-vector\/\" target=\"_blank\" rel=\"noreferrer noopener\">became aware<\/a> of a fingerprinting issue affecting Mullvad users.<\/p>\n\n\n\n<p>When a user switches from one VPN server to another, this sometimes makes it possible for services such as websites to confidently guess that the same user that connected from the new VPN server is the one that connected from the previous VPN server.<\/p>\n\n\n\n<p>This does not reveal the identity of the user. 
It can however reveal the fact that someone that previously connected from one VPN server has now connected from another VPN server.<\/p>\n\n\n\n<p>Fingerprinting is telling devices apart by looking at properties that make them unique or close to it. Fingerprinting is a problem in many domains. The Mullvad Browser and <a href=\"https:\/\/mullvad.net\/en\/vpn\/daita\" target=\"_blank\" rel=\"noreferrer noopener\">DAITA<\/a> are examples of protections against fingerprinting in <a href=\"https:\/\/mullvad.net\/en\/browser\/things-to-look-for-when-choosing-a-browser\" target=\"_blank\" rel=\"noreferrer noopener\">web browsers<\/a> and traffic analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it works<\/h3>\n\n\n\n<p>Each VPN server has many users. For both IPv4 and IPv6 every user will be assigned one exit IP address on the server from which the user&#8217;s traffic will be sent out to the internet. There are technical limitations to how many users can use the same exit address, which is why servers have a range of several exit addresses. Each user device has a unique WireGuard key used to encrypt the connection. There is also an internal tunnel address that is usually but not always correlated with the user\u2019s WireGuard key.<\/p>\n\n\n\n<p>The issue arises when connecting to different VPN servers with the same internal tunnel address. Then the user is likely to be assigned an exit address with the same relative position in each VPN server&#8217;s range of exit addresses. 
If for example this is 40%, then it will be an exit address about 40% into the range on all VPN servers.<\/p>\n\n\n\n<p><strong>Server A<\/strong><\/p>\n\n\n\n<p>1.1.1.1<br>1.1.1.2<br>1.1.1.3<br>1.1.1.4 <strong>&lt;&#8211;<\/strong><br>1.1.1.5<br>1.1.1.6<br>1.1.1.7<br>1.1.1.8<br>1.1.1.9<\/p>\n\n\n\n<p><strong>Server B<\/strong><\/p>\n\n\n\n<p>2.2.2.101<br>2.2.2.102<br>2.2.2.103<br>2.2.2.104 <strong>&lt;&#8211;<\/strong><br>2.2.2.105<br>2.2.2.106<br>2.2.2.107<br>2.2.2.108<br>2.2.2.109<\/p>\n\n\n\n<p>Usually, lots of users are assigned to every exit address so this will not provide certainty but in many cases good guesses can be made.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What should I do?<\/h3>\n\n\n\n<p>Depending on your threat model, you only need to change your behavior if you change VPN servers specifically to stop the ability to link what you do on one server to what you do on another. In this case, our recommendation would be to log out and log in again in the Mullvad app if switching servers. This will regenerate the WireGuard key and change the internal IP address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is being done<\/h3>\n\n\n\n<p>Going forward, our new method to assign which exit IP addresses someone is using on one VPN server will give no information on which exit address is used on another VPN server, or by another user on the same server. This change is currently being tested and is planned to start being rolled out to our VPN servers in the coming weeks. Progress updates will be available <a href=\"https:\/\/mullvad.net\/help\/exit-ip-vpn-servers-mitigation-rollout\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Something to be aware of depending on your threat model. https:\/\/mullvad.net\/en\/blog\/2026\/5\/20\/exit-ip-fingerprinting-between-vpn-servers On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. 
When a user switches from one VPN server to another, this sometimes makes it possible for services such as websites to confidently guess that the same user that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17288","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17288"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17288\/revisions"}],"predecessor-version":[{"id":17289,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17288\/revisions\/17289"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}