Exit IP fingerprinting between VPN servers


May 20, 2026 News Privacy

On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users.

When a user switches from one VPN server to another, this sometimes makes it possible for services such as websites to confidently guess that the same user that connected from the new VPN server is the one that connected from the previous VPN server.

This does not reveal the identity of the user. It can however reveal the fact that someone that previously connected from one VPN server has now connected from another VPN server.

Fingerprinting is telling devices apart by looking at properties that make them unique or close to it. Fingerprinting is a problem in many domains. The Mullvad Browser and DAITA are examples of protections against fingerprinting in web browsers and traffic analysis.

How it works

Each VPN server has many users. For both IPv4 and IPv6, every user will be assigned one exit IP address on the server from which the user's traffic will be sent out to the internet. There are technical limitations to how many users can use the same exit address, which is why servers have a range of several exit addresses. Each user device has a unique WireGuard key used to encrypt the connection. There is also an internal tunnel address that is usually but not always correlated with the user's WireGuard key.

The issue arises when connecting to different VPN servers with the same internal tunnel address. Then the user is likely to be assigned an exit address with the same relative position in each VPN server's range of exit addresses. If for example this is 40%, then it will be an exit address about 40% into the range on all VPN servers.

Server A

1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4

Server B

2.2.2.101
2.2.2.102
2.2.2.103
2.2.2.104

Usually, lots of users are assigned to every exit address so this will not provide certainty but in many cases good guesses can be made.
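The following toy model is an added illustration, not Mullvad's code or its actual assignment algorithm. It assumes a hypothetical assignment where the position in the exit range depends only on the internal tunnel address, and compares it with an assumed alternative that mixes in a per-server secret; pool sizes, tunnel addresses and secrets are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed exit ranges: the article's illustrative addresses, widened.
POOLS = {
    "A": [ipaddress.IPv4Address("1.1.1.1") + i for i in range(100)],
    "B": [ipaddress.IPv4Address("2.2.2.101") + i for i in range(50)],
}
# Constructed per-server secrets, used only by the keyed variant.
SECRETS = {"A": b"constructed-secret-A", "B": b"constructed-secret-B"}

def _fraction(digest):
    """Map a digest to a relative position in [0, 1)."""
    return int.from_bytes(digest[:4], "big") / 2**32

def positional_exit(tunnel, server):
    """Toy model of the issue: position depends only on the tunnel address."""
    pool = POOLS[server]
    frac = _fraction(hashlib.sha256(tunnel.packed).digest())
    return pool[int(frac * len(pool))]

def keyed_exit(tunnel, server):
    """Assumed alternative: a per-server secret decorrelates the positions."""
    pool = POOLS[server]
    mac = hmac.new(SECRETS[server], tunnel.packed, hashlib.sha256).digest()
    return pool[int(_fraction(mac) * len(pool))]

def relative_position(exit_ip, server):
    """How far into the server's exit range an address sits (0.0 to 1.0)."""
    pool = POOLS[server]
    return pool.index(exit_ip) / len(pool)

def linkable_fraction(assign, devices=2000, tolerance=0.015):
    """Share of devices whose relative position on A matches the one on B."""
    base = ipaddress.IPv4Address("10.0.0.1")  # constructed tunnel addresses
    hits = 0
    for i in range(devices):
        tunnel = base + i
        pos_a = relative_position(assign(tunnel, "A"), "A")
        pos_b = relative_position(assign(tunnel, "B"), "B")
        hits += abs(pos_a - pos_b) <= tolerance
    return hits / devices

if __name__ == "__main__":
    print("positional:", linkable_fraction(positional_exit))
    print("keyed:     ", linkable_fraction(keyed_exit))
```

In the positional model every device keeps its relative position across both servers, while in the keyed model only the small share expected by chance does.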

What should I do?

Depending on your threat model, you only need to change your behavior if you change VPN servers specifically to stop the ability to link what you do on one server to what you do on another. In this case, our recommendation would be to log out and log in again in the Mullvad app if switching servers. This will regenerate the WireGuard key and change the internal IP address.

What is being done

Going forward, with our new method for assigning exit IP addresses, the address someone is using on one VPN server will give no information on which exit address is used on another VPN server, or by another user on the same server. This change is currently being tested and is planned to start being rolled out to our VPN servers in the coming weeks. Progress updates will be available here.
