Welcome to The Privacy Dad's Blog!

Paying for Mullvad VPN Anonymously with Monero

Last updated 12 January 2025

In today's post I will describe my experience with Mullvad VPN. While I will attempt to explain what a VPN does, detailed explanations will be left to the experts.

I will also describe how payment for a Mullvad subscription can be done with Monero (XMR), which makes using Mullvad VPN entirely anonymous, as it does not require an email address, username or password.

Paying for Mullvad VPN by normal means, then downloading and using the Mullvad app, is easily achieved; paying for the subscription with an anonymous digital currency requires a bit more know-how.

What is a VPN?

My best explanation is that using a VPN is like having a private fiber optic cable between your device at home (or in a restaurant, hotel, or at work or school) and a computer somewhere else in the world, which is managed by your VPN provider.

While the cable always starts at your device, its end point can easily be moved between computers managed by the VPN provider in different locations worldwide.

Normally, all your web requests travel via your home network (or, if you are out, the hotel's, train's or airport's network) first. The manager of whatever network you are using can see the metadata of your requests. The request is then passed on to your ISP, who can also see the metadata, and then on to the wider web.

The content of your Internet interactions is mostly secure whether you use a VPN or not, because 90% or more of websites use HTTPS to encrypt that content while it is en route.

When using a VPN, the managers of local networks and your ISP can no longer see the details of your request. They do see that you are using the VPN.

The VPN provider will see the metadata of your request, as the cable ends with them, and they will pass it on from their own computers, so that the requested site information can be returned to you.[1]

A VPN enables us to hide metadata from the local network manager and the ISP, but we now have to trust the VPN provider instead; you end up having to trust someone either way.

Better explanations

I recently visited thenewoil.org in order to learn more about VPNs, and found this succinct paragraph helpful:

A VPN protects from local attackers. While most of the internet is encrypted, not all of it is, and unfortunately important websites like government websites are typically the worst offenders for this. While unlikely, public Wi-Fi is also susceptible to being spoofed or spied on, so a VPN can keep your traffic safe from a malicious or nosey admin. Even at home, your Internet Service Provider can see your traffic and legally can sell your browsing data to marketers or inject their own ads in some countries. A VPN also has the advantage of obscuring your IP address, which is an important piece of identifying information about you online, thus helping to protect your privacy. As a peripheral benefit, many VPN providers offer servers in multiple countries so you can bypass geographic content restrictions on sites like Netflix and YouTube.

It is interesting to note that The New Oil rates using a VPN as one of their 'less important' steps for achieving digital privacy.

Additionally, I found detailed information on the Electronic Frontier Foundation's site, specifically in these two articles "How to: Understand and Circumvent Network Censorship" and "Choosing the VPN That's Right for You". I recommend reading those.

Lastly, the first 15 minutes of this episode of the Firewalls Don't Stop Dragons podcast explains VPNs really well.

The sites I have consulted (see Documentation) agree that a VPN only protects your privacy in specific ways and should never be viewed (or advertised) as an all-in-one solution.

With that in mind, here are a few more points various privacy sources agreed on.

Commonly raised points

  1. VPN companies that promise total anonymity and/or security should not be trusted
  2. Using a VPN should be viewed as an additional measure for helping with privacy and security. Switching to a different browser and search engine, using a password manager and two-factor authentication, and regularly updating your systems are all examples of essential measures
  3. By using a VPN tool, you are switching who you trust: your local network manager and your Internet Service Provider (ISP), versus the company providing the VPN service
  4. Look for a 'no logging' VPN provider, but know that you will not be able to verify that this is actually happening
  5. While a VPN is in essence a product for user privacy, many large VPN companies will sell your data on to advertisers

Three top choice VPNs

The same three VPN providers are listed as the top recommendations across several reputable privacy sources (Seth for Privacy, The New Oil, Privacy Guides). These are, in no specific order:

  1. Mullvad VPN
  2. Proton VPN
  3. IVPN

These companies provide clear, good information about VPNs in general on their websites; it's worth having a read through their blogs and guides too.

Lastly, if you want a detailed comparison of specific VPN features, Techlore has a neat interactive VPN Toolkit.

Mullvad VPN

I have been using Mullvad VPN for about two years now. While many users will pay for a VPN in order to watch geo-blocked content (on Netflix, for example), I use it purely for privacy.

The few times I did try to use Mullvad to access geo-blocked streaming sites, it didn't work, so keep that in mind if privacy is not your main concern.

As a beginner, it is not difficult to get started with Mullvad.

Once you've paid for your subscription you can download a small program that will run in the background. It switches the VPN either on or off. You can install Mullvad VPN on up to five different devices; you do not need to be the owner of all of them.

Mullvad UI

Mullvad VPN desktop user interface

In the desktop app, you can toggle the VPN on or off. The attractive interface enables you to choose different end locations in the world, check your remaining subscription time, and toggle various technical settings.

Each Mullvad VPN installation has a randomly assigned name, like "Mellifluous Owl". As the subscriber, you can manage these instances. This is useful if you want to install Mullvad on a new device, for example your child's smartphone, but have used up all five installs.

Toggling the VPN on or off on a smartphone or tablet is just as easy; my children are comfortable using it.

On Windows or macOS you can update the software from within the interface or the store. On Linux, updates may require extra steps, depending on how you've installed Mullvad.

Mullvad subscription and account number

A subscription with Mullvad comes at a flat rate of 5 euros (a little over 5 USD) per month, as advertised on the website (Mullvad are based in Sweden). Buying more months or years does not give you a reduction in price, but they haven't raised the price in over a decade.

On first purchase, I was surprised not to be asked for identifying information, such as an email address, a username and a password. Instead, Mullvad VPN works with an account number, which reminds me of the use of license keys in audio software. The website states:

A Mullvad account has two properties: the account number and the time remaining on that account.

The 'no logging' policy then lists specifically what information is not logged:

We log nothing whatsoever that can be connected to a numbered account's activity:

no logging of traffic
no logging of DNS requests
no logging of connections [...,] or any kind of timestamp
no logging of IP addresses
no logging of user bandwidth
no logging of account activity except total simultaneous connections (explained below) and the payment information detailed in this post.

Source: Mullvad No-logging data policy

I want to take a moment to consider the simplicity of this anonymous transaction mechanism. It makes me wonder: Why don't more companies sell digital products in this way? It is clearly possible.

In a physical shop, anonymous cash transactions are (still) accepted. When I buy gum, or a newspaper, I don't need to give the shopkeeper my name and address in order to take the item home. But in online commerce this type of anonymous transaction is so rare that when you see it in action, you're surprised it is even possible. I should not have to give up personal identifying information for the purchase of a digital product.

All it takes is a willingness on the part of the seller to stop asking for and storing user information just because they can. A user can always reveal their identity at a later point, should they need support with the product, for example. This is how it works for Mullvad subscribers.

Combine Mullvad's account number system with the anonymity that comes with physical or digital cash, and you end up with a unique experience: a legal and fully anonymous transaction for a product that you can use.

Paying for Mullvad with Monero (XMR)

It is possible to go even further in terms of anonymity and pay for your Mullvad VPN subscription in hard cash. You have to send them an envelope with your account number and the cash, and your subscription will be extended. But it is also possible (less time-consuming, more reliable) to pay for your VPN subscription with digital cash.

I've written about Monero before. I became interested in Monero through privacy podcasts and articles.

Monero, or 'XMR', is a ledger-based digital currency. It is my understanding that only a handful of cryptocurrencies come close to providing the anonymity of a physical cash transaction, with Monero being one of those.

Monero has a vibrant community and a relatively long record of stable development. You can of course never tell, but, having spent a number of years following its development and participating in the communities, I feel confident Monero is not a scam.

I learned how to use Monero, and created digital wallets for myself and family members. During one of my restless tinkering spells, I set up a Monero mining rig on an unused computer, and it continues to run to this day, churning out symbolic fractions of XMR each week, if I am lucky.

The slow accumulation of mined XMR on that old computer is sometimes just enough to pay for another month's subscription with Mullvad.

It feels revolutionary to pay for a legal digital product without disclosing your identity, and with anonymous digital money that you've mined yourself.

Doing so proves to me that this type of payment model is viable, and therefore presents the possibility of a much better form of capitalism than the total surveillance nightmare we are nosediving into today.

If the anonymous consumer transaction experience were common, then I would have a practical use for Monero or any other private cryptocurrency. At the moment, however, it appears we are headed in the opposite direction. We'll be seeing the rollout of Central Bank Digital Currencies, probably in the near future, which are a form of digital cash that records every transaction.

Problems

I have experienced several issues using Mullvad VPN. Some of these are not Mullvad's fault, but depend on how organisations and companies perceive and respond to VPNs generally.

It seems like companies and governments worldwide are playing a cat-and-mouse game involving the creation, discovery and blocking of VPN servers, with streaming companies keen to stop people from trying to side-step subscription boundaries. It is a pity that a smaller, privacy-first company like Mullvad, whose VPN is not built for bypassing streaming services, ends up being blocked more often as a result of this geo-blocked content issue.

Conclusion

I wanted to share my personal experience with purchasing and using Mullvad VPN on different devices in and outside our home. Based on that, I would recommend using Mullvad.

I've also described what it feels like to conduct a cash-analogous, anonymous legal transaction when purchasing more months of VPN use with a digital currency like Monero. If you are interested in Monero, please check these posts.

I enjoyed learning more about how VPNs work in preparation for writing this article. I will link the sites I found helpful below. I have also added an addendum about a specific local area network attack called 'TunnelVision.'

I am not sure my research has made me any wiser about their practical use. Credible privacy guides and advocates include lots of caveats when discussing the relevance of VPNs, and some clearly label using a VPN as a secondary or tertiary measure. After reading about TunnelVision, I am not even sure VPNs really can protect you on networks in hotels, libraries and so forth, though I'm told this type of attack should be rare.

I will continue to use Mullvad and see where the VPN story goes, and I want to keep experiencing the joy of fully anonymous transactions. I love that Mullvad VPN have forgone the possible benefits to them of keeping track of their customers.

I hope more products and platforms will follow Mullvad's lead and stop requiring user information and data, just because they can. If this type of transaction were to become more mainstream, it could lead to a healthier Internet and society.

A special thanks goes to Nathan from The New Oil for taking the time to respond to my questions and help me better understand VPNs. Check out this, and other information on The New Oil.

Addendum: TunnelVision Local Area Network Attack

If you want to skip this section, the links are under Documentation at the bottom.

For a comprehensive explanation of the TunnelVision attack, I recommend listening to this interview with the researchers involved on the Firewalls Don't Stop Dragons podcast.

I got quite deep into the woods in my research and preparation for this article. Right before finishing it, I learned about the "TunnelVision Attack", described in a report published by security researchers Lizzie Moratti and Dani Cronce in May 2024. I found the report via the EFF article about choosing a VPN I mentioned earlier.

While some of the technical details and diagrams are beyond my understanding, the report is incredibly well written, making the overall case easy to follow.

Moratti and Cronce describe a specific type of attack that can be done on local networks (bar, library, work, home, hotel, etc.) which bypasses the VPN tunnel without the user or the software realising anything is wrong.

The researchers emphasise this as an important discovery (and a vulnerability that could have been known as far back as 2002) precisely because VPN companies advertise security and private web access on such local networks.

While they admit this type of attack could be rare, their aim in publishing the report is to hold VPN providers to account in terms of what they promise to paying users, for some of whom security and privacy may be crucial.

Nathan from The New Oil wrote to me explaining that, while this type of local network attack is known, he would still recommend using VPNs on local networks because the attack is unlikely. You'd have to be a targeted individual with a high threat model, like a journalist or an activist in a country where activism can lead to imprisonment or worse for someone to go through the trouble of that level of proximity attack (i.e. James Bond stuff). The EFF advises people with such threat models, which explains why they precede their article about VPNs with a warning box about the TunnelVision attack.

He also reiterated that turning on a VPN on your devices at home helps bypass your ISP, and that some ISPs might have commercial interests in your daily data and be subjected to less oversight than, for example, in places like the EU.

I have added this section as an addendum because, interesting as it may be, I don't feel qualified to comment. If you are interested, I recommend reading the report written by the researchers. It has some incredible diagrams, for starters, and is well written.

I have reached out to Moratti and Cronce about a specific possible scenario described in their report, namely "A rogue administrator owns the infrastructure themselves and maliciously configures it." In the podcast interview, they also point to this as the most likely form of TunnelVision attack regular users might encounter.

Given the number of dodgy hotels I have stayed in when I was younger, having a local area network administrator attempt to snoop on guests does not seem like an unlikely scenario. I have asked them if such an attack would have to be targeted at one specific individual, or if a malicious hotel administrator could do a TunnelVision attack on anyone on the local network using a VPN. I doubt they will have time to respond, but if they do, I'll update here.

They do point out in the interview that, on the whole, hackers are not as interested in metadata as they might be in the actual content of our online communications. Governments and advertisers, on the other hand, are.

The researchers mention that one mitigation against such local network attacks is to bypass the LAN and connect your laptop (with VPN) to a hotspot on your mobile device. An attacker on the same network would then not be able to snoop.

Android devices using a VPN are not vulnerable to TunnelVision attacks.

Mullvad has a page responding to the May 2024 report about TunnelVision. They write (emphasis mine):

We evaluated the impact of the latest TunnelVision attack (CVE-2024-3661) and have found it to be very similar to TunnelCrack LocalNet (CVE-2023-36672 and CVE-2023-35838).

We have determined that from a security and privacy standpoint in relation to the Mullvad VPN app they are virtually identical. Both attacks rely on the attacker being on the same local network as the victim, and in one way or another being able to act as the victim's DHCP server and tell the victim that some public IP range(s) should be routed via the attacker instead of via the VPN tunnel.

The desktop versions (Windows, macOS and Linux) of Mullvad's VPN app have firewall rules in place to block any traffic to public IPs outside the VPN tunnel. These effectively prevent both LocalNet and TunnelVision from allowing the attacker to get hold of plaintext traffic from the victim.

Android is not vulnerable to TunnelVision simply because it does not implement DHCP option 121, as explained in the original article about TunnelVision.

iOS is unfortunately vulnerable to TunnelVision, for the same reason it is vulnerable to LocalNet, as we outlined in our blog post about TunnelCrack. The fix for TunnelVision is probably the same as for LocalNet, but we have not yet been able to integrate and ship that to production.
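The two mechanisms in Mullvad's statement, a more specific route pushed by DHCP winning over the tunnel's routes, and a host firewall that refuses public-IP traffic outside the tunnel, can be made concrete with a small route-table check. The following Python script is an added example written for this post; it is not code from Mullvad, from the TunnelVision researchers, or from the original article. The `ip route` sample, the interface names (`tun0`, `wlan0`) and all addresses are constructed for illustration, and `policy_allows` is a simplified model of a kill-switch style firewall rather than Mullvad's actual rule set. It also models the 'local network sharing' switch mentioned in the Updates section below, which is why LAN destinations are blocked unless that flag is set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ip route show` on a Linux laptop: the VPN client
# installed 0.0.0.0/1 and 128.0.0.0/1 via tun0 (these out-rank the LAN's
# default route), and the LAN's DHCP server has pushed a classless static
# route (DHCP option 121) for 203.0.113.0/24 pointing at the LAN gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.0/24 via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""

# Simplified "not public" set: RFC 1918, loopback, link-local, multicast.
NON_PUBLIC = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]
    metric: int


def parse_ip_route(text: str) -> list[Route]:
    """Parse the dest/via/dev/metric fields of `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via, dev, metric, i = None, "", 0, 1
        while i < len(parts):
            key = parts[i]
            if key == "via":
                via = ipaddress.ip_address(parts[i + 1]); i += 2
            elif key == "dev":
                dev = parts[i + 1]; i += 2
            elif key == "metric":
                metric = int(parts[i + 1]); i += 2
            elif key in ("proto", "scope", "src", "table"):
                i += 2  # keyword with a value we do not need
            else:
                i += 1  # bare flags such as linkdown or onlink
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, via, metric))
    return routes


def lookup(routes: list[Route], dest: str) -> Optional[Route]:
    """Kernel-style selection: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def is_public(net: ipaddress.IPv4Network) -> bool:
    return not any(net.subnet_of(p) for p in NON_PUBLIC)


def find_leaks(routes: list[Route], tunnel_dev: str) -> list[Route]:
    """Non-tunnel routes that beat the tunnel for some public destinations."""
    tunnel_only = [t for t in routes if t.dev == tunnel_dev]
    leaks = []
    for r in routes:
        if r.dev == tunnel_dev or not is_public(r.prefix):
            continue
        cover = lookup(tunnel_only, str(r.prefix.network_address))
        if (cover is None or r.prefix.prefixlen > cover.prefix.prefixlen
                or (r.prefix.prefixlen == cover.prefix.prefixlen and r.metric < cover.metric)):
            leaks.append(r)
    return leaks


def policy_allows(routes: list[Route], tunnel_dev: str, dest: str,
                  local_network_sharing: bool = False) -> bool:
    """Model of a host firewall: public traffic only inside the tunnel,
    LAN traffic only when local network sharing is switched on."""
    route = lookup(routes, dest)
    if route is None:
        return False
    if route.dev == tunnel_dev:
        return True
    host = ipaddress.ip_network(dest + "/32")
    return local_network_sharing and not is_public(host)


if __name__ == "__main__":
    rts = parse_ip_route(SAMPLE_ROUTES)
    for r in find_leaks(rts, "tun0"):
        print(f"route leak: {r.prefix} via {r.via} dev {r.dev}")
    for dst in ("203.0.113.45", "198.51.100.7", "192.168.1.50"):
        print(dst, "->", lookup(rts, dst).dev, "allowed:", policy_allows(rts, "tun0", dst))
```

Running it reports the pushed 203.0.113.0/24 route as a leak (it is more specific than the tunnel's 128.0.0.0/1), shows that a packet to 203.0.113.45 would be routed over `wlan0` and not `tun0`, and shows the firewall model dropping that packet, which is the behaviour Mullvad describes for its desktop apps: the route still wins, but the plaintext never leaves the machine. Swap in real `ip route show` output to inspect your own table after joining an untrusted network.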

Updates

Local network permissions fix

Blogger Luke Martell showed me how to fix the issue I had of not being able to print on my local network with Mullvad VPN on. In settings, turn on 'local network sharing':

Local network sharing

This also fixed the SSH issue I described under Problems above.

Response from Lizzie Moratti about TunnelVision

Quoted with permission:

To answer your question, which was: In that scenario, would the attacker (perhaps a hotel network admin) need to have a specific target device in mind, or would they be able to snoop on all VPN connections routed through their LAN?

The answer is they do not need to have a specific target device in mind. Realistically, I would imagine the rogue admin would cast a wide net. It would be up to them to determine if they want to only target a specific user or set of devices, but that is completely optional albeit more complex.

Here are some technical reasons for why I think that:

  1. TunnelVision worked on nearly all operating systems* with the exception of Android, which does not implement DHCP option 121.

  2. The VPN client the victim is using does matter. There are some VPN providers who implement host firewall mitigations, in which case the information they are leaking is lessened. In this case, in a 'rogue hotel admin' scenario they would probably lose interest.*

  3. If the technique fails because of VPN client mitigations, the victim would lose internet connectivity unless they choose to not use their VPN. If they do so, then from the rogue admin perspective it would be the same as if they had been successful in using the technique. This also means that the TunnelVision technique against a mitigated VPN client renders them functionally unusable.

Footnotes:

  1. Linux devices are unique in having the capability to fully prevent TunnelVision from being exploited. In our experience, we did not find a single VPN provider that did configure their Linux client in the way WireGuard recommended. Our proof of concept video actually attacks the default install of WireGuard on Linux to demonstrate this. I also have a higher resolution version if you need it btw, the low resolution video was a mistake by Leviathan's marketing department that I was unable to get them to fix before I left.

  2. A nation state who theoretically is targeting a specific person might find value in even the lessened amount of information. This is possible and we have a PoC here but it's pretty in the weeds.

If you haven't come across it yet, Dani and I have a website we maintain here: https://www.tunnelvisionbug.com/ that might be helpful too.

Thank you,

Documentation

VPN Providers

Mullvad VPN

Proton VPN

IVPN

Mullvad's no logging policy

Privacy policy

No logging policy

General information about VPNs

The New Oil

Privacy Guides overview

Privacy Guides

Privacy Guides video

Techlore

Seth for Privacy

Windscribe's VPN relationships diagram (last updated 2023)

Electronic Frontier Foundation VPN

Electronic Frontier Foundation on network censorship

Electronic Frontier Foundation on choosing a VPN

Proton VPN articles

Mullvad VPN articles (scroll down for general articles)

IVPN privacy guides

TunnelVision attack

TunnelVision research report 6 May 2024

Firewalls Don't Stop Dragons podcast interview 30 Sep 2024

Difference between LAN and Wi-Fi was useful to me: Wi-Fi can be part of a LAN

Mullvad's response 6 May 2024

https://www.tunnelvisionbug.com/



[1] Everyone uses an ISP to connect to the Internet. I have written about mine here, and about what I discovered this company can see and even sell to third parties. I learned all this from reading all the fine print of the user privacy agreement, and requesting my profile from them.

#digitalprivacy #journey #medium #mullvad #review #tunnelvision #vpn