Mullvad’s new WireGuard implementation, GotaTun, has passed its first independent security audit.
The implementation is used in VPN apps for Android, and “no serious vulnerabilities were found.” Assured Security Consultants completed the audit in early 2026, and the tests covered most, but not all, of GotaTun v0.2.0.
Our WireGuard implementation, GotaTun, was recently reviewed by security consultants Assured Security. Two low severity issues identified were resolved prior to completion of the audit. No serious vulnerabilities were found. More details here: https://t.co/ouHlGhr8Jg. March 6, 2026
“No serious vulnerabilities found”
The GotaTun audit took place from January 19 to February 15, 2026, with the participation of Mullvad. The results were published on March 6, 2026.
DAITA, GotaTun CLI and “external dependencies” were not part of the audit. However, the rest of GotaTun v0.2.0 has been assessed by Assured Security Consultants.
The group stated that “GotaTun does not have any significant vulnerabilities” and two low severity issues were identified.
Most recommendations were addressed prior to publication of the audit findings, including those for the low severity findings. Mullvad said some of the items “do not require immediate attention.”
What were the results?
In GotaTun, 24 bits of the WireGuard session ID were static. The remaining eight were “a predictable counter that increased with each new session.” This differs from WireGuard’s own specification, which recommends generating a random 32-bit integer for each session.
Mullvad said this was inherited from BoringTun – the original WireGuard project in Rust – and has been patched to conform to the WireGuard specification. Mullvad said the issue “probably doesn’t provide much information to a passive observer” and is one of two “low” risk vulnerabilities.
The second low-risk vulnerability involved packet padding. According to the WireGuard specification, packets must be padded before encryption, and their length must be divisible by 16. Mullvad confirmed that it has updated its code “to always pad the payload before encrypting it.”
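The two low-severity findings above, as an added example (not code from GotaTun, BoringTun or the audit report): a Rust sketch that flags a run of session indices with the static-prefix-plus-counter layout described, draws a random 32-bit index instead, and pads a payload to a multiple of 16 bytes before encryption. All function names and sample values are constructed for illustration; the random index reads `/dev/urandom`, so a Unix-like system is assumed, and zero bytes are used as the padding value.

```rust
use std::fs::File;
use std::io::Read;

/// Fresh 32-bit session index from the OS CSPRNG, as the WireGuard
/// specification recommends (assumes a Unix-like /dev/urandom).
fn random_session_index() -> std::io::Result<u32> {
    let mut buf = [0u8; 4];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(u32::from_le_bytes(buf))
}

/// True when consecutive indices share their upper 24 bits and the low
/// byte increases by one each time: the layout the audit reported.
fn looks_like_static_prefix_counter(indices: &[u32]) -> bool {
    indices.len() >= 2
        && indices.windows(2).all(|w| {
            w[0] >> 8 == w[1] >> 8 && (w[1] as u8) == (w[0] as u8).wrapping_add(1)
        })
}

/// Zero-pad a plaintext payload to the next multiple of 16 bytes.
/// A payload already on a 16-byte boundary is left unchanged.
fn pad_to_16(payload: &[u8]) -> Vec<u8> {
    let padded_len = (payload.len() + 15) / 16 * 16;
    let mut out = payload.to_vec();
    out.resize(padded_len, 0);
    out
}

fn main() -> std::io::Result<()> {
    // Constructed sample: static 24-bit prefix 0xA1B2C3, 8-bit counter.
    let predictable = [0xA1B2C3_00u32, 0xA1B2C3_01, 0xA1B2C3_02];
    println!("predictable flagged: {}", looks_like_static_prefix_counter(&predictable));

    // Indices drawn from the OS CSPRNG should not match the pattern.
    let random: Vec<u32> = (0..3).map(|_| random_session_index()).collect::<Result<_, _>>()?;
    println!("random flagged: {}", looks_like_static_prefix_counter(&random));

    // A 21-byte payload pads to 32 bytes, hiding its exact length.
    println!("padded length: {}", pad_to_16(&[0u8; 21]).len());
    Ok(())
}
```

A check like `looks_like_static_prefix_counter` fits a regression test that collects the indices from several consecutive handshakes of the implementation under test.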
It was noted that “in most cases” GotaTun “incorrectly started sending packets to the new address” if the user’s IP address changed. Thus, it did not handle user roaming correctly.
Mullvad stated that this does not affect Mullvad VPN as its “servers never change IP addresses during an active WireGuard session.” However, the VPN provider decided that the problem was important enough to fix.
All Mullvad fixes are available in GotaTun v0.4.0. The VPN provider’s representatives said that after this audit they are “even more confident in the reliability of GotaTun.” Its deployment on other platforms is planned for 2026.
Mullvad posted full results of the GotaTun audit on its website.
