This release is for Android only.
Added
- Improve accessibility in the desktop app. UI elements now have the correct role
and are labeled to allow usage of a screen reader. - Add
--wait
flag toconnect
,disconnect
andreconnect
CLI subcommands to make the CLI wait
for the target state to be reached before exiting. - Navigate back to the main view when escape is pressed.
- Add support for custom DNS resolvers on Windows, macOS and Linux. For now only resolvers in the
local network will work properly.
Windows
- Add setting that unpins the window from the tray icon to let the user move it around freely.
Changed
- Never use DNS to get the IP to contact the Mullvad API over. Instead a list of IPs is bundled
with the app, and updates are fetched from the API itself. This list is then shuffled and used
to pick a way to reach the API. This avoids censored/fake DNS responses and increases the
likelihood to be able to talk to the API. - Remove WireGuard keys during uninstallation after the firewall is unlocked.
- Rename CLI subcommand
mullvad relay set relay
tomullvad relay set hostname
. - Upgrade OpenVPN from 2.4.9 to 2.5.0.
- Upgrade Electron from 8.5.2 to Electron 11.0.2.
- Upgrade wireguard-go to v0.0.20201118.
- Reduce logging about time outs when conneting to a WireGuard tunnel.
Android
- Remove the Quit button.
- Add button to remove account and WireGuard key from history in the login screen.
- Improve navigation in the app using a keyboard, so that touchless devices (like TVs) can be used
more smoothly. - Run app in landscape mode on TVs.
- Try to connect even if VPN permission is denied, so that the app shows an error message saying
that the VPN permission was denied.
Windows
- Fully uninstall the old app when performing a downgrade. This solves the problem of downgrades
not being able to migrate from something newer. For example it fully removes any blocking
firewall rules a newer app might have put in place. - Use Wintun instead of the OpenVPN TAP driver for OpenVPN.
Linux
- Increase NetworkManager device readiness timeout to 15 seconds.
- Set up routes for OpenVPN using our route manager instead of relying on OpenVPN to do it.
- Use rule-based routing and static routes. Avoids monitoring and duplicating the main routing
table into a separate table.
Fixed
- Fix missing map animation after selecting a new location in the desktop app.
- Fix crash on older kernels which report a default route through the loopback interface.
Android
- Fix connect action button sometimes showing itself as "Cancel" instead of "Secure my connection"
for a few seconds. - Fix the notification sometimes leaving the foreground and becoming dismissable even if the UI was
still visible. - Fix crash if connection to service is lost while opening the Split Tunneling settings screen.
- Fix rare crash that could occur when the tunnel state changes when showing or hiding the quick
settings tile. - Fix app starting by itself sometimes.
- Fix apps not being excluded from the tunnel sometimes if auto-connect was enabled.
- Fix crash that happened sometimes when closing the app or when requesting from the notification
or the quick-settings tile for the app to connect or disconnect. - Fix app showing that it was blocking connections when it wasn't when VPN permission was denied.
- Fix internet not working for a minute or two after changing Allow LAN setting.
- Fix login appearing to be cancelled after leaving the login screen while logging in.
- Fix login input area missing some times when opening the login screen.
Windows
- Fix log output encoding for Windows modules.
- Fix app not appearing on top in some situations when pressing the tray icon.
- Fix memory leak in Windows firewall code.
Linux
- Stop reconnecting when using WireGuard and NetworkManager.
- Reset DNS config correctly when the tunnel monitor unexpectedly goes down.
- Set search domains in NetworkManager's DNS configuration, resolving issues where NetworkManager
is used to manage DNS via systemd-resolved. - Fix incorrect version string in .deb installer causing downgrade warnings when upgrading from beta
to stable. - Fix memory leak in firewall code via updating
nftnl
dependency. - Handle IPv6 traffic correctly using
mullvad-exclude
when there is no default route to any
non-tunnel interface. - Fix issues managing DNS when dnsmasq is used with NetworkManager.
- Fix issues with managing kernel WireGuard device via NetworkManager.
- Disable NetworkManager's connectivity check before applying firewall rules to avoid triggering
NetworkManager's bug
Security
- Restore the last target state if the daemon crashes. Previously, if auto-connect and
"Always require VPN" were disabled, the service would reset the firewall upon starting back up,
even if the tunnel was up when the crash occurred. - Add firewall rules for
mullvad-exclude
, i.e. split tunneling, that disallow all traffic in the
tunnel other than non-custom DNS traffic. This prevents leaks into the tunnel. - Force OpenVPN to use TLS 1.3 or newer.
Windows
- Block all traffic received or sent before the BFE service and daemon service have started during
boot, if "Always require VPN" or auto-connect is enabled.