Phil Rentier Digital

Originally published at rentierdigital.xyz

Mullvad and the WireGuard Correlation Problem: Why Even the Best VPNs Have Limits

In May 2026, the privacy community lit up after a technical limitation was discovered in Mullvad VPN, one of the most respected providers in the space.

The issue: even with Mullvad, it's possible to correlate sessions from the same user across server changes, because of how IP addresses are assigned in its WireGuard infrastructure.

TL;DR: Mullvad is excellent, but its WireGuard IP assignment creates a session correlation vector most users don't know about. If your threat model is serious, there's a harder setup that addresses it (and it costs more than you'd expect).

The Problem, Explained Simply

Every Mullvad user gets assigned a private WireGuard key and an internal tunnel IP. Mullvad servers use public IP ranges, and the relative position of your exit IP (the one sites actually see) stays statistically stable within the server's range. That means an observer (a website, a tracker, or an adversary) can, with non-trivial probability, infer that two sessions belong to the same user even after a server switch.

This directly weakens unlinkability: the guarantee that your sessions can't be tied together. That matters a lot for journalists, whistleblowers, OSINT researchers, or anyone with a real threat model.

Mullvad acknowledged the problem and recommends fully disconnecting and reconnecting to regenerate a new key on each major server change. Not ideal for smooth daily use.

The Options, From Simple to Advanced

1. Stay on Mullvad (minimal approach)

Advantages: simplicity, strong blending across thousands of users, proven no-log policy. Downside: you need to reconnect frequently to break correlation. Fine for casual use or if you're comfortable with the tradeoff.

2. Self-hosted with an exit node

Instead of a shared VPN, you spin up your own internet exit via a VPS. Three solid options here:

  • Tailscale: great UX, very easy to set up, but proprietary (use Headscale if you want full self-hosting)
  • NetBird: fully open-source, modern interface, granular ACLs, solid self-hosting story
  • Nostr VPN: the most decentralized option. Identity and peer discovery happen via Nostr keys (npub). No third-party company in the coordination layer.

All three follow the same principle: you rent a VPS, configure it as an exit node, and all your devices route through it via WireGuard. Everything exits from that VPS IP. The self-hosting philosophy is the same one behind rebuilding a $200/month setup for a fraction of the cost: control and cost reduction are the same trade.

Full control, no third party on the coordination layer. The major downside: datacenter IPs are easy to detect, which means captchas, blocks, and high risk scores on most services.
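What "configure it as an exit node" amounts to in plain WireGuard, as an added example that is not from the original post or from the Tailscale, NetBird or Nostr VPN projects: a small script that renders the VPS-side config (forwarding plus NAT) and the matching client config that sends every packet through the tunnel. The public interface name eth0, the port 51820 and the subnet 10.66.66.0/24 are assumptions; the keys are arguments you fill from `wg genkey` / `wg pubkey` output. The mesh tools handle keys and peer discovery for you; this is the unmanaged version of the same idea.

```shell
#!/bin/sh
# Added example, not from the original post: render the two WireGuard
# configs behind "rent a VPS, configure it as an exit node, route every
# device through it". Keys are passed in by the caller; generate real ones
# with `wg genkey | tee server.key | wg pubkey`. The interface name, port
# and tunnel subnet below are assumptions, not values from the post.

WAN_IF="${WAN_IF:-eth0}"        # public interface of the VPS (assumed)
WG_PORT="${WG_PORT:-51820}"     # WireGuard listen port (assumed)
WG_NET="10.66.66"               # tunnel subnet, first three octets (assumed)

# render_server_conf SERVER_PRIVKEY CLIENT_PUBKEY
# wg0.conf for the VPS. The PostUp/PostDown rules forward tunnel traffic and
# masquerade it behind the VPS address, which is what makes every client
# packet leave from the VPS IP.
render_server_conf() {
    cat <<EOF
[Interface]
Address = ${WG_NET}.1/24
ListenPort = ${WG_PORT}
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IF} -j MASQUERADE

[Peer]
# one stanza per device; AllowedIPs here is the single tunnel address the
# server accepts from this peer, not a default route
PublicKey = $2
AllowedIPs = ${WG_NET}.2/32
EOF
}

# render_client_conf CLIENT_PRIVKEY SERVER_PUBKEY SERVER_PUBLIC_IP
# Client side. AllowedIPs = 0.0.0.0/0 is the line that turns the VPS into a
# full exit node: wg-quick installs a default route into the tunnel. ::/0 is
# listed too so IPv6 is pulled into the tunnel instead of leaking around it
# (the server above only forwards IPv4, so that traffic is simply dropped).
# DNS is any resolver you trust; with the default route in place the query
# itself travels through the tunnel rather than out of the local network.
render_client_conf() {
    cat <<EOF
[Interface]
Address = ${WG_NET}.2/32
PrivateKey = $1
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = $3:${WG_PORT}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# check_forwarding: the NAT rules are inert until the kernel forwards packets.
# Returns 0 when net.ipv4.ip_forward is already enabled on this host.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage (file name is hypothetical):
#   sh exitnode.sh server SERVER_PRIV CLIENT_PUB > /etc/wireguard/wg0.conf
#   sh exitnode.sh client CLIENT_PRIV SERVER_PUB 203.0.113.10 > wg0.conf
# then on the VPS: sysctl -w net.ipv4.ip_forward=1 && wg-quick up wg0
case "${1:-}" in
    server) render_server_conf "$2" "$3" ;;
    client) render_client_conf "$2" "$3" "$4" ;;
esac
```

The one line that carries the "everything exits from the VPS IP" property is `AllowedIPs = 0.0.0.0/0, ::/0` on the client; without it only the tunnel subnet is routed and ordinary traffic keeps leaving from the device's own address. On the VPS, `check_forwarding` tells you whether the sysctl is in place before you bring the interface up.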

3. Self-hosted + residential proxy

This is the harder setup. You route your VPS traffic through a residential proxy instead of letting sites see a hosting provider IP. They see a regular residential IP, ideally rotating. This is roughly the same run-your-own-infrastructure-on-a-cheap-VPS mindset, applied to privacy infrastructure instead of AI agents.

Fewer flags, better blending, optional IP rotation. It works. I think this setup scales well for individual threat models, though I'm honestly not sure how it holds up under sustained adversarial targeting (that's a different game).

Proxy providers worth looking at: Bright Data, Oxylabs, Decodo, IPRoyal, NetNut, and Webshare.io (competitive pricing, good entry point).

Webshare.io: A Solid Budget Option for This Setup

Webshare.io offers datacenter proxies, static residential IPs, and rotating residential IPs. A few reasons it fits here: aggressive pricing, SOCKS5 support (easy to wire into a VPS config), both static and rotating residential options, and 10 free proxies to test the setup before committing.
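The routing step in option 3 and the SOCKS5 support mentioned here come down to the same handshake, so one added example covers both (not code from the post, from Webshare, or from any proxy vendor): a minimal SOCKS5 client in Python that performs the RFC 1928 method negotiation, the RFC 1929 username/password exchange and a CONNECT, and hands back a plain TCP socket to the destination. It sends the destination as a hostname so the proxy does the lookup; a resolver query from the VPS would otherwise reveal the target even though the TCP traffic goes through the proxy. Proxy endpoint and credentials are arguments; the example contains no real ones.

```python
"""Minimal SOCKS5 client handshake (RFC 1928 plus RFC 1929 user/password auth).

Added example, not code from the original post, from Webshare or from any proxy
vendor. It shows what "wiring a SOCKS5 proxy into the VPS" means on the wire:
method negotiation, the credential exchange and a CONNECT request. The target is
always sent as a domain name (ATYP 0x03) so the proxy resolves it and no DNS
query for the target leaves the VPS. Proxy host, port and credentials are
whatever the provider issued; none are given here.
"""
import socket
import struct

VER = 0x05
AUTH_USERPASS = 0x02
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting() -> bytes:
    """VER NMETHODS METHODS. Only user/password is offered, so the proxy cannot
    steer the session down to 'no authentication'."""
    return bytes([VER, 1, AUTH_USERPASS])


def build_auth(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: 0x01 ULEN UNAME PLEN PASSWD."""
    u, p = username.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname unresolved (ATYP 0x03)."""
    h = host.encode("idna")
    if not (0 < len(h) < 256 and 0 <= port <= 0xFFFF):
        raise ValueError("hostname length or port out of range")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT into (rep, bound_addr, bound_port)."""
    if len(data) < 5 or data[0] != VER:
        raise ValueError("malformed SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_DOMAIN:
        off, n = 5, data[4]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        off, n = 4, (4 if atyp == ATYP_IPV4 else 16)
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) < off + n + 2:
        raise ValueError("truncated SOCKS5 reply")
    raw = data[off:off + n]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        addr = raw.decode()
    return rep, addr, struct.unpack("!H", data[off + n:off + n + 2])[0]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail; a short read mid-handshake is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_socks5(proxy_host, proxy_port, username, password,
                       dest_host, dest_port, timeout=10.0) -> socket.socket:
    """Return a TCP socket whose far end is dest_host:dest_port, reached through
    the proxy. Fails closed: any unexpected byte aborts and closes the socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != VER or method != AUTH_USERPASS:
            raise ConnectionError(f"proxy did not accept user/password auth ({method:#x})")
        sock.sendall(build_auth(username, password))
        if _recv_exact(sock, 2)[1] != 0x00:
            raise PermissionError("proxy rejected the credentials")
        sock.sendall(build_connect(dest_host, dest_port))
        head = _recv_exact(sock, 4)  # VER REP RSV ATYP
        if head[3] == ATYP_DOMAIN:
            length = _recv_exact(sock, 1)
            body = length + _recv_exact(sock, length[0] + 2)
        else:
            body = _recv_exact(sock, {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(head[3], 0) + 2)
        rep, _, _ = parse_reply(head + body)  # raises on an unknown ATYP
        if rep != 0:
            raise ConnectionError(f"CONNECT failed with reply code {rep}")
        return sock
    except Exception:
        sock.close()
        raise
```

This is the per-connection building block: an application on the VPS calls `connect_via_socks5(proxy, port, user, password, "example.com", 443)` and then speaks TLS on the returned socket as usual. Redirecting the WireGuard clients' traffic into the proxy wholesale, so the VPS itself becomes a SOCKS-backed exit, needs a transparent redirector (redsocks or a tun2socks-style tool) sitting in front of the NAT rule; those tools perform exactly this handshake for every intercepted connection.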

With NetBird or Nostr VPN + a VPS + Webshare as exit, you get an encrypted mesh between your devices, residential IP output (rotating if you want), and full infrastructure control.

Comparing the Options

Option                                         | Blending  | Flag resistance | Control   | Cost (EUR/month) | Complexity
-----------------------------------------------|-----------|-----------------|-----------|------------------|----------------
Mullvad only                                   | excellent | medium          | medium    | 5-6              | almost zero
VPS + Tailscale or NetBird (no proxy)          | weak      | bad             | excellent | 10-30            | medium
VPS + NetBird or Nostr VPN + residential proxy | good      | good            | excellent | 50-300+          | high
Self-hosted + Webshare                         | good      | good            | very good | 40-250           | medium to high


The Mullvad limitation is a good reminder of the fundamental truth in privacy: it's all tradeoffs.

Mullvad stays excellent for most people because of natural blending at scale. Self-hosted setups with residential proxies are for people who want maximum control and are willing to pay for it in both money and complexity. Adding Webshare significantly improves the experience by masking the datacenter origin.

If your threat model is serious, the self-hosted + rotating residential proxy combo is one of the strongest approaches available right now.

This post may contain affiliate links. If you click them, I might earn a small commission (costs you nothing, and helps me keep shipping quality articles every day for your reading pleasure).