In this web content, the author announces that the Netherlands-based security firm Radically Open Security (RoS) has completed the third audit of their VPN infrastructure. The focus of the audit was on VPN servers that run from RAM, specifically an OpenVPN server and a WireGuard server. The final report of the audit, which was concluded in June 2023 with fixes implemented in late June and re-tests and verification performed in July, is available for reading. RoS discovered several findings, including no logging of user activity data and a mature architecture for the Mullvad VPN relays. Some of the key issues discovered were related to production multihop traffic, insecure directory permissions, administrator access to production machines, and shared Influx database credentials. The author highlights that changes have already been made to address these issues and mentions the ongoing efforts to improve the infrastructure.
https://mullvad.net/en/blog/2023/8/9/infrastructure-audit-completed-by-radically-open-security/