Mullvad VPN

Mullvad VPN tunnels in Wirebump include post-quantum encryption by default. No extra configuration. No performance penalty. Every Mullvad circuit you deploy gets PQ protection automatically.

For users who need traffic analysis defense or obfuscation, Wirebump supports DAITA, LWO, and QUIC. These features come with tradeoffs you should understand before enabling them.

Every Mullvad VPN tunnel Wirebump creates uses post-quantum protection. This guards against “store now, decrypt later” attacks where an adversary records your encrypted traffic today and decrypts it later when quantum computers become capable.

What you get by default:

  • PQ encryption on all Mullvad VPN tunnels
  • Fast circuit builds (seconds, not minutes)
  • Minimal memory footprint
  • Low CPU overhead
  • Full line-speed throughput on modest hardware

This is the experience most users want. If you deploy a Mullvad VPN circuit without any special flags, you already have PQ protection.

These features require Wirebump to run Mullvad VPN in a separate LXC container. This adds overhead but enables capabilities that raw WireGuard cannot provide.

DAITA (Defense Against AI-guided Traffic Analysis)

DAITA adds decoy traffic to obscure patterns in your network activity. Even encrypted traffic reveals information through timing, packet sizes, and flow patterns. DAITA makes these patterns harder to analyze.

Server availability is limited. DAITA is only available on a small subset of Mullvad cities, and within those cities, sometimes only a single server or a couple of servers support it. Your choices get even more limited if you need DAITA combined with LWO or QUIC.

Performance note: In my testing, DAITA servers tend to have noticeably higher latency than standard servers. My hypothesis is that since so few servers support DAITA, they end up overloaded. If you’re monitoring latency, you’ll see it climb significantly once connected to a DAITA server. This is not entirely explained by the traffic timing obfuscation. Real performance falls off.

To see current DAITA server availability, check the Mullvad servers page where you can filter by feature. Or fire up Wirebump’s Circuit Builder and enable DAITA. The server list filters automatically to show what’s available.

For more on traffic analysis and why it matters, see the What’s Next section on the About page.

LWO wraps WireGuard traffic to make it harder to identify as VPN traffic. Useful when network operators block or throttle known VPN protocols. LWO is computationally cheap compared to other obfuscation methods.

QUIC obfuscation disguises VPN traffic as standard QUIC web traffic (UDP port 443). This can bypass deep packet inspection that targets WireGuard signatures. QUIC is more computationally expensive than LWO.

LWO and QUIC are mutually exclusive. Pick one or the other. You cannot enable both simultaneously.

This is the critical decision point. Default mode and containerized mode have significantly different resource requirements.

| Metric | Behavior |
|---|---|
| Circuit build time | Seconds |
| Memory per tunnel | Minimal |
| CPU overhead | Low |
| PQ encryption | Yes |

This is what you want for most deployments. Fast topology testing. Quick redeployment when servers underperform. Responsive hot-swapping mid-call.

| Metric | Behavior |
|---|---|
| Circuit build time | Noticeably longer |
| Memory per tunnel | Higher (container overhead) |
| CPU overhead | Higher |
| PQ encryption | Yes |
| Additional features | DAITA, LWO, or QUIC |

Each parallel tunnel in containerized mode adds its own overhead.

The reference hardware (Intel i5-8250U from 2017) handles containerized mode fine at gigabit speeds. Less capable hardware may struggle.

Signs you need more power:

  • Circuits fail to deploy or time out
  • Memory pressure during multi-tunnel builds
  • CPU saturation affecting throughput

If you see these issues:

  1. Disable DAITA, LWO, and QUIC
  2. Verify default mode works at your target throughput
  3. Upgrade hardware if containerized features are required

| Scenario | Recommendation |
|---|---|
| Standard privacy needs | Default mode (PQ included) |
| Testing different topologies | Default mode (faster iteration) |
| Traffic analysis concerns | Enable DAITA (accept the overhead) |
| VPN blocking by network operators | Enable LWO or QUIC |
| Pushing gigabit+ with advanced features | Ensure sufficient hardware |

Most network professionals find default mode sufficient. You get post-quantum protection without any of the containerization overhead. The advanced options exist for specific threat models, not everyday use.

Select Mullvad VPN as your provider. Choose your city and tunnel count. Deploy.

PQ encryption activates automatically. No flags needed.

Enable DAITA in the circuit configuration. Wirebump automatically switches to containerized mode and filters the server list to show only DAITA-capable servers.

Expect slower circuit builds, higher CPU load, and potentially higher latency due to limited server availability.

Enable LWO or QUIC (not both) in the circuit configuration. Useful when your network blocks or throttles standard WireGuard traffic.

Mullvad VPN accounts have a 5-device limit. Each containerized tunnel consumes one device slot. Wirebump manages device lifecycle automatically, but be aware of this limit when running many parallel containerized tunnels.

Default mode shares credentials across tunnels and does not consume device slots as quickly.

After deploying a Mullvad VPN circuit, verify it is working:

# Check Mullvad connectivity status
curl -s https://am.i.mullvad.net/connected
# View your exit IP
curl -s https://am.i.mullvad.net/ip

The response shows your exit server and confirms whether you are connected through Mullvad VPN.
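
For a health check or cron job, the same endpoint can be parsed so that anything other than a positive confirmation counts as a failure. This is an added example, not part of Wirebump or Mullvad tooling. It assumes the reply format described in the comments, and the function names and the sample prefix `se-got` are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed parser for the /connected reply.
# ASSUMPTION (not stated on this page): the endpoint answers with one line,
#   "You are connected to Mullvad (server <name>). Your IP address is <ip>"
# when protected, and a "You are not connected ..." line otherwise.

# parse_mullvad_status REPLY [EXPECTED_PREFIX]
# Prints "<server> <ip>" and returns 0 only on a positive confirmation.
# Returns 1 for "not connected", empty, truncated or unexpected replies,
# and 2 when the exit server does not start with EXPECTED_PREFIX.
parse_mullvad_status() {
    mv_reply=$1
    mv_want=${2:-}
    case $mv_reply in
        "You are connected to Mullvad (server "*"). Your IP address is "*) ;;
        *) return 1 ;;
    esac
    mv_rest=${mv_reply#"You are connected to Mullvad (server "}
    mv_server=${mv_rest%%")."*}
    mv_ip=${mv_rest##*"Your IP address is "}
    # Reject fields containing anything but hostname / IP characters.
    case $mv_server in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
    case $mv_ip in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
    # Optional: confirm the exit is the location that was deployed.
    case $mv_server in
        "$mv_want"*) ;;
        *) return 2 ;;
    esac
    printf '%s %s\n' "$mv_server" "$mv_ip"
}

# check_mullvad [EXPECTED_PREFIX]: query the live endpoint with a timeout.
# A curl failure or timeout counts as "not protected".
check_mullvad() {
    mv_live=$(curl -s --max-time 10 https://am.i.mullvad.net/connected) || return 1
    parse_mullvad_status "$mv_live" "${1:-}"
}

# Usage in a cron job or health check (prefix "se-got" is a constructed sample):
#   check_mullvad se-got || echo "exit is not the expected Mullvad server" >&2
```

Treating timeouts and unrecognized replies as failures means a dropped tunnel or a changed reply format raises an alert instead of passing silently.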


Mullvad and Mullvad VPN are trademarks of Mullvad VPN AB.