Mullvad VPN will only establish connections when the anti-censorship mode “UDP-over-TCP” is enabled. Using that mode produces very low internet speeds (~2,000 kb/s) and an unstable link. This behavior occurs only on Kicksecure, so I suspect it’s caused by specific system hardening measures in this distribution.
Has anyone found a fix or workaround?
I have experienced the same issue, even my speed is 20 times lower than yours because I am connecting from a coubtry wiyh heavily censorship.
I can’t say it’s related to Kicksecure even though I can say that:
Since summer 2025, I could not even connect to Mullvad VPN withn Kicksecure 17, never being able to establish a connection
Under Kicksecure 18 the VPN connects but it’s extremely slow and often disconnects
Maybe not related but as Tor is totally blocked here (I can’t for example run Whonix because of that or have always sdwdate time out), I may suspect some my ISP is blocking things so much that my internet connection is barely usable for privacy purposes, including the use of VPN
I’m between pop, Ubuntu or kicksecure. Ubuntu is looking more and more unusable because of AI integration. The pop seems better but lacks the security of kicksecure from what I have read.
I like most things I read up on. The thing that popped out are that mullvad vpn won’t work unless the comp is on a specific setting. That setting takes the speed you have and turns it to dialup. That brought me to the fact I’m questioning this if so.
I like this, it seems like a way I want to go. That scared me however. I need security, I don’t like things that aren’t as secure as they should be.
Please help me out with this decision
Could you share a link to where you saw this? I’m aware that there may be some difficulties with Mullvad VPN but I’m not sure I recognize this particular issue.
(Edit: This post, and the one above it and below it were previously a separate post. Merged them here so that everything related to slow Mullvad VPN performance can be in a single thread.)
I’m sorry for not posting it Mullvad VPN only working with UDP-over-TCP on Kicksecure 17/18
Could someone here add some clarity if this encountered specifically in Kicksecure VM’s / Qubes Templates or is this issue experienced on host installation?
I’m using Mullvad VPN on host Kicksecure and I dont have this issue. I can double check what my settings are but I think standard UDP works for me.
The semi conclusion for me after looking at wiki is ARP and IPv4 settings documented on that page are unlikely to directly cause the UDP-over-TCP issue.
Mullvad VPN audit states they set net.ipv4.conf.*.arp_ignore=2 \
just like what is already set in Networking documentation.
On Linux we solved the issue by changing the kernel parameter
net.ipv4.conf.all.arp_ignoreto 2 whenever a VPN tunnel is established. This change was done in PR #7141 and is included in the desktop app release version 2024.8.[1]
I noticed that reverse path filtering (rp_filter) is set on the distro, and while I initially doubt it affects wiregaurd interfaces, the Mullvad documentation explicitly mentions it in relation to src_valid_mark.
TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK - Set this variable to 1 to stop the daemon from setting the
net.ipv4.conf.all.src_valid_markkernel parameter to 1 on Linux when a tunnel is established. The kernel config parameter is set by default, because otherwise strict reverse path filtering may prevent relay traffic from reaching the daemon. Ifrp_filteris set to 1 on the interface that will be receiving relay traffic, andsrc_valid_markis not set to 1, the daemon will not be able to receive relay traffic.[2]
This raises the question: Is src_valid_mark=1 not being set correctly for Mullvad on KickSecure leading to UDP-over-TCP only?
When I get in front of my workstation, I will check if this specific kernel parameter is the culprit to all this minutia. I’ll check my settings cause don’t recall experiencing this forced “UDP-over-TCP” personally.
Well I just got back to testing on my machine and enabled mullvad log listen to log-level of “trace” and didn’t see anything indicating that only UDP-over-TCP was being set. I even disabled anti-censorship entirely and can connect just fine. This is on Kicksecure host install not a VM.
Didn’t see any errors about setting src_valid_mark=1 and talpid core firewall or tunnel indicating inefficient permissions in user mode to set this. Only a warning of inefficient permission about ping but this is normal. Unless I didn’t look hard enough I dont think this is the issue?
If @secure @cookie.monster @Lacekim or someone could provide some more info most importantly.
Is this encountered in Kicksecure Virtual Machines (KVM/Virtualbox/Qubes) or is this on Kicksecure host?
Thank you
For those who care, I resolved my issue simply by turning on Local Network Sharing in the settings of the Mullvad App.
Personally, I was encountering this issue on my host.