
Firefox Full-device VPN - heh
https://private-network.firefox.com/vpn
======
jplayer01
I don't understand. Their partner is Mullvad. Mullvad has servers across the
entire god damn globe. Why is this US-only? Why is it US-only going into early
2020, as in, _months_ to provide service to non-US regions in what's probably
going to be a limited roll-out to "select regions"? It's not the 90s anymore.
It's time to drop the US-centric crap. They're not a publisher. They're not
distributing movies or TV series.

~~~
tmikaeld
I think it's because Firefox have made their own client and they only want to
offer Wireguard connections.

Since Wireguard is still a bit new and buggy, they probably want to make sure
it's stable and roll out in stages.

~~~
jplayer01
Wireguard isn't US-only in any way. Like, I literally do not understand at
all. I can download a working, functional, largely stable Wireguard client on
my phone or configure it on my Linux desktop without issue from outside the
US. Like, US-based has no bearing on any of this. At all.

~~~
warhorse10_9
Where did you get an implication that Wireguard was US-only? The poster you
are replying to is simply stating since Wireguard may still be a bit buggy,
they are rolling this out in the US first to iron out any kinks before making
it widely available.

~~~
admax88q
But how does rolling it out US only first help with the fact that Wireguard is
buggy?

They are already rolling it out slowly via a waiting list. Limiting that to US
only doesn't really change how "widely available" it is in order to iron out
the kinks. Seems more likely this is regulatory related.

~~~
michaelbuckbee
Trying to do support in multiple languages and timezones can be tricky (and
surely adds to the cost), I don't know for sure if that's the reason but it's
a reasonable one.

------
kgwxd
With the pending sale of PIA to CyberGhost, I was looking for an alternative
to Librem Tunnel. A lot of users on the Purism forum suggested Mullvad and it
looks like this uses that. I'll definitely be trying this on Linux when it's
available.

It's a shame Purism picked PIA to partner with, I want to support the company
but Librem Tunnel is the only feature justifying the $7.99/month Librem One
fee for me and I don't want any of that going to CyberGhost. I use Librem Mail
too, but they don't offer a price package that includes email without VPN.

~~~
ericvolp12
Mullvad already supports linux wireguard clients if you want to just cut out
the firefox middleman and use it internationally too -
[https://mullvad.net/en/download/#linux](https://mullvad.net/en/download/#linux)

------
azinman2
Perhaps Mullvad is great. I don’t know. The whole VPN industry is full of
shucksters, and when Mozilla says that Mullvad has “committed” to privacy
doesn’t sound like enough heft to me.

Why isn’t Mozilla running their own servers if this really is something worth
getting into? They’re one of the few privacy and public good companies we have
left.

~~~
lmorchard
Consider another angle: Mozilla doesn't have experience running a VPN. There
are a lot of terrible mistakes to be made there.

If Mozilla can secure a good contract with folks who _have_ run a VPN, isn't
that a better technical scenario? I mean, sure, you have to assume that the
contract has teeth to enforce privacy guarantees. But I think that's part of
the value proposition here.

------
hellcow
Last time this was presented Mozilla mentioned a partnership with ProtonVPN.

To any Mozillians reading this, what was the reason for the switch to Mullvad?

Also will we be able to use our own standard Wireguard clients to connect?

~~~
commoner
It doesn't look like ProtonVPN supports WireGuard yet.

[https://protonvpn.com/blog/whats-the-best-vpn-protocol/](https://protonvpn.com/blog/whats-the-best-vpn-protocol/)

Edit: As Gaelan mentioned below, this is an answer to hellcow's first
question.

~~~
fulafel
Why would WireGuard be important? It's nice technically but the benefits vs
mature protocols are not really material in a vpn service's value proposition,
compared to other properties.

~~~
Semaphor
I recently became a mullvad customer and used wireguard for the first time.
Maybe this is a windows thing, but it's so, so much faster than what I was
used to from openVPN, ike, etc.

~~~
fulafel
Anyone know if there's something weird about OpenVPN that makes it
particularly bad? You'd think crypto + UDP encapsulation at consumer internet
speeds would be pretty straightforward to implement performantly in this day
and age.

~~~
persona_reuse
5 years of VPN admining here.

The openvpn community is pretty nonexistent. Core is about 10 guys (half on
loan from the for-profit company) and they're multiple years behind on where
the development should be.

2.4 release: currently 3 years old, decently robust, but limited. 2.5 release:
38 of 51 blockers still open, no release date in sight. 3.0 release: roadmap
was written in 2010, no release date in sight.

OpenVPN 2.5 is where we'll have per-user tls-crypt. tls-auth/tls-crypt in 2.4
means when the PSK (that all clients share) leaks, you have to rotate a PSK
for ALL users all at once. Or you could not use that PSK at all and just get
DoS'ed over UDP all the time. OpenVPN 3 is where they're looking at being
multithreaded. Let that sink in for a minute, because the devs haven't. You
share one core with EVERYONE who's connected. openvpn is, performance-wise, a
glorified openssl-pipe-to-nc at that point.

These are features that any server admin should be dying to have, because
they're what let you scale from "my cute little tunnel from my home to my
cloud instance" to "endpoints that can scale."

Tuning to get solid performance means getting the client config right with a
lot of low-level tweaks, a lot of iperf and network-ops knowledge, shipping it
out to the userbase, and hoping it works in their situation. Tuning later
because you screwed anything up is hit and miss: some features you can 'push'
out and fix, some you can't. The devs can't imagine tunnels where someone who
isn't as immersed in the code as them doesn't control all endpoints and all
configs, or where there's no burden to walking around and changing every
user's config. I'm years into this and I'm still finding things to adjust or
submit patches for, to make my users happier.

OpenVPN has one thing that other VPNs severely lack: an ABSOLUTELY SUPERB hook
system. You want to have actions trigger scripts, they got u fam. You can do a
lot of serverside and clientside magic because of that, integrating with your
SSO and ACL management. Wireguard is much more in the beautiful-in-its-
simplicity-but-that-still-means-simple 'static definition' camp (for now).
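
The key-rotation problem described in persona_reuse's comment above, as an added example (not part of the comment and not OpenVPN project code): a Python audit that classifies client configs by their control-channel key directive and lists who must be re-keyed when one client's key leaks. The sample configs, host name and client names are constructed, and it assumes all configs belong to one server, so a shared key is the same key everywhere.

```python
import re

# Control-channel wrapping directives (real OpenVPN option names).
SHARED = {"tls-auth", "tls-crypt"}   # 2.4: one static key shared by every client
PER_CLIENT = {"tls-crypt-v2"}        # 2.5: each client gets its own key
INLINE_OPEN = re.compile(r"^<(tls-auth|tls-crypt|tls-crypt-v2)>$")

def control_channel_directives(config_text):
    """Return which control-channel key directives a config actually enables."""
    found, inline = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:                        # inside an inline key block: skip the body
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":   # blank line or commented-out directive
            continue
        m = INLINE_OPEN.match(line)
        if m:
            inline = m.group(1)
            found.add(inline)
            continue
        word = line.split()[0].lstrip("-")  # "--tls-crypt" and "tls-crypt" both parse
        if word in SHARED | PER_CLIENT:
            found.add(word)
    return found

def classify(config_text):
    used = control_channel_directives(config_text)
    if used & SHARED:       # a shared key anywhere still means fleet-wide rotation
        return "shared-psk"
    if used & PER_CLIENT:
        return "per-client"
    return "none"           # no key wrapping on the control channel at all

def rotation_scope(configs, leaked):
    """Clients needing new key material if `leaked`'s config is exposed.
    Assumption: every config in `configs` is for the same server."""
    mode = classify(configs[leaked])
    if mode == "shared-psk":
        return sorted(n for n, c in configs.items() if classify(c) == "shared-psk")
    return [leaked] if mode == "per-client" else []

# Constructed sample configs (not taken from any real deployment).
CLIENT_24 = """client
remote vpn.example.test 1194 udp
<tls-crypt>
(static key omitted)
</tls-crypt>
"""
CLIENT_25 = "client\nremote vpn.example.test 1194 udp\ntls-crypt-v2 client-carol.key\n"
CLIENT_BARE = "client\nremote vpn.example.test 1194 udp\n; tls-auth ta.key 1\n"

if __name__ == "__main__":
    fleet = {"alice": CLIENT_24, "bob": CLIENT_24, "carol": CLIENT_25}
    for name in fleet:
        print(name, classify(fleet[name]), "-> re-key:", rotation_scope(fleet, name))
```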

~~~
fulafel
Thanks for the explanation!

If it's not multithreaded, sounds like one thing to try could be just to run
an instance per user, but I guess that may not be straightforward to operate.

Oh well, at least we have IPsec.

------
LatteLazy
I'm way below the technical skill average on HN, so can I prevail upon someone
to correct me?

This is just a vpn right? My existing vpn is already putting all device
traffic through its servers (though it would actually be nice to turn it off
for some apps, as I can't order takeaway because everyone thinks I'm in
Iceland).

And it's $5 a month, which is about what I already pay.

Plus it's not available except on Windows 10 (where it's beta).

And it's US only.

What is Firefox/Mozilla offering me here that I don't get from NordVPN (who I
highly recommend)?

~~~
hellcow
You mean the NordVPN that was hacked for god knows how long, knew about it
themselves for months, and both deliberately hid that information from their
customers and failed to fix the issue in a reasonable timeframe? [0]

With Mozilla you get someone you can hopefully trust (hopefully being the
operative word).

[0] [https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-ha...](https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/)

~~~
godelski
I'm curious about the parent's question, but consider that Mullvad is about $5
on its own anyways. It also already supports international customers and
multiple platforms. So I'm not sure why you would buy it through FF and not
directly from Mullvad? It just seems like a middleman with no benefits.

~~~
ensignavenger
I would like to buy it through Mozilla in order to support the Mozilla
Foundation, because I want to support their work and help them break their
dependency on Google for funding.

~~~
godelski
I can justify this, but I'm wondering why Mullvad doesn't give them a slightly
better deal. It is basically the same deal that you get if you pay with
crypto, except you -- the user -- lose all the benefits of that. So why not
charge something like $4.50? Or $4? They are bringing bulk to Mullvad. One of
them, or both, could eat the cost until the price stabilized. I'm sure at
Mozilla's scale they could push Mullvad's operating price down.

But the fact is that this does create more links in the VPN, and thus more
security risks. Which isn't a big deal for the 99% of us that are just using
them to torrent and prevent Comcast from seeing our data, but there's still a
principle thing, which is part of why people are jumping from PIA before the
merger has even happened.

------
gnulinux
So do they keep access logs for law enforcement? If this is the same VPN as
Mullvad that means they don't? Could someone clarify maybe?

~~~
heavyset_go
If Mullvad is in the US, courts can compel Mullvad to siphon their clients'
information and not disclose it despite any claims their policy makes.

~~~
alexfromapex
Yeah I wouldn’t use any US VPN unless it had a warrant canary and didn’t keep
logs

~~~
tssva
In which countries do you think a VPN provider can ignore a court issued
warrant?

------
threatofrain
Mozilla need to clarify their relationship and perspective with ProtonVPN,
especially because they always stay above the dirt slinging with the CEO of
PIA claiming on HN and Reddit that ProtonVPN is a low credibility business.

~~~
commoner
Firefox Private Network uses Cloudflare for the browser extension and Mullvad
for the desktop and mobile clients.

> Our partner for FPN Browser Protection is Cloudflare. Our partner for FPN
> Full-device Protection is Mullvad.

[https://www.mozilla.org/en-US/privacy/firefox-private-networ...](https://www.mozilla.org/en-US/privacy/firefox-private-network/)

Mozilla previously sold ProtonVPN as an affiliate for $10/month, but Firefox
Private Network doesn't use them at all.

[https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...](https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/)

~~~
threatofrain
But is Mozilla dropping mention of ProtonVPN due to a loss of confidence after
the PIA CEO engaged in mud slinging on public forums? It’s noticeable that
Mozilla never really defended their “associate”.

~~~
protonmail
No, and this is supported by the timing. PIA made the inaccurate (and now
withdrawn) allegations in July. Mozilla was aware of the allegations, visited
Proton in Geneva, looked into said allegations, and announced the Proton
partnership in October.

Proton doesn't support Wireguard which is the protocol Mozilla wanted to use.
This was a conscious decision because Wireguard is UDP only, which poses a
significant problem for many Proton users which are based in countries with
strict censorship and UDP VPN protocols are easier to block. Therefore,
Proton's VPN focus has shifted to working on TCP based solutions which can
resist DPI.

While Proton and Mozilla's VPN focuses have diverged, there are still
collaborations and discussions in other areas. For example, Thunderbird is
integrating Enigmail, which is based upon the OpenPGPjs library that Proton
maintains.

Proton and Mozilla have similar missions, and will continue to support each
other in the future.

------
atonse
To those who are curious (as I was), they use Wireguard and have partnered
with Mullvad for the servers.

~~~
darau1
Where's that mentioned?

edit: never mind

~~~
commoner
> About our trusted partner

> Firefox Private Network full-device protection is a VPN built by Firefox
> using global WireGuard servers provided by Mullvad, which has committed not
> to keep logs of any kind.

[https://private-network.firefox.com/vpn](https://private-network.firefox.com/vpn)

------
rinchik
I might be paranoid a bit - I'm skeptical about "you can pick your location"
feature. And generally I have very little trust in US-based VPN service
providers.

No matter the location, they'll keep logs forever for the gov or some other
equally unreliable entity.

~~~
commoner
Mullvad is based in Sweden. Their site has details on their no-logging policy
and summaries of the relevant Swedish laws:

[https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)

[https://mullvad.net/en/help/swedish-legislation/](https://mullvad.net/en/help/swedish-legislation/)

Of course, it's up to you to determine how much you want to trust them.

------
angerbot
I thought WireGuard was not yet ready for primetime, why is it being used
here? I've been wanting to stand up a VPN at work to make my life easier than
SSH tunneling but I was waiting for a 1.0 release of WG.

~~~
dx87
Looking on the WireGuard site, it says that it's still a work in progress that
"may contain security quirks", but they also say "already it might be regarded
as the most secure, easiest to use, and simplest VPN solution in the
industry." Both statements could be true, but I guess it's up to you whether
or not you want to wait for a 1.0 release.

~~~
zx2c4
We'll change the language on the site once we're upstream in the Linux kernel.
Hopefully that's around the corner.

------
freedrock87
Watching Firefox sinking to essentially licensing its name like an obsolete
fashion brand is sad.

~~~
basch
It's a great idea to use Firefox like Wirecutter, as a recommendation for the
best of each service type. Combine that with some thin interface over the top,
like an OS, to control all the services you subscribe to with unified billing.
Password leaks, manager, file sharing, bookmark sync, vpn, dns, newsfeed. Now
a new person starting out on the internet doesn't need to learn about
haveibeenpwned, dropbox, mullvad, cloudflare, and facebook/pocket. They can
let Firefox (hopefully) select the best of each product type, and white label
it as part of the Firefox family.

~~~
heavyset_go
> newsfeed

I must have missed this, what RSS solution have they put out?

~~~
basch
Pocket, their competitor to MSN and Facebook and Reddit. Let's be real, MOST
people are consuming from one of those three feeds daily.

~~~
heavyset_go
Does Pocket do feeds now? The last time I looked it was a bookmark manager or
something.

------
jedisct1
So, the regular price is $5.00/month, but with that incredible partnership,
it's only $4.99! This is a game changer!

~~~
commoner
Mullvad actually charges €5/month, which is about $5.54. (This doesn't take
into account the 10% discount if you pay with Bitcoin or Bitcoin Cash.)

The $4.99 rate would be a 55 cent discount over the standard rate, which
matches the cryptocurrency discount and would likely help support Firefox
financially.

Mozilla has been trying to diversify its revenue for a long time:

[https://blog.mozilla.org/blog/2014/02/13/revenue-diversifica...](https://blog.mozilla.org/blog/2014/02/13/revenue-diversification-the-mozilla-way/)

~~~
myu701
I plan to do this as I was going to use Mullvad; now I can help Firefox reduce
the Google reliance at the same time? Sign me up

------
jumbopapa
So what is the benefit of getting this through Firefox instead of Mullvad?
They want my email to sign up for the waitlist, but Mullvad requires nothing.
Seems like it may even be linked to your Firefox account.

~~~
commoner
If you already use Mullvad, Firefox Private Network probably won't be an
improvement for you.

However, this partnership would most likely benefit both Firefox and Mullvad.
Firefox gets a stream of revenue (independent of Google) that would be used to
finance development, and Mullvad acquires additional customers through the
partnership who would otherwise not know about it.

~~~
jumbopapa
I know that, but what I'm saying is that you lose a degree of privacy going
through Mozilla.

------
phyzome
Given that they're rebranding Mullvad's service, I wonder if they'll still
accept anonymous payments.

------
morpheuskafka
On the one hand, I'm glad they are using a trusted partner like Mullvad. On
the other hand, why would you join a waitlist for a service that requires you
to link your account to a US credit card--when you can literally mail cash to
Mullvad and be completely anonymous.

------
Justsignedup
I guess it is Mozilla's name behind it... but... I guess fundamentally... you
still can't use shit like netflix or any other media services because they
actively block vpns.

------
qxnqd
Why is the Mozilla Corporation diluting the Firefox brand like this?

~~~
vinylkey
How is this brand dilution?

~~~
qxnqd
Because Firefox is a browser, not a family of products. Well, now it is, but
they already had a brand for their family of products: Mozilla.

~~~
vinylkey
They've been pivoting the Firefox name to encompass many privacy-minded tools
for a while now. I would argue that a Firefox VPN strengthens that branding.

[https://www.mozilla.org/en-US/firefox/](https://www.mozilla.org/en-US/firefox/)

> Meet our family of products
>
> - Browsers
> - Monitor
> - Send
> - Lockwise
> - Pocket

------
noisy_boy
Does Mullvad offer ad-blocking dns (like AdGuard)? Maybe Mozilla should start
a beta program for this considering they are considered fairly trustworthy.

~~~
heavyset_go
If it's WireGuard based, the client allows you to specify your DNS servers.

------
acd
Mullvad vpn is very good which Firefox vpn is based on.

------
rsync
Shouldn't this be served from firefoxfulldevicevpn.com ?

------
anewguy9000
just fyi opera has had a free built-in vpn for some time. works a peach.

~~~
danarel
Opera VPN collects user data. It's right in their policy. It's not a privacy
respecting service.

------
wnevets
This is how much it costs to run an Outline VPN on DigitalOcean

~~~
commoner
Outline is an excellent piece of software, but VPN services mix traffic from
many users through the same IP address, which may improve anonymity.

------
imharvey
A partnership with OVPN.com would have been much better with their high
security focus. However, Mullvad is probably fine.

------
swebs
> Does Firefox Private Network log my browsing history?

> Firefox is committed to protecting your privacy. Our privacy policy describes
> how we handle your data. The VPN is provided in partnership with Mullvad, who
> is committed to not monitoring or logging your browsing or network history.

So in other words, Mullvad doesn't track you but Mozilla does. Is that
interpretation correct?

~~~
lmorchard
Nope, not correct.

