Firefox Full-device VPN (firefox.com)
247 points by heh 3 days ago | 115 comments

I don't understand. Their partner is Mullvad. Mullvad has servers across the entire god damn globe. Why is this US-only? Why is it US-only going into early 2020, as in, months to provide service to non-US regions in what's probably going to be a limited roll-out to "select regions"? It's not the 90s anymore. It's time to drop the US-centric crap. They're not a publisher. They're not distributing movies or TV series.

It’s pretty normal to test features in one market and then roll it out and solve scaling issues or bugs that crop up. If you have a flawless strategy to scale and roll out a big bug free release across the globe I’m sure a lot of people would be interested in that.

Just like Disney+ that started in the Netherlands months before starting in the US.

My guess is everyone on here defending US only... is in the US.

Could be wrong.

I'm not in the US but "It’s pretty normal to test features in one market and then roll it out" and "Just like Disney+ that started in the Netherlands months before starting in the US" make perfect sense to me.

I get that everyone wants everything right now, but if you're not in the US, surely you still understand domestic-market roll out? Doesn't seem like it's worthy of anything more than a passing "damn, too bad."

Nope. Rolling out features in your home country is pretty normal. Apple does it all the time.

What I have a problem with is the slow rollout of features across the globe, when you can't see or understand the reason behind it.

Bad example, Apple's market share is tiny anywhere besides the US.

And this isn't a new thing. They partnered with an established vpn provider. Horizontal scaling won't be an issue there.

There is really no reason, but I don't really care either

And there is really no reason to not go to the actual provider. Same price and you can use it on all platforms. They even provide a wireguard backend.


>Apple's market share is tiny anywhere besides the US


So is iPhone Upgrade Programme, or Apple Pay where NFC was well established. There are always things to iron out before taking it further.

Apple's market share in Japan is big.

Not sure about other places yet.

I mean, also computers are hard and this is a thing that's worth getting right by reducing variables and taking it small steps at a time?

So why not start with a nice small country?

What are the legal implications for Mozilla with this? Hand waving that all the technology is available outside the US doesn't absolve Mozilla from Liability or Legal obligations in the US or anywhere else it's offering the service.

It's in Beta, why should they go through all the legal processes to launch the product globally where there's still the potential that the final product might look completely different or never release?

I think it's because Firefox have made their own client and they only want to offer Wireguard connections.

Since Wireguard is still a bit new and buggy, they probably want to make sure it's stable and roll out in stages.

Wireguard isn't US-only in any way. Like, I literally do not understand at all. I can download a working, functional, largely stable Wireguard client on my phone or configure it on my Linux desktop without issue from outside the US. Like, US-based has no bearing on any of this. At all.

Where did you get an implication that Wireguard was US-only? The poster you are replying to is simply stating since Wireguard may still be a bit buggy, they are rolling this out in the US first to iron out any kinks before making it widely available.

Wireguard itself is probably not buggy, but the problem is the whole software and infrastructure around it can absolutely be buggy. So it makes sense.

But how does rolling it out US only first help with the fact that Wireguard is buggy?

They are already rolling it out slowly via a waiting list. Limiting that to US only doesn't really change how "widely available" it is in order to iron out the kinks. Seems more likely this is regulatory related.

Trying to do support in multiple languages and timezones can be tricky (and surely adds to the cost), I don't know for sure if that's the reason but it's a reasonable one.

Let’s take the fact that they don’t have the resources to launch to every user all at once for the reasons stated in comments near this one. Do you agree with that premise? If so, what do you propose as a more ideal limited rollout strategy? First come first served? That has its own share of problems with user burnout and people feeling annoyed after being left out as well.

That is a very good point on it possibly being regulatory related. I agree, that is probably also a big part of it.

I think you might be underestimating the breadth of i18n & l10n for a brand new beta, especially for an organization that is built on not making privacy or legal missteps. They only have 1 / 6 clients ready and zero customers yet, their attention has to be split all over the place, so limiting some variables in the meantime seems like a reasonable idea.

The VPN tech itself is not the only concern. Localization & payments & legal are also huge concerns beyond the US. This is also aimed at not necessarily tech-savvy folks, so that is also a concern.

But national boundaries are so antiquated.

Give them some time, eh?

How about offering support in all the countries and time zones a world-wide rollout would require? That's not trivial.

For legal and payment processing reasons most likely. May need extra time to set up for other countries. Hi dang ;)

With the pending sale of PIA to CyberGhost, I was looking for an alternative to Librem Tunnel. A lot of users on the Purism forum suggested Mullvad and it looks like this uses that. I'll definitely be trying this on Linux when it's available.

It's a shame Purism picked PIA to partner with, I want to support the company but Librem Tunnel is the only feature justifying the $7.99/month Librem One fee for me and I don't want any of that going to CyberGhost. I use Librem Mail too, but they don't offer a price package that includes email without VPN.

Mullvad already supports linux wireguard clients if you want to just cut out the firefox middleman and use it internationally too - https://mullvad.net/en/download/#linux

Could you expand on why you, if I understood correctly, distrust CyberGhost?

It's getting hard to identify a trustworthy VPN provider, and CyberGhost seems to rate decently on thatoneprivacysite.net; which, incidentally, I'm unsure whether to trust, although its VPN evaluation vectors do seem pretty appropriate and complete.

Perhaps Mullvad is great. I don’t know. The whole VPN industry is full of shucksters, and when Mozilla says that Mullvad has “committed” to privacy doesn’t sound like enough heft to me.

Why isn’t Mozilla running their own servers if this really is something worth getting into? They’re one of the few privacy and public good companies we have left.

Consider another angle: Mozilla doesn't have experience running a VPN. There are a lot of terrible mistakes to be made there.

If Mozilla can secure a good contract with folks who have run a VPN, isn't that a better technical scenario? I mean, sure, you have to assume that the contract has teeth to enforce privacy guarantees. But I think that's part of the value proposition here.

Exactly. I was baited by the Firefox name.

Last time this was presented Mozilla mentioned a partnership with ProtonVPN.

To any Mozillians reading this, what was the reason for the switch to Mullvad?

Also will we be able to use our own standard Wireguard clients to connect?

It doesn't look like ProtonVPN supports WireGuard yet.


Edit: As Gaelan mentioned below, this is an answer to hellcow's first question.

Why would WireGuard be important? It's nice technically but the benefits vs mature protocols are not really material in a vpn service's value proposition, compared to other properties.

I recently became a mullvad customer and used wireguard for the first time. Maybe this is a windows thing, but it's so, so much faster than what I was used to from openVPN, ike, etc.

Anyone know if there's something weird about OpenVPN that makes it particularly bad? You'd think crypto + UDP encapsulation at consumer internet speeds would be pretty straightforward to implement performantly in this day and age.

5 years of VPN admining here.

The openvpn community is pretty nonexistent. Core is about 10 guys (half on loan from the for-profit company) and they're multiple years behind on where the development should be.

2.4 release: currently 3 years old, decently robust, but limited. 2.5 release: 38 of 51 blockers still open, no release date in sight. 3.0 release: roadmap was written in 2010, no release date in sight.

OpenVPN 2.5 is where we'll have per-user tls-crypt. tls-auth/tls-crypt in 2.4 means when the PSK (that all clients share) leaks, you have to rotate a PSK for ALL users all at once. Or you could not use that PSK at all and just get DoS'ed over UDP all the time. OpenVPN 3 is where they're looking at being multithreaded. Let that sink in for a minute, because the devs haven't. You share one core with EVERYONE who's connected. openvpn is, performance-wise, a glorified openssl-pipe-to-nc at that point.

These are features that any server admin should be dying to have, because they're what let you scale from "my cute little tunnel from my home to my cloud instance" to "endpoints that can scale."

Tuning to get solid performance means getting the client config right with a lot of low-level tweaks, a lot of iperf and network-ops knowledge, shipping it out to the userbase, and hoping it works in their situation. Tuning later because you screwed anything up is hit and miss: some features you can 'push' out and fix, some you can't. The devs can't imagine tunnels where someone who isn't as immersed in the code as them doesn't control all endpoints and all configs, or where there's no burden to walking around and changing every user's config. I'm years into this and I'm still finding things to adjust or submit patches for, to make my users happier.

OpenVPN has one thing that other VPNs severely lack: an ABSOLUTELY SUPERB hook system. You want to have actions trigger scripts, they got u fam. You can do a lot of serverside and clientside magic because of that, integrating with your SSO and ACL management. Wireguard is much more in the beautiful-in-its-simplicity-but-that-still-means-simple 'static definition' camp (for now).

Thanks for the explanation!

If it's not multithreaded, sounds like one thing to try could be just to run an instance per user, but I guess that may not be straightforward to operate.

Oh well, at least we have IPsec.

Setup and tear down time are arguably a more important performance metric, especially on mobile devices where internet connections change frequently.

The parent comment specifically states that Mozilla switched to Mullvad as the provider, and the linked article mentions that Mullvad uses Wireguard.

hellcow was asking why they switched to Mullvad. commoner suggested it was because ProtonVPN didn't do WireGuard.

I'm way below the technical skill average on HN, so can I prevail upon someone to correct me?

This is just a vpn right? My existing vpn is already putting all device traffic through its servers (though it would actually be nice to turn it off for some apps, as I can't order takeaway because everyone thinks I'm in Iceland).

And it's $5 a month, which is about what I already pay.

Plus it's not available except on windows 10 (where it's beta).

And it's US only

What is Firefox/Mozilla offering me here that I don't get from NordVpn (who I highly recommend)?

You mean the NordVPN that was hacked for god knows how long, knew about it themselves for months, and both deliberately hid that information from their customers and failed to fix the issue in a reasonable timeframe? [0]

With Mozilla you get someone you can hopefully trust (hopefully being the operative word).

[0] https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-ha...

I'm curious about the parent's question, but consider that Mullvad is about $5 on its own anyways. It also already supports international customers and multiple platforms. So I'm not sure why you would buy it through FF and not directly from Mullvad? It just seems like a middleman with no benefits.

I would like to buy it through Mozilla in order to support the Mozilla Foundation, because I want to support their work and help them break their dependency on Google for funding.

I can justify this, but I'm wondering why Mullvad doesn't give them a slightly better deal. It is basically the same deal that you get if you pay with crypto, except you -- the user -- lose all the benefits of that. So why not charge something like $4.50? Or $4? They are bringing bulk to Mullvad. One of them, or both, could eat the cost until the price stabilized. I'm sure at Mozilla's scale they could push Mullvad's operating price down.

But the fact is that this does create more links in the VPN, and thus more security risks. Which isn't a big deal for the 99% of us that are just using them to torrent and prevent Comcast from seeing our data, but there's still a principle thing, which is part of why people are jumping from PIA before the merger has even happened.

Mullvad is 5€, slightly more

> Mullvad is __about__ $5

5€ is currently $5.54. I'd call that about $5. It's about the same price as if you paid with crypto too.

I just wanted to a) mention the exact price and b) that this might be a reason for some to cut out the middleman.

Again, I'm happy to be corrected, but I thought that affected 1 server out of 1000s? Errors will inevitably happen with any system on that scale. Will Mozilla be more forthcoming or secure? Maybe but surely 1 error per 1000 servers is a manageable known risk vs Mozilla "may be perfect or terrible"?

NordVPN was mainly criticized for how they handled the disclosure. They didn't admit to the server breach until a whistleblower revealed it publicly a year later.


The utility of a VPN is mainly based on trust, and NordVPN's lack of transparency in that incident is a breach of trust.

> The breach was done by “exploiting a vulnerability of one of our server providers, which hadn’t been disclosed to us,” according to the company [NordVPN]’s statement.

Laying the blame on an undisclosed vulnerability is pretty ironic of them

Yeah, that's shitty of them...

On reputation alone, I would put Firefox/Mozilla above NordVPN if I was looking at buying a personal VPN.

Best I can find is the primitives "Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN"...

They use Wireguard, a new, better VPN, faster and safer. It also deals better with interruptions in the connection. This should work fine on Linux but they seem to be working on their own client.

Mullvad is a great company they help finance development for Wireguard VPN, I don't know about NordVPN.

Fair enough, thanks!

This one is also limited to 5 devices.

So do they keep access logs for law enforcement? If this is the same VPN as Mullvad that means they don't? Could someone clarify maybe?

If Mullvad is in the US, courts can compel Mullvad to siphon their clients' information and not disclose it despite any claims their policy makes.

Mullvad is in Sweden IIRC.

Yeah I wouldn’t use any US VPN unless it had a warrant canary and didn’t keep logs

In which countries do you think a VPN provider can ignore a court issued warrant?

They link to Mullvad's No Logging Policy: https://mullvad.net/en/help/no-logging-data-policy/

It's there on the page.

"About our trusted partner

Firefox Private Network full-device protection is a VPN built by Firefox using global WireGuard servers provided by Mullvad, which has committed not to keep logs of any kind."

Just because they don't now, doesn't mean they might later. Law enforcement may override that in some circumstances.

Mozilla need to clarify their relationship and perspective with ProtonVPN, especially because they always stay above the dirt slinging with the CEO of PIA claiming on HN and Reddit that ProtonVPN is a low credibility business.

Firefox Private Network uses Cloudflare for the browser extension and Mullvad for the desktop and mobile clients.

> Our partner for FPN Browser Protection is Cloudflare. Our partner for FPN Full-device Protection is Mullvad.


Mozilla previously sold ProtonVPN as an affiliate for $10/month, but Firefox Private Network doesn't use them at all.


But is Mozilla dropping mention of ProtonVPN due to a loss of confidence after the PIA CEO engaged in mud slinging on public forums? It’s noticeable that Mozilla never really defended their “associate”.

No, and this is supported by the timing. PIA made the inaccurate (and now withdrawn) allegations in July. Mozilla was aware of the allegations, visited Proton in Geneva, looked into said allegations, and announced the Proton partnership in October.

Proton doesn't support Wireguard which is the protocol Mozilla wanted to use. This was a conscious decision because Wireguard is UDP only, which poses a significant problem for many Proton users which are based in countries with strict censorship and UDP VPN protocols are easier to block. Therefore, Proton's VPN focus has shifted to working on TCP based solutions which can resist DPI.

While Proton and Mozilla's VPN focuses have diverged, there are still collaborations and discussions in other areas. For example, Thunderbird is integrating Enigmail, which is based upon the OpenPGPjs library that Proton maintains.

Proton and Mozilla have similar missions, and will continue to support each other in the future.

Only someone from Mozilla could tell you for sure, but I think it's more likely that Mozilla didn't choose ProtonVPN for FPN because ProtonVPN doesn't currently support WireGuard.

To those who are curious (as I was), they use Wireguard and have partnered with Mullvad for the servers.

Where's that mentioned?

edit: never mind

> About our trusted partner

> Firefox Private Network full-device protection is a VPN built by Firefox using global WireGuard servers provided by Mullvad, which has committed not to keep logs of any kind.


I might be paranoid a bit - I'm skeptical about "you can pick your location" feature. And generally I have very little trust in US-based VPN service providers.

No matter the location, they'll keep logs forever for the gov or some other equally unreliable entity.

Mullvad is based in Sweden. Their site has details on their no-logging policy and summaries of the relevant Swedish laws:



Of course, it's up to you to determine how much you want to trust them.

I thought WireGuard was not yet ready for primetime, why is it being used here? I've been wanting to stand up a VPN at work to make my life easier than SSH tunneling but I was waiting for a 1.0 release of WG.

Looking on the WireGuard site, it says that it's still a work in progress that "may contain security quirks", but they also say "already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry." Both statements could be true, but I guess it's up to you whether or not you want to wait for a 1.0 release.

We'll change the language on the site once we're upstream in the Linux kernel. Hopefully that's around the corner.

WireGuard is, from what I understand, probably ready for prime-time, it simply hasn't been proven to be.

Watching Firefox sinking to essentially licensing its name like an obsolete fashion brand is sad.

Whatever it takes to reduce their reliance on Google. Mozilla’s goals are at odds with the direction in which Google is taking Chrome, so their dependency on Google is unhealthy at best.

Money is a necessary evil, choices must be made.

This. And since I've been looking for a new VPN provider after recent issues with PIA and NordVPN, I'd be happy to pay Mozilla for it. I've also heard a lot of good things about Mullvad so I'm definitely a customer when it's available here.

I feel the same way.

I still have a PIA subscription for a few months, which I'm now planning on using until this becomes available in more regions (+ on more platforms, Linux and Android in my case), but as soon as it does, I'll be happy to switch over.

It's a great idea to use Firefox like Wirecutter, as a recommendation for the best of each service type. Combine that with some thin interface over the top, like an OS, to control all the services you subscribe to with unified billing. Password leaks, manager, file sharing, bookmark sync, vpn, dns, newsfeed. Now a new person starting out on the internet doesn't need to learn about haveibeenpwned, dropbox, mullvad, cloudflare, and facebook/pocket. They can let Firefox (hopefully) select the best of each product type, and white label it as part of the Firefox family.

> It's a great idea to use Firefox like Wirecutter

I feel we have reached peak Firefox. I have no qualms about supporting Mozilla by going with their VPN offering, even if it costs a little more. I don't particularly have any objections to some of the recent features like Monitor, DoH, Sync etc. Once the rollout of their VPN product is complete, sometime next year, I would expect them to work with what they have at hand, rather than having too many balls in the air ie. instead of chasing down Chrome or integrating even more services, I hope they will concentrate on staying close to their values and committed to strengthening the core products.

> newsfeed

I must have missed this, what RSS solution have they put out?

Pocket, their competitor to MSN and Facebook and Reddit. Let's be real, MOST people are consuming from one of those three feeds daily.

Does Pocket do feeds now? The last time I looked it was a bookmark manager or something.

Another way to look at it:

Watching Firefox leverage its reputation as a privacy and security advocate is helpful for many people who care, but are not technically inclined.

So, the regular price is $5.00/month, but with that incredible partnership, it's only $4.99! This is a game changer!

Mullvad actually charges €5/month, which is about $5.54. (This doesn't take into account the 10% discount if you pay with Bitcoin or Bitcoin Cash.)

The $4.99 rate would be a 55 cent discount over the standard rate, which matches the cryptocurrency discount and would likely help support Firefox financially.

Mozilla has been trying to diversify its revenue for a long time:


I plan to do this as I was going to use Mullvad; now I can help Firefox reduce the Google reliance at the same time? Sign me up

So what is the benefit of getting this through Firefox instead of Mullvad? They want my email to sign up for the waitlist, but Mullvad requires nothing. Seems like it may even be linked to your Firefox account.

If you already use Mullvad, Firefox Private Network probably won't be an improvement for you.

However, this partnership would most likely benefit both Firefox and Mullvad. Firefox gets a stream of revenue (independent of Google) that would be used to finance development, and Mullvad acquires additional customers through the partnership who would otherwise not know about it.

I know that, but what I'm saying is that you lose a degree of privacy going through Mozilla.

On the one hand, I'm glad they are using a trusted partner like Mullvad. On the other hand, why would you join a waitlist for a service that requires you to link your account to a US credit card--when you can literally mail cash to Mullvad and be completely anonymous.

I guess it is Mozilla's name behind it... but... I guess fundamentally... you still can't use shit like netflix or any other media services because they actively block vpns.

Why is the Mozilla Corporation diluting the Firefox brand like this?

How is this brand dilution?

Because Firefox is a browser, not a family of products. Well, now it is, but they already had a brand for their family of products: Mozilla.

They've been pivoting the Firefox name to encompass many privacy-minded tools for a while now. I would argue that a Firefox VPN strengthens that branding.


> Meet our family of products

- Browsers
- Monitor
- Send
- Lockwise
- Pocket

Frankly, very few people know Mozilla. Many people know Firefox. There's been lots of brand research into this.

So, for many years now, "Firefox" has been morphing into a brand that encompasses many online tools beyond the browser that are all intended to be tied together by Mozilla's mission & manifesto.

Does Mullvad offer ad-blocking dns (like AdGuard)? Maybe Mozilla should start a beta program for this considering they are considered fairly trustworthy.

If it's WireGuard based, the client allows you to specify your DNS servers.

Mullvad vpn, which Firefox vpn is based on, is very good.

Given that they're rebranding Mullvad's service, I wonder if they'll still accept anonymous payments.

Shouldn't this be served from firefoxfulldevicevpn.com ?

just fyi opera has had a free built-in vpn for some time. works a peach.

Opera VPN collects user data. It's right in their policy. It's not a privacy respecting service.

This is how much it cost to run an outline vpn on digitalocean

Outline is an excellent piece of software, but VPN services mix traffic from many users through the same IP address, which may improve anonymity.

A partnership with OVPN.com would have been much better with their high security focus. However, Mullvad is probably fine.

>Does Firefox Private Network log my browsing history?

>Firefox is committed to protecting your privacy. Our privacy policy describes how we handle your data. The VPN is provided in partnership with Mullvad, who is committed to not monitoring or logging your browsing or network history.

So in other words, Mullvad doesn't track you but Mozilla does. Is that interpretation correct?

Nope, not correct.
