Overview

Quantum-resistant tunnels add a layer of encryption to WireGuard connections using post-quantum cryptography. This protects your VPN traffic from potential future attacks by quantum computers that could break current encryption algorithms. Mullvad implements quantum resistance through ephemeral pre-shared keys (PSK) negotiated using post-quantum key encapsulation mechanisms (KEM).
Quantum-resistant tunnels are available on all platforms: Windows, Linux, macOS, Android, and iOS.

How It Works

Traditional WireGuard Encryption

Standard WireGuard uses:
  • Curve25519: Elliptic curve cryptography for key exchange
  • ChaCha20-Poly1305: Symmetric encryption
These algorithms are secure today, but the Curve25519 key exchange could potentially be broken by quantum computers in the future.

Quantum-Resistant Enhancement

Mullvad adds a quantum-resistant layer:
  1. Post-Quantum KEM: Generates ephemeral key pairs using post-quantum algorithms
  2. PSK Exchange: Securely negotiates a pre-shared key with the relay server
  3. WireGuard PSK: The negotiated key is used as WireGuard’s pre-shared key field
  4. Hybrid Security: Combined classical (Curve25519) + post-quantum cryptography
┌─────────────────────────────────────────────────────┐
│   Application Data (Your Internet Traffic)          │
└─────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────┐
│   WireGuard Encryption (ChaCha20-Poly1305)          │
│   + Pre-Shared Key (Post-Quantum)                   │
└─────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────┐
│   Curve25519 Key Exchange (Classical)               │
└─────────────────────────────────────────────────────┘
This “hybrid” approach keeps the tunnel secure as long as at least one of the classical and post-quantum algorithms remains unbroken.
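
How the PSK gives the hybrid property, as an added sketch (not Mullvad's or WireGuard's code): WireGuard's handshake KDF is HKDF over HMAC-BLAKE2s, and the PSK is mixed into the chaining key before the transport keys are split. It assumes a simplified handshake with a single classical secret; `transport_keys`, `recovers_session`, `DH_SECRET` and `KEM_SECRET` are names and constructed values made up for this example.

```python
import hashlib
import hmac

ZERO_PSK = bytes(32)  # value WireGuard uses when no PSK is configured
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"

# Constructed stand-ins (assumptions): a real tunnel gets these from
# Curve25519 and from the post-quantum KEM decapsulation respectively.
DH_SECRET = hashlib.blake2s(b"constructed classical DH output").digest()
KEM_SECRET = hashlib.blake2s(b"constructed KEM shared secret").digest()


def _hmac(key, data):
    return hmac.new(key, data, hashlib.blake2s).digest()


def kdf(key, data, n):
    """WireGuard's KDFn: HKDF over HMAC-BLAKE2s, n outputs of 32 bytes."""
    prk = _hmac(key, data)
    outputs, prev = [], b""
    for i in range(1, n + 1):
        prev = _hmac(prk, prev + bytes([i]))
        outputs.append(prev)
    return outputs


def transport_keys(dh_secret, psk=ZERO_PSK):
    """Simplified handshake tail: classical secret, then PSK, then key split."""
    chaining = hashlib.blake2s(CONSTRUCTION).digest()
    (chaining,) = kdf(chaining, dh_secret, 1)       # classical contribution
    chaining, _tau, _kappa = kdf(chaining, psk, 3)  # post-quantum contribution
    send, recv = kdf(chaining, b"", 2)
    return send, recv


def recovers_session(known_dh, known_psk):
    """True if an adversary holding these two inputs derives the real keys."""
    return transport_keys(known_dh, known_psk) == transport_keys(DH_SECRET, KEM_SECRET)


if __name__ == "__main__":
    print("DH broken, PSK unknown :", recovers_session(DH_SECRET, ZERO_PSK))
    print("PSK leaked, DH unknown :", recovers_session(bytes(32), KEM_SECRET))
    print("both known             :", recovers_session(DH_SECRET, KEM_SECRET))
```

With the all-zero default PSK, the classical secret alone determines the keys, which is the exposure that store-now-decrypt-later collection relies on.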

Key Exchange Process

Ephemeral PSK Negotiation

The PSK is never persisted to disk and is regenerated for each tunnel:
  1. Key Generation: Client generates post-quantum KEM key pairs
  2. Request: Client sends public key to relay server via TLS 1.3
  3. Encapsulation: Server generates shared secret and encapsulates it
  4. Response: Server returns encapsulated secret
  5. Decapsulation: Client decapsulates to derive shared secret
  6. PSK Derivation: Shared secret becomes WireGuard PSK
The PSK is stored in memory only and is never written to disk. It’s automatically zeroized when the tunnel is torn down.

Enabling Quantum-Resistant Tunnels

Using the GUI

  1. Open Settings: Launch Mullvad VPN and navigate to Settings → VPN settings
  2. Enable Quantum Resistance: Find the Quantum-resistant tunnel option and toggle it On
  3. Reconnect: The app will automatically reconnect with quantum-resistant encryption enabled

Using the CLI

# Enable quantum-resistant tunnels
mullvad relay set tunnel wireguard quantum-resistant on

# Disable quantum-resistant tunnels
mullvad relay set tunnel wireguard quantum-resistant off

# Check current setting
mullvad relay get

Verify It’s Active

When connected with quantum resistance enabled:
mullvad status -v
You should see:
Connected to ...
Quantum resistant: yes
The connection panel in the GUI will also display a quantum resistance indicator.

Performance Impact

Connection Establishment

  • Slight increase in connection time: Additional PSK negotiation adds ~100-200ms
  • Key generation: Post-quantum key pair generation takes a few milliseconds

Ongoing Connection

  • No throughput impact: Once established, performance is identical to standard WireGuard
  • No additional CPU overhead: PSK is used in existing WireGuard encryption
The performance impact is minimal and only affects the initial connection. Once connected, there’s no difference in speed or bandwidth.

Security Properties

Threat Model

Quantum-resistant tunnels protect against:
  • Store-now-decrypt-later attacks: Adversaries recording encrypted traffic today to decrypt with future quantum computers
  • Future quantum cryptanalysis: Breaks in classical ECC algorithms

Cryptographic Algorithms

Mullvad uses NIST-approved post-quantum algorithms for KEM:
  • Post-quantum key encapsulation mechanisms
  • Hybrid construction combining classical and post-quantum security

Limitations

Does not protect against:
  • Traffic analysis (see DAITA)
  • Correlation attacks on VPN servers
  • Compromise of the Mullvad service itself
  • Local device compromise

Compatibility with Other Features

Quantum-resistant tunnels work with:

Example: Quantum-Resistant Multihop

# Enable quantum resistance with multihop
mullvad relay set tunnel wireguard quantum-resistant on
mullvad relay set tunnel wireguard use-multihop on

Technical Details

PSK Storage

From the source code (talpid-types/src/net/wireguard.rs:295-306):
/// A WireGuard preshared key (PSK). Used to make the tunnel quantum-resistant.
#[derive(Clone, PartialEq, Eq, Hash, Zeroize, ZeroizeOnDrop)]
pub struct PresharedKey(Box<[u8; 32]>);
  • PSK is 32 bytes (256 bits)
  • Automatically zeroized on drop (secure memory cleanup)
  • Never serialized or deserialized to disk

Key Rotation

PSKs are ephemeral:
  • New PSK negotiated for each tunnel connection
  • PSK is discarded when tunnel disconnects
  • No persistent key storage

Troubleshooting

Connection Failures

If quantum-resistant connections fail:
  1. Check server support: Ensure selected relay supports quantum resistance
  2. Network connectivity: PSK exchange requires API connectivity
  3. Firewall rules: Ensure HTTPS (443) to Mullvad API is allowed
  4. Temporarily disable: Try disabling quantum resistance to isolate the issue

Verification

# Check if quantum resistance is active
mullvad status -v | grep -i quantum

# View tunnel configuration
mullvad relay get

Migration from Legacy Settings

Older Mullvad versions used the use_pq_safe_psk setting:
  • Automatically migrated to quantum_resistant in newer versions
  • auto setting means enabled by default
  • Settings persist across app updates

Best Practices

Enable quantum resistance together with multihop and DAITA:
mullvad relay set tunnel wireguard quantum-resistant on
mullvad relay set tunnel wireguard use-multihop on
mullvad tunnel set tunnel wireguard daita on
