There is no way to generate your own private key with Wireguard on Mullvad VPN. You must use their key generator which potentially means they have your private key. This is no good, many privacy minded people use this service and it is even recommended by privacytools.io. @jonah perhaps this is of concern to you.
@mister_monster honestly I haven’t looked into WireGuard too much because I don’t use it myself. But presumably Mullvad can see all your traffic either way so I’m not sure it matters?
@jonah Wireguard is absolutely excellent, you should look into it.
They can see your traffic with just the public key, but they would have no way to imitate you (or allow others to imitate you) without the private key. It is not a deal breaker as long as it is fixed in the long run, I assume they built the keygen tool this way to make it easy to use, but it is not ideal and is a security vulnerability.
@jonah in Wireguard, your peer (which would be the VPN provider) *only* needs your public key to decrypt your packets and verify your identity. None should generate your private key for you or require you to provide it to them. This is asymmetric cryptography 101. Would you met an email service generate your PGP key for you?
@mister_monster yes but that is a different situation, because I don’t want my email provider reading my emails. In this situation, your VPN provider can read your traffic regardless, so it is moot.
@jonah yes but then they can sign messages as you when they are not from you. I trust Mullvad when they say they don't log traffic, but that is *trust*. If they're lying, and they can fake traffic from you, that is potentially very bad. The protocol was designed for each peer to *never* exchange private keys, only public keys. Yet here we have a private key being potentially shared. You don't think it is a security vulnerability that the VPN provider can potentially impersonate you?
@mister_monster I don’t know what you mean. Impersonate you where exactly?
@jonah alright, so you sign packets with your private key, send them to the peer, the peer decrypts them with the public key. If the peer has your private key, they can sign packets from you and "prove" that those packets came from you. If I had your PGP key I could sign messages from you and cryptographically prove that you created those messages. Same concept. Assymetric cryptography is just as much about establishing authenticity as it is protecting information.
@mister_monster I’m not aware of *any* VPN provider that lets you generate your own private key. I don’t see how this is a security vulnerability anyhow.