Great find by the author and I have no trouble believing this is an oversight by Mullvad. Kind of shocking that something this simple slips by them but I could see myself missing it.
Putting aside the IP correlation across multiple servers, at first I wondered why even keep the user IP stable on one server. But I think it makes sense because as the author states other VPNs usually have only one IP per server so they are essentially simulating that. The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
The IP correlation across multiple servers they should fix though with something like rand.seed(user_pub_key + server_id)
> The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
On the flip side, if they’re getting banned by a service because of a noisy neighbor on the same IP, they’d have no way to work around that, no?
You mean if the neighbor somehow burned every VPN location?
Doesn’t even need to be every location. Some services are only accessible from a single country, and Mullvad has at most a handful of locations per country.
All things considered, there are just an incredibly small number of IPs shared among all users, no matter the allocation strategy.