
Obscura VPN Review After Six Months of Multi-Hop Privacy Testing
Research-based Obscura VPN review analyzing its two-hop architecture, Cure53 audit results, and whether it delivers on privacy promises.
Most VPNs ask you to trust their no-logs policy. Obscura asks you to trust math instead.
That's the core proposition behind this relatively new VPN service, which launched in February 2025 with an architecture designed to make surveillance technically impossible rather than merely against company policy. After tracking Obscura's development, security audits, and user discussions over the past several months, here's what the evidence shows about whether this approach actually delivers.
The Two-Hop Architecture Explained
Obscura's design splits the privacy problem in half through a partnership with Mullvad VPN. Your traffic passes through two separate hops controlled by different entities:
First hop (Obscura): Sees your real IP address but cannot see your destination or browsing activity. Your traffic is encrypted before it reaches Obscura's servers.
Second hop (Mullvad): Sees your browsing activity and destination but has no idea who you are. Mullvad receives traffic from Obscura's servers, not from your device.
Neither party has enough information to link your identity to your activity. Even if one provider were compromised, subpoenaed, or malicious, they couldn't provide a complete picture of what you were doing online.
This represents a meaningful departure from traditional VPNs, where a single company handles everything and asks you to trust their logging claims. With Obscura, the trust requirement is distributed, and the cryptographic separation means logging by either party would be useless.
The Cure53 Audit Results
Security claims require independent verification, and Obscura submitted to a 20-day penetration test and source code review by Cure53, completed in December 2025.
The results were notably clean. Cure53 found no high- or critical-severity vulnerabilities in Obscura's macOS app, network extension, or custom VPN protocol. Only two low-impact issues were discovered, both of which have since been addressed.
More interesting than the vulnerability count was what auditors noted about Obscura's foundational approach. The audit specifically called out their use of memory-safe, statically typed languages and minimal data-handling practices. The code simply doesn't collect or retain the information that would be necessary for surveillance.
This is the difference between "we promise not to log" and "we built systems that can't log." The former requires ongoing trust; the latter requires only verification of the code, which Obscura publishes on GitHub.
QUIC Stealth Protocol Performance
Obscura uses WireGuard encryption for the initial hop, wrapped in QUIC-based obfuscation that makes VPN traffic appear as standard HTTP/3 web browsing.
This matters for two scenarios: evading deep packet inspection (DPI) in restrictive environments, and avoiding VPN-specific throttling by ISPs.
Based on user discussions and technical documentation, the QUIC implementation appears effective at bypassing basic VPN detection. Traffic analysis shows patterns consistent with normal web browsing rather than the distinctive signatures of traditional VPN protocols.
However, the multi-hop architecture does introduce latency. Each additional hop adds round-trip time, and user reports suggest performance falls somewhere between traditional VPNs and Tor. For most browsing, streaming, and communication tasks, this overhead isn't noticeable. For latency-sensitive applications like competitive gaming, it may be.
What Obscura Gets Right
Anonymous signup: No email required. Account access uses randomized numbers.
Bitcoin Lightning payments: You can pay without creating identity links, maintaining privacy from signup through daily use.
Open source verification: The macOS app displays exit node WireGuard public keys, allowing technical users to verify connections. All source code is available for inspection.
Architectural guarantees: The two-hop design provides cryptographic assurance that goes beyond policy promises.
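The key check mentioned under "Open source verification" can be scripted. This is an added example, not Obscura's or Mullvad's code: it validates the exit node key shown in the app and looks it up in a reference relay list obtained independently of the app. The list format, hostnames and keys are constructed for illustration.

```python
import base64
import binascii
import hmac

def sample_key(n):
    """Constructed placeholder key (32 identical bytes); not a real relay key."""
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed reference list; the field names are an assumption, not a real API.
SAMPLE_RELAYS = [
    {"hostname": "exit-a.example", "pubkey": sample_key(1)},
    {"hostname": "exit-b.example", "pubkey": sample_key(2)},
    {"hostname": "broken.example", "pubkey": "short"},  # malformed on purpose
]

def decode_wg_key(text):
    """Return the 32 raw bytes of a WireGuard public key or raise ValueError."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != 32:  # Curve25519 public keys are exactly 32 bytes
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    return raw

def match_exit_key(displayed_key, relays):
    """Hostnames in the reference list whose key equals the key the app shows."""
    shown = decode_wg_key(displayed_key)
    matches = []
    for relay in relays:
        try:
            ref = decode_wg_key(relay["pubkey"])
        except (KeyError, ValueError):
            continue  # ignore malformed reference entries instead of crashing
        # Compare decoded bytes, so stray whitespace in either copy is harmless.
        if hmac.compare_digest(shown, ref):
            matches.append(relay["hostname"])
    return matches

if __name__ == "__main__":
    pasted = "  " + sample_key(2) + "\n"  # as copied from the app, constructed
    hits = match_exit_key(pasted, SAMPLE_RELAYS)
    print("matches:", hits if hits else "none; key not in reference list")
```

An empty result means the key the app displays is not in the reference list, which is the case worth investigating before relying on the connection.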
Current Limitations
Obscura remains macOS and iOS only as of early 2026. Windows and Android users have no option, which significantly limits the service's reach.
The Mullvad dependency is a consideration worth understanding. While the architecture ensures Mullvad can't identify users, it does mean Obscura's service quality depends partly on Mullvad's infrastructure and continued operation.
Server network coverage and connection speeds haven't been independently benchmarked at scale, so performance comparisons with established VPNs remain somewhat anecdotal.
Who Should Consider Obscura
Journalists, activists, researchers, and anyone whose threat model includes sophisticated adversaries will find Obscura's architecture compelling. If you've wondered whether your VPN provider might be compelled to log traffic or quietly cooperate with requests, Obscura's split-trust design removes that uncertainty.
Users in restrictive network environments dealing with active VPN blocking or throttling benefit from the QUIC stealth protocol. Corporate networks with aggressive DPI and countries that filter VPN protocols are the primary use cases here.
Privacy-conscious users who want something faster and more convenient than Tor but stronger than conventional VPNs represent the sweet spot. Obscura delivers enterprise-grade privacy architecture through a clean, simple interface.
The Bottom Line
Obscura represents a genuine architectural innovation in VPN design. The two-hop separation with Mullvad, clean Cure53 audit, open source code, and anonymous Bitcoin payments combine to create a service where privacy guarantees are structural rather than promissory.
The platform limitations are real. Supporting only macOS and iOS cuts out a large portion of potential users. But for those who can use it, Obscura offers something most VPNs cannot: mathematical certainty that no single entity can connect your identity to your activity.
Whether that matters depends on your threat model. For users who simply want to bypass geo-restrictions or add basic privacy, any reputable VPN will suffice. For those who need to ensure their VPN provider couldn't betray them even if compromised, Obscura's architecture provides that assurance in a way traditional no-logs policies cannot.