Back to articles

Firefox's free built-in VPN reviewed: how it stacks up against VPN extensions

Firefox 149 ships a free built-in VPN with 50GB/month, no downloads needed. Here's how it compares to Proton VPN, Mullvad, and NordVPN extensions in 2026.

Maxim Kosterin
10 min read

Firefox just shipped something I didn't expect: a free built-in VPN. No extension required, no companion app, no subscription.

Firefox 149, released March 24, 2026, includes a built-in proxy-based VPN that hides your IP address and location — free for users in the US, UK, France, and Germany, with a 50 GB monthly data cap. Mozilla called it out directly in their release announcement: "Free VPNs can sometimes mean sketchy arrangements that end up compromising your privacy, but ours is built from our data principles and commitment to be the world's most trusted browser."

That's a direct shot at the VPN extension market. So I want to do what I've been meaning to do anyway: put Firefox's new VPN head-to-head against the best VPN extensions currently available. What do you actually get from each option, and which should you trust?

Quick verdict

Firefox built-in VPN Proton VPN extension Mullvad extension NordVPN extension
Cost Free Free tier available Paid only (~$5/mo) Paid only
Traffic covered Browser only Browser only (or full device with app) Browser only (SOCKS5) Browser only (proxy)
Extension permissions None (built in) proxy proxy proxy, storage
No-logs policy Mozilla data principles Audited Audited Audited
Regions 4 (US, UK, FR, DE) 100+ 40+ 60+
Independent audit Not yet disclosed Yes Yes Yes

Bottom line: Firefox's built-in VPN is the right choice if you're already on Firefox, you're in one of the four supported countries, and you want zero-effort IP masking with no extra software. If you need more server locations, cross-browser support, or a full-device VPN option, a dedicated VPN extension wins.


What Firefox VPN actually does

One thing to be clear about upfront: Firefox's built-in VPN is technically a proxy, not a full encrypted VPN tunnel. It routes your browser's HTTP/HTTPS traffic through Mozilla's servers to mask your IP and approximate location. Traffic from other apps on your device — desktop email clients, games, other browsers — is unaffected.

For most browser-specific privacy use cases, that's completely fine. If your concern is a website logging your real IP, an ISP watching your browsing patterns, or someone on a shared network tracking what you're doing, a proxy handles all of that. Where it falls short is if you need system-wide protection or are running a VPN to route traffic from apps outside the browser.

The 50 GB monthly cap is generous for casual use. Most browser traffic doesn't come close to that unless you're streaming HD video in the browser all day. The bigger practical limitation is geographic: at launch, the VPN is only available to users in the United States, France, Germany, and United Kingdom. If you're elsewhere, it simply doesn't activate.

According to Mozilla's official blog, the built-in VPN routes traffic through a proxy infrastructure consistent with their data privacy principles. They haven't yet published independent audits of this infrastructure, which is worth noting — established VPN providers like Proton and Mullvad have commissioned third-party audits of their no-logs claims.


Security analysis: built-in vs extension-based VPNs

No extension means no extension attack surface

This is the biggest security advantage Firefox's built-in VPN has over any extension: it introduces zero new extension permissions to your browser.

VPN extensions — even legitimate ones from reputable companies — typically require the proxy permission to route traffic. Some also request storage or host permissions. Every permission an extension holds is part of your attack surface. Extensions can be compromised through supply chain attacks, ownership transfers that weaponize a previously-safe extension, or silent updates that introduce malicious behavior.

If you've been following the security news this year, you know this isn't theoretical. Extensions that were legitimate when you installed them have turned malicious months or years later. The Extenshi catalog tracks these events — you can check real-time security alerts for VPN extensions to see whether any of your installed add-ons have raised flags. A built-in browser feature managed by Mozilla has a very different threat model than a third-party extension in the Chrome or Firefox store.

The proxy vs full VPN difference

How VPN extensions actually work depends on whether you have a companion desktop app installed:

  • Without the companion app: The browser extension routes traffic through the VPN provider's proxy servers — functionally similar to what Firefox's built-in VPN does.
  • With the companion app running: The extension communicates with the desktop client, which routes traffic through a full encrypted tunnel (WireGuard or OpenVPN protocol). This is meaningfully stronger.

So when comparing Firefox's built-in VPN to something like the Proton VPN Firefox extension without the Proton app installed, you're comparing two proxy-based setups. The real upgrade to a true encrypted tunnel comes from running the full desktop VPN app alongside the browser extension.

Trust model: Mozilla vs third-party VPN providers

Mozilla's privacy principles are well-documented. They're a nonprofit with a published data policy and a long track record of advocacy for user privacy. The infrastructure for their built-in VPN proxy is managed in line with those principles, according to the Mozilla Blog.

That said, "trust Mozilla's principles" is a different thing from "independently audited no-logs policy." Proton VPN and Mullvad have both published audit results confirming their no-logs infrastructure. NordVPN publicly disclosed a server breach in 2018 — a Finnish data center server was accessed without authorization — and has since commissioned multiple independent audits to verify their security posture. All of this public audit history is a data point in favor of established VPN providers who have had to defend their claims under scrutiny.

NordVPN stated that no user credentials or activity logs were exposed in the 2018 incident, and they have not publicly issued any updated statements contradicting that assessment.


Privacy permissions breakdown for VPN extensions

Since Firefox's built-in VPN is not an extension, it doesn't appear in the Extenshi catalog. But the major VPN extensions do, and their permission profiles matter. Here's what they request — and what that actually means:

proxy permission: Lets the extension route your browser traffic through its servers. Required for any VPN extension to work. Standard and expected.

storage permission: Lets the extension persist settings locally. Some VPN extensions use this to save your preferred server location and connection preferences. Low risk on its own.

<all_urls> host permissions: Some VPN extensions request access to intercept all URLs to implement connection logic. This is broader than necessary for pure proxy functionality and worth examining if an extension requests it.

Before installing any VPN extension, I'd check its permission profile and active alerts on Extenshi's catalog. The catalog aggregates security signals and lets you see what permissions each extension actually holds versus what it claims to need.


The three best VPN extension alternatives

Proton VPN for Firefox and Chrome

The most direct comparison to Firefox's built-in VPN. Proton VPN offers a free tier with access to servers in a handful of countries — no data cap, but slower speeds on free servers. The paid plan unlocks faster speeds, 100+ countries, and the option to use WireGuard through the desktop app.

Proton's no-logs policy has been independently audited. They're based in Switzerland, where privacy laws are stricter than EU baseline. The browser extension works as a proxy when used standalone, or tunnels through the desktop app when it's running.

Best for: People who want a free VPN option with more country coverage than Firefox's 4-country list, especially outside the US/UK/FR/DE region. Check Proton VPN's security report on Extenshi.

Mullvad Browser extension

Mullvad is aggressively privacy-focused — no email required to create an account, payment by cash or crypto accepted, and an independently audited no-logs policy. The browser extension works as a SOCKS5 proxy that connects to your Mullvad subscription. No free tier; accounts cost around $5/month.

Compared to Firefox's built-in VPN, you're getting a more transparent privacy posture (published audit reports), more server locations, but you're also adding an extension with proxy permissions and paying for the service.

Best for: Users who are already or willing to become Mullvad subscribers and want a clean, audited privacy tool with minimal extension footprint.

NordVPN extension

NordVPN's browser extension operates as a proxy to their server network. Like others in this list, it functions as a proxy in standalone mode — a full tunnel requires the desktop app. The NordVPN extension requests proxy and storage permissions.

NordVPN is one of the most recognized VPN brand names. Their 2018 server incident (publicly disclosed by NordVPN) and subsequent response — including commissioning multiple external audits — has become a reference case in how VPN companies handle security disclosures. Check NordVPN's extension on Extenshi for its current permission and alert status.

Best for: Existing NordVPN subscribers who want browser-integrated proxy controls alongside their desktop client.


Who should use what

Use Firefox's built-in VPN if:

  • You're on Firefox and you're in the US, UK, France, or Germany
  • You want zero-effort IP masking with no additional software or extension
  • You trust Mozilla's data principles and don't need an independently audited no-logs certificate
  • 50 GB/month of browser-only proxy is enough for your use case

Use a dedicated VPN extension (like Proton VPN's free tier) if:

  • You're in a country not covered by Firefox's 4-region launch
  • You use Chrome, Edge, or Brave and need a browser-level VPN
  • You want the option to upgrade to a full encrypted tunnel via a companion desktop app
  • An independently audited no-logs policy matters to you

Skip browser VPNs entirely and use a full desktop VPN app if:

  • You need system-wide protection, not just browser traffic
  • You're doing anything that requires real cryptographic guarantees (like using a VPN for actual threat modeling, not just IP masking)
  • You need to tunnel your entire connection through a specific jurisdiction

Final recommendation

Firefox's built-in VPN is a genuinely useful addition for Firefox users who want low-friction privacy. It doesn't require trusting a third-party extension developer, it doesn't add to your extension attack surface, and it costs nothing. For someone who has never set up a VPN before and just wants to stop leaking their IP on every site they visit, this is the fastest path there.

Where it falls short is in independent verification and geographic scope. The extension VPNs — Proton VPN in particular for the free-tier crowd — have a longer public audit trail and cover more of the world.

One thing I'd recommend regardless of which option you pick: audit your full extension list while you're thinking about privacy. You might be surprised what permissions other installed extensions are sitting on while you're using a VPN extension to protect your traffic.

Check your VPN extension's security report on Extenshi →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles