Linux allow mixing tunnelled and vpn containers
Description
These changes allow split-tunnelling as requested in e.g. mozilla/multi-account-containers#2259
The effect of this PR is to allow mixing non-VPN tabs and VPN tabs in Firefox:
- Without proxy set for the container, tabs of that container bypass the VPN
- With a proxy for the container set to the wireguard-default proxy socks://10.64.0.1:1080, tabs access the internet through the VPN location used for the connection
- With a proxy for the container set by multi-account containers to a specific location, tabs access the internet through the specified location
In short, this is done by preventing the socks5 proxies used by mozillavpn/wireguard from being added to the split-tunnelling rules.
Changes are very lightweight (though only for Linux in this PR), and only affect private ranges of addresses (10.x). This means no side-effects even in the unlikely chance of users using the same range of IP addresses as mullvad in their LAN, as local routing rules are always checked before VPN routing (in which case the socks proxies are never reachable to start with).
Reference
mozilla/multi-account-containers#2259
Checklist
- [x] My code follows the style guidelines for this project
- [x] I have not added any packages that contain high risk or unknown licenses (GPL, LGPL, MPL, etc. consult with DevOps if in question)
- [x] I have performed a self review of my own code
- [x] I have commented my code PARTICULARLY in hard to understand areas
- [x] I have added thorough tests where needed
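The routing behaviour the description claims, as an added illustration that is not code from this PR or from mozilla-vpn-client: a small model of one Linux client in which connected LAN routes are checked first, a split-tunnelled app bypasses the VPN, and the SOCKS relay prefix is deliberately left out of the bypass so relays stay reachable inside the tunnel. The relay prefix 10.64.0.0/20 is an assumption built from the default relay 10.64.0.1 given above and the /20 mentioned in a later comment; hosts and destinations are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed prefix of the VPN-side SOCKS relays (not taken from project code).
SOCKS_RELAY_NET = ip_network("10.64.0.0/20")


@dataclass
class Host:
    """Constructed model of one client: LAN prefixes (as strings) that are
    directly connected, and the set of apps excluded from the VPN."""
    lan_nets: list = field(default_factory=list)
    split_tunnel_apps: set = field(default_factory=set)


def route(host: Host, app: str, dst: str) -> str:
    """Return 'lan', 'bypass' or 'vpn' for a packet from `app` to `dst`."""
    d = ip_address(dst)
    # 1. Directly connected routes win regardless of VPN state.
    if any(d in ip_network(net) for net in host.lan_nets):
        return "lan"
    # 2. Split-tunnel exclusion: the app leaves the VPN, except for the
    #    relay prefix, which is not added to the bypass rules, so the
    #    relays remain reachable through the tunnel.
    if app in host.split_tunnel_apps and d not in SOCKS_RELAY_NET:
        return "bypass"
    # 3. Everything else rides the WireGuard tunnel.
    return "vpn"


def container_tab(host: Host, proxy_host: Optional[str], dst: str) -> str:
    """Path taken by a Firefox container tab: with a container proxy the
    first hop is the proxy itself, otherwise the tab connects to `dst`."""
    return route(host, "firefox", proxy_host if proxy_host else dst)


def scenarios() -> dict:
    """The three cases from the description, on constructed hosts."""
    client = Host(lan_nets=["192.168.1.0/24"], split_tunnel_apps={"firefox"})
    # LAN that happens to overlap the relay prefix: local route wins.
    overlap = Host(lan_nets=["10.64.0.0/24"], split_tunnel_apps={"firefox"})
    return {
        "no_proxy": container_tab(client, None, "203.0.113.10"),
        "relay_proxy": container_tab(client, "10.64.0.1", "203.0.113.10"),
        "lan_overlap": container_tab(overlap, "10.64.0.1", "203.0.113.10"),
    }


if __name__ == "__main__":
    print(scenarios())
```

The "lan_overlap" case reproduces the caveat in the description: when a LAN prefix overlaps the relay range, the local route is taken and the relay is simply unreachable rather than leaking anything.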
- Rebased on master now #6505 is merged
- Restrained range of socks relays to 124.0.0.0/20 instead of initially used 124.0.0.0/16
- Moved table initialisation to `nftIfup` so it works after disconnect / reconnect
Rebased to handle conflicts from whitespace changes in 7229a3fd3.
Hey! Sorry for the late review for this - it dropped through the cracks, if that happens again always feel free to either @ping me or anyone else from the team :)
The code looks great, no comments there, but this is not the direction we decided to take to allow a selective bypass - there is currently in-flight work to provide a localhost proxy only Firefox can access, which will provide a non-VPN route (on both Windows and Linux).
See: https://github.com/mozilla-mobile/mozilla-vpn-client/tree/main/extension/socks5proxy/
Plan is to get that out in either v2.25 or v2.26 - at which point Mac will also be able to access that :)
Thanks, I’ll keep an eye out for when that’s merged