multi-account-containers
Per container split-tunneling support with the new Mozilla VPN integration
- Multi-Account Containers Version: 8.0.4
- Operating System + Version: Fedora 35
- Firefox Version: Nightly (Currently 97)
- Other installed Add-ons + Version + Enabled/Disabled-Status: N/A
Actual behavior
The integration with Mozilla VPN doesn't let you disable it in a specific container
Expected behavior
It'd be useful to disable the VPN (split-tunneling) in a specific container. This feature would be useful for websites like Amazon Prime that prevent a user from watching video while using a VPN.
Mozilla VPN does support split-tunneling. However, it is a per application configuration. This means that you would have to create two different Firefox installs so that one of them can be excluded via the Mozilla VPN split-tunneling option.
As you can see, this isn't user-friendly or very practical, so implementing it in MAC would remove the need for 2 Firefox installs and make the user experience more enjoyable by 1) removing the need for context switching and 2) preventing site "breakage" that prevents the user from using some functionality while connected to the VPN.
Steps to reproduce
N/A
Notes
See Reddit thread between me and @groovecoder https://www.reddit.com/r/firefox/comments/rtekfk/comment/hquvskh/
That would be very useful.
Since other issues are being closed as duplicates of this one, I would add to the split-tunneling support wishlist the (related) option to only enable the VPN in some containers, i.e.:
- have the container-less tabs not go through the VPN
- have non-Firefox applications not go through the VPN
Currently at the top of the Firefox subreddit is a post expressing disappointment because they thought they'd be able to integrate it with the browser so there were "no VPN" tabs and VPN tabs https://www.reddit.com/r/firefox/comments/11vknng/was_kind_of_disappointed_with_mozilla_vpn/
I share some of this disappointment and am also concerned because it's likely hurting adoption.
I think enabling VPN per-container is easy with the socks proxy. Therefore a way to implement this could be:
- split-tunnel Firefox out of the VPN (either as a single application or globally by only allowing proxy support)
- use proxy socks://10.64.0.1:1080 on containers that need default tunnel; note that the add-on doesn’t allow setting the proxy of the containerless tabs currently
- specific-location containers work as they do currently
The main alternative would be to run a socks proxy on the localhost that bypasses the VPN, and route traffic that is not to be tunnelled through there. This could be done either by having a socks app setup and whitelisted through the Mozilla VPN split-tunnelling, or by having Mozilla VPN itself run a socks proxy.
However I have no idea what effect a locally hosted proxy could have on websites that require “no VPN“.
On Linux it’s as easy as installing the python3 module siosocks and creating a desktop file:
> python3 -m pip install --user siosocks # preferably through your system’s package manager instead
> mkdir -p ~/.local/share/applications/
> cat > ~/.local/share/applications/un-vpn.desktop <<EOF
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Categories=Network;
Terminal=false
Exec=python3 -m siosocks --host localhost --port 1080 --socks 5
Name=Un-VPN
Icon=network-vpn-disabled
EOF
Then:
- Restart MozillaVPN,
- Select Un-VPN in the list of split-tunnelled applications,
- Start Un-VPN from your usual launcher
- Set the containers that you want to split-tunnel to use socks://localhost:1080 as their proxy.
Unfortunately AFAICT MozillaVPN does not currently support autostarted applications.
Once they do, copy the un-vpn.desktop to ~/.config/autostart/ or use your DE to select it as an autostart application (which should have the same effect). It should appear in the systemctl list:
> systemctl --user daemon-reload
> systemctl --user list-dependencies xdg-desktop-autostart.target
xdg-desktop-autostart.target
● ├─[email protected]
○ ├─[email protected]
○ ├─app-mozillavpn\[email protected]
● ├─[email protected]
○ ├─[email protected]
● └─app-un\x2dvpn@autostart.service
You can then select it in the split-tunnelled applications, and if needed check it or start it manually with:
> systemctl --user status app-un\\x2dvpn@autostart.service
> systemctl --user start app-un\\x2dvpn@autostart.service
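A pre-flight check for the workaround above, added here as an example (it is not part of the original comments or of siosocks): the Exec line starts the SOCKS listener with no credentials, so the check confirms that the bind name resolves only to loopback addresses and that the port answers a SOCKS5 greeting before containers are pointed at it. The function names and the stub server used for offline testing are assumptions made for this example.

```python
import ipaddress
import socket
import threading

def is_loopback_only(host):
    """True if every address `host` resolves to is loopback (127.0.0.0/8 or ::1)."""
    infos = socket.getaddrinfo(host, None)
    addrs = {info[4][0].split("%")[0] for info in infos}  # drop any IPv6 scope id
    return all(ipaddress.ip_address(a).is_loopback for a in addrs)

def probe_socks5(host, port, timeout=2.0):
    """Send a SOCKS5 greeting (RFC 1928) and classify the answer.

    Returns 'no-auth', 'auth-required', 'not-socks5' or 'down'.
    'down' is the fail-closed case: a container set to this proxy loads nothing.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0x00 (no auth)
            reply = s.recv(2)
    except OSError:
        return "down"
    if len(reply) < 2 or reply[0] != 5:
        return "not-socks5"
    return "no-auth" if reply[1] == 0x00 else "auth-required"

def start_stub_socks5(method=0x00):
    """Constructed stand-in for the proxy: answers one greeting, then closes.

    Exists only so the probe can be exercised offline; returns the port it chose.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(3)[:1] == b"\x05":
                conn.sendall(bytes([5, method]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Address and port taken from the desktop file above.
    print("localhost is loopback-only:", is_loopback_only("localhost"))
    print("localhost:1080 ->", probe_socks5("localhost", 1080))
```

If the first check prints False, or the proxy is ever started with a non-loopback --host, anything that can reach the port can send traffic through it.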
This is a crucial feature, there are certain sensitive and/or work things that I absolutely do not want (or can't) push through a third party connection. It forces me to turn everything off which kind of defeats the purpose of the container feature for the most part.
I opened an "Ideas" on Mozilla Connect to get more visibility. If it gets enough traction (votes, comments), the VPN team will be notified of it. https://connect.mozilla.org/t5/ideas/disable-enable-mozilla-vpn-per-container-in-multi-account/idi-p/34269#M19899
This is a deal breaker for me. Lack of ability to enable VPN only for Firefox, and only for certain tabs, makes this solution unusable. Mozilla does not provide SOCKS proxy either.
@swistak I don't use Mozilla VPN, but SOCKS proxy using dynamic port forwarding over SSH works great for me in cases similar to yours - tabs of some container should go through VPN/Proxy. Probably it is an issue of configuration. My container is configured like this:
And it works like a charm. Additionally, it provides additional security - if the SOCKS proxy is turned off then the browser will not load pages (no exposing my real IP to services I contact in tabs of this container).
I hope it helps.
This is a deal breaker for me. Lack of ability to enable VPN only for Firefox, and only for certain tabs, makes this solution unusable. Mozilla does not provide SOCKS proxy either.
I was kind of expecting this behavior when I bought Mozilla VPN, which is to be able to have no VPN for all apps but only activated for certain containers in Firefox. Then when I tried to do that, it didn't work and eventually I found this issue. =/