mullvadvpn-app
[Mac] Bookmark and iCloud sync not working with VPN on
Hello,
I have noticed that a sync between Safari bookmarks on Mac (10.14.6) and iPhone (14.3) stopped working some time ago. I did a deep dive and it turned out that switching the VPN (both latest Mullvad apps) off on both devices makes the bookmarks sync again.
Have you heard about this before?
Thanks, m
Thank you for the report. Yes we recently started getting reports about this and have started investigating a little bit. Let's keep this issue as a tracker for when we have it resolved.
These Apple services probably use some protocol/ip range that we are blocking for security reasons. If we find out what IPs/ports it's using we can consider if unblocking them would be safe or not.
Does this syncing stop working if the app is running on only one of the devices, or does our VPN have to run on both for the syncing to break? If only running it on one of them stops the syncing, which one? Only the mac or only the iPhone?
I spent considerable time diagnosing this way back at the beginning of January. I had hoped this information would have been passed on to you.
- It's the Mullvad macOS app. The iOS app does not block syncing in any way.
- It's definitely the Mullvad macOS app. The Wireguard macOS app does not block syncing in any way.
Thanks for the extra info! Yeah I suspected so. Because the macOS app does pretty strict firewalling. I suppose it's using some multicast protocol that we block. We have an internal task to look at iPhone syncing.
Any news on this please? I'd like to go back to using the Mullvad app, but can't considering how important it is to sync this data.
@faern Looking at the changelog for version 2021.3 it doesn't appear that this has been addressed. Has somebody been assigned to this yet? Have they looked at it?
Thanks.
We have sadly not had the time to investigate this further yet.
Interesting observation:
I had the exact same problem with Cloudflare's VPN (WARP). But with the new update, they have introduced a new 'local proxy mode'.
Using the local proxy fixes the problem and bookmarks now sync perfectly with iOS devices. Connecting using the standard mode still has the issue.
Any word on this issue? Mullvad is still blocking bookmark syncing for Safari on MacOS (not sure about iOS).
Thanks!
@faern How is this going? I have read the latest beta notes and it looks like it still hasn't been fixed. https://www.reddit.com/r/mullvadvpn/comments/q7eaak/mullvad_20215beta1/
If that's the case it's a poor showing. This issue has now been ongoing for 11 months and your paying customers deserve better.
This is the issue that prevents me from switching to Mullvad, as it's essential to my workflow.
Another release and still not fixed. Unbelievable.
https://github.com/mullvad/mullvadvpn-app/releases/tag/2021.6
I just discovered this thread when searching for a solution to the same problem. I guess I'll have to switch VPN providers. I was hoping there would be a straightforward solution.
The official Wireguard app works. But don’t expect Mullvad to ever fix their own app.
Good to know Wireguard works, thanks
It is a pity Mac users are not so important :( I have been waiting for this feature for a very long time!
There seems to be an issue with the syncing of tab groups as well. It could be related to the bookmark syncing issue. As soon as Mullvad is disconnected, bookmarks and tab groups behave normally again.
If anyone can traffic dump this bookmark synchronization with tcpdump or Wireshark or similar and help us figure out what kind of traffic it is that's needed to allow this, we can probably fix it way faster.
It's probably using some kind of local *casting-somethingsomething address/port combination that is currently blocked in the firewall. If we figure out what and then determine that allowing it is not against our security policies, then we can just unblock it in the firewall.
I've done a Wireshark capture just now. Is there something I should look or filter for?
I did one too, and, when excluding 17.0.0.0/8 (Apple's subnet), I saw no traffic. Probably an error on my end. Is there a deterministic way of making the synchronization take place? Does any iCloud syncing work when the app is connected?
Other things do sync, like notes, iCloud Drive, photos, etc. Even AirDrop works. If it helps, I believe the process that's doing the sync job for Safari is SafariBookmarksSyncAgent.
As for a deterministic test, making any change to the bookmarks should trigger a sync. You can add/remove bookmarks, drag a bookmark to change its order in the list, or you can move a bookmark in or out of a folder. These actions will produce a nearly instant change on other devices when bookmark syncing is working.
@faern Please advise what to filter for in a Wireshark dump, I'm happy to share what I find but unfamiliar with Wireshark.
@paulrudy Anything going to some local multicast address. Might even be IPv6 for all I know. I'm not sure what to filter for. But if you try to exit all other programs so that the computer is not so chatty and repeat the experiment a few times, maybe you'll see some packets going out or coming in around the time when the sync happens that are similar every time the sync happens?
@faern I ran three tests, one after the next, where I started Wireshark and immediately either created or deleted a Safari bookmark. In each test there's a lot of chat between my local IP and 17.248.188.xxx (the last 3 digits were different in each test). Looking those IPs up shows that they belong to Apple. Is that useful or do I need to dig deeper?
Yes, the entire 17.x.x.x net is Apple's. But that has nothing to do with the LAN, that's on the internet. Our VPN app does not prevent communication with that IP range. So if their bookmark sync is not performed locally, but rather via their internet servers, then I don't see how we would be blocking it.
I don't know if you saw this earlier comment, but I've also confirmed that connecting to Mullvad tunnels via the WireGuard official app does not interfere with iCloud Safari bookmark sync. So it's something about the Mullvad app. Disabling "block ads" and "block trackers" does not seem to make a difference.
In case it's useful, the IVPN app also breaks iCloud Safari bookmark sync
This might help. When trying to sync bookmarks over Mullvad, the console shows this message:
502:com.apple.SafariBookmarksSyncAgent.XPC.BookmarkSyncNetworkConnectivity:2A144B:[
{name: NetworkQualityPolicy, policyWeight: 8.400, response: {Decision: Must Not Proceed, Score: 0.00, Rationale: [{[wiredQuality]: Required:20.00, Observed:0.00},{[wifiQuality]: Required:50.00, Observed:0.00},{[networkPathAvailability]: Required:1.00, Observed:1.00},]}}
], FinalDecision: Must Not Proceed}
When the VPN is disconnected, you get this:
502:com.apple.SafariBookmarksSyncAgent.XPC.BookmarkSyncNetworkConnectivity:FB9C66:[
{name: DeviceActivityPolicy, policyWeight: 2.000, response: {Decision: Can Proceed, Score: 0.65}}
] sumScores:38.210000, denominator:38.910000, FinalDecision: Can Proceed FinalScore: 0.982010}
Could this issue have something to do with this NetworkQualityPolicy / DeviceActivityPolicy stuff?
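Added example, not part of the original thread and not Apple's or Mullvad's code: a small Python parser for the two console records quoted above that lists which policy checks fell short of their required value. The regular expressions are inferred only from those two records, so the field layout and the two `FinalDecision` values are assumptions about the log format.

```python
import re

# Records copied from the console output quoted in this thread.
VPN_ON = """502:com.apple.SafariBookmarksSyncAgent.XPC.BookmarkSyncNetworkConnectivity:2A144B:[
{name: NetworkQualityPolicy, policyWeight: 8.400, response: {Decision: Must Not Proceed, Score: 0.00, Rationale: [{[wiredQuality]: Required:20.00, Observed:0.00},{[wifiQuality]: Required:50.00, Observed:0.00},{[networkPathAvailability]: Required:1.00, Observed:1.00},]}}
], FinalDecision: Must Not Proceed}"""
VPN_OFF = """502:com.apple.SafariBookmarksSyncAgent.XPC.BookmarkSyncNetworkConnectivity:FB9C66:[
{name: DeviceActivityPolicy, policyWeight: 2.000, response: {Decision: Can Proceed, Score: 0.65}}
] sumScores:38.210000, denominator:38.910000, FinalDecision: Can Proceed FinalScore: 0.982010}"""

POLICY = re.compile(r"\{name: (\w+), policyWeight: ([\d.]+), "
                    r"response: \{Decision: ([^,}]+), Score: ([\d.]+)")
CHECK = re.compile(r"\{\[(\w+)\]: Required:([\d.]+), Observed:([\d.]+)\}")
# Only these two final decisions appear in the thread; others are not handled.
FINAL = re.compile(r"FinalDecision: ((?:Must Not|Can) Proceed)")


def parse_record(text):
    """Return the final decision and per-policy details of one log record."""
    matches = list(POLICY.finditer(text))
    policies = []
    for i, m in enumerate(matches):
        # A policy's Rationale entries run until the next "{name:" or the end.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        checks = [(c[1], float(c[2]), float(c[3]))
                  for c in CHECK.finditer(text, m.start(), end)]
        policies.append({"name": m[1], "weight": float(m[2]),
                         "decision": m[3].strip(), "score": float(m[4]),
                         "checks": checks})
    final = FINAL.search(text)
    return {"final": final[1] if final else None, "policies": policies}


def unmet_checks(record):
    """List (policy, check, required, observed) where observed < required."""
    return [(p["name"], name, req, obs)
            for p in record["policies"]
            for name, req, obs in p["checks"] if obs < req]


if __name__ == "__main__":
    for label, text in (("VPN on", VPN_ON), ("VPN off", VPN_OFF)):
        rec = parse_record(text)
        print(label, "->", rec["final"], unmet_checks(rec))
```

On the VPN-on record the unmet checks are `wiredQuality` and `wifiQuality`, both observed at 0.00, while `networkPathAvailability` meets its requirement.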
Seems like this will require the app to use Apple's VPN API instead of just using unixy APIs to create a tunnel device to circumvent these issues. Or maybe there's a better way to inform the system that the routes we've added are legitimate and do work.
@pinkisemils Does Wireguard's app use Apple's VPN API? Because, as mentioned, these problems don't occur when connecting through the Wireguard app (to mullvad servers)
Can confirm that the Mullvad app breaks iCloud sync in several places (Bookmarks, iMessages). Official wireguard app from the Mac App Store works fine.