
[Feature Request] Inverse split tunneling

Open nalllen opened this issue 3 years ago • 51 comments

The recent beta release that added split tunneling to Windows is great, but it's sadly not perfect for my use case since trying to add almost everything to the split tunneling list basically becomes unsustainable.

So I would really like an inverse split tunneling feature that only routes selected programs or IPs and leaves the rest unaffected.

A use case for this could be when performance and latency are very important for the majority of programs and games you run.

This might go against Mullvad's philosophy regarding privacy, but I feel it would be a great option to have!

nalllen avatar Jun 19 '21 20:06 nalllen

You should be able to exclude Steam and have all games launched by Steam be excluded. Same goes for specific shells. But we'll consider this feature too.

pinkisemils avatar Jun 20 '21 19:06 pinkisemils

I would also like to see this feature added. The Mullvad app doesn't pick up a lot of my app installs, and hunting down every game and professional program I need to exclude is a gargantuan task.

It would be a big boost to usability if I could choose to only tunnel a few crucial programs, like web browsers, while leaving everything else untouched.

catwithbanana avatar Jun 24 '21 03:06 catwithbanana

I would also like to voice my support for this if it will help.

I want the best performance and least latency for the majority of programs I use. There are only a handful that I'm concerned with securing with a VPN.

I'd suggest an option for each program in the split tunneling list as to whether or not it will travel through the VPN, and then an option for whether all programs that are not in the list will go through the VPN or not.

This would offer a good level of control for all kinds of users.

Inverness avatar Jul 19 '21 02:07 Inverness

We will likely not implement this, on Windows at least, because we have looked at what would be needed and it's more work than a simple negation of some firewall rules. All these rules are pretty critical to the security of the apps, and any extra logic introduces new risks of having bugs causing leaks that could be critical. We don't feel like the current need for this is large enough to justify such a risk. After all, the app is privacy oriented and the intended use case is that it tunnels all your traffic.

Since we currently can't make DNS on Windows go outside the tunnel for an excluded process, it would be strange to exclude most processes and only tunnel a few, because the DNS requests for all excluded processes would still go in the tunnel. And that's likely not what you would expect/want as a user only tunneling a few applications. All the applications outside the tunnel will get DNS responses as if they were in the tunnel, which could affect their behavior and functionality.

faern avatar Jul 19 '21 14:07 faern

That's a shame. Having a whitelist would be most useful as I only really want to use Mullvad for IP masking for my torrent clients. I tried setting up OpenVPN with Mullvad using route-nopull and trying to get only my torrent client to tunnel through, but I just couldn't get it to operate properly, through any combination of port forwarding with MV, running the SOCKS5 proxy or not, and changing my settings, some trackers just wouldn't connect, UDP seemed to be all jacked, I got overwhelmed and gave up. Tunneling through the Mullvad App seemed to work fine though (and was much simpler; I admit to my lack of experience), so I opted to just use it and whitelist every other program I could think of, although I know there's lots still that aren't in the list that I'd have to add and manually browse for their executables.

Even though you can't implement a way for excluded applications to route DNS information outside of the tunnel, I don't really mind if all of my DNS traffic goes through the VPN tunnel anyway, as I only am really using Mullvad servers in my own geographical location, since I only want my IP to be masked, I don't really want to show up as a different country.

It would be a nice-to-have, but if it's far too much trouble to implement, I suppose the wants of a select handful of us users aren't that high on the development docket haha

Johnyknowhow avatar Oct 26 '21 01:10 Johnyknowhow

Will inverse split tunneling be implemented for LINUX?

I've tried to implement this with the namespace technique but have not managed to get it to work with Mullvad. If there is a way to do it manually, with the namespace trick, then that would be good enough for me, but would love to have formal validated instructions from Mullvad on how to do it properly ensuring that DNS goes to the right tunnel/gateway and everything stays nicely segregated.

I was able to do this (with openvpn) before systemd-resolved took over DNS in Ubuntu. Now it's quite difficult to figure out what that resolver is doing and I rely on dnsleaktest.com to tell me!

jonpolak avatar Oct 27 '21 17:10 jonpolak

This is a real shame since certain competitors offer much more flexible settings - whitelist/blacklist and separate DNS for direct/VPN connections. The (apparent) superiority and configuration flexibility is one of the reasons why I haven't switched to Mullvad yet.

[Image: 2021-11-05_113303]

Their VPN client is open source. Why cannot Mullvad offer such a flexible configuration - is it due to security (if their implementation is inherently insecure, I think this fact should be made known) or not enough resources allocated/not seeing this as an important feature?

cooky-cook avatar Nov 05 '21 10:11 cooky-cook

@cooky-cook That PIA tunneling feature seems quite overwhelming and I know Mullvad is good for simplicity and less cluttered. So, I hope they can make it more simple.

dtantono avatar Feb 05 '22 10:02 dtantono

This is something I'd love to see implemented for Windows too eventually. In addition to PIA, I believe ProtonVPN also has both normal and inverse split tunnel, their apps are open source too.

mikamidd avatar Apr 20 '22 20:04 mikamidd

Chiming in for support of this feature. I really only use Mullvad for one or two programs so having to manually split tunnel everything as I install new programs is becoming a headache.

Apposite245 avatar Apr 27 '22 21:04 Apposite245

Adding another comment to the pool of people who want this feature.

UnknownProgrammer-ttu avatar Jun 12 '22 21:06 UnknownProgrammer-ttu

Adding another for someone who would like to see this implemented. This is the biggest feature I miss from ProtonVPN that Mullvad doesn't have. The way it is set up now is quite an annoyance to go through and find every program and is almost impossible for some games and anti-cheat etc.

VoidCruzer avatar Jun 15 '22 23:06 VoidCruzer

For a Linux implementation, vopono would be a good reference implementation as doing split tunneling this way can be very useful.

I for one would really like to see this on Android, though. OpenVPN already supports this (you can switch between a white- and a blacklist for apps that should be connected to the VPN) and I don't think this would be hard to implement.

trunkensailor avatar Jul 07 '22 19:07 trunkensailor

I like the Mullvad app, but this feature missing just made me go back to the horrible OpenVPN solution.

dedors avatar Jul 28 '22 20:07 dedors

This feature is absolutely necessary because many Origin games don't work while split tunneling even if you exclude the Origin launcher + exe files manually. Maybe I am missing an important exe file which I need to exclude too, but if we had an "inversed split tunnel" the problem would be solved easily.

unkn4wn avatar Jul 31 '22 14:07 unkn4wn

Because the official app for Windows and Android lacks this feature, I used the official WireGuard app and SOCKS proxies. This is possible, but hard to configure, and needs regular maintenance (because of Mullvad server changes). Also, Mullvad SOCKS proxies are slow compared to the pure WireGuard protocol. So in the end I switched to the app, but need to exclude tons of programs, because I really need Mullvad only for 1-2 apps.

naodesu avatar Aug 07 '22 00:08 naodesu

Adding to everyone who has already voiced their want for this, I would also like if this were added and able to be configured through the Linux CLI.

N42950M avatar Sep 20 '22 03:09 N42950M

I would really like this feature. Split tunnelling in its current implementation is backwards in my opinion. I'd find it more useful and feel more secure with a small list of apps that go through my WireGuard tunnel, knowing everything else is normal ISP traffic. The current implementation is so close to fitting my use case, just needs to be inverted.

GrimWreeper avatar Oct 08 '22 16:10 GrimWreeper

Maybe this can help you guys meanwhile: https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982

sendarion avatar Oct 08 '22 21:10 sendarion

I would like this feature as well, primarily because it seems impossible to actually add Windows Store apps/Xbox games to split tunneling because of the hyper-locked-down file security. I can't seem to modify permissions to allow Mullvad to see those programs without breaking them. Inverse split tunneling would work around that problem by letting me opt-in instead of opt-out.

Many other products allow you to choose between opt-in and opt-out, so I know it can be done.

Pohra avatar Oct 26 '22 17:10 Pohra

Another voice for support of this feature. Would help UWP apps as well: https://github.com/mullvad/mullvadvpn-app/issues/2822

My usage of a VPN most definitely is the opposite of the default; only want it routing torrent clients.. but instead have to blacklist every single other damn program I use and game I play, which is incredibly annoying. On top of that, certain things (some game connections) just don't seem to work properly when added to the tunnel and I can't figure out why.

Also, outside of the scope of this issue, but the default list of programs is.. very strange. It seems like it's only pulling a list from the start menu programs, and there's no way to change it. There's a lot of irrelevant things in there, especially if you have a lot of GOG games installed:
[Image: Mullvad_VPN_2022-12-01_13-31-18]

And lastly, when manually choosing an exe, it always defaults to the user folder instead of the last selected location. Minor gripe in comparison.

DAOWAce avatar Dec 01 '22 18:12 DAOWAce

I also agree. An inverse split tunnelling feature would be an absolute game changer. Being able to choose what applications you want to be in the VPN would be a life saver. It's just too hard and takes way too much time and effort to add every single program I don't want to be connected to the VPN.

EricIsbell avatar Jan 09 '23 05:01 EricIsbell

I would also like this to be implemented.

Currently I am using wiresocks as a workaround, with WireGuard config files downloaded from https://mullvad.net/account . It's a decent solution for applications that support SOCKS5 proxies.

ganeshh123 avatar Jan 26 '23 18:01 ganeshh123

Just adding my voice to the pool. I can't seem to get Minecraft excluded no matter what exes I select.

agent-seed avatar Apr 22 '23 04:04 agent-seed

> Just adding my voice to the pool. I can't seem to get Minecraft excluded no matter what exes I select.

You can try using something like NetLimiter to monitor which processes Minecraft uses to send and receive data.

ganeshh123 avatar Apr 22 '23 11:04 ganeshh123

Hi, I would also love to see this added to the Windows build. When I'm trying to only run my browser through a VPN it's a pain to add every application and then manually remove them all when I want to run everything through a VPN again.

oniongithub avatar May 10 '23 23:05 oniongithub

Commenting to add my voice to this request as well. My primary use-case for the VPN is getting alternative routing for specific applications when there's a problematic node between me and the server I'm connected to. I rarely want more than a single application to use the VPN.

bredmor avatar Jun 14 '23 18:06 bredmor

Yes please, that would be super useful!

Sad-theFaceless avatar Jul 05 '23 19:07 Sad-theFaceless

FOR ANYONE THAT IS TRYING TO GET INCLUSIVE IS EASY, DOWNLOAD THE OPENVPN AND WIREGUARD CONFIG FROM THE SITE, AND THEN DOWNLOAD Windscribe_2.6.14.exe AND AFTER THAT JUST CREATE A FREE ACCOUNT AND UPLOAD YOUR CONFIG FILE TO THEIR PLATFORM, THEN CONNECT, AFTER THAT GO IN SETTINGS AND THEN TURN ON THE SPLIT. AFTER THAT YOU CAN CHOOSE IF YOU WANT IT INCLUSIVE OR EXCLUSIVE.

GOOD LUCK

crypaus avatar Sep 12 '23 13:09 crypaus

hello, thanks, sorry if I lack the technical skills to follow this topic.

for years, this worked great -> mullvad over openvpn and this helpful guide, https://mullvad.net/en/help/split-tunneling-mullvad-vpn. just need access to the socks5 proxy servers, to use with firefox and mullvad browser with mullvad browser extension. basically, all that is needed is route-nopull in the .ovpn config file.

do not want vpn to change the default route, do not want vpn to change the routing table, do not want all traffic to flow over vpn. I spent days, tried Table = off and various attempts at AllowedIPs.

just want to use socks5 proxy servers without forcing all traffic thru vpn. as I upload a lot of large files to internet, no reason or want to force that thru slow vpn connections.

please, help, thanks so much, david

asdffdsazqqq avatar Sep 18 '23 12:09 asdffdsazqqq