mullvadvpn-app
Torrenting does not work between two peers on the same LAN that are both running Mullvad with local network sharing enabled
Issue report
Operating system: Arch Linux
App version: 2022.2
Issue description
Torrenting does not work between two peers on the same LAN which are both running MullvadVPN with local network sharing enabled. If one peer disables local network sharing, then the torrent works properly. I would imagine that torrents should work on the same LAN if local network sharing is enabled on both peers.
If a peer has local network sharing disabled, the firewall should prevent all traffic to private IP ranges. Either we have a leak in our firewall rules, or you misinterpret that they are able to communicate over the LAN. Are you sure the torrent traffic is going directly between the peers on the LAN, and not via the tunnel and internet? How do you determine that's the case?
What IP ranges do you run on your LAN? Is it one of the ranges listed here under 4. If the "Allow LAN" setting is enabled, the following is also allowed:
If a peer has local network sharing disabled, the firewall should prevent all traffic to private IP ranges.
The point that I was trying to make was that local network sharing seemed to not allow two different peers to communicate on the same local network.
I suppose the issue here is the same one as in #3827. Probably a missing route. Your LAN is probably not correctly configured, but currently working by accident since all traffic goes via the router anyway without Mullvad.
No. This issue is completely unrelated to that one. This one was found with devices connected on the same LAN.
Local Peer Discovery works with messages on UDP Multicast group 239.192.152.143:6771, which I suppose will be broken by mullvad whether in LAN sharing mode or not.
Yes. Currently the 239.192.152.143 IP is not in the range of allowed LAN IPs in our code. See our security documentation. However, I see that 239.192.0.0/14 is supposed to be restricted to the local network, and is not valid on the public internet. So maybe we can add this network to the list of allowed outgoing IP ranges. We'll discuss it.
We'll consider maybe allowing all of 239.0.0.0/8 as it's defined as administratively scoped, all of it.
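To make the discussion above concrete, here is an added example (not code from the Mullvad project or from anyone in this thread) that models the "Allow LAN" decision as a simple allow-list lookup and checks where the Local Peer Discovery multicast group 239.192.152.143 lands under three rule sets: a baseline of only private and link-local IPv4 ranges, that baseline plus 239.192.0.0/14, and that baseline plus all of 239.0.0.0/8. The baseline ranges and the `classify` function are assumptions chosen for illustration; they are not Mullvad's actual firewall rules, which are documented in their security documentation.

```python
import ipaddress

# Constructed baseline allow-list: RFC 1918 private ranges plus IPv4 link-local.
# This is an assumption for illustration, NOT Mullvad's authoritative rule set.
BASE_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Local Peer Discovery (LPD) multicast group and port, as quoted in the thread.
LPD_GROUP = ipaddress.ip_address("239.192.152.143")
LPD_PORT = 6771

# The two candidate additions discussed in the thread (both RFC 2365 scopes).
ORG_LOCAL_SCOPE = ipaddress.ip_network("239.192.0.0/14")  # organization-local scope
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")        # administratively scoped block

# Three rule sets to compare.
RULE_SETS = {
    "baseline": BASE_LAN_RANGES,
    "baseline+239.192.0.0/14": BASE_LAN_RANGES + [ORG_LOCAL_SCOPE],
    "baseline+239.0.0.0/8": BASE_LAN_RANGES + [ADMIN_SCOPED],
}


def is_allowed(dst: str, allowed_ranges) -> bool:
    """True if dst falls inside any network in allowed_ranges."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_ranges)


def classify(dst: str, allow_lan: bool, allowed_ranges) -> str:
    """Model the firewall decision for an outgoing packet that is NOT going
    through the tunnel. With LAN sharing off, everything outside the tunnel is
    blocked; with it on, only the allow-listed ranges pass. (Assumed model.)"""
    if not allow_lan:
        return "blocked"
    return "allowed" if is_allowed(dst, allowed_ranges) else "blocked"


def lpd_reachable(allowed_ranges) -> bool:
    """Would an LPD BT-SEARCH datagram to 239.192.152.143:6771 be let out?"""
    return is_allowed(str(LPD_GROUP), allowed_ranges)


def report():
    """Return {rule_set_name: {destination: decision}} for a few constructed
    destinations: a LAN peer, the LPD multicast group, and a public address."""
    destinations = ["192.168.1.20", str(LPD_GROUP), "93.184.216.34"]  # constructed
    out = {}
    for name, ranges in RULE_SETS.items():
        out[name] = {dst: classify(dst, True, ranges) for dst in destinations}
    return out


if __name__ == "__main__":
    for name, decisions in report().items():
        print(name)
        for dst, verdict in decisions.items():
            print(f"  {dst:>16} -> {verdict}")
        print(f"  LPD group reachable on udp/{LPD_PORT}: {lpd_reachable(RULE_SETS[name])}")
```

Run it and the baseline row shows the symptom from the original report: unicast traffic to a LAN peer passes, but the LPD multicast group is blocked, so two Mullvad clients on the same LAN never learn about each other even though a direct connection between them would be allowed. Either of the two candidate ranges flips the LPD verdict while leaving the public address blocked, which is the property to preserve when widening the list.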