
On new versions, all internet traffic escapes VPN when 10.0.0.0/8 is excluded with netfilter (Linux)

Open termermc opened this issue 1 year ago • 2 comments

Is it a bug?

  • [X] I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • [X] I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, all internet traffic is excluded and sent over the host's internet connection, rather than being tunneled.

Expected Behavior

When excluding traffic to and from 10.0.0.0/8 by setting ctmark 0x00000f41 and fwmark 0x6d6f6c65 on outgoing and incoming traffic to and from 10.0.0.0/8, only that traffic should be excluded.

Steps to Reproduce

  1. Update to app 2024.4
  2. Apply the following netfilter ruleset:

         define EXCLUDED_IPS_V4 = {
             10.0.0.0/8,
         }

         table inet excludeTraffic {
             chain excludeOutgoing1 {
                 type route hook output priority 0; policy accept;
                 ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
             }

             chain allowIncoming {
                 type filter hook input priority -100; policy accept;
                 ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
             }

             chain allowOutgoing2 {
                 type route hook output priority -100; policy accept;
                 ip saddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
             }
         }

  3. Check your external IP address

Failure Logs

No response

Operating system version

Linux 6.8.9-arch1-2

Mullvad VPN app version

Broke in 2024.2. Worked fine on 2024.1.

Additional Information

This was not the result of a kernel upgrade because it started happening immediately after updating Mullvad without restarting my system.

termermc, May 11 '24 01:05
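Before attributing an exclusion leak to the app, it is worth confirming that the ruleset itself only applies the split-tunnel marks to the intended prefixes. The following is an added example, not code from the issue or from the Mullvad app: a small Python audit that parses a flat nft ruleset like the one above and reports, for every rule setting a ct or meta mark, which hook it sits in, whether it is scoped by `ip saddr`/`ip daddr`, and whether the mark values are exactly the pair the issue uses. The regexes only understand this simple syntax (no nested blocks or inline anonymous sets), and SAMPLE_RULESET is constructed: the issue's output chain plus a deliberately unscoped chain.

```python
import re
# Mullvad's Linux split-tunnel marks, copied from the ruleset in the issue.
MULLVAD_CT_MARK = 0x00000F41
MULLVAD_FW_MARK = 0x6D6F6C65
DEFINE_RE = re.compile(r"define\s+(\w+)\s*=\s*\{([^}]*)\}")
CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{([^}]*)\}")
HOOK_RE = re.compile(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+(-?\d+)")
SELECTOR_RE = re.compile(r"ip\s+(saddr|daddr)\s+(\$\w+|[\d./]+)")
MARK_RE = re.compile(r"(ct mark|meta mark)\s+set\s+(0x[0-9a-fA-F]+)")
# Constructed sample: the issue's output chain plus an unscoped chain that would mark every packet.
SAMPLE_RULESET = """
define EXCLUDED_IPS_V4 = { 10.0.0.0/8, }
table inet excludeTraffic {
    chain excludeOutgoing1 {
        type route hook output priority 0; policy accept;
        ip daddr $EXCLUDED_IPS_V4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
    chain markEverything {
        type route hook output priority -100; policy accept;
        ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
}
"""

def parse_defines(text):
    """Map each `define NAME = { ... }` to its list of prefixes."""
    return {name: [p.strip() for p in body.split(",") if p.strip()]
            for name, body in DEFINE_RE.findall(text)}

def audit_exclusion_rules(text):
    """One finding per rule that sets a ct/meta mark: hook, scope and mark values."""
    defines = parse_defines(text)
    findings = []
    for chain, body in CHAIN_RE.findall(text):
        hook = HOOK_RE.search(body)
        for stmt in body.split(";"):
            marks = {kind: int(val, 16) for kind, val in MARK_RE.findall(stmt)}
            if not marks:
                continue
            sel = SELECTOR_RE.search(stmt)
            findings.append({
                "chain": chain,
                "hook": hook.group(1) if hook else None,
                "priority": int(hook.group(2)) if hook else None,
                "field": sel.group(1) if sel else None,
                "prefixes": defines.get(sel.group(2).lstrip("$"), [sel.group(2)]) if sel else [],
                "scoped": sel is not None,  # False means the rule marks all traffic
                "marks_ok": marks == {"ct mark": MULLVAD_CT_MARK, "meta mark": MULLVAD_FW_MARK},
            })
    return findings
```

Run `audit_exclusion_rules(SAMPLE_RULESET)`: the first finding is scoped to `10.0.0.0/8`, the second reports `scoped: False`, which is the shape of ruleset that would legitimately exclude everything.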

Please, dev team, verify if this issue happens also on other platforms. A satisfied subscriber of yours.

serrq, Jun 18 '24 14:06

> Please, dev team, verify if this issue happens also on other platforms. A satisfied subscriber of yours.

I'm pretty sure this is a Linux-specific issue because it has to do with excluding traffic on 10.0.0.0/8 using netfilter, which is a Linux kernel feature. Android is also a Linux-based OS, but I never heard of anyone fooling with netfilter on Android.

If there are methods to exclude that subnet on other platforms, it may affect them, too, though.

termermc, Jun 18 '24 15:06