Portmaster is compatible with Mullvad when setting custom DNS
Mullvad VPN: On Windows 10, running the Mullvad GUI along with Portmaster does not work out of the box. I am currently trying to find a workaround, but so far I have not found a working method. I need someone else to confirm whether the issue is the same on their device, or whether it is specific to my setup.
What worked? Nothing so far.
What did not work? The Mullvad GUI states it is connected in OpenVPN mode, yet nothing connects and pages do not load. In WireGuard mode, the Mullvad GUI keeps trying to connect, but never finds a connection.
Tweaking settings in Portmaster did not yield any results; changing the setup in Mullvad (different country, protocol, multihop, ports) did not yield any results either.
Debug Information: Work in progress
210523 olver-mdns:096 > WARN 048 intel(mdns): failed to create udp6 listen multicast socket: listen udp6 [ff02::fb]:5353: setsockopt: not supported by windows
210523 dates/main:311 > WARN 200 updates: failed to update indexes: failed to download index stable.json: failed to make request to "https://updates.safing.io/stable.json": Get "https://updates.safing.io/stable.json": dial tcp: lookup updates.safing.io: no such host
210523 all/master:384 > WARN 376 filter: failed to get eTLD+1: publicsuffix: cannot derive eTLD+1 for domain "s3.amazonaws.com"
210523 le/profile:473 > WARN 040 profile: error while getting binary name for C:\Windows\System32\DriverStore\FileRepository\nvmdi.inf_amd64_b5c7e9f1cc7d29c6\Display.NvContainer\NVDisplay.Container.exe: failed to get file properties of C:\Windows\System32\DriverStore\FileRepository\nvmdi.inf_amd64_b5c7e9f1cc7d29c6\Display.NvContainer\NVDisplay.Container.exe: command succeeded with empty output
210523 CURRENT TIME
Hey @R1123345, thanks for the report.
Can you provide the full Debug Information for the Mullvad App, as well as for OpenVPN and WireGuard, should they show up separately in the monitor? I know Mullvad does stuff with their own DNS, so it would be great to see whether there were any DNS queries and if there were problems there.
I tested Mullvad with OpenVPN some time ago and it worked great. By this I mean the OpenVPN software with a Mullvad config, not the Mullvad app in OpenVPN mode. You could try that as a workaround until this is fixed.
Another thing that could be the case is that there is an interference with Mullvad's split tunnel system, which also uses the Windows Filtering Platform to provide firewall-like functionality. We are investigating this.
I will update this issue if there is something new.
Hey @R1123345,
Mullvad was so nice to provide us with a test account, and I was able to get it to work. You just have to configure Mullvad to use the Portmaster as the DNS server:
- Open the Mullvad App from the Tray
- Click the cog icon to enter the settings
- Click "Advanced"
- Scroll to the bottom and enable the switch "Use custom DNS server".
- Enter 127.0.0.1.
- Exit the app.
Please report back if that works for you.
For the record, I also tested the OpenVPN and Wireguard protocol (within Mullvad) on Windows 10 and both worked flawlessly!
Changing the DNS in Mullvad worked (still no connection without changing it, though). While the experience is not optimal yet (connectivity is slow, sometimes cuts out), I am fairly certain that's due to the way I have Windows set up. I do not have a Windows machine available with a more "default" installation, so you'll probably have to wait for others to report back. At least it is up and running for now.
Any way to still use mullvad's DNS?
Changing the DNS in mullvad worked
Great!
Any way to still use mullvad's DNS?
If you find out the IP they are using, you could just configure that in the Portmaster. Though I am not sure what the benefit of that would be. Encrypting your DNS is definitely the better way to go IMHO. Also, be careful, as the IP address might be different per tunnel / location.
Closing as Mullvad is compatible with configuration and the fix was confirmed.
Someone reported having issues on Windows again.
Is this still working for you, @R1123345?
I checked this again with Mullvad versions 2021.3 and 2021.6. Both worked flawlessly - even with the "Always require VPN" feature.
Hi Guys,
I am a happy PortMaster user! I also use Mullvad with custom DNS set to: 127.0.0.1.
For me this results in a DNS leak. Screenshots.
OS: Windows 10 Browser: Brave w/ secure DNS feature turned off
Perhaps the below has something to do with it.
Portmaster website says: 'Enforce DNS-over-TLS'
Mullvad website says: 'if you are using DNS over HTTPS (DoH) or DNS over TLS (DoT) the app can't prevent those DNS leaks'. Link.
I am not really technical so probably I am misunderstanding something. Any help is appreciated, the product is very nice.
One other piece of info that may/may not be helpful. The leaked IP address is not my personal IP address rather it is a cloudflare IP address. Not sure what that means, but figured best to share just in case.
Thank you! Jay
Hey there, relevant passage from the docs (quite hidden, so no problem you did not find it):
DNS Leak Detection
Please note that pretty much all the DNS leak detection tests by the VPN providers will be a false positive, as the only thing they check is if you are using their DNS servers. Rest assured that your DNS queries are well protected by the Portmaster and there is no need to be concerned.
Thanks for your kind words - glad you enjoy Portmaster!
Very fast response, thank you! Great to hear this was a false positive.
The original red flag generated today when I signed up for mailchimp. During this process there is a location/address form and they populated it with my real location(city).
There is no autofill or storage of my real location anywhere in the browser or even this particular computer. I saw that I failed the DNS leak test and assumed that was the issue.
So I fixed the DNS leak > created a new Mailchimp account > found the issue was gone, only fake location data appeared.
Perhaps my VPN failed me but I don't know how. MailChimp also stores the location data it grabs from your initial IP address so I know I didn't hallucinate because when I log back in with the DNS leak fixed it is still there.
Anyhow, not your problem to fix. Thank you very much for your help and amazing product!
not working on gnu/linux
I haven't been able to successfully use Mullvad VPN in Windows 11 via Wireguard (haven't tested OpenVPN) with Mullvad release 2022.2, 2022.3, or 2022.4 (latest). Each time I update, I have to revert to the last version working with Portmaster, which is Mullvad 2022.1.
I'm using a custom DNS server set to 127.0.0.1 in Mullvad.
I'm unable to get this working using Mullvad 2022.4 but I am with 2022.1, thanks @ninjaeon
Unfortunately this will only be a suitable solution for so long; I'm wary of not keeping Mullvad up to date.
Just to confirm the behavior here, with 2022.2 and newer versions, Portmaster doesn't work when connected but does work when it is connected?
The mullvad client was changed to not apply any DNS config to any interface other than the tunnel interface and if the custom DNS settings consist of solely private IP addresses, then the config isn't applied at all. So, the expected behavior here is that if Portmaster works when the tunnel is disconnected, it should also work when the client connects.
I didn't try 2022.2 or 2022.3, only 2022.4 and 2022.1
Using a custom DNS server in Mullvad 2022.4 with 127.0.0.1 as the DNS server, with Portmaster running, no internet connections were possible (I tried OpenVPN, WireGuard, and toggling split tunneling, among other options).
With Mullvad 2022.1 it worked with the same DNS server, Portmaster running, and with both OpenVPN and WireGuard and split tunneling.
When Mullvad was disconnected, Portmaster worked correctly. When Portmaster was disconnected and Mullvad was using its own DNS servers rather than localhost, Mullvad worked correctly.
This is on Windows
The issue mentioned above by multiple people started appearing in version 2022.3-beta1 (upwards to the latest 2022.5-beta1) of the Mullvad desktop app after they made some changes to DNS management. See commits on Jun 14, 2022 in this comparison between 2022.3-beta1 and the previous tag.
In the changelog they mention something about having to "ensure non-tunnel interfaces are configured correctly to use local custom DNS":
Fix issue where local name resolution fails. This requires users to ensure that non-tunnel interfaces are configured correctly to use local custom DNS.
Also, there is this new warning that appears when trying to add 127.0.0.1 as a custom DNS server in Mullvad as instructed above.
From what I understand, you are supposed to configure your default network interface to also use the custom DNS server (127.0.0.1). I tried that and everything worked fine again - but the Windows network state would always stay at "No internet connection". This is a pretty big issue, since some apps, like Spotify, seem to exclusively rely on this state to determine if you are online, which in this case leads to Spotify permanently being in offline mode.
Would be great if this issue could be reopened (@dhaavi) and someone in the development team could have a look at it.
@yfunk can you please explain the steps to follow to configure the network interface to also use the custom DNS server (127.0.0.1) on Windows?
can you please explain the steps to follow to configure the network interface to also use the custom DNS server (127.0.0.1) on Windows?
Just like you would configure it to use any other non-default DNS server. Here's a tutorial.
I set the preferred DNS server to 127.0.0.1 and left the alternate DNS server empty (but iirc one of the developers mentioned you could also use 127.0.0.12 in another issue). Mullvad was already configured to use the custom DNS server as described above.
Although, the network state (as seen in the tray) would always stay at "No internet connection" for me with this configuration, which can lead to some problems. Please report if this is different for you, maybe it is just another issue on my end.
Can confirm that Portmaster v1.0.0 with Mullvad v2022.4, DNS set to 127.0.0.1 and the same setting on the network controller, can both live together. Thanks for your good support here!
Can confirm that Portmaster v1.0.0 with Mullvad v2022.4, DNS set to 127.0.0.1 and the same setting on the network controller, can both live together.
I just tried again with Portmaster 1.0.0 and Mullvad 2022.5 (also 2022.4) but my network state is still "No internet connection" after changing the DNS server to 127.0.0.1 in the system settings. Is this the same for you?
It remains kind of fiddly, things to look at if you're having trouble:
- It seems the order of startup is sometimes important: try starting one or the other first if it doesn't work.
- Windows forgot the DNS setting on the Mullvad adapter (after a reboot?)
- The network status only seems to become 'online' after I made the first successful connection, e.g. browse to a website
- I also set the preferred DNS to 127.0.0.1 on the Ethernet adapter, dunno if this actually does anything
In the 2022.05 version, if Force Block LAN is turned on in System DNS Client and Other Connections through Portmaster, it must be turned off. (Omit if Force Block LAN is off.)
Then you need to allow the IPs shown as 224.0.0.251 and 224.0.0.252 in Outgoing Rules.
(EDIT: Testing has shown that appending to 244.0.0.0/32 does not work correctly, so it is recommended to allow 244.0.0.251 and 244.0.0.252.)
Finally add .mullvad.net. in the global Outgoing Rules settings. (If using SOCKS5 or Mullvad DoH DNS)
After exiting Portmaster and Mullvad, run Mullvad VPN first, then Portmaster. (Before turning off Mullvad, change the DNS setting to 127.0.0.1 as usual.)
Done.
Is there any way to validate that DNS over TLS is working with this setup?
Edit: Apparently this tells you: https://mullvad.net/en/check/ -- which is saying leaked for me. Does anyone have any instructions on how I'm supposed to get DoH working with Portmaster+Mullvad?
Is there any way to validate that DNS over TLS is working with this setup?
I'm using DNS over TLS via NextDNS in Portmaster and Mullvad 2022.05 version. Followed the instructions listed above by Noir16 and everything works. After reboot, I have to go back to the Mullvad ethernet adapter and set the preferred DNS to 127.0.0.1 on IPv4 if internet stops working (creating a shortcut to the adapter makes this quick).
You're not getting a leak report for the link I pasted? I followed the instructions as well and it doesn't seem to do anything for me.
How have you got your ethernet adapter configured? I have:
IPv4: On; Preferred DNS: 127.0.0.1; DNS over HTTPS: Off; Alternative DNS: Blank; IPv6: Off
And then in Mullvad I have Automatic for tunnel protocol, and 127.0.0.1 added as a Custom DNS.
Since I use NextDNS DoT (configured in Portmaster), Mullvad's connection check shows that I'm "leaking DNS servers" and shows NextDNS's IP. This is expected behavior.
My Mullvad ethernet adapter is configured the same way as yours. For tunnel protocol, I use "Wireguard" for performance reasons. Also 127.0.0.1 added as custom DNS (make sure to update the ethernet adapter AFTER setting this since it seems to reset it).
Something else you can try if you're still having problems, per this thread:
https://github.com/mullvad/mullvadvpn-app/issues/4033#issuecomment-1279136368
...you could override all of the interface-specific DNS servers by adding an NRPT rule instead. To do so, run the following in PowerShell as admin:
Add-DnsClientNrptRule -Namespace "." -NameServers "127.0.0.1"
edit: this may be fixed in the next version of Mullvad, per https://github.com/mullvad/mullvadvpn-app/pull/4047
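As an added example (not from this thread, and not Portmaster's or Mullvad's code), here is a PowerShell check that ties the items above together: which DNS servers each adapter has, whether the Mullvad tunnel adapter still points at 127.0.0.1 (and re-applies it with -Fix), whether the catch-all NRPT rule exists, whether 127.0.0.1 answers queries at all, and what Windows' own connectivity verdict is. It assumes the tunnel adapter's name or description contains "Mullvad" and that Portmaster listens on 127.0.0.1; the probe name example.com is arbitrary.

```powershell
# Added diagnostic for the Mullvad + Portmaster setup discussed in this thread (not
# Portmaster or Mullvad code). Assumptions: the tunnel adapter's name contains
# "Mullvad" and Portmaster listens on 127.0.0.1. Read-only unless -Fix is given
# (which needs an elevated shell).
param(
    [string]$AdapterPattern = "Mullvad",
    [string]$LocalResolver  = "127.0.0.1",
    [string]$ProbeName      = "example.com",
    [switch]$Fix
)

# 1. IPv4 DNS servers on every adapter (the thread reports the Mullvad adapter's
#    127.0.0.1 setting getting lost after a reboot or reconnect).
Write-Host "== Per-interface IPv4 DNS servers =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Tunnel adapter may be absent while Mullvad is disconnected.
$tunnel = Get-NetAdapter | Where-Object {
    $_.Name -like "*$AdapterPattern*" -or $_.InterfaceDescription -like "*$AdapterPattern*" }
if (-not $tunnel) {
    Write-Warning "No adapter matching '$AdapterPattern' (Mullvad disconnected?)"
}
foreach ($nic in $tunnel) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    if ($dns -contains $LocalResolver) {
        Write-Host "OK: $($nic.Name) uses $LocalResolver"
    } elseif ($Fix) {
        # Re-apply the thread's setting on the tunnel adapter only.
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $LocalResolver
        Write-Host "FIXED: $($nic.Name) DNS set to $LocalResolver"
    } else {
        Write-Warning "$($nic.Name) DNS is '$($dns -join ',')', expected $LocalResolver (use -Fix)"
    }
}

# 2. Is the catch-all NRPT rule from the thread present?
Write-Host "`n== NRPT rules for namespace '.' =="
$nrpt = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq "." }
if ($nrpt) { $nrpt | Format-Table Namespace, NameServers -AutoSize } else { Write-Host "none" }

# 3. Does the local resolver answer at all? This is the path Portmaster must own;
#    if it fails, nothing on the box resolves names through Portmaster.
Write-Host "`n== Direct A query to $LocalResolver for $ProbeName =="
try {
    Resolve-DnsName -Name $ProbeName -Type A -Server $LocalResolver -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq "A" } | Format-Table Name, IPAddress -AutoSize
} catch {
    Write-Warning "No answer from ${LocalResolver}: $($_.Exception.Message)"
}

# 4. Windows' connectivity verdict (the thread notes it can stay "No internet
#    connection" even though resolution and browsing work).
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, IPv4Connectivity -AutoSize
```

Run it once with Mullvad disconnected and once connected; a tunnel adapter whose DNS drifts away from 127.0.0.1 after reconnecting is the symptom several people above describe.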
Thanks @ninjaeon - I think it's still not working for me though. Using a Singapore location in Mullvad and that Mullvad leak check is showing my DNS requests originate from a Singapore IP (not my assigned VPN IP, a different Singapore IP, I guess they're Mullvad DNS servers or VPN hops?).
Not sure exactly what result I'm expecting in that check website, but I assume it's not that. My Portmaster is just all default config (DNS Servers set to two dot cloudflare servers in Portmaster, by default). Then in Outgoing rules I added 224.0.0.251 and 224.0.0.252.
Mullvad network adapter settings are blank. My real eth network adapter has DNS set to 127.0.0.1. Mullvad desktop app has 127.0.0.1 as custom DNS. I ran that powershell command as well. Does it sound like I'm missing anything? I feel like I've followed all instructions mentioned thus far from various GH issues.
The Mullvad leak check will always show that you are "leaking DNS servers" if the DNS server is not set to use Mullvad's own DNS servers. When using Mullvad + Portmaster, you can ignore this "leaking DNS server" warning. Run https://www.dnsleaktest.com and if it is showing you as using Cloudflare (or whatever DNS service you have set in Portmaster), then you are good to go.
The Mullvad network adapter is the one that you need to set DNS to 127.0.0.1, not your real ethernet network adapter.
Is there any way to validate that DNS over TLS is working with this setup?
@nullbio Portmaster controls all DNS options, so if you want to use DoT through Portmaster's settings, set it as follows:
dot://194.242.2.2:853?verify=doh.mullvad.net&name=Mullvad&blockedif=empty
dot://193.19.108.2:853?verify=doh.mullvad.net&name=Mullvad&blockedif=empty
@ninjaeon Everything works without the 127.0.0.1 setting in my network settings. (Only the manual DNS setting of the Mullvad client was set to 127.0.0.1.) Retrying anyway makes no sense, as the WireGuard driver initializes and overrides everything. If it only works through that setting, you may need to set it up again from scratch.
And there is a part missing, so I write more.
Be sure to turn off all blocking options, including Force Block Incoming Connections, in the mullvad-daemon app.
ps. It is likely that this issue will be fixed in the next version. | https://github.com/mullvad/mullvadvpn-app/pull/4047