mozilla-mobile / mozilla-vpn-client

A fast, secure and easy to use VPN. Built by the makers of Firefox.
https://vpn.mozilla.org

Captive portal detection fails when IPv6 is enabled and local network access disabled #1225

Closed oskirby closed 3 years ago

oskirby commented 3 years ago

There seems to be an issue when the VPN is on that prevents network access to the addresses excluded from the tunnel (such as the captive portal and the VPN server's public IP address). This results in a bunch of error messages in the log like this:

[22.06.2021 07:56:55.729] (captiveportal - CaptivePortalRequest) request: http://34.107.221.82/success.txt
[22.06.2021 07:56:55.729] (networking - NetworkRequest) Network request created
[22.06.2021 07:56:55.769] (networking - NetworkRequest) Network reply received - status: 0 - expected: 0
[22.06.2021 07:56:55.769] (networking - NetworkRequest) Network error: Permission denied status code: 0 - body:
[22.06.2021 07:56:55.769] (captiveportal - CaptivePortalRequest) Captive portal request failed: 99
[22.06.2021 07:56:55.769] (captiveportal - CaptivePortalMultiRequest) Captive portal detection: 2
[22.06.2021 07:56:55.769] (captiveportal - CaptivePortalMultiRequest) Captive portal detect failed, retry!

We can confirm that a problem exists by attempting to ping the captive portal and the VPN server. In my case, they were 34.107.221.82 and 89.44.10.162 respectively, both of which report a general failure.

(screenshot: pingfail)

mozillavpn-captive-portal-failure.txt


oskirby commented 3 years ago

I think I have narrowed the problem down a bit. The packets are being dropped by the Windows firewall, which is being enabled by WireGuard whenever a default route is found in the allowedIPs (see: https://github.com/WireGuard/wireguard-windows/blob/ba4edc55c4712016921bea54dbd7c0408a69ae7b/tunnel/addressconfig.go#L177). This can occur when IPv6 is enabled and local network access is disabled.

This could possibly be explained as a WireGuard bug, since an IPv6 setting is causing IPv4 traffic to get blocked... but we ought to be able to program something in the firewall to permit this traffic.

oskirby commented 3 years ago

There are two ways that we can approach this issue:

  1. Hack it in the route generation for IPv6 to ensure that we never supply a default route (e.g. break a ::/0 route into 8000::/1 and ::/1), so that WireGuard never tries to program the firewall.
  2. Update to wireguard-windows v0.3.15 or later, which adds an option to disable routing and firewalls, then re-implement the routing table in the daemon instead of the wireguard DLL.

I'm inclined to prefer the 2nd option since that also helps pave the way for multihop tunneling, even though it is probably more work.
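As an added illustration of option 1 above (not code from this issue or from the mozilla-vpn-client or wireguard-windows projects), the functions below split any default route in an AllowedIPs list into its two /1 halves, so the list covers exactly the same addresses but no longer contains the `/0` entry that triggers WireGuard's firewall programming. `has_default_route` is an assumed stand-in for that trigger check, and the sample AllowedIPs list is constructed for the example.

```python
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Union

Net = Union[IPv4Network, IPv6Network]


def has_default_route(allowed_ips: List[str]) -> bool:
    """Assumed stand-in for WireGuard's trigger: is any entry 0.0.0.0/0 or ::/0?"""
    return any(ip_network(entry, strict=False).prefixlen == 0 for entry in allowed_ips)


def split_default_routes(allowed_ips: List[str]) -> List[str]:
    """Replace each default route by its two /1 halves, leaving other entries as-is.

    ::/0 becomes ::/1 and 8000::/1; 0.0.0.0/0 becomes 0.0.0.0/1 and 128.0.0.0/1.
    Address coverage is unchanged, but no entry is a default route any more.
    """
    out: List[str] = []
    for entry in allowed_ips:
        net: Net = ip_network(entry, strict=False)
        if net.prefixlen == 0:
            # subnets(prefixlen_diff=1) yields the lower half, then the upper half
            out.extend(str(half) for half in net.subnets(prefixlen_diff=1))
        else:
            out.append(str(net))
    return out


def is_covered(address: str, allowed_ips: List[str]) -> bool:
    """True if the address falls inside at least one AllowedIPs entry."""
    addr = ip_address(address)
    return any(addr in ip_network(entry, strict=False) for entry in allowed_ips)


# Constructed sample: IPv4 restricted to one range, IPv6 routed entirely through the tunnel.
SAMPLE_ALLOWED_IPS = ["10.0.0.0/8", "::/0"]

if __name__ == "__main__":
    split = split_default_routes(SAMPLE_ALLOWED_IPS)
    print("before:", SAMPLE_ALLOWED_IPS, "default route:", has_default_route(SAMPLE_ALLOWED_IPS))
    print("after: ", split, "default route:", has_default_route(split))
    print("2001:db8::1 still covered:", is_covered("2001:db8::1", split))
```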

data-sync-user commented 3 years ago

➤ Valentina Virlics commented:

Verified this on the last VPN 2.5.0 (2.202109080337) build while using Windows 10. The Captive Portal notification is not displayed no matter what is checked/unchecked in Network Settings.