Split Tunneled Apps has no Internet access

[anon97945]

Issue report

Operating system: Windows 10 64 Bit

App version: 2021.4

Issue description

Sometimes the Split tunneled apps have no access to the internet. This appears when i boot the PC and Mullvad is starting on boot. Like when i then start Teamspeak AFTER Mullvad is connected... To fix the "no internet" issue i simply need to open the Mullvad App and press reconnect... then everything is working fine again. Till the next restart. But its not 100% on every start.

[mvd-ows]

Thanks for reporting this issue. I'm unable to reproduce it on my end. Can you confirm that these exact steps can be used to reproduce the issue?

1. Install Mullvad app, version 2021.4
2. Enable Settings -> Preferences -> "Auto-connect" as well as the sibling setting "Launch app on start-up"
3. Add TeamSpeak as an excluded app in Settings -> Advanced -> Split tunneling
4. Reboot machine
5. Wait for green lock to appear in the tray area
6. Launch TeamSpeak and observe that its unable to connect

The final step fails in my testing, i.e. TeamSpeak is always able to connect.

However, I was able to use the following steps to reproduce what is probably the same issue:

1. Ensure TeamSpeak is not excluded in Mullvad app
2. Launch TeamSpeak and connect to a server
3. Exclude TeamSpeak in Mullvad app
4. Wait for existing TeamSpeak connection to time out (15 seconds or thereabout)
5. Observe that all automatic attempts to reconnect are failing

The reason this is failing is because TeamSpeak stubbornly tries to keep using the now-blocked tunneled connection it was previously using. This is a security feature of our implementation that prevents excluded apps from leaking data inside the tunnel.

What TeamSpeak should be doing is throw away any existing sockets it has and establish a new connection starting from zero. As you already noticed, reconnecting the tunnel forces TeamSpeak's socket to break, and the appropriate logic inside TeamSpeak does recreate the socket in this case. But a much better solution is to just restart TeamSpeak itself.

[anon97945]

Unfortunately, I can't reproduce it every time, it just happens sometimes that apps that I have excluded simply cannot set up the internet until I "reconnect" mullvad, I don't even have to restart the app (Teamspeak).

[faern]

Can you name some more software that exhibits this behavior? Or does it happen to all your excluded software from time to time? Can you give an estimate on approximately how often any given software is unable to use the internet after boot?

[anon97945]

Can you name some more software that exhibits this behavior? Or does it happen to all your excluded software from time to time? Can you give an estimate on approximately how often any given software is unable to use the internet after boot?

After boot: Steam, all the time. Heroes of Newerth 64bit as Game, all the time. MicroSIP, all the time.

[Phrown420]

Can confirm with Steam, I can't seem to get it to gain internet access when excluded from the VPN

[anon97945]

Is there anyone working on? I mean not to have it at startup isnt that nice... and connecting on startup to not have a connection isnt either...

[dlon]

@anon97945 Are you connected to a relay when this happens, or is the app stuck in a blocking state?

[anon97945]

Hello,

what do you mean with relay? The VPN is established without any problem, other apps working fine, just some are telling me they go no internet connection... so remain in blocked... i think it has something todo with the split tunnel driver thing.

[magicprograms]

Same problem windows 10!

[anon97945]

Still not fixed? Well..

[TheRealDadbeard]

Same issue here. After restart with auto connect split tunneled apps have no internet connection. I need to reconnect the whle vpn so they have access again.

Windows 11

[anon97945]

Its a known bug, still have it in the latest beta. When does this gets fixed? This is actually a security bug and no minor thing to have no internet on startup.... im paying for the service and its now reported 3 month ago...?

[Adamlb]

I can't get split tunnel to work at all. Any app I add to the exclusion list just can't access the internet. No amount of rebooting or reconnecting works. If they are on the list they don't have internet until I remove them from the list. Seems to be any and all apps, Firefox, steam, any individual game I've tried.

"Always Require VPN" is off

Version: 2021.5 Windows 10

[mvd-ows]

@Adamlb If it's consistently failing, you may have stumbled upon a different bug.

Could you please submit a problem report from within the app? The bundle that's then being uploaded will provide us with all the various log files. Also include your e-mail address if you feel comfortable doing so.

Could you make the first line in the report include "{4001D24E-C6F9-422B-9CC0-E3913E2B1FDF}"?

[dlon]

A bug was fixed in 2021.6-beta1 that matches the description, but it could be unrelated. Please send a problem report if you still have the same issue with that version.

[anon97945]

A bug was fixed in 2021.6-beta1 that matches the description, but it could be unrelated. Please send a problem report if you still have the same issue with that version.

Bug is still there.

[dlon]

A bug was fixed in 2021.6-beta1 that matches the description, but it could be unrelated. Please send a problem report if you still have the same issue with that version.

Bug is still there.

Can't reproduce this. Could you check C:\ProgramData\Mullvad VPN\daemon.log when this happens, and see if the interfaces passed to the driver make sense? The log entry containing "register IPs", in the connected state, should include the IP addresses of the Mullvad adapter and the network adapter that's connected to the internet. Also check if anything else looks off.

[Adamlb]

Something was up with my windows install. Other things started going wrong and I wound up reformatting. Split tunnel works great now. Thank you for your help, and sorry for wasting your time haha.

I was on windows insider just shy of windows 11, as my computer does not have TPM2.0. I'm thinking the attempted update to windows 11, or something in windows insider was causing this issue for me

[anon97945]

Hello, I can't test it further, since my subscription run out. 😐

[TheRealDadbeard]

Seems that issue is back again for me at least.

After windows is booted I have to manually reconnect mullvad or my split tunneled apps will not have any internet connection.

I am on Windows 11.

[dlon]

@TheRealDadbeard

The log entry containing "register IPs", in the connected state, should include the IP addresses of the Mullvad adapter and the network adapter that's connected to the internet.

Could you check if this is the case? Also submit a problem report if you don't mind. Make the first line "{5001D24E-C6F9-422B-9CC0-E3913E2B1FDF}".

[TheRealDadbeard]

Mullvad IPs show in the tunnel IP part but never in the internet part for me in the log.

[dlon]

In other words, the non-tunnel IPs are always None for the most recent log entry when it does not work? That is very useful information. Thanks. :)

[TheRealDadbeard]

In other words, the non-tunnel IPs are always None for the most recent log entry when it does not work? That is very useful information. Thanks. :)

Just a heads up this is still an issue even in the newest beta that just released. Split tunneled apps don't have internet access until I reload the VPN connection.

[dlon]

@TheRealDadbeard Just to clarify, when you say that you never see Mullvad IPs "in the internet part" before reconnecting, do you mean that you see None instead?

Also, do you see the following warning in daemon.log? (Probably not, but it would be good to know.)

Failed to obtain default route interface address

If you're up for it, I can give you a test build with some extra logging that will help rule out or identify some possible causes.

[cHJlaXpoZXI]

Just to add some weight to this issue : I cannot use the split tunneling. When I put a program inside the split tunneling, the app have no connection at all.

I tried the restart the connection and it doesn't worked either.

If you need some logs I can give it to you.

[dlon]

@cHJlaXpoZXI

Logs would be appreciated!

It might help us if you enable more verbose logging first. You can do so by running this from an elevated command prompt:

sc config mullvadvpn binpath="\"C:\Program Files\Mullvad VPN\resources\mullvad-daemon.exe\" --run-as-service -vvvv"
sc stop mullvadvpn
sc start mullvadvpn

[cHJlaXpoZXI]

Hi,

You can find daemon log attached. Here is all manipulations I have done after verbose mode was activated :

• Put brave in the split tunneling mode
• Try to use Brave (failed - no connection)
• Reconnect the server
• Try to use Brave (failed)

daemon.log

Regards,

[dlon]

@cHJlaXpoZXI Thank you!

I'm able to exclude Brave from the tunnel just fine. Can you tell us what Windows build you're running (i.e., the exact build number)? Have you checked if software other than Brave is affected by the bug?

If you're hosting any web servers on your LAN (such as the web interface of your router), can you reach them in Brave? Can you do so with local network sharing disabled in Mullvad?

Do you mind sharing your routing table, i.e. the output of route print (in cmd)? I'm mostly interested in what interface(s) is used for the destination 0.0.0.0.

[cHJlaXpoZXI]

Hi,

For the Windows version : Windows 11 Version 21H2 build 22000.556. I cannot use any apps when there are in split tunneling mode. There are no connectivity at all.

I can access the admin page of my router with split tunneling enable. I disable local share and it's worked same. So basically it's an issue with WAN access with split tunneling activated.

This is the route print with only selected element :

          0.0.0.0          0.0.0.0      172.21.16.1     172.21.16.21     25
          0.0.0.0        128.0.0.0        10.64.0.1   10.114.115.204      1

Regards,

[dlon]

Unfortunately, everything looks normal, and the app works as intended for me on 22000.556. So it's not caused by the known regression found in the older preview build. This is also very likely a different bug from the one that can be "fixed" by reconnecting.

It's a long shot, but are you able to reach a web server without involving any DNS resolution? If not, the connection redirection probably isn't working. This could be verified but I doubt that doing so would tell us why it's not working.

[cHJlaXpoZXI]

So I tried to access to https://1.1.1.1/ with split tunneling activated but it doesn't work. I tried to access to another website with your DNS instead of my internal DNS but it doesn't work either. So it's not a DNS issue on my side.

I tested a connection on my VPS via IP address with split tunneling activated : It doesn't work.

Any idea where this issue come from ? It's really annoying and make OPSEC impossible in that manner.

[xerta555]

I have the same issue on Windows 21H2 with last Mullvad app with Vivaldi app (wich i have exlude from VPN connexion in the Mullvad app). I had the exactly same issue with Mozilla VPN (wich use the same VPN network as Mullvad), and this issue was fixed some days after i reported the issue to the dev team of Mozilla VPN. If it can help the Mullvad dev team.

I specity that i always use Mullvad VPN client in WireGuard protocol with custom DNS IP address.

Arround 1 or 2 months ago i reported this issue through the Mullvad app, answer of the dev team:

Logfile of today: d827b6f9-b87d-483e-8e88-39d26d137ed6.log

[dlon]

@xerta555 Interesting. I will have a closer look at their fix.

Here's a dev build for you and everyone else: https://releases.mullvad.net/builds/2022.1-dev-4d1784/MullvadVPN-2022.1-dev-4d1784.exe. It does contain some changes to the interface monitor, but they're perhaps unlikely to fix the problem. I'm mainly interested in logs. If you do run into the issue again, they would be valuable to us.

Note that this build is pretty experimental/unstable. It contains many unrelated changes and features. It also logs a lot of information about network interfaces, etc. It should not be very sensitive, but be aware of that. Also, do send C:\ProgramData\Mullvad VPN\daemon.log directly instead of the log generated in the problem report view, if you don't mind including unredacted info. It is likely to be useful.

[xerta555]

It does contain some changes to the interface monitor, but they're perhaps unlikely to fix the problem. I'm mainly interested in logs. If you do run into the issue again, they would be valuable to us.

It happen to me at each startup, so if old logfiles are keeped, i can send them here. Or i will send one tomorrow (11h pm for me).

It should not be very sensitive, but be aware of that. Also, do send C:\ProgramData\Mullvad VPN\daemon.log directly instead of the log generated in the problem report view, if you don't mind including unredacted info. It is likely to be useful.

Ok there is my one: daemon.log

[xerta555]

@dlon dlon There is my logfile of today with the Vivaldy connexion issue fb1aa466-df7f-4bc6-8113-79fb2bb0e53a.log Hoping that the error is listed in it

[cHJlaXpoZXI]

Hi you will find my daemon.log generated with the dev version you provide. The only info redacted is my private address network,

daemon.log

Regards,

[xerta555]

Another log with last stable version if it can help to debug: 9666879b-5c4b-40bc-a04c-032d8a84713e.log

[xerta555]

@dlon I notice that when i wait arround 40 seconds - 1 minute after bootstart (session opened), and i open Vivaldi, the app get internet access, so i think it happen because of an issue in the protocol setup maybe, there is my log with last stable: e81e708f-2440-4483-ab5b-fcbec89431f0.log

[xerta555]

@dlon I just test the last build of today: https://releases.mullvad.net/builds/2022.1-dev-3640e7/ and i don't have the key panel anymore to check my WireGuard key with Mullvad website. I will test the reboot for the Split-tunelling function in some minutes.

EDIT: I just reboot and i directly opened Vivaldi at the startup and it get instantly internet access through my ISP IP address, so apparently the dev version of Mullvad works very well with split tunneling function through WireGuard protocol on CEF based browsers.

[cHJlaXpoZXI]

Hi,

I tested the 2022.1-dev-3640e7 version but it doesn't work for me. I give you some log again. Can you give us some details about a fix ?

daemon.log

[dlon]

@xerta555 Great! Do ping me if the bug resurfaces. The key panel has indeed been removed. You should still be able to reach the site from the app via the account view.

@cHJlaXpoZXI This deserves its own issue, but we haven't had much time to look into it yet. Do you happen to have any security software installed?

[xerta555]

@xerta555 Great! Do ping me if the bug resurfaces. The key panel has indeed been removed. You should still be able to reach the site from the app via the account view.

Ok, effectivly i just re-open new ports without checking the key i use with my account. The next stable version will include the fix ?

[UtilFunction]

Issue report

Operating system: Windows 10 64 Bit

App version: 2021.4

Issue description

Sometimes the Split tunneled apps have no access to the internet. This appears when i boot the PC and Mullvad is starting on boot. Like when i then start Teamspeak AFTER Mullvad is connected... To fix the "no internet" issue i simply need to open the Mullvad App and press reconnect... then everything is working fine again. Till the next restart. But its not 100% on every start.

Do you by any chance have a Killer Wi-Fi card? I used to have the same problem until I found out that disabling the Killer Network service solved the problem.

[cHJlaXpoZXI]

Issue report

Operating system: Windows 10 64 Bit App version: 2021.4

Issue description

Sometimes the Split tunneled apps have no access to the internet. This appears when i boot the PC and Mullvad is starting on boot. Like when i then start Teamspeak AFTER Mullvad is connected... To fix the "no internet" issue i simply need to open the Mullvad App and press reconnect... then everything is working fine again. Till the next restart. But its not 100% on every start.

Do you by any chance have a Killer Wi-Fi card? I used to have the same problem until I found out that disabling the Killer Network service solved the problem.

I have tested ! It's worked for me !

[dlon]

@UtilFunction Nice find! Just to be clear, that service causes split tunneling to never work? My best guess is that it prevents connections from being redirected. Probably because they're being redirected to that service instead.

[LinuxOnTheDesktop]

I still have this issue - on Windows and using version 2022.3 of the app. I think the problem might owe to this:

More specifically: it is not the disabling of the Ethernet-via-monitor that is the problem, but the very existence of that adaptor. For, before I switched to the monitor - the one with an Ethernet port - I never had the problem. (I could test that supposition but I do not propose to. For, so doing would involve much fiddling about with large monitors and with their stands. If someone at Mullvad could make that test, or a similar one, then I would be grateful.)

[xerta555]

I get same issue with Spotify Windows app client. When the system boot, Mullvad auto-start on boot and auto-connect to a server through WireGuard protocole, auto IP version, Spotify is set in split-tunneled settings, but it don't get internet access.

I have to disconnect/reconnect to same VPN server to make my Spotify connected to internet. Logfile: 0e3f715b-57e6-40f8-9b14-3ac0d7a47c0d.log

Mullvad 2022.3.

[LinuxOnTheDesktop]

It is perhaps worth my adding that, unlike xerta555, reconnecting does not give my split-tunnelled apps Internet access. [EDITED.]

I attach my log: mullvad-log.txt

[faern]

@LinuxOnTheDesktop Interesting find! But I think your issue is something else than what this thread is about. You say that your tunneled apps does not have internet access? This thread is about excluded (split tunneling) apps not having any internet access. Can you describe your setup and problem more clearly? If it's not about excluded apps lacking connectivity you can create a new issue instead of writing here :pray:.

Thanks for the logs! We don't have any monitors with ethernet in them to test with. But we'll look at your logs and see what we come up with.