Closed jjpinom closed 2 years ago
Are you suggesting the client should set up routes for these subnets? If so, what's the best way to determine which interface the traffic should be routed to, if there's multiple of them?
The app already has an option to not block traffic to various subnets when Allow LAN traffic is enabled. Setting up any extra routing, especially for network interfaces that our client isn't responsible for, is left as an exercise to the user, there's no way our client will know how to reach these destinations, unless the routes already exist in the routing table.
Hello!.
The scenario is as follows:
1) Suppose we have a Laptop connected to a local subnet with IP address 192.168.1.100/24 2) Also, suppose the default gateway for the local subnet is 192.168.1.1/24 3) Also, suppose there is a subnet dedicated to printers, let's say 192.168.2.0/24, and a printer with IP 192.168.2.10/24 4) There is a Router connecting 192.168.1.0/24 <-> 192.168.2.0/24
In this scenario, when the laptop has mullvad VPN tunnel activated (192.168.1.100), it looses connectivity with the printer (192.168.2.10), even tough "Local network sharing" is activated, and even tough the default gateway (192.168.1.1) is accessible.
This scenario is just like the one I have. In order for me to print, I must deactivate mullvad tunnel.
I hope this helps :-)
In this scenario, you must either configure your router to advertise these routes or configure the the hosts in the 192.168.1.1/24
network to have a route to 192.168.2.0/24
.
You do not need to deactivate the mullvad tunnel to print, you must allow LAN traffic in the app (can be done via mullvad lan set allow
) and have routes configured (ip route add 192.168.2.0/24 via 192.168.1.1
) in the routing table and you'll be able to print.
Our client has no way of knowing that your router is able to provide routes to other local subnets, and there's no blocking it explicitly does to disallow traffic from reaching these subnets. Instead, it's the OS that's attempting to route traffic to our tunnel interface instead of your physical network interface, since it too doesn't know about these extra routes.
This is to suggest implementing a IP-based split tunneling default rule so that the special purpose IP address space are not routed through the tunnel.
I suggest to route outside the tunnel all traffic with destination address in these groups:
10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 224.0.0.0/24 240.0.0.0/4 fe80::/10 fd00::/8 ff01::/16 ff02::/16 ff03::/16 ff04::/16 ff05::/16