mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Can't connect to any forwarded ports #3794

Closed EXtremeExploit closed 1 year ago

EXtremeExploit commented 2 years ago

Issue report

Operating system: Arch linux, 5.18.12-zen1-1-zen

App version: 2022.2

Issue description

I host a Minecraft server with ports forwarded to my machine. With the Local Network Sharing option enabled I can access my router control panel page, but when connected the outside internet can't access the server; I have to disconnect to let people connect to it. It's not just Minecraft, it's any open port: I can't host anything when connected through Mullvad.

faern commented 2 years ago

Yeah, it's not currently possible to host services on the LAN when connected. At least not on Linux. There is an issue for it somewhere on this tracker, but I can't find it currently. It basically boils down to local network sharing allowing all outgoing traffic on the LAN and allowing associated incoming traffic. But a brand new connection coming in is not associated with anything, so it is denied.

The only/best workaround I can suggest to you is to set up a custom firewall rule to allow the incoming traffic on the port(s) you want to host stuff on. See this guide for help: https://mullvad.net/en/help/split-tunneling-with-linux-advanced/#allow-incoming

EXtremeExploit commented 1 year ago

Set up the nftable; list output:

~ on  master [✘!] 
❯ sudo nft list ruleset
table inet excludeTraffic {
    chain allowIncoming {
        type filter hook input priority -100; policy accept;
        tcp dport 2010 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }

    chain allowOutgoing {
        type route hook output priority -100; policy accept;
        tcp sport 2010 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
}

And I still can't forward ports. Do I have to restart the system or am I missing some configuration? I am using ethernet with the name eno1.

EDIT: my bad, I didn't notice I have to specify the port. I have to forward multiple ports; how can I do that without cluttering the rules?

EXtremeExploit commented 1 year ago

table inet excludeTraffic {
    chain allowIncoming {
        type filter hook input priority -100; policy accept;
        tcp dport 2010 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
        tcp dport { 22, 25, 80, 110, 143, 443, 587, 993, 995, 25565 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }

    chain allowOutgoing {
        type route hook output priority -100; policy accept;
        tcp sport 2010 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
        tcp sport { 22, 25, 80, 110, 143, 443, 587, 993, 995, 25565 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
}

This works, thanks for the help.
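As an added example (not from this thread or the Mullvad project), a small POSIX shell script that generates the `excludeTraffic` ruleset the thread ends with for any list of hosted TCP and UDP ports, so extra services do not mean hand-editing the anonymous sets; the table and chain names and both mark values are taken from the ruleset above, while the helper names, the validation and the demo ports are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Mullvad project: build the
# "excludeTraffic" nftables ruleset the thread ends with, for any list of
# hosted TCP/UDP ports. Table and chain names and both mark values are
# copied from the issue; the port lists and the helper names are ours.

# Validate a space-separated port list and print it as an nft anonymous set,
# sorted and de-duplicated, e.g. "{ 22, 25565 }". Fails on non-numeric or
# out-of-range entries so a typo cannot silently widen the rule.
port_set() {
    for p in $1; do
        case $p in *[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    printf '{ %s }' "$(printf '%s\n' $1 | sort -n -u | tr '\n' ',' | sed 's/,$//; s/,/, /g')"
}

# Print one marking rule for a protocol and direction; an empty list prints nothing.
mark_rule() { # $1 = tcp|udp, $2 = dport|sport, $3 = "port port ..."
    [ -n "$3" ] || return 0
    ports=$(port_set "$3") || return 1
    printf '        %s %s %s ct mark set 0x00000f41 meta mark set 0x6d6f6c65\n' "$1" "$2" "$ports"
}

# Print the complete ruleset. $1 = TCP ports, $2 = UDP ports (either may be empty).
# Incoming connections are matched on the destination port, replies on the
# source port, exactly as in the thread's working ruleset. All ports are
# validated before anything is printed, so the output is safe to pipe into nft.
mullvad_exclude_ruleset() {
    for p in $1 $2; do port_set "$p" >/dev/null || return 1; done
    printf 'table inet excludeTraffic {\n    chain allowIncoming {\n'
    printf '        type filter hook input priority -100; policy accept;\n'
    mark_rule tcp dport "$1" && mark_rule udp dport "$2"
    printf '    }\n\n    chain allowOutgoing {\n'
    printf '        type route hook output priority -100; policy accept;\n'
    mark_rule tcp sport "$1" && mark_rule udp sport "$2"
    printf '    }\n}\n'
}

# Demo values (constructed): a Minecraft Java server (TCP 25565) plus SSH,
# and Minecraft Bedrock on UDP 19132.
# Load with "... --demo | sudo nft -f -"; "nft -c -f -" only checks the syntax.
if [ "${1:-}" = "--demo" ]; then
    mullvad_exclude_ruleset "22 25565" "19132"
fi
```

Each rule still only marks the port's own connection so it bypasses the tunnel, so keep the list to ports you actually want reachable from outside.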