mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Custom routing rules #3870

Closed lessneek closed 2 years ago

lessneek commented 2 years ago

There is the always-on kill-switch which blocks all packets to interfaces other than mullvad-wg. Also, when the 'Local network sharing' switch is on, packets to the local network are allowed. There is a custom virtual network, 'yggdrasil', which uses the 200::/7 address space. I need to allow traffic routing to that space via its tun interface. How can I do it?

pinkisemils commented 2 years ago

You can have a look here - https://mullvad.net/en/help/split-tunneling-with-linux-advanced/. Basically, you'll want a ruleset that's a simpler version of the custom DNS one - without any ports and with a single subnet instead of a set of IP addresses.

lessneek commented 2 years ago

At last, the ygg network now works with Mullvad with this simple exclude_traffic.rules:

table inet excludeTraffic {
  chain excludeOutgoing {
    type route hook output priority 0; policy accept;
    ip6 daddr 200::/7 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

You just need to run sudo nft -f exclude_traffic.rules once on system startup.

Thank you @pinkisemils

lessneek commented 2 years ago

@pinkisemils, can you simplify this by adding to the app a custom field for excluded traffic alongside the 'allow local network' one, or just add: IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0x200, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()), to talpid-core/src/firewall/mod.rs?

Or maybe you just kill-switch only the global unicast subnet 2000::/3. What do you think?

faern commented 2 years ago

> Or maybe you just kill-switch only the global unicast subnet 2000::/3. What do you think?

This is not going to fly, sadly. The kill-switch is allowlist-based, not blocklist-based. We prefer to block too much and slowly unlock things that we deem safe, instead of the other way around.

> can you simplify this by adding to the app a custom field for excluded traffic alongside the 'allow local network' one, or just add: IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0x200, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()), to talpid-core/src/firewall/mod.rs?

What makes this IP range OK to "leak" and why should it be classified as a local network address? I can't find too much information on the definition of the 200::/7 range. But Wikipedia says:

> The address block 200::/7 was defined as an OSI NSAP-mapped prefix set in August 1996, but was deprecated in December 2004.

I'm not too comfortable just allowing a not well-defined range.
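The disagreement above comes down to where 200::/7 sits relative to the ranges the kill-switch already treats as "local" (link-local fe80::/10, unique-local fc00::/7, loopback) and the global unicast block 2000::/3 that lessneek suggested restricting. The following is an added example, not code from the Mullvad app or from talpid-core (which uses the ipnetwork crate, as the snippet quoted above shows): it uses only the Rust standard library to implement prefix membership and overlap over the 128-bit address value, then classifies sample addresses and checks that 200::/7 is disjoint from both the local-scope ranges and 2000::/3. The range names, the sample addresses and the `classify` helper are my own constructions for the illustration; the prefixes themselves are the well-known ones from RFC 4291 and RFC 4193 plus the 200::/7 range from the issue.

```rust
use std::net::Ipv6Addr;

/// An IPv6 prefix held as a 128-bit network value plus a prefix length.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Prefix {
    network: u128,
    len: u8,
}

impl Prefix {
    /// Build a prefix from an address and length, clearing the host bits
    /// (so 201::1/7 becomes 200::/7, which is how nft stores the rule too).
    pub fn new(addr: Ipv6Addr, len: u8) -> Prefix {
        assert!(len <= 128, "prefix length out of range");
        Prefix { network: u128::from(addr) & Prefix::mask(len), len }
    }

    /// Parse "200::/7"-style CIDR notation.
    pub fn parse(cidr: &str) -> Result<Prefix, String> {
        let (addr, len) = cidr
            .split_once('/')
            .ok_or_else(|| format!("no '/' in {}", cidr))?;
        let addr: Ipv6Addr = addr.parse().map_err(|e| format!("{}: {}", cidr, e))?;
        let len: u8 = len.parse().map_err(|e| format!("{}: {}", cidr, e))?;
        if len > 128 {
            return Err(format!("{}: prefix length > 128", cidr));
        }
        Ok(Prefix::new(addr, len))
    }

    /// Network mask with the top `len` bits set.
    fn mask(len: u8) -> u128 {
        if len == 0 { 0 } else { u128::MAX << (128 - len as u32) }
    }

    /// True when `addr` falls inside this prefix.
    pub fn contains(&self, addr: Ipv6Addr) -> bool {
        u128::from(addr) & Prefix::mask(self.len) == self.network
    }

    /// Two prefixes overlap iff they agree on the shorter prefix's bits.
    pub fn overlaps(&self, other: &Prefix) -> bool {
        let m = Prefix::mask(self.len.min(other.len));
        self.network & m == other.network & m
    }

    pub fn first(&self) -> Ipv6Addr {
        Ipv6Addr::from(self.network)
    }

    pub fn last(&self) -> Ipv6Addr {
        Ipv6Addr::from(self.network | !Prefix::mask(self.len))
    }
}

/// Well-known IPv6 scopes (RFC 4291 / RFC 4193) plus the 200::/7 range
/// from the issue. Names are constructed labels for this example only.
const RANGES: &[(&str, &str)] = &[
    ("loopback", "::1/128"),
    ("link-local", "fe80::/10"),
    ("unique-local", "fc00::/7"),
    ("multicast", "ff00::/8"),
    ("global-unicast", "2000::/3"),
    ("yggdrasil (200::/7)", "200::/7"),
];

/// Name the scope a destination belongs to, or "unassigned" if none match.
pub fn classify(addr: Ipv6Addr) -> &'static str {
    for (name, cidr) in RANGES {
        if Prefix::parse(cidr).expect("constant CIDR").contains(addr) {
            return name;
        }
    }
    "unassigned"
}

/// The check behind faern's question: the proposed exclusion range is not a
/// subset of (or even overlapping with) any local scope, nor of 2000::/3,
/// so opening it in an allowlist firewall is a new decision, not a special
/// case of "allow local network".
pub fn exclusion_is_disjoint_from_local_and_global() -> bool {
    let ygg = Prefix::parse("200::/7").expect("constant CIDR");
    ["::1/128", "fe80::/10", "fc00::/7", "2000::/3"]
        .iter()
        .map(|c| Prefix::parse(c).expect("constant CIDR"))
        .all(|p| !ygg.overlaps(&p))
}

fn main() {
    let ygg = Prefix::parse("200::/7").unwrap();
    println!("200::/7 spans {} .. {}", ygg.first(), ygg.last());
    // Constructed sample destinations, one per scope of interest.
    for s in ["201:abcd::1", "2a00::1", "fe80::1", "fd00::1", "400::1"] {
        let a: Ipv6Addr = s.parse().unwrap();
        println!("{:<14} -> {}", s, classify(a));
    }
    println!("disjoint from local + global: {}", exclusion_is_disjoint_from_local_and_global());
}
```

The `overlaps` check is the one worth keeping in mind when reviewing any proposed allowlist addition: it answers whether a new prefix merely refines a range the firewall already permits or opens something entirely new.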