mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

[feature] Split-tunneling for linux version, restrict ct and fwmark values to specific bytes #4194

Closed ziggie1984 closed 1 year ago

ziggie1984 commented 1 year ago

Issue report

Operating system: linux

App version: 2022.5

Issue description

For the linux version you are using the ctmark (0x00000f41) and the fwmark 0x6d6f6c65. I suggest restricting those values to specific bytes, for example the first 2 bytes; by doing so one could run several tunnels in parallel without interfering with each other (running tailscale, tunnelsats + mullvad).

Example:

Tailscale already uses byte 3 for the fwmark, so Mullvad could use Byte 1-2.

We from tunnelsats.com are now using byte 4 and would like to allow our users to run Mullvad without any interference with our services.

In addition to that, the ct mark could also be restricted to a byte by doing something like this:

ct mark and 0x00000fff == 0x00000f41 accept

faern commented 1 year ago

That type of solution does not sound like it scales at all. If our three organizations "occupy" all four bytes of "the mark", what is other software to do? What you write assumes every firewall rule checking marks always has a & {MARK_MASK} applied to it. I don't think this makes any sense.

You can do what you want currently, by just adding more specific firewall rules instead of treating the marks as bitmasks.

ziggie1984 commented 1 year ago

Ok yes, you are right, I agree. Maybe you have a suggestion for how I can avoid dealing with the startup order of applications regarding the routing table entries. Currently, when I want to run more than one tunnel besides mullvad, I need to make sure that I install my rule before the hammer rule of the mullvad app:

  not from all fwmark 0x6d6f6c65 lookup 1836018789

in case I work with marking my traffic for my other tunnels, but maybe you have a more clever solution.

This is what my setup looks like (having a startup dependency in my systemd file):

32761:  from all fwmark 0xdeadbeef lookup 51820
32762:  not from all fwmark 0x6d6f6c65 lookup 1836018789

faern commented 1 year ago

Sorry, I don't have a ready-made solution for your setup (which I don't understand 100%). But I'm sure you can make it work with some firewall rules, marks and routing tables. Everything our app does to the firewall can be overridden by just having firewall rules with higher priority. You set the priority of an nftables chain to control the order of execution among them.