Open FeryET opened 1 year ago
This would be easier with rootless docker or podman, where mullvad-exclude podman run ...
would just work.
As forthe nftables rule, your current rule matches traffic that's destined for 10.10.5.0/24
, but it doesn't mark traffic originating there. So, instead, you may want to change the ip daddr $EXCLUDED_IPS
to ip saddr $EXCLUDED_IPS
. However, I have not tested whether this would be the only thing you should change to make it work.
I can recommend adding a counter to each of the rules you're trying to add, this helps immensely with debugging these things.
I had tried saddr
before, but I think generally the routing/forwarding thing that is happening in the network bridge in the container is not working for whatever reason.
Looking for a solution for a similar problem. Mullvad is always enabled (Wireguard only) and I also have a second Wireguard work tunnel, which provides access to.. things.
If Mullvad is enabled, I can't reach the public IPs in the AllowedIPs list in the work WG VPN. If it's disabled, no issues connecting. I tried adding an nft
rule to the mullvad
table's input
and output
chains to allow in/outgoing traffic to the certain IPs, but started getting timeouts instead of refused connections.
Ok, please disregard the above... I was able to find exactly what I was looking for in the Advanced Linux docs.
https://mullvad.net/en/help/split-tunneling-with-linux-advanced/#allow-ip
@FeryET I’m a bit late to this, but to answer the original question, I was trying to figure out how to do the same thing, and it looks like a mark-based accept rule was to the forward chain (which is used by the container stuff) added back in August in https://github.com/mullvad/mullvadvpn-app/commit/3e86de27b220371ca8e10d22f46b86862b731739! This allows you to exclude forwarded/routed traffic from the firewall with a rule that looks like this:
table inet excludeTraffic {
chain excludeOutgoing {
type route hook output priority -150; policy accept;
ip daddr 10.10.5.0/24 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
chain excludeForwarding {
type filter hook prerouting priority -150; policy accept;
ip saddr 10.10.5.0/24 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
}
Does that work for you?
@FeryET I’m a bit late to this, but to answer the original question, I was trying to figure out how to do the same thing, and it looks like a mark-based accept rule was to the forward chain (which is used by the container stuff) added back in August in https://github.com/mullvad/mullvadvpn-app/commit/3e86de27b220371ca8e10d22f46b86862b731739! This allows you to exclude forwarded/routed traffic from the firewall with a rule that looks like this:
table inet excludeTraffic { chain excludeOutgoing { type route hook output priority -150; policy accept; ip daddr 10.10.5.0/24 ct mark set 0x00000f41 meta mark set 0x6d6f6c65; } chain excludeForwarding { type filter hook prerouting priority -150; policy accept; ip saddr 10.10.5.0/24 ct mark set 0x00000f41 meta mark set 0x6d6f6c65; } }
Does that work for you?
Thanks. I will give this a try and will ping you.
Issue report
Operating system: Ubuntu 23.04, 64bit.
App version:
Issue description
I am trying to exclude a specific local ip from the tunneled traffic. This ip is bound to a container (via a virtual bridge network created by docker with gateway of 10.10.5.1) which is acting as a
non-tunneled proxy
for websites that are only accessible without VPN. (country specific issue)I've tried using this guide and this is my nftables config at the moment:
I want to use the ip
10.10.5.1
as my proxy IP (the ip of the gateway of the network), without Mullvad routing its outgoing traffic via its tunnel.I am confused by nftables configuration, thought about asking it here.