mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

100.64.0.0/10 is not included in allowed LAN ranges #6086

Open nothingmuch opened 2 months ago

nothingmuch commented 2 months ago

Is it a bug?

I have checked if others have reported this already

Current Behavior

Although 100.64.0.0/10 is part of the IPv4 reserved address blocks used for internal networks, it is not included in the list of allowed addresses when LAN access is unblocked.

Strictly speaking that range is for carrier-grade NAT, so it's debatable whether or not that should be considered LAN.

However, not adding this manually to nftables means I can't use tailscale and mullvad concurrently.

I'm aware of tailscale's mullvad integration, but unfortunately since I use headscale and not the tailscale service, I can't yet utilize this functionality.

Expected Behavior

With tailscale enabled and connected, and mullvad lan set allow configured, traffic on the tailscale interface should not be blocked when connecting to mullvad.

I can work around this using the following firewall rule:

    # Route-hook output chain: mark traffic to the CGNAT range with the
    # Mullvad exclusion marks so it is not forced into the tunnel.
    table inet mullvadExclusions {
      chain mullvadAllowTailscale {
        type route hook output priority -1; policy accept;
        ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
      }
    }

but it would be less brittle and more secure if I would not have to do that statically, since that would still be allowed if mullvad lan set block is configured.

Steps to Reproduce

  1. tailscale up
  2. mullvad lan set allow
  3. tailscale ping ... (works)
  4. mullvad connect
  5. tailscale ping ... (no response)
  6. mullvad disconnect
  7. tailscale ping ... (works)

Failure Logs

No response

Operating system version

NixOS unstable (pre release 24.05)

Mullvad VPN app version

2023.6

Additional Information

No response

harbor6688 commented 2 months ago

You could for now manually add it to talpid-core/src/firewall/mod.rs in the source code at https://github.com/mullvad/mullvadvpn-app/blob/6868d3c3336a8289c56fdd978ad61ef8a19a7155/talpid-core/src/firewall/mod.rs and modify ALLOWED_LAN_NETS. While Rust code can be a bit scary, I feel that this part is pretty self-explanatory. Then manually compile from said modified source, preferably with build.sh --optimized so you get a release build. Now, I cannot guarantee this to work since I have yet to test it myself, but it could be a stopgap solution for now. The only issue with this would be that you would not run the release version but the latest git commit, unless you can figure out what commit they used to compile the latest release version.
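As an added illustration of the allowed-LAN check the comment above points at (this is not the Mullvad app's own code, and the network list below is an assumed set of standard private ranges, not the contents of ALLOWED_LAN_NETS): a small model showing that a Tailscale peer address in 100.64.0.0/10 fails the check until that range is added to the list.

```rust
// Added example, not code from the Mullvad repository. Models an
// allowed-LAN list and a prefix-match check so the gap reported in the
// issue (100.64.0.0/10 missing) can be seen on a concrete address.
use std::net::Ipv4Addr;

/// An IPv4 network in CIDR form (network address + prefix length).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Ipv4Net {
    pub addr: Ipv4Addr,
    pub prefix: u8,
}

impl Ipv4Net {
    pub const fn new(a: u8, b: u8, c: u8, d: u8, prefix: u8) -> Self {
        Ipv4Net { addr: Ipv4Addr::new(a, b, c, d), prefix }
    }

    /// True if `ip` lies inside this network: the top `prefix` bits must match.
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        let mask: u32 = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
        (u32::from(ip) & mask) == (u32::from(self.addr) & mask)
    }
}

/// Assumed "LAN" list: RFC 1918 private ranges plus IPv4 link-local.
pub const LAN_NETS: &[Ipv4Net] = &[
    Ipv4Net::new(10, 0, 0, 0, 8),
    Ipv4Net::new(172, 16, 0, 0, 12),
    Ipv4Net::new(192, 168, 0, 0, 16),
    Ipv4Net::new(169, 254, 0, 0, 16),
];

/// RFC 6598 shared address space (CGNAT), the range Tailscale hands out.
pub const CGNAT_NET: Ipv4Net = Ipv4Net::new(100, 64, 0, 0, 10);

/// Would traffic to `ip` pass a LAN-allow rule built from `nets`?
pub fn is_allowed_lan(ip: Ipv4Addr, nets: &[Ipv4Net]) -> bool {
    nets.iter().any(|n| n.contains(ip))
}

fn main() {
    // Constructed sample peer address inside 100.64.0.0/10.
    let peer = Ipv4Addr::new(100, 101, 102, 103);
    let with_cgnat: Vec<Ipv4Net> =
        LAN_NETS.iter().copied().chain(std::iter::once(CGNAT_NET)).collect();
    println!("allowed by LAN list only: {}", is_allowed_lan(peer, LAN_NETS));
    println!("allowed with 100.64.0.0/10 added: {}", is_allowed_lan(peer, &with_cgnat));
}
```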

harbor6688 commented 2 months ago

Nvm, I think this should be the commit of the latest release: https://github.com/mullvad/mullvadvpn-app/commit/b261238598f0237aaf420354445797a12a45d907

nothingmuch commented 2 months ago

Sure, I'm comfortable making that change. nixpkgs uses a binary release, so it might take me a bit to test it first, but I'm happy to make the effort if this change is likely to get accepted. I'll follow up soon.