mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

[Feature request] Use DNS-over-HTTPS/TLS configuration profiles (iOS, iPadOS, macOS) #6203

Open aniqueta opened 5 months ago

aniqueta commented 5 months ago

I have checked if others have suggested this already

Feature description

This is similar to, but not quite, the same as https://github.com/mullvad/mullvadvpn-app/issues/3689

While Mullvad offers its own ad and tracker blocking DNS, users may want greater customization of what to block and/or custom DNS resolution to use for private resources. In those cases, users may set up their own DNS using DNS-over-HTTPS or -TLS.

On macOS and iOS/iPadOS, one can use both a VPN and a DNS configuration profile for DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) if one configures the VPN application to use the OS DNS resolver, per the following:

  1. Set 0.0.0.0/32 and ::/128 as the DNS server in the VPN application
  2. Disallow those IPs from the VPN, which would make the following the allowed IPs:
     0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1, ::1/128, ::2/127, ::4/126, ::8/125, ::10/124, ::20/123, ::40/122, ::80/121, ::100/120, ::200/119, ::400/118, ::800/117, ::1000/116, ::2000/115, ::4000/114, ::8000/113, ::0.1.0.0/112, ::0.2.0.0/111, ::0.4.0.0/110, ::0.8.0.0/109, ::0.16.0.0/108, ::0.32.0.0/107, ::0.64.0.0/106, ::0.128.0.0/105, ::1.0.0.0/104, ::2.0.0.0/103, ::4.0.0.0/102, ::8.0.0.0/101, ::16.0.0.0/100, ::32.0.0.0/99, ::64.0.0.0/98, ::128.0.0.0/97, ::1:0:0/96, ::2:0:0/95, ::4:0:0/94, ::8:0:0/93, ::10:0:0/92, ::20:0:0/91, ::40:0:0/90, ::80:0:0/89, ::100:0:0/88, ::200:0:0/87, ::400:0:0/86, ::800:0:0/85, ::1000:0:0/84, ::2000:0:0/83, ::4000:0:0/82, ::8000:0:0/81, ::1:0:0:0/80, ::2:0:0:0/79, ::4:0:0:0/78, ::8:0:0:0/77, ::10:0:0:0/76, ::20:0:0:0/75, ::40:0:0:0/74, ::80:0:0:0/73, ::100:0:0:0/72, ::200:0:0:0/71, ::400:0:0:0/70, ::800:0:0:0/69, ::1000:0:0:0/68, ::2000:0:0:0/67, ::4000:0:0:0/66, ::8000:0:0:0/65, 0:0:0:1::/64, 0:0:0:2::/63, 0:0:0:4::/62, 0:0:0:8::/61, 0:0:0:10::/60, 0:0:0:20::/59, 0:0:0:40::/58, 0:0:0:80::/57, 0:0:0:100::/56, 0:0:0:200::/55, 0:0:0:400::/54, 0:0:0:800::/53, 0:0:0:1000::/52, 0:0:0:2000::/51, 0:0:0:4000::/50, 0:0:0:8000::/49, 0:0:1::/48, 0:0:2::/47, 0:0:4::/46, 0:0:8::/45, 0:0:10::/44, 0:0:20::/43, 0:0:40::/42, 0:0:80::/41, 0:0:100::/40, 0:0:200::/39, 0:0:400::/38, 0:0:800::/37, 0:0:1000::/36, 0:0:2000::/35, 0:0:4000::/34, 0:0:8000::/33, 0:1::/32, 0:2::/31, 0:4::/30, 0:8::/29, 0:10::/28, 0:20::/27, 0:40::/26, 0:80::/25, 0:100::/24, 0:200::/23, 0:400::/22, 0:800::/21, 0:1000::/20, 0:2000::/19, 0:4000::/18, 0:8000::/17, 1::/16, 2::/15, 4::/14, 8::/13, 10::/12, 20::/11, 40::/10, 80::/9, 100::/8, 200::/7, 400::/6, 800::/5, 1000::/4, 2000::/3, 4000::/2, 8000::/1

  This approach works using the stock WireGuard app on both macOS and iOS/iPadOS.

I have tried Step 1 in the Mullvad app, and it does not appear to work, since there is no way to do Step 2.

Alternative solutions

Naturally, since this works using the WireGuard application, one can manually configure Mullvad VPNs in the WireGuard app using this approach. However, this makes things less user friendly. For example, one cannot change Mullvad servers and locations very easily. It also takes up one of the five clients that Mullvad allows, limiting the use of the official Mullvad app in other situations.
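The allowed-IP list in Step 2 above is exactly "everything except 0.0.0.0/32 and ::/128" expressed as CIDR blocks, which is the only way WireGuard's AllowedIPs can say "all traffic but one address". The following script, added here as an illustration and not code from the Mullvad app or the WireGuard project, computes that complement with Python's standard `ipaddress` module and checks that the resolver address really falls outside the tunnel while ordinary addresses stay inside it. The function names and the inputs are constructed for this example.

```python
import ipaddress

# Constructed inputs (not taken from any real configuration): the full IPv4 and
# IPv6 address space, and the single-address prefixes the issue points at the
# OS resolver so a DoH/DoT configuration profile can take over DNS.
FULL_V4 = ipaddress.ip_network("0.0.0.0/0")
FULL_V6 = ipaddress.ip_network("::/0")
OS_RESOLVER_V4 = ipaddress.ip_network("0.0.0.0/32")
OS_RESOLVER_V6 = ipaddress.ip_network("::/128")


def allowed_ips_excluding(full, excluded):
    """Return the CIDR blocks covering `full` minus `excluded`, ascending.

    address_exclude() yields the complement as a list of prefixes; for a
    single excluded address that is one block per prefix length, i.e. 32
    blocks for IPv4 and 128 for IPv6.
    """
    return [str(net) for net in sorted(full.address_exclude(excluded))]


def wireguard_allowed_ips(excluded_v4=OS_RESOLVER_V4, excluded_v6=OS_RESOLVER_V6):
    """Build the value of a WireGuard [Peer] AllowedIPs line (v4 blocks, then v6)."""
    blocks = allowed_ips_excluding(FULL_V4, excluded_v4)
    blocks += allowed_ips_excluding(FULL_V6, excluded_v6)
    return ", ".join(blocks)


def is_routed_through_tunnel(address, allowed_ips_value):
    """True if `address` is covered by any block in an AllowedIPs value.

    This is the check a user would want before relying on the split: the
    resolver address must NOT match, everything else must.
    """
    addr = ipaddress.ip_address(address)
    for cidr in allowed_ips_value.split(","):
        net = ipaddress.ip_network(cidr.strip())
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    value = wireguard_allowed_ips()
    print("AllowedIPs =", value)
    for probe in ("0.0.0.0", "::", "1.1.1.1", "2606:4700:4700::1111"):
        print(probe, "-> tunnel" if is_routed_through_tunnel(probe, value) else "-> bypass")
```

Python prints some IPv6 blocks in its own canonical form (for example `::1:0/112` where macOS shows `::0.1.0.0/112`); the covered ranges are identical, which the `is_routed_through_tunnel` check confirms independently of the spelling.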

fritz-fritz commented 3 months ago

Really want this, have been using the WireGuard app to accomplish this but now that quantum tunnels and obfuscation are available in the Mullvad App it is tempting to switch. Occasionally I have need to join networks that are hostile to VPNs but work with obfuscation.

Please let me control the allowed/disallowed IP ranges! Even if it’s buried as an advanced feature, it is extremely useful!

drpoutine commented 2 months ago

> Please let me control the allowed/disallowed IP ranges! Even if it’s buried as an advanced feature, it is extremely useful!

would like to +1 this as well. sometimes in airplanes you have to disable mullvad entirely in order to allow the captive portal to load. would be awesome to see if we can whitelist a domain/ip range in the app for both ios/macos

love the mullvad app though. wouldn't even mind if it's buried in advanced features