mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Local network sharing does not work across subnets when Mullvad is connected #6219

Open deadmeu opened 4 months ago

deadmeu commented 4 months ago

Is it a bug?

I have checked if others have reported this already

Current Behavior

Local network sharing does not allow my computer (10.0.0.2) to ping my phone (10.0.2.2) across subnets when the Mullvad desktop app is connected to Mullvad's server.

I am connected exclusively using WireGuard with Lockdown mode enabled. The two devices are on separate VLANs but have the appropriate firewall rules set up so that they may communicate with each other. My phone also has the Mullvad app connected, with Local network sharing enabled too. My phone is always connected, and I don't think this issue has anything to do with the Mullvad Android app or my phone using Mullvad.

I have another computer (10.0.0.3) which is NOT connected to Mullvad and does not have the app installed, which CAN ping my phone, and my phone can also ping that computer just fine.

When I disconnect my computer from Mullvad everything works as expected. I am able to ping my phone, and my phone can ping my computer. It's only when I am connected that I cannot reach my phone (or any other device that is not also on 10.0.0.0/24).

Expected Behavior

My computer should be able to continue to reach my phone when I am connected.

Steps to Reproduce

  1. Have a primary machine on one subnet (e.g. 10.0.0.0/24) with the Mullvad app installed with the Local network sharing setting enabled.
  2. Have a secondary machine on another subnet (e.g. 10.0.2.0/24). In my case, this is my phone.
  3. While Mullvad is disconnected, ping the secondary machine. You should successfully receive a response from this machine.
  4. Select Connect in the Mullvad app to connect the primary machine to Mullvad.
  5. On the primary machine, attempt to ping the secondary machine.
  6. You should not receive a response from the secondary machine.

Failure Logs

No response

Operating system version

Arch Linux

Mullvad VPN app version

2024.1

Additional Information

I believe this has been an issue for a long while (several years) and I only recently figured out that the desktop app is the cause.

#4289 and #5326 may be related, but I'm not sure.

deadmeu commented 2 months ago

Any chance this could get looked at? It's a huge issue when you can't communicate with all the devices on your network just because they are on another subnet.

JexxaJ commented 2 months ago

Seconding this: in a multi-network environment Mullvad is blocking communications to local subnets even though local sharing is enabled.

deadmeu commented 2 months ago

It seems like this might be a known issue as posted on https://mullvad.net/en/help

"While using the Mullvad VPN app, I can't access local shares, printers or services. What do I do? Open the Mullvad app settings, then click on Preferences and turn on "Local network sharing". In some cases you have to use the IP address to connect instead of the hostname. If the device is on a different subnet (IP address range) then add a static route to that in the operating system. In Android this will not work if you have enabled "Block connections without VPN" in the Android network settings."

JexxaJ commented 2 months ago

Thanks, makes sense, but not ideal if you need to touch each machine and add a route. Had a quick look to see if you could run something like RIP, but it seems it is not a standard thing on Windows machines; not sure about other OSs.

If you do go down that path, make sure you make the route persistent, otherwise you will lose it on every reboot.

mattdale77 commented 1 month ago

I have come across this too. When I am moving physically between subnets I would have to create the relevant static routes each time. While this certainly works, I feel the app should know the static routes which are already defined in the default gateway. There may be a reason why this isn't desirable, but no reason that springs to mind for my usage.

nicolaipre commented 2 weeks ago

> I have come across this too. When I am moving physically between subnets I would have to create the relevant static routes each time. While this certainly works, I feel the app should know the static routes which are already defined in the default gateway. There may be a reason why this isn't desirable, but no reason that springs to mind for my usage.

Got an example of how you created the static routes successfully?

mattdale77 commented 2 weeks ago

> > I have come across this too. When I am moving physically between subnets I would have to create the relevant static routes each time. While this certainly works, I feel the app should know the static routes which are already defined in the default gateway. There may be a reason why this isn't desirable, but no reason that springs to mind for my usage.
>
> Got an example of how you created the static routes successfully?

Have a look here https://www.linuxtechi.com/add-delete-static-route-linux-ip-command/

I used the command

```
# destination subnet that is not your own, sent to your LAN gateway
ip route add <destination-subnet> via <gateway-ip>
```

While I have not yet tried it, I believe that if you adjust your netmask to open up your subnets, Mullvad will recognise them as local and exempt them from the VPN. So use 255.255.248.0 as an example; for me that would expose 192.168.0-7.0 and everything that I would need.
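The workaround quoted from the Mullvad help page, the reminder that the route must survive a reboot, and the `ip route add` / netmask-widening suggestions above, put together as one script. This is an added example for this thread, not code from the Mullvad app or from anyone in the discussion. The subnets 10.0.0.0/24 and 10.0.2.0/24 are the issue's own; the gateway address 10.0.0.1, the interface name eth0 and the tunnel interface name wg-mullvad are assumptions, as are the systemd-networkd and NetworkManager persistence snippets (the right one depends on which of those manages the LAN interface).

```shell
#!/bin/sh
# Added example for this thread, not code from the Mullvad app or its authors.
# With "Local network sharing" a host only reaches its own subnet; every other
# subnet behind the LAN gateway needs a static route, and that route must be
# made persistent. 10.0.0.0/24 and 10.0.2.0/24 come from the issue; gateway
# 10.0.0.1, interface eth0 and tunnel name wg-mullvad are assumptions.
set -eu

# ip_to_int 10.0.2.2 -> 167772674 (dotted quad to a 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask_for 24 -> 4294967040 (integer mask for a prefix length, 0..32)
netmask_for() {
    echo $(( (1 << 32) - (1 << (32 - $1)) ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(netmask_for "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# covering_prefix CIDR1 CIDR2: smallest single prefix containing both, e.g.
# 192.168.0.0/24 and 192.168.7.0/24 -> 192.168.0.0/21 (mask 255.255.248.0).
# This is the netmask-widening idea from the last comment, computed rather
# than guessed; note that everything inside the result bypasses the tunnel.
covering_prefix() {
    a=$(ip_to_int "${1%/*}"); b=$(ip_to_int "${2%/*}")
    bits=${1#*/}
    [ "${2#*/}" -lt "$bits" ] && bits=${2#*/}
    while [ "$bits" -gt 0 ]; do
        mask=$(netmask_for "$bits")
        [ $(( a & mask )) -eq $(( b & mask )) ] && break
        bits=$(( bits - 1 ))
    done
    net=$(( a & $(netmask_for "$bits") ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# plan_routes LOCAL_CIDR GATEWAY DEV CIDR...: emit one "ip route add" per
# subnet that is not inside the local one (the local subnet is already
# reachable with Local network sharing; every other one needs the route).
plan_routes() {
    local_cidr=$1; gw=$2; dev=$3; shift 3
    for dest in "$@"; do
        if [ "${dest#*/}" -ge "${local_cidr#*/}" ] && in_cidr "${dest%/*}" "$local_cidr"; then
            continue
        fi
        printf 'ip route add %s via %s dev %s\n' "$dest" "$gw" "$dev"
    done
}

# networkd_route DEST GATEWAY: a [Route] stanza for the interface's
# systemd-networkd .network file, so the route survives a reboot.
# NetworkManager equivalent: nmcli connection modify <con> +ipv4.routes "DEST GATEWAY"
networkd_route() {
    printf '[Route]\nDestination=%s\nGateway=%s\n' "$1" "$2"
}

# route_leaves_tunnel DEST TUNNEL_DEV: ask the kernel which interface DEST
# would leave on right now; fails if it is still the tunnel interface.
# Needs a live system with iproute2, so the tests below do not call it.
route_leaves_tunnel() {
    out=$(ip -o route get "$1") || return 1
    case " $out " in
        *" dev $2 "*) printf 'still via %s: %s\n' "$2" "$out"; return 1 ;;
        *) printf '%s\n' "$out" ;;
    esac
}

# Demo on the issue's addresses (no root or network needed):
plan_routes 10.0.0.0/24 10.0.0.1 eth0 10.0.0.0/24 10.0.2.0/24
covering_prefix 10.0.0.0/24 10.0.2.0/24
networkd_route 10.0.2.0/24 10.0.0.1
# On the real box: plan_routes ... | sudo sh ; then route_leaves_tunnel 10.0.2.2 wg-mullvad
```

Two caveats a practitioner will want: `route_leaves_tunnel` is the check that actually matters, because adding a route that the kernel then ignores in favour of the tunnel's policy rules looks like success until the first ping; and `covering_prefix` trades precision for convenience, since every address inside the widened prefix is treated as local and bypasses the VPN, so keep it no wider than the subnets that are really on your LAN.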