mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
5.09k stars 338 forks

[iOS/iPadOS] Mullvad can't access the local network (for custom DNS) #6594

Open TheFrenchGhosty opened 3 months ago

TheFrenchGhosty commented 3 months ago

Is it a bug?

I have checked if others have reported this already

Current Behavior

Currently Mullvad doesn't request "Local Network" permission, meaning it can't access the Local Network.

This is especially a problem because I want to have my DNS set to my local Adguard Home, which is on my local network.

Expected Behavior

The app should ask for Local Network permission (maybe when users click a button in the DNS settings?)

Steps to Reproduce

N/A

Failure Logs

No response

iOS version

No response

Mullvad VPN app version

No response

Additional Information

No response

dminca commented 2 months ago

I'm facing the same issue with my PiHole.

I know Mullvad already has the capability to block some ads by means of a toggle, but want to rely solely on my PiHole installation

buggmagnet commented 2 months ago

Hi @TheFrenchGhosty and @dminca ! Indeed, as long as we don't need to access local networks, we don't need to ask for said permission. However, there is a way to trigger that permission. Open the settings page (the gear icon in the top right corner of the app), tap on "Api access", and tap on the "Add" button.

This should trigger the prompt to request local access network (which you then have to accept). If the prompt does not appear, open the settings of your device, search for "Mullvad VPN", and check whether there is a setting named "Local Network" with a toggle next to it, and if there is, make sure it's toggled to the ON position.

If nothing else above works, log out from your account (make sure to remember your account number), delete and reinstall the app.

Here's a video of what the process looks like

https://github.com/user-attachments/assets/1b85dfc7-991e-4dfd-bf8f-e0a6dcba5304

And here's what it should look like in the settings of the app once you have enabled the permissions

[Screenshot: IMG_9DE427C1310C-1]

Please let me know if that fixed your problem, and if it did, feel free to close this issue. Thank you for your support, we appreciate it !

TheFrenchGhosty commented 2 months ago

@buggmagnet Alright, so opening API did work to make it request local network access (weird UX by the way)... so now new issue: even with local network access allowed in the OS setting a custom DNS to a local IP doesn't work, and no requests seem to be sent to the local DNS server.

(to be clear, I did reset the WiFi network configuration (I also tried forgetting the network) so that it doesn't conflict)

buggmagnet commented 2 months ago

@TheFrenchGhosty

> (weird UX by the way)

Unfortunately, this is a quirk of how iOS triggers that request. There is no official API to request local network access, and we didn't feel like asking for the permission for no good reason. So instead, when the user wants to actually add an API access method, we assume that they might want to use a local proxy, and thus trigger some network code that would trigger the alert. (There is a longer explanation for why we do it this way, but it's irrelevant here).

> even with local network access allowed in the OS setting a custom DNS to a local IP doesn't work

I'm a bit confused, are you saying the Custom DNS feature doesn't work ?

Let's take an example: I've set my location to the UK, and connected to the relay named gb-lon-wg-201. Then I set my Custom DNS to 1.1.1.1 (see screenshot below)

After that, I went to mullvad.net/check and it correctly detected that I was using Cloudflare's DNS server.

[Screenshot: IMG_A394B8F378D6-1]

Can you confirm the following things:

TheFrenchGhosty commented 2 months ago

@buggmagnet

> I'm a bit confused, are you saying the Custom DNS feature doesn't work ?

Yes, it doesn't with a local network IP (I just tried with 1.1.1.1 and it works perfectly, and this DNS is reflected on mullvad.net/check )

I can confirm all 4 points.

buggmagnet commented 2 months ago

@TheFrenchGhosty

Ok, thanks for letting me know. I'll try to reproduce this issue further, and I will keep you up to date with the results of my findings.

buggmagnet commented 2 months ago

@TheFrenchGhosty I'm afraid I have some bad news. I cannot reproduce the issue you're having. I have set up a DNS server on my local router (192.168.1.1, a local IP), and it resolved just fine.

Just to make sure, I did run a dig google.com command as well, and got a valid result. Out of curiosity, I tried to use AdGuard's DNS resolver, and looking at some posts on Reddit, users are complaining that it's sometimes down.

You can check yourself whether AdGuard's DNS server (well, one of them at least) is up with the following test:

% dig @94.140.14.14 google.com

; <<>> DiG 9.10.6 <<>> @94.140.14.14 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17296
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 0
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     216 IN  A   142.250.74.78

;; Query time: 30 msec
;; SERVER: 94.140.14.14#53(94.140.14.14)
;; WHEN: Fri Aug 30 14:50:46 CEST 2024
;; MSG SIZE  rcvd: 55

If you manually set your DNS resolver to AdGuard's public DNS resolver, you should be able to use it just fine. I believe you are having a problem with your local network setup, which I cannot help you with unfortunately. Try to make the following tests :
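The resolver check described in the comment above, as an added example that is not part of the original thread or of the Mullvad code base: it builds the same A query `dig` sends, parses the reply, and reports whether the resolver address is on a private (local-network) range. `SAMPLE` is a constructed message rebuilt from the fields in the dig output above; the function names are assumptions made for this sketch.

```python
import ipaddress
import socket
import struct

# Constructed sample: the 55-byte reply implied by the dig output above
# (id 17296, flags qr rd ra, google.com A 142.250.74.78, TTL 216, one OPT record).
SAMPLE = bytes.fromhex(
    "439081800001000100000001" "06676f6f676c6503636f6d0000010001"
    "c00c00010001000000d800048efa4a4e" "0000290000000000000000")

def build_query(name, qid):
    """A query with RD set, as dig sends it (without the EDNS OPT record)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack("!2H", 1, 1)

def skip_name(msg, off):
    """Offset just past a name; a compression pointer (0xC0..) ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return {"id": qid, "answered": bool(flags & 0x8000), "rcode": flags & 0xF, "a": addrs}

def is_local(resolver):
    """True for RFC 1918 and other private ranges, e.g. 192.168.1.1."""
    return ipaddress.ip_address(resolver).is_private

def probe(resolver, name="google.com", timeout=2.0):
    """One UDP query to port 53; a timeout means no reply reached this host."""
    result = {"resolver": resolver, "local": is_local(resolver)}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, 0x4390), (resolver, 53))
            result.update(parse_response(s.recv(512)))
        except (OSError, struct.error, IndexError) as exc:
            result["error"] = str(exc)
    return result
```

Calling `probe("192.168.1.1")` and `probe("94.140.14.14")` from a machine on the same LAN, once with the tunnel up and once with it down, shows whether queries to the local resolver are the ones going unanswered.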

TheFrenchGhosty commented 2 months ago

@buggmagnet

So:

My Adguard Home has been set up for weeks and is used on multiple devices, 3/4 of them running Mullvad (so the DNS is configured in the Mullvad app), e.g. the Linux laptop I'm currently writing this on. It works perfectly on all of my devices... except for that iPad (when connected to Mullvad).

The iPad can connect to the Adguard Home directly if it's not through Mullvad.

The problem is somewhere in the Mullvad iPadOS app (and iOS if it's the same code)

(I also just tried to reinstall it so that I'm running it with the default settings - then just made it ask for local network and set up the DNS, and the problem is still here).

(also, no I am not interested in using the public Adguard DNS resolver, I want Adguard Home (which is basically a PiHole but better))

buggmagnet commented 2 months ago

@TheFrenchGhosty

> The problem is somewhere in the Mullvad iPadOS app (and iOS if it's the same code)

The iPad and iOS version are running exactly the same code.

Interestingly, after trying a bit harder, I managed to get into the same situation. I'm not sure what exactly is the problem at the moment, but I'm gonna file a bug report on our internal tracker, and whilst I can't give an ETA on when we will fix the issue, I can say with confidence that we will not ignore it.

Thank you once again for filing the bug report, I hope to come back with good news in the future.

EDIT: After further searching, it seems that it's a long-standing issue we've had.

We've decided to revisit this issue when we implement using the includeAllNetworks API provided by Apple.

TheFrenchGhosty commented 2 months ago

@buggmagnet Amazing! Glad to know I was able to help! (and I guess it's good to know that it was an old bug)

Thank you for spending time on this and not giving up when you couldn't reproduce it. Really appreciated!