mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

[Feature request] nftables hook/config for mullvad vpn linux app? #6638

Open FeryET opened 3 weeks ago

FeryET commented 3 weeks ago

I have checked if others have suggested this already

Feature description

Currently the advanced split tunneling feature in Mullvad requires writing a custom nftables ruleset that should be manually applied.

It will be very helpful if mullvad can provide a post connection nftables hook, that calls the splittunneling script provided by the user.

Alternative solutions

I am run, and then connect to mullvad. Using a cronjob I check if it's connected, and if so, apply the splittunneling nft ruleset that I have written.

This can be done much cleaner.

Type of feature

Operating System

Serock3 commented 2 weeks ago

Hi.

Just in case it wasn't clear from the advanced split tunneling guide, the nftables ruleset you write only needs to be applied once, and can be left in place whether connected or not. It shouldn't be more work than writing a script that we call for you after connecting. Could you elaborate on why the solution doesn't work for you?

It's also unclear how a custom ruleset applied after connecting would be cleaned up afterwards. How does your current setup handle that?

FeryET commented 1 week ago

@Serock3

Hi.

I currently have an nftables script that I source inside my nftables startup script (/etc/nftables.conf), but after running Mullvad, the rules are not respected. The file is located at /etc/nftables.d/mullvad.conf.

I have the following table (This table is being sourced in /etc/nftables.conf via this line: include "/etc/nftables.d/*.conf")

#!/usr/sbin/nft -f
# Hosts whose traffic should bypass the tunnel (placeholders kept as posted).
define EXCLUDED_IPS = {  <my_server_ip>,  <company_server_ip> }

table inet excludeTraffic {
  # Outgoing packets to the excluded hosts: tag the connection (ct mark) and the
  # packet (meta mark). "mark set" is nft shorthand for "meta mark set", which is
  # why the listed ruleset shows it expanded; the packet mark is set twice here
  # and the last value, 0x6d6f6c65, is the one that stays.
  chain excludeOutgoing {
    type filter hook output priority -10; policy accept;
    ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
  # Incoming packets from the excluded hosts get the same two marks.
  chain excludeIncoming {
    type filter hook input priority -10; policy accept;
    ip saddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

And when I list the ruleset using the sudo nft list ruleset command, this output is generated even when I'm connected to mullvad:

table inet excludeTraffic {
        chain excludeOutgoing {
                type filter hook output priority filter - 10; policy accept;
                ip daddr { <my_server_ip>,  <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }

        chain excludeIncoming {
                type filter hook input priority filter - 10; policy accept;
                ip saddr { <my_server_ip>,  <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }
}

But I cannot ssh into my servers anymore. When I source the nftables file manually using nft -f /etc/nftables.d/mullvad.conf, I can.

Or, if I don't do that but use mullvad-exclude ssh <my_server> instead, I can ssh into it.

Either I have configured my nftables script badly, or mullvad cannot respect a pre-configured nftables script after connecting. I'm not well versed in the configuration of nftables, but according to the guide on Mullvad's website everything should work.
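One way to check mechanically what Serock3's question and the "works only after nft -f" observation turn on, as an added example that is not Mullvad's code nor part of this issue: dump the ruleset once after boot and once right after the manual reload, and compare the excludeTraffic table in both, checking that the chains hook where the guide expects and that every rule sets both marks. The sample dump below is constructed (RFC 5737 documentation addresses replace the real server IPs, and someOtherTable is filler so the extractor is exercised on a multi-table dump); the functions work on any text saved from nft list ruleset.

```shell
#!/bin/sh
# Added example (not Mullvad's code): inspect a saved `nft list ruleset` dump
# for the excludeTraffic table from the advanced split-tunneling guide.

# Constructed sample dump. 192.0.2.10 and 198.51.100.20 are documentation
# addresses standing in for the real server IPs; someOtherTable is filler.
SAMPLE_RULESET='table inet excludeTraffic {
        chain excludeOutgoing {
                type filter hook output priority filter - 10; policy accept;
                ip daddr { 192.0.2.10, 198.51.100.20 } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }

        chain excludeIncoming {
                type filter hook input priority filter - 10; policy accept;
                ip saddr { 192.0.2.10, 198.51.100.20 } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }
}
table inet someOtherTable {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
        }
}'

# extract_table DUMP TABLE -> prints only that table block, tracking brace
# depth so nested chains and set literals like { a, b } do not end it early.
extract_table() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "table" && $3 == name { inside = 1; depth = 0 }
        inside {
            print
            depth += gsub(/[{]/, "&") - gsub(/[}]/, "&")
            if (depth == 0) inside = 0
        }'
}

# chain_hook DUMP TABLE CHAIN -> prints the "type ... hook ... priority ..."
# declaration of CHAIN with the trailing "; policy ..." removed.
chain_hook() {
    extract_table "$1" "$2" | awk -v chain="$3" '
        $1 == "chain" && $2 == chain { found = 1; next }
        found && $1 == "type" { sub(/;.*/, ""); sub(/^[ \t]+/, ""); print; exit }'
}

# count_marked_rules DUMP TABLE -> number of rules in TABLE that set both the
# conntrack mark (0x00000f41) and the packet mark (0x6d6f6c65) the guide uses.
count_marked_rules() {
    extract_table "$1" "$2" \
        | grep -c 'ct mark set 0x00000f41.*meta mark set 0x6d6f6c65' || true
}

# table_fingerprint DUMP TABLE -> the table with indentation and blank lines
# stripped, on one line. Equal fingerprints for a boot-time dump and a dump
# taken right after `nft -f /etc/nftables.d/mullvad.conf` mean the reload
# changed nothing in this table, so the difference lies elsewhere.
table_fingerprint() {
    extract_table "$1" "$2" | sed 's/^[[:space:]]*//' | grep -v '^$' | tr '\n' ' '
}

# Report on a dump given as a file argument, or on the constructed sample.
if [ "$#" -ge 1 ]; then
    DUMP=$(cat "$1")
else
    DUMP=$SAMPLE_RULESET
fi
printf 'excludeOutgoing: %s\n' "$(chain_hook "$DUMP" excludeTraffic excludeOutgoing)"
printf 'excludeIncoming: %s\n' "$(chain_hook "$DUMP" excludeTraffic excludeIncoming)"
printf 'rules setting both marks: %s\n' "$(count_marked_rules "$DUMP" excludeTraffic)"
```

Usage: save `sudo nft list ruleset` to one file after boot and to another right after the manual `nft -f`, run the script on each, and compare the two reports (or the two table_fingerprint outputs). If they match, the table itself is not what the manual reload changes, which narrows the question to whatever else happens at that moment.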