Open FeryET opened 3 weeks ago
Hi.
Just in case it wasn't clear from the advanced split tunneling guide, the nftables ruleset you write only needs to be applied once, and can be left in place whether connected or not. It shouldn't be more work than writing a script that we call for you after connecting. Could you elaborate on why the solution doesn't work for you?
It's also unclear how a custom ruleset applied after connecting would be cleaned up afterwards. How does your current setup handle that?
@Serock3
Hi.
I currently have an nftables script that I source inside my nftables startup script (/etc/nftables.conf), but after running Mullvad, the rules are not respected. The file is located at /etc/nftables.d/mullvad.conf.
I have the following table (this table is being sourced in /etc/nftables.conf via this line: include "/etc/nftables.d/*.conf"):
#!/usr/sbin/nft -f
define EXCLUDED_IPS = { <my_server_ip>, <company_server_ip> }
table inet excludeTraffic {
    chain excludeOutgoing {
        type filter hook output priority -10; policy accept;
        ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
    chain excludeIncoming {
        type filter hook input priority -10; policy accept;
        ip saddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
    }
}
And when I list the ruleset using the sudo nft list ruleset command, this output is generated even when I'm connected to Mullvad:
table inet excludeTraffic {
    chain excludeOutgoing {
        type filter hook output priority filter - 10; policy accept;
        ip daddr { <my_server_ip>, <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
    chain excludeIncoming {
        type filter hook input priority filter - 10; policy accept;
        ip saddr { <my_server_ip>, <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
}
But I cannot ssh into my servers anymore. When I source the nftables file manually using nft -f /etc/nftables.d/mullvad.conf, I can.
Or if I don't do that, or use mullvad-exclude ssh <my_server>, I can ssh into it.
Either I have configured my nftables script badly, or mullvad cannot respect a pre-configured nftables script after connecting. I'm not well versed in the configuration of nftables, but according to the guide on Mullvad's website everything should work.
I have checked if others have suggested this already
Feature description
Currently the advanced split tunneling feature in Mullvad requires writing a custom nftables ruleset that should be manually applied.
It will be very helpful if mullvad can provide a post connection nftables hook, that calls the splittunneling script provided by the user.
Alternative solutions
I am run, and then connect to mullvad. Using a cronjob I check if it's connected, and if so, apply the splittunneling nft ruleset that I have written.
This could be done much more cleanly.
Type of feature
Operating System
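The cron-driven approach described under "Alternative solutions", written here as an added, idempotent POSIX shell example (not the reporter's script and not Mullvad's code). It assumes that "mullvad status" prints a line starting with "Connected" while the tunnel is up, and that the ruleset file defines "table inet excludeTraffic" as in the post above; the decision logic is kept separate from the commands that touch the system so it only loads the table once and removes it again after a disconnect.

```shell
#!/bin/sh
# Added example, not the reporter's or Mullvad's code. Decides from the text of
# `mullvad status` and `nft list tables` whether the split-tunnel ruleset in
# /etc/nftables.d/mullvad.conf should be loaded, removed, or left alone.
# Assumptions: `mullvad status` starts its output with "Connected" while the
# tunnel is up, and the ruleset file defines "table inet excludeTraffic".
set -eu

RULESET=/etc/nftables.d/mullvad.conf
TABLE="inet excludeTraffic"

# Returns 0 when the status text reports an established tunnel.
tunnel_connected() {
    case "$1" in
        Connected*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Returns 0 when the `nft list tables` output already contains our table.
table_loaded() {
    printf '%s\n' "$1" | grep -qx "table $TABLE"
}

# Prints the action that keeps the rules in step with the tunnel state
# without ever loading the table twice: apply, remove, or noop.
decide_action() {
    status="$1"; tables="$2"
    if tunnel_connected "$status"; then
        table_loaded "$tables" && echo noop || echo apply
    else
        table_loaded "$tables" && echo remove || echo noop
    fi
}

# Only touch the live system when invoked as `script.sh run` (e.g. from cron);
# $TABLE is left unquoted so it expands to the two words nft expects.
if [ "${1:-}" = run ]; then
    case "$(decide_action "$(mullvad status)" "$(nft list tables)")" in
        apply)  nft -f "$RULESET" ;;
        remove) nft delete table $TABLE ;;
    esac
fi
```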