Open Cimbali opened 9 months ago
This is not directly supported and likely never will be. In our solution, an application lives on either side of the tunnel, never on both sides.
However, there are a couple different workarounds that might be applicable in your case.
What exactly is it that you're trying to do?
On Linux this would be possible with some special firewall rules. But not currently on Windows. https://mullvad.net/en/help/split-tunneling-with-linux-advanced/
> What exactly is it that you're trying to do?
Essentially trying to extend split-tunnelling to Firefox containers*.
Currently, the browser can use different exit points on different containers using proxies. However there’s currently no way to have a non-tunnelled container, or non-tunnelled traffic by default and only some containers tunnelled.
This causes issues with some websites that work poorly with (or explicitly block) proxied access (mainly streaming services like Netflix, HBO, RTÉ, etc).
> there are a couple different workarounds that might be applicable in your case.
I would be interested in some pointers I could look at, if you don’t mind.
All I can think at the moment is having 2 different instances of the browser running with different profiles (that can sync over the internet), one split-tunnelled and the other tunnelled. This seems quite impractical, and even then it’s the same binary so I’m not sure it would work.
> On Linux this would be possible with some special firewall rules. But not currently on Windows. https://mullvad.net/en/help/split-tunneling-with-linux-advanced/
I have already achieved this on Linux, indeed. Essentially the setup is:
- route the 10.124.0.0/20 and 10.64.0.1/32 ranges from the split-tunnelled browser through the tunnel
- 10.64.0.1 as container proxy to exit with the currently-selected exit point

\* Containers, aka contextual identities, are separate in-browser environments for tabs or sets of tabs. Each environment has separate cookie stores and (limited) preferences, including the proxy, which allows for separate exit points thanks to Mullvad VPN, and more. This allows connecting to a website with different accounts, for example.
Somewhat unrelated, but I think the correct ranges to use would be 10.124.0.0/20 and 10.64.0.1/32.
Back to your main question. I understand your question as wanting to use split tunneling with Firefox and having selected Firefox containers exit through the tunnel.
An application that's being split is allowed to establish connections to localhost, so you could try bouncing the traffic. Something like this: listen on 127.0.0.1:45067 and have it bounce traffic to e.g. 10.64.0.1:1080, with the container then using 127.0.0.1:45067 as its proxy.

This would probably work but doesn't really make sense unless you direct traffic towards one of the proxies in the 10.124.x.x range, in order to get multihop. If you want to exit through the primary relay you might as well run a regular SOCKS5 proxy that you bind to e.g. 127.0.0.1:45067.
> I think the correct ranges to use would be 10.124.0.0/20 and 10.64.0.1/32.
Indeed. I edited my messages accordingly.
> you could try bouncing the traffic
I think that would require opening 1 local port per allowable output server? That means opening 4k ports to cover the range, which is a bit much. Or abusing another mechanism to specify an output port, e.g. proxy login, to specify which node to use.
Worth thinking about. Both need running a proxy locally and changing the VPN socks configuration scheme.
Perhaps you could limit yourself to using a handful of exits concurrently, use a set-and-forget config for containers, and manage the exit selection in bouncer configs?
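The bouncer sketched above (a loopback listener that forwards into the tunnel to a Mullvad SOCKS proxy), combined with the follow-up idea of using the proxy login to pick the exit so that one local port can serve the whole 10.124.0.0/20 range rather than one port per exit, as an added example; this is not code from this issue or from Mullvad. It assumes the 10.124.x.x proxies listen on port 1080 without authentication (only 10.64.0.1:1080 is mentioned in the thread), that the container's proxy settings can supply a SOCKS5 username, and the "username is the dotted address of the wanted proxy" convention is this example's own. The username is validated against the proxy range before anything is dialled, so the loopback listener cannot be turned into a forwarder to arbitrary hosts by whatever else on the machine can reach 127.0.0.1.

```python
"""Local SOCKS5 "bouncer" for a split-tunnelled browser: listens on loopback (which a
split app may still reach) and forwards each session to an in-tunnel Mullvad SOCKS proxy."""
import contextlib
import ipaddress
import socket
import threading

PROXY_RANGE = ipaddress.ip_network("10.124.0.0/20")  # multihop proxies (from the thread)
DEFAULT_UPSTREAM = ("10.64.0.1", 1080)               # primary relay proxy (from the thread)
LISTEN = ("127.0.0.1", 45067)                        # loopback port the container points at

def select_upstream(username):
    """Constructed convention: no username -> primary relay proxy; a dotted IPv4 inside
    10.124.0.0/20 -> that multihop proxy; anything else is refused (ValueError), so a
    typo cannot turn the bouncer into a forwarder to arbitrary hosts."""
    if not username:
        return DEFAULT_UPSTREAM
    addr = ipaddress.IPv4Address(username.decode("ascii", "replace"))  # ValueError if not IPv4
    if addr not in PROXY_RANGE:
        raise ValueError(f"{addr} is outside {PROXY_RANGE}")
    return (str(addr), 1080)  # port 1080 assumed for the 10.124.x.x proxies

def _recv_exact(sock, n):
    """Read exactly n bytes (SOCKS fields are length-prefixed) or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS negotiation")
        buf += chunk
    return buf

def read_greeting(sock):
    """Client greeting (RFC 1928): VER NMETHODS METHODS... -> list of offered methods."""
    ver, nmethods = _recv_exact(sock, 2)
    if ver != 5:
        raise ValueError(f"not SOCKS5 (version byte {ver})")
    return list(_recv_exact(sock, nmethods))

def read_userpass(sock):
    """Username/password sub-negotiation (RFC 1929) -> (username, password)."""
    ver, ulen = _recv_exact(sock, 2)
    if ver != 1:
        raise ValueError("bad username/password sub-negotiation version")
    user = _recv_exact(sock, ulen)
    return user, _recv_exact(sock, _recv_exact(sock, 1)[0])

def _pump(src, dst):
    """Copy one direction; on EOF or error half-close dst so the other side drains."""
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(client):
    upstream = None
    try:
        methods = read_greeting(client)
        if 0x02 in methods:                   # username/password offered: pick the exit
            client.sendall(b"\x05\x02")
            user, _ = read_userpass(client)
            try:
                target = select_upstream(user)
            except ValueError:
                client.sendall(b"\x01\x01")   # auth failure; the client must close
                return
            client.sendall(b"\x01\x00")
        elif 0x00 in methods:                 # no auth: primary relay proxy
            client.sendall(b"\x05\x00")
            target = DEFAULT_UPSTREAM
        else:
            client.sendall(b"\x05\xff")       # no acceptable method
            return
        upstream = socket.create_connection(target, timeout=10)
        upstream.sendall(b"\x05\x01\x00")     # greet upstream offering no-auth only
        if _recv_exact(upstream, 2) != b"\x05\x00":
            raise ConnectionError("upstream refused no-auth")
        upstream.settimeout(None)
        # Past authentication the CONNECT request/reply are identical bytes on both legs,
        # so the rest of the session is a plain bidirectional relay.
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
    except (OSError, ValueError):
        pass
    finally:
        client.close()
        if upstream is not None:
            upstream.close()

def serve(listen=LISTEN):
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Run it while the VPN is connected and the browser is split-tunnelled, then give a container the proxy socks5://127.0.0.1:45067 with the wanted 10.124.x.x address as the username (or no login to use the primary relay proxy). Only the greeting and the login are handled locally; the browser's own CONNECT request is passed through to the upstream proxy unchanged, which is what keeps the bouncer protocol-agnostic beyond the auth step. Keep it bound to 127.0.0.1: it carries no authentication of its own, so the only thing limiting what it will forward to is the range check in select_upstream.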
Hi -- this is more a question than an issue.

Is it possible to set up a Windows application as split-tunnelled (I mean its "normal" traffic not going through the tunnel), except for its traffic in the 10.124.0.0/20 range, which would go through the tunnel to allow access to the various SOCKS proxies? Would that be achievable with routing, or would it require changes to the split tunnel driver?