mullvad / win-split-tunnel

Mullvad split tunnel driver for Windows
GNU General Public License v3.0

Possibility to configure exclusion with socks access? #37

Open Cimbali opened 9 months ago

Cimbali commented 9 months ago

Hi -- this is more a question than an issue.

Is it possible to set up a Windows application as split-tunnelled (I mean its “normal” traffic not going through the tunnel), except for its traffic in the 10.124.0.0/20 range, which would go through the tunnel to allow access to the various SOCKS proxies?

Would that be achievable with routing, or would it require changes to the split tunnel driver?

mvd-ows commented 9 months ago

This is not directly supported and likely never will be. In our solution, an application lives on either side of the tunnel, never on both sides.

However, there are a couple different workarounds that might be applicable in your case.

What exactly is it that you're trying to do?

faern commented 9 months ago

On Linux this would be possible with some special firewall rules. But not currently on Windows. https://mullvad.net/en/help/split-tunneling-with-linux-advanced/

Cimbali commented 9 months ago

> What exactly is it that you're trying to do?

Essentially trying to extend split-tunnelling to Firefox containers*.

Currently, the browser can use different exit points on different containers using proxies. However there’s currently no way to have a non-tunnelled container, or non-tunnelled traffic by default and only some containers tunnelled.

This causes issues with some websites that work poorly with (or explicitly block) proxied access (mainly streaming services like Netflix, HBO, RTÉ, etc).

> there are a couple different workarounds that might be applicable in your case.

I would be interested in some pointers I could look at, if you don’t mind.

All I can think of at the moment is having 2 different instances of the browser running with different profiles (that can sync over the internet), one split-tunnelled and the other tunnelled. This seems quite impractical, and even then it’s the same binary so I’m not sure it would work.

> On Linux this would be possible with some special firewall rules. But not currently on Windows. https://mullvad.net/en/help/split-tunneling-with-linux-advanced/

I have already achieved this on Linux, indeed. Essentially the setup is:


* Containers, aka contextual identities, are separate in-browser environments for tabs or sets of tabs. Each environment has separate cookie stores, (limited) preferences, including proxy settings, which allow for separate exit points thanks to Mullvad VPN, and more. This allows connecting to a website with different accounts, for example.

mvd-ows commented 9 months ago

Somewhat unrelated, but I think the correct ranges to use would be 10.124.0.0/20 and 10.64.0.1/32.

Back to your main question. I understand your question as wanting to use split tunneling with Firefox and having selected Firefox containers exit through the tunnel.

An application that's being split is allowed to establish connections to localhost, so you could try bouncing the traffic. Something like this:

  1. Establish VPN tunnel.
  2. In the Mullvad app, configure Firefox to use split tunneling.
  3. Launch a bouncer on e.g. 127.0.0.1:45067 and have it bounce traffic to e.g. 10.64.0.1:1080.
  4. Configure your container to use the SOCKS5 proxy at 127.0.0.1:45067.

This would probably work but doesn't really make sense unless you direct traffic towards one of the proxies in the 10.124.x.x range, in order to get multihop.

If you want to exit through the primary relay you might as well run a regular SOCKS5 proxy that you bind to e.g. 127.0.0.1:45067.

Cimbali commented 9 months ago

> I think the correct ranges to use would be 10.124.0.0/20 and 10.64.0.1/32.

Indeed. I edited my messages accordingly.

> you could try bouncing the traffic

I think that would require opening 1 local port per allowable output server? That means opening 4k ports to cover the range, which is a bit much. Or abusing another mechanism to specify an output port, e.g. proxy login, to specify which node to use.

Worth thinking about. Both need a proxy running locally and a change to the VPN SOCKS configuration scheme.

mvd-ows commented 9 months ago

Perhaps you could limit yourself to using a handful of exits concurrently, use a set-and-forget config for containers, and manage the exit selection in bouncer configs?
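As an added example (not code from this project or from anyone in the thread), here is one way to combine the loopback bouncer from mvd-ows's steps with Cimbali's "proxy login" idea and the suggestion above to manage exit selection in the bouncer config: a single local SOCKS5 listener on 127.0.0.1:45067 where the username each Firefox container sends picks which in-tunnel proxy the connection is bounced to. It assumes the upstream proxies accept unauthenticated SOCKS5, that the container's proxy configuration can supply a SOCKS5 username (the WebExtension proxy API allows this), and the exit addresses in the table are constructed placeholders, not real Mullvad hosts.

```python
import asyncio
# Constructed exit table: the SOCKS5 username a Firefox container sends picks the
# in-tunnel proxy to bounce to (hypothetical 10.124.0.0/20 addresses; 10.64.0.1 stands
# for the primary relay). Unknown usernames fall back to the primary relay's proxy.
EXITS = {"se-sto": ("10.124.0.10", 1080), "de-fra": ("10.124.0.11", 1080),
         "default": ("10.64.0.1", 1080)}
LISTEN = ("127.0.0.1", 45067)  # loopback bouncer address used in the thread
def choose_upstream(username):
    return EXITS.get(username, EXITS["default"])

async def client_auth(r, w):  # SOCKS5 greeting + RFC 1929 user/pass step; returns username
    ver, nmethods = await r.readexactly(2)
    methods = await r.readexactly(nmethods)
    if ver != 5 or 0x02 not in methods:
        w.write(b"\x05\xff")  # no acceptable method: client must offer username/password
        raise ConnectionError("client offers no username/password auth")
    w.write(b"\x05\x02")  # select username/password so the client names its exit
    _, ulen = await r.readexactly(2)
    user = (await r.readexactly(ulen)).decode()
    plen = (await r.readexactly(1))[0]
    await r.readexactly(plen)  # password is not checked; only the username matters
    w.write(b"\x01\x00")  # auth success
    await w.drain()
    return user

async def pipe(r, w):  # copy one direction until EOF, then close the writing side
    try:
        while data := await r.read(65536):
            w.write(data)
            await w.drain()
    finally:
        w.close()

async def handle(cr, cw):
    try:
        host, port = choose_upstream(await client_auth(cr, cw))
        ur, uw = await asyncio.open_connection(host, port)
        uw.write(b"\x05\x01\x00")  # assumes the upstream proxy accepts no-auth SOCKS5
        if await ur.readexactly(2) == b"\x05\x00":
            await asyncio.gather(pipe(cr, uw), pipe(ur, cw))  # relay CONNECT + payload verbatim
        else:
            uw.close()
    except (asyncio.IncompleteReadError, ConnectionError, OSError, UnicodeDecodeError):
        pass
    finally:
        cw.close()

async def main():
    async with await asyncio.start_server(handle, *LISTEN) as srv:
        await srv.serve_forever()
if __name__ == "__main__":
    asyncio.run(main())
```

Because the client's CONNECT request is forwarded untouched, a container configured with "proxy DNS when using SOCKS v5" still has its hostnames resolved by the in-tunnel proxy rather than locally.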