phirecc / mlvd

A minimal Mullvad WireGuard client
MIT License

mlvd doesn't work with Mullvad's killswitch rules #2

Closed emk2203 closed 1 year ago

emk2203 commented 1 year ago

When trying to use Mullvad's killswitch rules, an ssh connection to the computer is lost (gobbled up by the killswitch rules). In the status, the invocation of the preup is the last thing before the connection freezes.

The rules are

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

The %i variable gets successfully replaced by mlvd, so this part works.
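The rejection logic of the PostUp rule quoted above, modelled as an added shell example (not code from mlvd, wg-quick, or either commenter). The interface name mlvd is taken from the thread; the fwmark 51820 is an assumed stand-in for whatever `wg show mlvd fwmark` returns on a real host.

```shell
#!/bin/sh
# Added illustration: expands the kill-switch rule the way wg-quick would and
# evaluates its three negated matches for a single outbound packet, so the
# SSH freeze from the issue can be reasoned about without a live tunnel.
# Assumptions: interface "mlvd" (from the thread) and fwmark 51820 (wg-quick's
# usual first choice; the real value comes from `wg show mlvd fwmark`).

WG_IF="mlvd"
WG_FWMARK="51820"

# Render the IPv4 half of the PostUp (-I) or PreDown (-D) line:
# %i -> interface name, $(wg show %i fwmark) -> the tunnel's fwmark.
render_rule() {
    action="$1"
    printf 'iptables %s OUTPUT ! -o %s -m mark ! --mark %s -m addrtype ! --dst-type LOCAL -j REJECT\n' \
        "$action" "$WG_IF" "$WG_FWMARK"
}

# Verdict of that rule for one packet leaving the host:
#   $1 = output interface, $2 = fwmark on the packet (0 = none),
#   $3 = address type of the destination (LOCAL = an address of this host).
# The rule only REJECTs when all three negated matches hold at once.
ks_verdict() {
    oif="$1"; mark="$2"; dsttype="$3"
    [ "$oif" = "$WG_IF" ] && { echo PASS; return; }       # goes through the tunnel
    [ "$mark" = "$WG_FWMARK" ] && { echo PASS; return; }  # WireGuard's own encrypted UDP
    [ "$dsttype" = "LOCAL" ] && { echo PASS; return; }    # addressed to this host itself
    echo REJECT
}

# Constructed scenarios: tunnel traffic, WireGuard's encrypted UDP on the uplink,
# loopback, and the reply to an SSH session that arrived over eth0 from a remote
# admin host (unmarked, leaves via eth0, destination is not local).
render_rule -I
ks_verdict mlvd 0 UNICAST      # PASS
ks_verdict eth0 51820 UNICAST  # PASS
ks_verdict lo 0 LOCAL          # PASS
ks_verdict eth0 0 UNICAST      # REJECT: this is the SSH reply path from the issue
```

The last line is the case the issue reports: replies to an inbound SSH session never enter the tunnel and carry no fwmark, so the rule rejects them as soon as it is inserted.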

phirecc commented 1 year ago

mlvd uses wg-quick to set up the tunnel. It writes /etc/wireguard/mlvd.conf by filling out template.conf and then runs wg-quick up mlvd. So this is out of scope for the project.

What is this killswitch supposed to do? By default all internet traffic is routed through the vpn interface.

emk2203 commented 1 year ago

The kill switch is supposed to prevent outgoing, non-internal traffic in case the VPN connection breaks down for whatever reason.

And good to know the workings of mlvd under the hood.

That's why your earlier shell script version had advantages. I can't look into the rust version, but it's easy to do so with the shell code.

phirecc commented 1 year ago

With the way wg-quick does its routing, traffic won't escape the VPN even if the connection breaks down. At least I haven't experienced anything like that yet. The mechanism is described in their docs.

The shell script is probably easier to read for most people, but it gets ugly when it comes to error handling, etc. The rust code is not very complex either, I think you should for example be able to get the gist of how the tunnel is set up by looking at src/wireguard.rs without knowing the language.