qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
8.03k stars 371 forks

Bug: Mullvad M247 server changes - Canada/London/Paris #218

Closed harrytheeskimo closed 4 years ago

harrytheeskimo commented 4 years ago

Hi there, it looks like Mullvad have changed their M247 server list in Canada, London and Paris. Have seen connection issues to Canada and discovered the update on the Mullvad Server page today, so changed over to Sweden which is working fine.

The Mullvad Servers page has the following banners:

M247 - Montreal : ca1,ca3.ca5.ca6.ca8.ca9-wireguard and ca.mtr-0 will be replaced, and will be terminated within 24h. M247 - London : gb1,gb6-wireguard, and gb-lon-20 will be terminated in a couple of days. Aug 4, 2020, 09:33 UTC

M247 Paris - fr1,-wireguardfr2-wireguard,fr3-wireguard,fr-par-1 have been replaced with new servers(fr10-fr14-wireguard and fr-par-20 . Please use the new servers. Aug 3, 2020, 11:03 UTC

Seems really odd that Mullvad don't have any obvious updates outside their Server page - nothing on their Twitter feed / RSS / blog for example. Wondering if there's an API of theirs that people can check for this kind of thing, or do they expect their customers to continually scrape their Servers page?

Thanks for your continued efforts on this awesome project!!

  1. Is this urgent?

    • [X] Yes
    • [x] No
  2. What VPN service provider are you using?

    • [ ] PIA
    • [X] Mullvad
    • [ ] Windscribe
    • [ ] Surfshark
    • [ ] Cyberghost
  3. What's the version of the program?

    Running version latest built on 2020-08-08T16:28:15Z (commit 78323f0)

  4. What are you using to run the container?

    • [ ] Docker run
    • [x] Docker Compose
    • [ ] Kubernetes
    • [ ] Docker stack
    • [ ] Docker swarm
    • [ ] Podman
    • [ ] Other:

qdm12 commented 4 years ago

Unfortunately I don't remember how I built the list of servers for Mullvad, maybe manually (what a pain).

While we're at it, as they seem to change even more servers

M247 Milan: it1,it2,it3-wireguard and it-mil-0 , M247 Singapore: sg1,sg2,sg3-wireguard and sg-sin-00 , M247 Japan: jp1 to jp5-wireguard and jp-tyo-0* . All those servers will be terminated within 24 hours, please switch to the replacement servers.

It would be nice to automate the process! Would you mind asking Mullvad if they have a way to obtain the server list dynamically (i.e. in JSON or some machine readable format)? I can dig further in the ugly minified React compiled javascript code of their website but I would prefer to avoid that.

Thanks!!

harrytheeskimo commented 4 years ago

No problem - I've emailed their support. While I'm waiting on their email response, I was able to find these API endpoints in another GitHub project (https://github.com/UnnoTed/mullvad-ping-list):

https://api.mullvad.net/www/relays/all/
https://api.mullvad.net/www/relays/openvpn/
https://api.mullvad.net/www/relays/wireguard/

Hopefully that does the trick, it comes back with a JSON formatted list of server info (which seem to be updated matching their Servers web page).

I'm not sure how well the API is maintained though, it would certainly be nice if they documented it! I'll ask them on that when they respond to my email.

qdm12 commented 4 years ago

That should fit it, nice! I'll do it over the weekend 👍

harrytheeskimo commented 4 years ago

Thanks, that's awesome.

I've found the Mullvad app source for updating their 'relay list' also: https://github.com/mullvad/mullvadvpn-app/blob/master/mullvad-rpc/src/relay_list.rs

This is using the following endpoint, which may be more sustainable considering it's in their official apps: https://api.mullvad.net/v1/relays

Looks like the public version of this needs the following: https://api.mullvad.net/public/relays/v1/

qdm12 commented 4 years ago

Perfect, thanks for digging this out.

I'll use https://api.mullvad.net/public/relays/v1/ should be done today.

I can't believe I did all these servers manually, what an idiot I was a few months ago 😄

qdm12 commented 4 years ago

Actually it seems it's missing for each server their default port and the ISP 😒

Did you get a reply for your enquiry? I'll dig further on their Github maybe I can find something.

On the other hand, I remember now I wasn't that silly back then, I used https://mullvad.net/en/account/#/openvpn-config/?platform=linux to download a zip file with all their openvpn configurations. Although less 'sexy', I can extend a program I wrote for 2-3 other providers to download the zip file, extract it and parse it out, all in memory as well 👍 But obviously the http api would be better.

harrytheeskimo commented 4 years ago

Ah that's a shame, I guess their own apps aren't showing the providers in the server list so it's not something they care too much about.

The OpenVPN link above (https://api.mullvad.net/www/relays/openvpn/) does have all the providers, but the ports are still missing - I had no idea that the 'default' udp port was one of 1300/1301/1302/1194/1195/1196/1197, that's just annoying! FWIW their Windows app has all 7x of those ports listed as options for UDP, and 80/443 for TCP. I'd assume all would work for all servers but who knows - will see if I can find anything else in their app source.

But I'll also email them again asking if there are actually consistent ports between all servers or if some don't accept all of those 7x udp ports above. Although the previous response from their support was super weak - asking about the API - "We do not have any API docs or support for this as it's not meant to be used publicly. If you can figure out how to use them then we won't stop you though.".

harrytheeskimo commented 4 years ago

Might be safe to assume that all ports are consistent (but I'll still email them to confirm), as these are the constants from their app:

    const MIN_MSSFIX_VALUE = 1000;
    const MAX_MSSFIX_VALUE = 1450;
    const MIN_WIREGUARD_MTU_VALUE = 1280;
    const MAX_WIREGUARD_MTU_VALUE = 1420;
    const UDP_PORTS = [1194, 1195, 1196, 1197, 1300, 1301, 1302];
    const TCP_PORTS = [80, 443];
    const WIREUGARD_UDP_PORTS = [53];

From: https://github.com/mullvad/mullvadvpn-app/blob/master/gui/src/renderer/components/AdvancedSettings.tsx

harrytheeskimo commented 4 years ago

Some good news - got the following response from Mullvad support:

_It is the same ports for all the OpenVPN servers.

We also have 2 ports where we don't hijack DNS queries. 1400 UDP and 1401 TCP.

Which ports should I open in my firewall for OpenVPN?

TCP: 80, 443, 1401
UDP: 53, 1194, 1195, 1196, 1197, 1300, 1301, 1302, 1303, 1400
(Ports 1400 UDP and 1401 TCP do not have DNS hijacking enabled, which might work better for pfSense users)_

qdm12 commented 4 years ago

Oh ok, it's strange the openvpn config files have a default port changing from one server to another. Anyway, fabulous, I will get to work tonight (got work / sorry for the delay).

On a side note, I'm also planning on having a way to persist IP addresses and regions for vpn providers out of the image and be able to update it locally with the container, so that older docker image tags will still work in the future and I don't need to update IPs monthly 😄 (have a json file per provider with some funky docker volume manipulation haha)

harrytheeskimo commented 4 years ago

Yeah it's pretty strange, no idea why they've chosen different default ports per region. Glad they support all of them at least!

Thanks for jumping on this so quickly, appreciate it! Btw realised I'd checked the Urgent box for this... it's not a blocker personally - Sweden is still working just fine - so I've changed that. 😃

Decoupling the server pools sounds awesome, especially when providers like Mullvad blow up a whole region with no notice! Not something you want to have to push a new image for!

qdm12 commented 4 years ago

Alright, finally done! You can try pulling :latest it should have all the latest servers and IPs from Mullvad, including a 'new feature' which is still undocumented (only supports pia and mullvad for now) but here we go:

  1. Bind mount /gluetun
  2. In /gluetun, there is a servers.json which contains all the servers information
  3. The container will create this file when running the first time. You can manually modify it and the information with the most recent unix timestamp (see in servers.json) takes precedence (so either the file information or the information hardcoded in the program).

Now the cool thing is that you can now update the servers yourself (well update servers.json) using

docker run -it --rm -v /yourpath/gluetun:/gluetun qmcgaw/private-internet-access update -file -mullvad

And when running the container, it should use the more recent servers from that file (unless the Docker image has more recent ones). That way if I'm crushed by a bus, you can still upgrade your server information 😉 😆 Let me know if you encounter any problem.
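
The timestamp precedence described in the comment above, combined with an integrity check on the bind-mounted file, as an added example that is not gluetun's own code. The servers.json schema, the type and function names and the sample values are assumptions; the port allowlist is the one Mullvad support quoted earlier in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Hypothetical schema (assumption): the thread does not show the real servers.json layout.
type Server struct {
	Hostname, IP, Protocol string
	Port                   uint16
}
type ProviderServers struct {
	Timestamp int64 // unix seconds
	Servers   []Server
}
// OpenVPN ports as quoted from Mullvad support in this thread.
var allowedPorts = map[string]map[uint16]bool{
	"tcp": {80: true, 443: true, 1401: true},
	"udp": {53: true, 1194: true, 1195: true, 1196: true, 1197: true, 1300: true, 1301: true, 1302: true, 1303: true, 1400: true},
}
// validate rejects an empty list, unparsable IPs and ports outside the quoted set.
func validate(p ProviderServers) error {
	if len(p.Servers) == 0 {
		return fmt.Errorf("no servers")
	}
	for _, s := range p.Servers {
		if net.ParseIP(s.IP) == nil || !allowedPorts[s.Protocol][s.Port] {
			return fmt.Errorf("%s: rejected %q %d/%s", s.Hostname, s.IP, s.Port, s.Protocol)
		}
	}
	return nil
}
// Merge keeps the built-in data unless the file parses, validates and is strictly newer.
func Merge(builtin ProviderServers, fileJSON []byte) (ProviderServers, error) {
	var f ProviderServers
	if err := json.Unmarshal(fileJSON, &f); err != nil {
		return builtin, err
	}
	if err := validate(f); err != nil || f.Timestamp <= builtin.Timestamp {
		return builtin, err
	}
	return f, nil
}

func main() { // constructed sample: placeholder hostname, documentation-range IP
	file := []byte(`{"timestamp":1597000000,"servers":[{"hostname":"example-1","ip":"192.0.2.20","protocol":"udp","port":1300}]}`)
	fmt.Println(Merge(ProviderServers{Timestamp: 1596499200}, file))
}
```

Falling back to the built-in list on any parse or validation failure means a truncated or hand-edited file with a recent timestamp cannot empty the server pool or point the tunnel at an unexpected port.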

harrytheeskimo commented 4 years ago

Just tested it out, including the /gluetun bind mount - it's all working perfectly and with the newer servers now, thanks very much!! The decoupled server updating is an awesome idea - I just need to figure out where best to work that command into a cron job 😆

qdm12 commented 4 years ago

  1. First, thanks for the sponsorship 🤑!
  2. If you can wait a few days, don't do the cronjob 😉 I'm working on having it updated periodically once the tunnel is up. It's better as it hides from your ISP/government that you reach i.e. mullvad's api to get their server information. The CLI would be a last resort if you can't tunnel anywhere at all 😄 I'll also add a route to the built-in HTTP control server to trigger the update.
  3. Another advantage to this persistent server information is that the next Docker image tag should be working for a long time as it's decoupled from the server information (more or less, until they change their API endpoints!). Because I'm sure older Docker image tags are not working well because of outdated information.

Enjoy 🎉

qdm12 commented 3 years ago

Since you're using Mullvad, see #565 since you should now be able to use (or test hehe) Wireguard with it 😉

harrytheeskimo commented 3 years ago

> Since you're using Mullvad, see #565 since you should now be able to use (or test hehe) Wireguard with it 😉

Thanks @qdm12 - keen to check it out!