Mullvad DNS issue

[Rubber-Duckie]

Can you check, this still seems unresolved .

Steps;

1. Connect to Mullvad and select a server in a different country.
2. Make sure all DNS sec in the browser is turned off.
3. Verify that the DNS check is green. https://mullvad.net/en/check
4. Now note the location reported by the Mullvad DNS check, it matches your exit country.

The fact the DNS server is showing in the same country as the VPN server your connected to is normal in this configuration, because the VPN is relaying the DNS query to a server in the exit jurisdiction.

Now start Portmaster with these settings.

At this point, DNS is broken - there is no connectivity to the internet. It appears that Portmaster is not respecting the Mullvad VPN’s gateway - despite the documentation stating it should be forwarding DNS to the system assigned DNS server - which is available from the TAP adapter interface that was created by the VPN.

Suggestion previous was to manually set a DNS server in Portmaster to a public server i.e.

dot://extended.dns.mullvad.net?ip=194.242.2.5&name=mullvad&blockedif=empty

But this is not what we want. The DNS requests should be passed to a Mullvad VPN Relay (via the client) not sent direct to a public server.

See here why bypassing a VPN Relay using a public facing DNS server is not a good idea; https://www.privacyguides.org/en/advanced/dns-overview/#why-shouldnt-i-use-encrypted-dns

Lets try to redirect DNS to the Mullvad local listener IP that is designed to Relay DNS...

dns://10.64.0.1?name=Mullvad&blockedif=zeroip

This is specified as a valid resolver here ; https://mullvad.net/en/help/running-wireguard-router

This results in incredibly unstable DNS resolution. It works for a moment, then fails and packs in all together - possibly some cache reminants. As soon as I disable Portmaster, everything works as normal.

The Portmaster documentation states that it only intercepts and forwards DNS queries through two possible paths:

1. Any configured DNS servers within the section shown above, bypassing the system network-configured DNS entirely.
2. If there are no entries configured in the Portmaster DNS server list, it reverts to using the network-configured DNS server.

Given # 2 is the chosen path since no DNS servers have been configured within Portmaster, Portmaster remains oblivious to the VPN local service that inserted its IP in the IP tables configuration.

I simply cannot get Portmaster to connect using Mullvad VPN and Mullvad DNS Relay.

[Internot3]

Happy to have found Portmaster, but sad to realize I cannot get Mullvard to work with it.

Has anyone been able to successfully pass the DNS requests through the Mullvad VPN Relay?

The following links generated zero success: https://github.com/safing/portmaster/issues/313#issuecomment-2339077939 https://wiki.safing.io/en/Portmaster/App/Compatibility/Software/MullvadVPN

Mullvard just says to uninstall Portmaster: https://mullvad.net/en/help/dns-leaks

What is going on here? The best VPN isn't compatible with the best Firewall?

Update: I forgot all about $PN, now it all makes sense why these programs don't work together. It's kind of a bummer being strong armed into the service. I was considering to switch to SPN before I realized the incompatibility, then I noticed it's double the price of Mullvard.

[Rubber-Duckie]

It seems the Portmaster team isn't focused on ensuring proper DNS functionality. The complexity at the lower layers demands highly skilled individuals to overhaul the current defective dependencies and essentially rewrite from scratch. While I wish them luck, there are already superior alternatives out there. Don't lose sleep over this; the project is on shaky ground.