
[Feature request] nftables hook/config for mullvad vpn linux app? #6638

Open
FeryET opened this issue Aug 19, 2024 · 3 comments
Labels
feature request For issues asking for new features

Comments


FeryET commented Aug 19, 2024

I have checked if others have suggested this already

  • I have checked this issue tracker to see if others have reported similar issues.

Feature description

Currently the advanced split tunneling feature in Mullvad requires writing a custom nftables ruleset that should be manually applied.

It will be very helpful if Mullvad can provide a post-connection nftables hook that calls the split-tunneling script provided by the user.

Alternative solutions

I am run, and then connect to Mullvad. Using a cron job I check if it's connected, and if so, apply the split-tunneling nft ruleset that I have written.

This can be done much cleaner.

Type of feature

  • Better privacy/anonymity
  • Better at circumventing censorship
  • Easier to use
  • Other

Operating System

  • Android
  • iOS
  • Windows
  • macOS
  • Linux
@FeryET FeryET added the feature request For issues asking for new features label Aug 19, 2024
Contributor

Serock3 commented Aug 29, 2024

Hi.

Just in case it wasn't clear from the advanced split tunneling guide, the nftables ruleset you write only needs to be applied once, and can be left in place whether connected or not. It shouldn't be more work than writing a script that we call for you after connecting. Could you elaborate on why the solution doesn't work for you?

It's also unclear how a custom ruleset applied after connecting would be cleaned up afterwards. How does your current setup handle that?

Author

FeryET commented Sep 5, 2024

@Serock3

Hi.

I currently have an nftables script that I source inside my nftables startup script (/etc/nftables.conf), but after running Mullvad, the rules are not respected. The file is located at /etc/nftables.d/mullvad.conf.

I have the following table (this table is being sourced in /etc/nftables.conf via this line: `include "/etc/nftables.d/*.conf"`):

```
#!/usr/sbin/nft -f

# Hosts that should bypass the tunnel (placeholders as in the original post)
define EXCLUDED_IPS = { <my_server_ip>, <company_server_ip> }

table inet excludeTraffic {
  chain excludeOutgoing {
    type filter hook output priority -10; policy accept;
    # "mark set" is shorthand for "meta mark set"; its value is overwritten by the
    # following "meta mark set", so only the last packet mark takes effect
    ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
  chain excludeIncoming {
    type filter hook input priority -10; policy accept;
    ip saddr $EXCLUDED_IPS ct mark set 0x00000f41 mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}
```

And when I list the ruleset using the `sudo nft list ruleset` command, this output is generated even when I'm connected to Mullvad:

```
table inet excludeTraffic {
        chain excludeOutgoing {
                type filter hook output priority filter - 10; policy accept;
                ip daddr { <my_server_ip>,  <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }

        chain excludeIncoming {
                type filter hook input priority filter - 10; policy accept;
                ip saddr { <my_server_ip>,  <company_server_ip> } ct mark set 0x00000f41 meta mark set 0x00000f41 meta mark set 0x6d6f6c65
        }
}
```

But I cannot ssh into my servers anymore. When I source the nftables file manually using `nft -f /etc/nftables.d/mullvad.conf`, I can.

Or if I don't do that, or use `mullvad-exclude ssh <my_server>`, I can ssh into that.

Either I have configured my nftables script badly, or Mullvad cannot respect a pre-configured nftables script after connecting. I'm not well versed in the configuration of nftables, but according to the guide on Mullvad's website everything should work.
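A way to confirm, after connecting, that the exclusion table above is really loaded with the marks the guide relies on, as an added example that is not code from Mullvad or from the issue author. It reads the JSON form of `nft -j list ruleset`, checks that the `excludeTraffic` table has base chains on the `output` and `input` hooks whose rules set conntrack mark `0x00000f41` and packet mark `0x6d6f6c65`, and flags the doubled `meta mark set` visible in the listing. The table and chain names come from the posted ruleset; the IP addresses and the sample JSON are constructed here in the shape nft emits, not captured from a machine.

```python
"""Check that a split-tunnel exclusion table is loaded, via `nft -j list ruleset`."""
import json
import subprocess

TABLE = "excludeTraffic"
CT_MARK = 0x00000F41    # conntrack mark placed on excluded flows
META_MARK = 0x6D6F6C65  # packet mark ("mole") that routes around the tunnel
EXCLUDED_IPS = ["203.0.113.10", "198.51.100.20"]  # constructed placeholders


def _rule(chain, ip_field, redundant_meta_set):
    """Build one rule object shaped like nft's JSON for the posted ruleset."""
    expr = [
        {"match": {"op": "==",
                   "left": {"payload": {"protocol": "ip", "field": ip_field}},
                   "right": {"set": EXCLUDED_IPS}}},
        {"mangle": {"key": {"ct": {"key": "mark"}}, "value": CT_MARK}},
    ]
    if redundant_meta_set:
        # The extra `mark set 0x00000f41` from the issue: a packet mark that the
        # next statement immediately overwrites.
        expr.append({"mangle": {"key": {"meta": {"key": "mark"}}, "value": CT_MARK}})
    expr.append({"mangle": {"key": {"meta": {"key": "mark"}}, "value": META_MARK}})
    return {"rule": {"family": "inet", "table": TABLE, "chain": chain,
                     "handle": 0, "expr": expr}}


def sample_ruleset(redundant_meta_set=True):
    """Constructed stand-in for `nft -j list ruleset` output (a JSON string)."""
    objs = [
        {"metainfo": {"version": "1.0.0", "release_name": "sample",
                      "json_schema_version": 1}},
        {"table": {"family": "inet", "name": TABLE, "handle": 1}},
        {"chain": {"family": "inet", "table": TABLE, "name": "excludeOutgoing",
                   "handle": 1, "type": "filter", "hook": "output",
                   "prio": -10, "policy": "accept"}},
        _rule("excludeOutgoing", "daddr", redundant_meta_set),
        {"chain": {"family": "inet", "table": TABLE, "name": "excludeIncoming",
                   "handle": 2, "type": "filter", "hook": "input",
                   "prio": -10, "policy": "accept"}},
        _rule("excludeIncoming", "saddr", redundant_meta_set),
    ]
    return json.dumps({"nftables": objs})


def mark_sets(expr):
    """Return [(kind, value)] for each `ct mark set` / `meta mark set` in a rule."""
    found = []
    for stmt in expr:
        mangle = stmt.get("mangle")
        if not mangle:
            continue
        key = mangle["key"]
        if "ct" in key and key["ct"].get("key") == "mark":
            found.append(("ct", mangle["value"]))
        elif "meta" in key and key["meta"].get("key") == "mark":
            found.append(("meta", mangle["value"]))
    return found


def check_ruleset(ruleset_json, table=TABLE):
    """Return a list of problems; an empty list means the table looks as expected."""
    doc = json.loads(ruleset_json)
    chains, rules = {}, {}
    for obj in doc.get("nftables", []):
        if "chain" in obj and obj["chain"]["table"] == table:
            chains[obj["chain"]["name"]] = obj["chain"]
        elif "rule" in obj and obj["rule"]["table"] == table:
            rules.setdefault(obj["rule"]["chain"], []).append(obj["rule"])
    if not chains:
        return [f"table {table} is not loaded"]

    problems = []
    for hook in ("output", "input"):
        hooked = [c for c in chains.values() if c.get("hook") == hook]
        if not hooked:
            problems.append(f"no base chain on the {hook} hook")
        for chain in hooked:
            chain_rules = rules.get(chain["name"], [])
            if not chain_rules:
                problems.append(f"chain {chain['name']} has no rules")
            for rule in chain_rules:
                sets = mark_sets(rule["expr"])
                if ("ct", CT_MARK) not in sets:
                    problems.append(f"{chain['name']}: ct mark {CT_MARK:#010x} not set")
                if hook == "output" and ("meta", META_MARK) not in sets:
                    problems.append(f"{chain['name']}: meta mark {META_MARK:#010x} not set")
                metas = [v for kind, v in sets if kind == "meta"]
                if len(metas) > 1:
                    problems.append(f"{chain['name']}: {len(metas)} meta mark sets; "
                                    f"only the last ({metas[-1]:#010x}) survives")
    return problems


def check_live():
    """Run the check against the host's real ruleset (needs nft and root)."""
    out = subprocess.run(["nft", "-j", "list", "ruleset"],
                         check=True, capture_output=True, text=True).stdout
    return check_ruleset(out)


if __name__ == "__main__":
    for line in check_ruleset(sample_ruleset()) or ["ok"]:
        print(line)
```

Run from the cron job or a post-connect hook, `check_live()` gives a yes/no on whether the rules are present; it does not prove they take effect, since a table the app installs at a more negative priority can still see the packets first.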

Contributor

Serock3 commented Sep 16, 2024

Hello again, sorry for the late reply. I tested your nftables config setup and I cannot reproduce the issue, unfortunately. There seems to be a small error though: you don't need `meta mark set 0x00000f41`. You could try removing that part, though I would be surprised if it fixes the issue for you.

You say that when you source the firewall rules after connecting it works as expected, which is peculiar. It's a bit far-fetched, but maybe it could be an issue with nftables loading after your ssh server. Could you try restarting the ssh server (e.g. `sudo systemctl restart sshd`, depending on what service you are using), and see if the problem still remains?
