#1 2023-07-17 15:36:18

lostinarch
Member
Registered: 2023-07-17
Posts: 4

delete this

-

Last edited by lostinarch (2023-08-06 21:18:16)


#2 2023-07-18 08:49:30

Koatao
Member
Registered: 2018-08-30
Posts: 96

Re: delete this

Hello,

Reading a bit about mullvad and split tunneling tells me that the mullvad client has configuration options to block apps from using the VPN. I don't know if it is a feature in the Linux client though.

Anyway, the wiki on mullvad https://wiki.archlinux.org/title/Mullvad indicates you can use WireGuard or OpenVPN client to connect to mullvad VPN. With both, you can do split tunneling.

Now, that does not completely answer your question, as it excludes the whole server from the VPN, not only port 45000 for SSH.
Could you show us the excludeTraffic.rule you tried with nftables? I guess it is a bit tricky to bypass the VPN like that with nftables.


#3 2023-07-18 11:51:23

lostinarch
Member
Registered: 2023-07-17
Posts: 4

Re: delete this

@Koatao
https://mullvad.net/en/help/split-tunne … -advanced/

table inet excludeTraffic {
  chain allowIncoming {
    type filter hook input priority -100; policy accept;
    tcp dport 45000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }

  chain allowOutgoing {
    type route hook output priority -100; policy accept;
    tcp sport 45000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}


#4 2023-07-18 14:36:28

lostinarch
Member
Registered: 2023-07-17
Posts: 4

Re: delete this

Koatao wrote:

Hello,
Now, that does not completely answer your question as it exclude the whole server from the VPN, not only port 45000 for SSH.

(Just found out how to quote a reply.)
I think what you're describing is Scenario 4 of my whiteboard diagram.
I can SSH to the VPS despite the VPN being active, though IP tests return a non-VPN IP.


#5 2023-07-19 08:17:20

Koatao
Member
Registered: 2018-08-30
Posts: 96

Re: delete this

TBH, I understood your situation wrong, I thought you wanted to do split tunneling from the host corresponding to the SSH client (and not the server).

lostinarch wrote:

@Koatao
https://mullvad.net/en/help/split-tunne … -advanced/

table inet excludeTraffic {
  chain allowIncoming {
    type filter hook input priority -100; policy accept;
    tcp dport 45000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }

  chain allowOutgoing {
    type route hook output priority -100; policy accept;
    tcp sport 45000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

Tricky indeed!

So, if this is supposed to be the official way of split tunneling with the Linux client, I guess we should start from here and try to debug it.

What you could try, at first, is to add a counter to make sure the rule is actually hit when it is supposed to be (wiki.nftables.org).

Is it possible to have an overview of nftables rules with and without the VPN enabled?

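As an added illustration of the counter suggestion above (not part of the thread): the same excludeTraffic table with a counter statement inserted in each rule, so the ruleset listing shows whether packets on port 45000 are actually reaching the mark statements. The port and mark values are the ones from the posted rules; everything else is an assumption for this example.

```nft
# Same table as in the thread, instrumented with counters for debugging.
# Load with:  nft -f excludeTraffic.rule
# Inspect:    nft list table inet excludeTraffic
# Each rule is then printed with "counter packets N bytes M"; if N stays at 0
# while you SSH to port 45000 with the VPN up, the traffic never hits the rule
# and the marks are never applied (so the problem is upstream of the marking).
table inet excludeTraffic {
  chain allowIncoming {
    type filter hook input priority -100; policy accept;
    tcp dport 45000 counter ct mark set 0x00000f41 meta mark set 0x6d6f6c65
  }

  chain allowOutgoing {
    type route hook output priority -100; policy accept;
    tcp sport 45000 counter ct mark set 0x00000f41 meta mark set 0x6d6f6c65
  }
}
```

Comparing the listing with the VPN connected and disconnected (as Koatao asks) shows whether the counters move in both states or only one.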

#6 2023-07-19 10:40:05

-thc
Member
Registered: 2017-03-15
Posts: 527

Re: delete this

The fact alone that the Mullvad VPN doesn't seem to work when the nftables exception is active (scenario 4) is suspicious.

Does the VPN work again when you delete the nft tables?


#7 2023-07-20 22:00:48

lostinarch
Member
Registered: 2023-07-17
Posts: 4

Re: delete this

-thc wrote:

The fact alone that the Mullvad VPN doesn't seem to work when the nftables exception is active (scenario 4) is suspicious.

Does the VPN work again when you delete the nft tables?

No, scenario 4 is when Mullvad split-tunneling is enabled. nftables didn't work at all.
