Mullvad VPN cannot connect (IPv6)

[mattfbacon]

Mullvad VPN cannot connect as described in mullvad/mullvadvpn-app#7412

If I disable Opensnitch with the Pause button Mullvad works instantly. No deny events are logged in Opensnitch, but when I enable "Debug invalid connections" I instantly get these "Unknown process" dialogs, correlated with Mullvad trying to connect.

Reproduction

1. Activate Opensnitch with GUI with "Debug invalid connections" enabled
2. Try to connect with Mullvad. The "Unknown process" dialogs will appear.
3. Disable Opensnitch. Mullvad connects successfully.

Environment

• OpenSnitch version: 1.6.6 (checked 1.6.6..1.6.7 changelog, nothing relevant?)
• OS: Arch Linux
• WM: Sway
• Kernel version: Linux framework 6.12.7-arch1-1.1 #1 SMP PREEMPT_DYNAMIC Sat, 28 Dec 2024 03:18:00 +0000 x86_64 GNU/Linux

[gustavo-iniguez-goya]

hi @mattfbacon ,

This is more or less the expected behaviour. For connections initiated from kernel space to establish the tunnel, you need to have the 'ebpf' process monitor method working.

Verify that you have the kprobe iptunnel_xmit added correctly: ~ # grep iptunnel_xmit /sys/kernel/debug/tracing/kprobe_events

When it's working you should see pop-ups like this one:

But in any case, there will not be a connection from "mullvad".

[mattfbacon]

I just need something I can allow with a rule. If there was a way to allow connections from within the kernel, I would do that, but as it is "Unknown process" is not helpful and doesn't seem to allow creating rules based on it at all.

# grep iptunnel_xmit /sys/kernel/debug/tracing/kprobe_events
p:kprobes/piptunnel_xmit iptunnel_xmit

opensnitch-ebpf-module is installed. How can I verify if it is used?

[gustavo-iniguez-goya]

I think that we're not intercepting ipv6 tunnels correctly.

Go to the Mullvad preferences -> VPN settings -> Wireguard settings , and select IPv4. and see if a popup similar to this one shows up:

You could also force the VPN port on the Wireguard settings -> Port, and allow connections to that port.

[gustavo-iniguez-goya]

Another option would be to exclude the vpn connection from being intercepted.

Using a fixed VPN port (51820), you can go to the Rules tab -> System rules -> mangle-inet -> output-output, and enable the predefined rule "Exclude Wireguard". It'll add a rule to allow direct connection to the port 51820

[mattfbacon]

Correct, with ipv4 it works (because I had already allowed "Kernel connection").

[gustavo-iniguez-goya]

thank you @mattfbacon for confirming it. I'll try to fix it.

[gustavo-iniguez-goya]

ok, the thing is that we hook iptunnel_xmit() to intercept IPv4 tunnel connections. The IPv6 equivalent function is ip6tunnel_xmit(), but it's not exported as available to monitor: grep ^ip6tunnel /sys/kernel/debug/tracing/available_* (tested on 6.x and 5.x kernels)

So we have to find one that report these connections.