Mullvad telemetry (fresh install)

I decided to create a new browser template with mullvad-browser and I got all these connections when I started the dispvm:

These were the steps:

  • install fedora-41-minimal
  • clone to f41m-browser-template
  • create f41m-browser-dvm with mullvad-browser
  • started a dispvm running mullvad-browser

I see you are testing this in sys-net-wifi. Are there any other running qubes (except your disposable running the browser) at the time of testing? Have you checked which (if any) connections show up before starting the disposable?

Aside from the obvious DNS entries, this traffic could be generated by uBlock Origin updating the default filters. This add-on requires an active connection, but I’ve never seen it activated before a Mullvad tunnel is established. It would be concerning if the traffic upstream from the vpn qube is not tunneled. Here is what I see in my uBlock log after start-up:

uBlock Origin log from Mullvad Browser at startup
10:07:36	Reloading all filter lists: start						
10:07:35	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.jsdelivr.net.cdn.cloudflare.net/
10:07:35	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.jsdelivr.net/gh/gorhill/uBlock@master/assets/assets.json
10:07:34	Invalid filter (ublock-filters): watchserieshd.stream>>##+js(nowoif)						
10:07:34	Invalid filter (ublock-filters): bflix.*>>,~cloudflare.com,~disqus.com,~google.com##+js(nowoif)						
10:07:34	Invalid filter (ublock-filters): filemoon.*>>,96ar.com>>,iqksisgw.xyz>>,u6lyxl0w.skin>>##+js(nowoif)						
10:07:34	Invalid filter (ublock-filters): livecamrips.su>>,~cloudflare.com,~disqus.com,~google.com,~mixdrop.*##+js(nowoif)						
10:07:34	xxxx.moz-extension-scheme	0,3	get	xhr	https://ublockorigin.pages.dev/filters/filters.min.txt
10:07:33	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.jsdelivr.net.cdn.cloudflare.net/
10:07:33	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.jsdelivr.net/gh/uBlockOrigin/uAssetsCDN@main/filters/badware.min.txt
10:07:31	xxxx.moz-extension-scheme	0,3	get	xhr	https://statically.map.fastly.net/
10:07:31	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.statically.io/gh/uBlockOrigin/uAssetsCDN/main/filters/privacy.min.txt
10:07:30	xxxx.moz-extension-scheme	0,3	get	xhr	https://ublockorigin.github.io/uAssetsCDN/filters/unbreak.min.txt
10:07:29	xxxx.moz-extension-scheme	0,3	get	xhr	https://ublockorigin.github.io/uAssetsCDN/filters/quick-fixes.min.txt
10:07:28	Invalid filter (easylist): redtube.com,tube8.com,tube8.es,tube8.fr,xvideos.com,youjizz.com,youporn.com,youporngay.com#?#:-abp-properties(image/)						
10:07:28	Invalid filter (easylist): redtube.com,tube8.com,tube8.es,tube8.fr,xvideos.com,youjizz.com,youporn.com,youporngay.com#?#:-abp-properties(data:)						
10:07:28	Invalid filter (easylist): redtube.com,tube8.com,tube8.es,tube8.fr,xvideos.com,youjizz.com,youporn.com,youporngay.com#?#:-abp-properties(base64)						
10:07:28	Invalid filter (easylist): redtube.com,tube8.com,tube8.es,tube8.fr,xvideos.com,youjizz.com,youporn.com,youporngay.com#?#:-abp-properties(*data:image*)						
10:07:28	Invalid filter (easylist): pornhub.com,youporn.com#?#:-abp-properties(float: right; margin-top: 30px; width: 50%;)						
10:07:28	Invalid filter (easylist): pornhub.com#?#:-abp-properties(height: 300px; width: 315px;)						
10:07:28	Invalid filter (easylist): $webrtc,domain=ack.net|allthetests.com|champion.gg|clicknupload.link|colourlovers.com|csgolounge.com|dispatch.com|go4up.com|janjua.tv|jpost.com|megaup.net|netdna-storage.com|ouo.io|ouo.press|sourceforge.net|spanishdict.com|telegram.com|torlock2.com|uptobox.com|uptobox.eu|uptobox.fr|uptobox.link|vidtodo.com|yts.gs|yts.mx						
10:07:28	Invalid filter (easylist): $webrtc,websocket,xmlhttprequest,domain=pirateproxy.live|thehiddenbay.com|thepiratebay.org|thepiratebay10.org						
10:07:27	xxxx.moz-extension-scheme	0,3	get	xhr	https://ublockorigin.pages.dev/thirdparties/easylist.txt
10:07:25	xxxx.moz-extension-scheme	0,3	get	xhr	https://statically.map.fastly.net/
10:07:25	xxxx.moz-extension-scheme	0,3	get	xhr	https://cdn.statically.io/gh/uBlockOrigin/uAssetsCDN/main/thirdparties/easyprivacy.txt
10:07:24	xxxx.moz-extension-scheme	0,3	get	xhr	https://malware-filter.pages.dev/urlhaus-filter-ag-online.txt
10:07:21	xxxx.moz-extension-scheme	0,3	get	xhr	https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
10:07:19	Reloading all filter lists: done, took 3798 ms

It would be concerning but this is from the browser, not in a VPN.
It’s not unexpected that the browser will check for presence of Mullvad
VPN, and extensions will update at browser start. I wouldn’t describe
this as telemetry.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

@ephile @qubist @unman I use the Mudi (GL-E750), connected via mobile with a 4G SIM card. The Ethernet output provides a connection to sys-net, and the Wi-Fi signal is connected through sys-net-wifi. I tested both connections (wls/eth), and both show the same traffic. The test was conducted with only the notebook connected to the modem.

Yes, I did that and I didn't have any other VMs open, only the netvm providing networking to the disposable VM with Mullvad installed. I tried to record it, but I don't know how to screen-record in Qubes OS.

I see, didn’t occur to me to use Mullvad Browser without a VPN…

A quick check suggests to me that most of these IPs map to CDNs (fastly, cloudflare, akamai, and google), while only two are owned by Mullvad (45.149.104.1 and 194.242.2.2). With a little legwork you should be able to map the CDN IPs to uBlock Origin filters. You should ask Mullvad about the other two IPs and verify that they are being used to check for VPN presence as @unman mentioned.
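
Added example (not part of any post in this thread): one way to do the mapping suggested above is to pull the hostnames out of the uBlock Origin log and match the remote IPs seen in the net qube against the DNS answers for those hosts. The DNS answers and most observed IPs below are constructed from documentation ranges; only the log rows and the two Mullvad addresses come from the thread.

```python
from urllib.parse import urlsplit

# Rows copied from the uBlock Origin log quoted in the thread (tab-separated).
UBLOCK_LOG = "\n".join([
    "10:07:35\txxxx.moz-extension-scheme\t0,3\tget\txhr\thttps://cdn.jsdelivr.net/gh/gorhill/uBlock@master/assets/assets.json",
    "10:07:34\tInvalid filter (ublock-filters): watchserieshd.stream>>##+js(nowoif)",
    "10:07:34\txxxx.moz-extension-scheme\t0,3\tget\txhr\thttps://ublockorigin.pages.dev/filters/filters.min.txt",
    "10:07:29\txxxx.moz-extension-scheme\t0,3\tget\txhr\thttps://ublockorigin.github.io/uAssetsCDN/filters/quick-fixes.min.txt",
    "10:07:21\txxxx.moz-extension-scheme\t0,3\tget\txhr\thttps://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext",
])

# CONSTRUCTED DNS answers (hostname -> A records) using documentation ranges;
# in practice take these from the DNS replies seen in the same capture.
DNS_ANSWERS = {
    "cdn.jsdelivr.net": ["192.0.2.10", "192.0.2.11"],
    "ublockorigin.pages.dev": ["198.51.100.20"],
    "ublockorigin.github.io": ["203.0.113.30"],
    "pgl.yoyo.org": ["203.0.113.40"],
}

# Remote IPs seen in the net qube: constructed ones plus the two Mullvad-owned
# addresses named in the thread.
OBSERVED = ["192.0.2.11", "198.51.100.20", "203.0.113.30",
            "45.149.104.1", "194.242.2.2"]

def ublock_hosts(log):
    """Hostnames the extension fetched; 'Invalid filter' rows carry no URL."""
    hosts = set()
    for row in log.splitlines():
        cols = row.rstrip("\t").split("\t")
        if len(cols) == 6 and cols[4] == "xhr":
            host = urlsplit(cols[5]).hostname
            if host:
                hosts.add(host)
    return hosts

def attribute(observed, dns_answers, hosts):
    """Split observed IPs into those explained by uBlock fetches and the rest."""
    ip_to_host = {ip: h for h, ips in dns_answers.items() if h in hosts for ip in ips}
    explained = {ip: ip_to_host[ip] for ip in observed if ip in ip_to_host}
    unexplained = [ip for ip in observed if ip not in ip_to_host]
    return explained, unexplained

if __name__ == "__main__":
    explained, unexplained = attribute(OBSERVED, DNS_ANSWERS, ublock_hosts(UBLOCK_LOG))
    for ip, host in explained.items():
        print(f"{ip:15}  uBlock filter fetch -> {host}")
    print("not explained by uBlock:", unexplained)
```

Whatever ends up in the unexplained list is what remains to be accounted for by other means, such as the VPN-presence check mentioned in the thread.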