Mullvad VPN App 4.2 setup guide

solene · April 7, 2024, 9:10am

did you reboot the qube after the change?

darkgh05t · April 7, 2024, 9:42am

yes,

could it be something with the MTU issues ?

solene · April 7, 2024, 10:13am

No, you clearly face a DNS issue here, the MTU isn’t related.

I’m not sure what to do next to help you debug this… If you know how to use tcpdump/wireshark, it could be interesting to see what happens in the mullvad vpn when an AppVM make a DNS request.

apparatus · April 7, 2024, 10:20am

What’s the output of this command in your VPN qube?

sudo nft list table ip qubes

darkgh05t · April 7, 2024, 11:05am

table ip qubes {
set downstream {
type ipv4_addr
elements = { 10.137.0.10 }
}

set allowed {
	type ifname . ipv4_addr
	elements = { "vif8.0" . 10.137.0.10 }
}

chain prerouting {
	type filter hook prerouting priority raw; policy accept;
	iifgroup 2 goto antispoof
	ip saddr @downstream counter packets 0 bytes 0 drop
}

chain antispoof {
	iifname . ip saddr @allowed accept
	counter packets 0 bytes 0 drop
}

chain postrouting {
	type nat hook postrouting priority srcnat; policy accept;
	oifgroup 2 accept
	oif "lo" accept
	masquerade
}

chain input {
	type filter hook input priority filter; policy drop;
	jump custom-input
	ct state invalid counter packets 0 bytes 0 drop
	iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
	ct state established,related accept
	iifgroup 2 meta l4proto icmp accept
	iif "lo" accept
	iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
	counter packets 0 bytes 0
}

chain forward {
	type filter hook forward priority filter; policy accept;
	jump custom-forward
	ct state invalid counter packets 0 bytes 0 drop
	ct state established,related accept
	oifgroup 2 counter packets 0 bytes 0 drop
}

chain custom-input {
}

chain custom-forward {
	tcp flags syn / syn,rst tcp option maxseg size set rt mtu
	oifname "eth0" counter packets 0 bytes 0 drop
}

chain nat {
	type nat hook prerouting priority dstnat; policy accept;
	iifname "vif*" tcp dport 53 dnat to 10.64.0.1
	iifname "vif*" udp dport 53 dnat to 10.64.0.1
}

chain dnat-dns {
	type nat hook prerouting priority dstnat; policy accept;
	ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
	ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
	ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
	ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}

}

apparatus · April 7, 2024, 11:10am

darkgh05t:

chain nat {
	type nat hook prerouting priority dstnat; policy accept;
	iifname "vif*" tcp dport 53 dnat to 10.64.0.1
	iifname "vif*" udp dport 53 dnat to 10.64.0.1
}

chain dnat-dns {
	type nat hook prerouting priority dstnat; policy accept;
	ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
	ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
	ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
	ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}

I’m not sure which rules will take priority here.

Can you change:

nft add chain qubes nat { type nat hook prerouting priority dstnat\; }

to

nft add chain qubes nat { type nat hook prerouting priority dstnat -1\; }

In your /rw/config/qubes-firewall-user-script and restart VPN qube?

darkgh05t · April 7, 2024, 11:25am

just changed it and restarted qube, still no change.

apparatus · April 7, 2024, 11:31am

What if you replace 10.64.0.1 with 9.9.9.9?
You can run these commands for a test in your VPN qube:

sudo nft flush chain ip qubes nat
sudo nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat 9.9.9.9
sudo nft add rule qubes nat iifname == "vif*" udp dport 53 dnat 9.9.9.9

darkgh05t · April 7, 2024, 11:43am

just ran these commands and still no connection on the appvm,

apparatus · April 7, 2024, 12:06pm

Can you check if curl with IP address will work in AppVM?

curl https://9.9.9.9

darkgh05t · April 7, 2024, 12:12pm

[user@work ~]$ curl https://9.9.9.9
not found[user@work ~]$

apparatus · April 7, 2024, 12:14pm

Ok, seems to really be a problem with DNS.
Does DNS work in VPN qube itself?

solene · April 7, 2024, 12:19pm

Could you try to modify the fix DNS part by adding the keyword counter at the end, do some DNS requests in an appvm and then use nft list ruleset (this will show all rules in the mullvad vpn qube, if you added firewall rules in an appvm, it will be displayed, this may leak information you don’t want to)

this should look like this

DNS=10.64.0.1
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS" counter
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS" counter

we will be able to figure if the rules is actually used

darkgh05t · April 7, 2024, 12:20pm

yeah it works fine in the VPN qube, for some reason i just cant get the appvm to connect to it, the browsers wont connect.

apparatus · April 7, 2024, 12:24pm

What’s the content of /etc/resolv.conf in AppVM?

solene · April 7, 2024, 1:32pm

this shouldn’t matter because the mullvad qube intercept it and redirect using nftables

apparatus · April 7, 2024, 1:34pm

It could be empty.

darkgh05t · April 8, 2024, 4:19am

[user@work ~]$ sudo nft list ruleset
table ip qubes {
set downstream {
type ipv4_addr
}

set allowed {
	type ifname . ipv4_addr
}

chain prerouting {
	type filter hook prerouting priority raw; policy accept;
	iifgroup 2 goto antispoof
	ip saddr @downstream counter packets 0 bytes 0 drop
}

chain antispoof {
	iifname . ip saddr @allowed accept
	counter packets 0 bytes 0 drop
}

chain postrouting {
	type nat hook postrouting priority srcnat; policy accept;
	oifgroup 2 accept
	oif "lo" accept
	masquerade
}

chain input {
	type filter hook input priority filter; policy drop;
	jump custom-input
	ct state invalid counter packets 0 bytes 0 drop
	iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
	ct state established,related accept
	iifgroup 2 meta l4proto icmp accept
	iif "lo" accept
	iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
	counter packets 0 bytes 0
}

chain forward {
	type filter hook forward priority filter; policy accept;
	jump custom-forward
	ct state invalid counter packets 0 bytes 0 drop
	ct state established,related accept
	oifgroup 2 counter packets 0 bytes 0 drop
}

chain custom-input {
}

chain custom-forward {
}

}
table ip6 qubes {
set downstream {
type ipv6_addr
}

set allowed {
	type ifname . ipv6_addr
}

chain antispoof {
	iifname . ip6 saddr @allowed accept
	counter packets 0 bytes 0 drop
}

chain prerouting {
	type filter hook prerouting priority raw; policy accept;
	iifgroup 2 goto antispoof
	ip6 saddr @downstream counter packets 0 bytes 0 drop
}

chain postrouting {
	type nat hook postrouting priority srcnat; policy accept;
	oifgroup 2 accept
	oif "lo" accept
	masquerade
}

chain _icmpv6 {
	meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
	icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
	accept
}

chain input {
	type filter hook input priority filter; policy drop;
	jump custom-input
	ct state invalid counter packets 0 bytes 0 drop
	ct state established,related accept
	iifgroup 2 goto _icmpv6
	iif "lo" accept
	ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
	meta l4proto ipv6-icmp accept
	counter packets 0 bytes 0
}

chain forward {
	type filter hook forward priority filter; policy accept;
	jump custom-forward
	ct state invalid counter packets 0 bytes 0 drop
	ct state established,related accept
	oifgroup 2 counter packets 0 bytes 0 drop
}

chain custom-input {
}

chain custom-forward {
}

}
[user@work ~]$

darkgh05t · April 8, 2024, 4:21am

nameserver 10.139.1.1
nameserver 10.139.1.2

apparatus · April 8, 2024, 4:26am

Do some DNS requests in an appvm and then use sudo nft list chain ip qubes nat in your VPN qube to check the counter.