Mullvad VPN App 4.3 (and 4.2) setup guide

Can someone explain why I need to enable VPN Settings > Local network sharing?

For reference, here is the quote:

> Open the Mullvad VPN app. Go to Settings > VPN settings and toggle Local network sharing. Due to some strange interaction between qubes services and Mullvad VPN, certain apps will get internet connections while others do not if this toggle is not enabled. This toggle will not actually allow AppVMs connected to the ProxyVM to connect to the local network.

Another reference here in the forum.

That “some strange interaction” makes me slightly uncomfortable :sweat_smile:.

I don’t understand it …

1. `nft list table inet mullvad` in the proxyVM shows that basically all private IP ranges are added with accept to output, input, and forward. Why would that be needed for AppVM → ProxyVM → sys-firewall → sys-net → Inet, given that my destination is some site on the internet?

2. I am also not sure of

> This toggle will not actually allow AppVMs connected to the ProxyVM to connect to the local network.

Typing `ip route show table all` shows there is a new, top-most `wg0-mullvad` default route with WG enabled, which is used for all destination IPs. You can confirm with `ip route get 192.168.1.1`, which outputs `wg0-mullvad`.

But this does not actually block access to your LAN via firewall rules from appVMs using the Mullvad netVM (rather, it routes private IPs to WG). With some Mullvad app route misconfiguration, in the worst case a compromised VPN app would be able to have LAN network access, I guess? Hence IMO it definitely makes sense to block forwarding to eth0 in every case, or better, block private IP ranges in the Mullvad proxyVM settings via qvm-firewall.

It would also be nice to get rid of this “Local network sharing” setting altogether, which clutters firewall rules and in theory globally accepts LAN.

Any clarification appreciated!
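
The `qvm-firewall` idea from the post, sketched as an added example (not part of the original post or the Mullvad/Qubes guide). It assumes a ProxyVM named `sys-mullvad` (hypothetical), a constructed list of private IPv4 ranges, and that the ProxyVM still needs the Qubes DNS resolvers, which sit inside 10.0.0.0/8.

```shell
#!/bin/sh
# Added example, to be run in dom0. Rules set on a qube are enforced in its
# upstream netVM (sys-firewall here), so they also catch traffic that leaves
# the ProxyVM un-tunnelled if the Mullvad routes or nft rules are wrong.
# "sys-mullvad" is a hypothetical VM name; substitute your own.

# Assumed range list: RFC 1918 private ranges plus IPv4 link-local.
LAN_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Print the qvm-firewall commands for one qube, one per line.
lan_block_rules() {
    vm="$1"
    [ -n "$vm" ] || { echo "usage: lan_block_rules VMNAME" >&2; return 1; }
    for net in $LAN_RANGES; do
        # --before 0 inserts at the top, ahead of the default accept rule.
        echo "qvm-firewall $vm add --before 0 action=drop dsthost=$net"
    done
    # Emitted last so it ends up as rule 0: the Qubes DNS resolvers live in
    # 10.0.0.0/8 and would otherwise be caught by the first drop rule.
    echo "qvm-firewall $vm add --before 0 action=accept specialtarget=dns"
}

# Dry-run by default; set APPLY=1 to actually execute the commands in dom0.
apply_lan_block() {
    lan_block_rules "$1" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            echo "DRY-RUN: $cmd"
        fi
    done
}
```

Review the dry-run output of `apply_lan_block sys-mullvad` first, then rerun with `APPLY=1` and check the result with `qvm-firewall sys-mullvad list`.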