Potential Networking leak problem. Sniffnet analysis

Hey, I would like to ask a few questions about traffic I have observed using Sniffnet on sys-vpn and especially sys-net.

I have 2 different network chain setups, each for a certain threat model.

  1. sys-net → sys-firewall → sys-vpn
  2. sys-net → sys-firewall → sys-vpn-whonix

sys-vpn is configured to only connect to Swedish Mullvad servers, and has an outbound connection whitelist set to those servers’ IPs.

Now, my first question would be: why do I see incoming connections on sys-net? Some come from seemingly random IPv6 addresses and some come from the hostname of my router. Is this something I should be worried about in terms of privacy? Could I stop this behavior without getting problems with routing?

The IPv6 addresses are labelled with the service “zeroconf” (UDP) and only transmit small amounts of data.
Also, there are packets sent from and to “_gateway”.

The only other thing I can see are outgoing/incoming connections to/from a Swedish IP, hinting at the usage from sys-vpn, so that is fine, I guess.

When opening sys-vpn in Sniffnet, things get even weirder.
eth0 only shows outgoing and incoming connections to the Swedish IP, labelled with openvpn, so that is super fine and acceptable.

But inspecting tun0 & vif7.0 on sys-net shows all kinds of IPs and outgoing and incoming traffic from Russia, Poland, the Netherlands, etc. I assume this is the Tor traffic? But why is it not going through the VPN first? Why is it appearing there? It should be routed through OpenVPN before going any further.

I’m a bit confused and just worried about my privacy. Maybe this is just a normal flow, but something seems off to me…

Appreciate any help!