Mullvad VPN


The unofficial community subreddit for Mullvad VPN.

376
 
 
The original post: /r/mullvadvpn by /u/MullvadNew on 2025-03-26 10:31:51.

Link: https[://]mullvad[.]net/en/blog/why-we-still-dont-use-includeallnetworks


Our users often ask why we do not use the includeAllNetworks to fix all possible leaks on iOS. This blog post aims to explain why this currently is not possible.

As per Apple's documentation and several vulnerability reports (e.g. TunnelCrack), setting includeAllNetworks to true (and possibly excludeLocalNetworks too) will prevent traffic from leaking from the tunnel. These flags tell iOS that the VPN app expects all traffic to be routed through it. On other platforms, this would normally be achieved by using the system firewall and, to improve UX, by changing the routing table - superficially, setting just one flag seems like a great improvement to the developer experience. The documentation for this flag explains what type of traffic will and will not be excluded, but lacks any further detail.

The reason why we have not set this flag in our iOS app is that it does not quite work. It breaks various behaviors the app was relying upon - for some things we have found workarounds, but there is an especially bad one that we cannot work around.

What follows is a deeply technical walkthrough of our challenges with the includeAllNetworks flag. If you care not for the technical details, the short answer is - if we were to enable the flag today, the app would work fine until it would be updated via the AppStore, at which point the system would lose all network connectivity. The most intuitive way of fixing this is to restart the device. As far as we know, there is no way for our app to detect and in any way help work around this behavior.

The beginnings of includeAllNetworks

Our iOS app, much like all of our other VPN client applications, uses ICMP packets to establish whether a given tunnel configuration is working or not. When using DAITA or quantum-resistant tunnels, the app will also need to establish a TCP connection to a host only reachable through the tunnel. Both of these network connections are made by the tunnel process - on iOS the VPN connection is managed by a separate process from the one that users interact with. In the ICMP case, we use a regular socket() syscall to create an ICMP socket to our gateway at 10.64.0.1. For the TCP connection, we initially used a now deprecated NWTCPConnection. To not leak this traffic outside of the tunnel, we attempt to bind these sockets to the tunnel interface. These work as expected when includeAllNetworks is not in use, but when we set the flag, they just stop working. No errors were reported from sendmsg; the best feedback we got was that the NWTCPConnection's state never updated away from waiting. When experiencing misbehavior like this, it is almost always a sure bet to assume that we are misusing whatever interface we are trying to use. Apple does not guarantee that regular BSD sockets will just work, and since we're trying to reach 10.64.0.1 via the in-tunnel TCP connection, maybe it has some weird behavior if it's a 10/8 address?

Could we do without ICMP and TCP traffic from the tunnel process?

Yes, we can change our code to not rely on ICMP and TCP, even if it is just to run our experiments. So, when we choose to just not send ICMP traffic and assume that the tunnel is always working, the VPN connection just works. You can open up Safari and browse the internet, watch videos, browse social media, and send pings to 10.64.0.1 via a terminal emulator. Hold that thought - when connected via our app, the device is capable of sending ICMP traffic to our gateway via other applications. But our own app is not able to do so.

Holding it harder

We have established that we cannot send ICMP traffic the usual way from the packet tunnel process, and we cannot use the NWTCPConnection from the Network Extension framework to send TCP traffic from the tunnel, a class specifically created to facilitate VPN processes sending traffic inside their own tunnels. We could feasibly come up with a different strategy for inferring whether a given WireGuard relay is working without ICMP, but we do need TCP for negotiating ephemeral peers for DAITA and quantum-resistance. In iOS 18, one can construct an NWConnection with NWParameters whose requiredInterface is set to the virtualInterface of the packet tunnel - this should create a working connection from within the tunnel process. It does, as long as the includeAllNetworks flag is set to false. Otherwise, we observe the exact same behavior as before. This would only make the app work on iOS 18, so it is not an entirely viable solution to our woes; at the time of writing, we are trying to support iOS 15.

What even is a packet tunnel?

There are various different Network Extensions that an iOS app can provide - the one we are using is a Packet Tunnel provider. It provides a way for a developer to read all user traffic to then encrypt it and send it off, and conversely, to write back packets received from the tunnel. To start one, the main app has to create a VPN profile - the profile contains the configuration object where includeAllNetworks can be set. The configuration can be updated with a tunnel running, but the tunnel needs to be shut down and restarted for changes to take effect. Once the VPN process is started, it must signal to the system that it is up and then, to actually move traffic, it should start reading user traffic via packetFlow or, as most VPN applications using WireGuard in the wild do, directly from the utun file descriptor.

In practice, when an app on the device tries sending something on the network, an app implementing a Packet Tunnel provider will end up reading the traffic. When our VPN process is trying to send traffic inside the tunnel, it is essentially trying to write some data into one pipe (NWConnection) and expecting to see it come out of the packet tunnel. When we configure our packet tunnel provider with includeAllNetworks = true, we do not see that traffic coming through. We can see that other processes are able to send traffic to those same hosts. We have to conclude that something is preventing our VPN process from reading traffic that it itself is trying to send.

Holding it even harder

When the VPN process is trying to send traffic to a host within the tunnel, it feels redundant to put something into a pipe to then turn around and read it back out. Could we not just construct the packets ourselves and handle them the same way we would handle them if they were read out from the packet tunnel? Yes, we can: we already do this for UDP traffic for multihop, and we can trivially do this for ICMP too. Supporting TCP is a lot more complicated than just adding a header to a payload, but we are already using WireGuard, and the canonical WireGuard implementation on iOS is wireguard-go, which, for testing, already pulls in a userspace networking stack. Since we need at most 2 TCP connections per tunnel connection, performance is not a concern, and we can rely on gvisor's gonet package to give us a lovely Go interface for creating TCP connections in userspace. We can then mux between the real tunnel device and our virtual networking stack. After all of that, we can reach a TCP service hosted inside our tunnel from our own tunnel process. This works, and we have tested it for quite a while. We are already using this mechanism in our released app; the TCP and ICMP traffic is already sent via the userspace networking stack. Yet we still are not using the includeAllNetworks flag. Why not?

Locking in an app version

When regular applications use NWConnections, they should wait until their NWConnection's state is set to ready. When a VPN profile is active and it has been configured with includeAllNetworks = true, the connections will only become ready when the VPN process signals to the system that it is up. When a user clicks the connect button in our application, we start our VPN tunnel, but we also configure it to be started on-demand so that if the device reboots or if the packet tunnel crashes for whatever reason, it should be started up again as soon as any traffic is trying to reach the internet.

The behavior described above intersects horribly with app updates. We have not done a deep investigation to understand the details of the update process, but superficially we can observe the following. When includeAllNetworks = false, the process goes like this:

  • Update is initiated (by user or automatically, Xcode or App Store)
  • Old packet tunnel process is sent a SIGTERM
  • New app is downloaded
  • New app is installed
  • New pac...

Content cut off. Read original on https://old.reddit.com/r/mullvadvpn/comments/1jk8nfo/why_we_still_dont_use_includeallnetworks_blog/
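
The post's "construct the packets ourselves" idea, as an added example that is not code from Mullvad's app, wireguard-go or gvisor: the tunnel process builds the IPv4/ICMP echo request to 10.64.0.1 itself (checksums included) so it can be fed straight into the WireGuard encryption path instead of a socket, and a small demux on the decrypted side separates replies to its own probes, matched on the ICMP identifier, from user traffic that must be written back to utun (including a ping some other app sends to the same gateway). TCP via gvisor's gonet is left out so the program needs only the standard library. The client address 10.64.23.7, the identifier value, the Demux/Classify names and the gatewayReply helper that stands in for the real gateway are all assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// 10.64.0.1 is the in-tunnel gateway named in the post; the client address is an
// assumed value for the example.
var (
	gatewayIP = net.IPv4(10, 64, 0, 1).To4()
	clientIP  = net.IPv4(10, 64, 23, 7).To4()
)

const (
	ipv4HeaderLen   = 20
	protoICMP       = 1
	protoTCP        = 6
	icmpEchoReply   = 0
	icmpEchoRequest = 8
)

// Dest says where a decrypted packet read from the WireGuard tunnel should go.
type Dest int

const (
	ToUtun  Dest = iota // user traffic: write it back to the packet tunnel / utun
	ToProbe             // echo reply to a probe this process injected itself
	Drop                // malformed or failed checksum
)

// checksum is the RFC 1071 ones-complement sum used by IPv4 and ICMP headers.
// Over data that already carries a correct checksum it returns 0.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildIPv4 wraps payload in a minimal IPv4 header (no options, no fragmentation).
func buildIPv4(src, dst net.IP, proto byte, payload []byte) []byte {
	pkt := make([]byte, ipv4HeaderLen+len(payload))
	pkt[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = proto
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[10:], checksum(pkt[:ipv4HeaderLen]))
	copy(pkt[ipv4HeaderLen:], payload)
	return pkt
}

// buildEchoRequest is the probe the tunnel process hands to WireGuard directly.
func buildEchoRequest(src, dst net.IP, id, seq uint16, data []byte) []byte {
	icmp := make([]byte, 8+len(data))
	icmp[0] = icmpEchoRequest
	binary.BigEndian.PutUint16(icmp[4:], id)
	binary.BigEndian.PutUint16(icmp[6:], seq)
	copy(icmp[8:], data)
	binary.BigEndian.PutUint16(icmp[2:], checksum(icmp))
	return buildIPv4(src, dst, protoICMP, icmp)
}

// Demux sits between the decrypted side of the tunnel and utun. probeID is the
// ICMP identifier stamped on our own probes (assumed value); any other ICMP,
// such as a ping a user runs from a terminal, is ordinary traffic.
type Demux struct{ probeID uint16 }

// Classify validates the packet and returns where it goes plus, for our own
// echo replies, the sequence number that was answered.
func (d Demux) Classify(pkt []byte) (Dest, uint16) {
	if len(pkt) < ipv4HeaderLen || pkt[0]>>4 != 4 {
		return Drop, 0
	}
	ihl := int(pkt[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(pkt[2:]))
	if ihl < ipv4HeaderLen || total < ihl || total > len(pkt) || checksum(pkt[:ihl]) != 0 {
		return Drop, 0
	}
	if pkt[9] != protoICMP {
		return ToUtun, 0
	}
	icmp := pkt[ihl:total]
	if len(icmp) < 8 || checksum(icmp) != 0 {
		return Drop, 0
	}
	if icmp[0] != icmpEchoReply || binary.BigEndian.Uint16(icmp[4:]) != d.probeID {
		return ToUtun, 0
	}
	return ToProbe, binary.BigEndian.Uint16(icmp[6:])
}

// gatewayReply stands in for 10.64.0.1 in this example: swap addresses, flip the
// type to echo reply and recompute both checksums. No real gateway is involved.
func gatewayReply(req []byte) []byte {
	ihl := int(req[0]&0x0f) * 4
	rep := append([]byte(nil), req...)
	copy(rep[12:16], req[16:20])
	copy(rep[16:20], req[12:16])
	rep[10], rep[11] = 0, 0
	binary.BigEndian.PutUint16(rep[10:], checksum(rep[:ihl]))
	icmp := rep[ihl:]
	icmp[0] = icmpEchoReply
	icmp[2], icmp[3] = 0, 0
	binary.BigEndian.PutUint16(icmp[2:], checksum(icmp))
	return rep
}

func main() {
	d := Demux{probeID: 0x4d56}
	req := buildEchoRequest(clientIP, gatewayIP, d.probeID, 1, []byte("mullvad"))
	dest, seq := d.Classify(gatewayReply(req))
	fmt.Println(dest == ToProbe, seq) // true 1
	tcp := buildIPv4(gatewayIP, clientIP, protoTCP, make([]byte, 20))
	dest, _ = d.Classify(tcp)
	fmt.Println(dest == ToUtun) // true
}
```

The point of checking checksums before matching on the identifier is that the demux is the only thing between the decrypted tunnel and the rest of the system: a corrupted or crafted ICMP packet from the far end should be dropped rather than either counted as a successful probe or pushed to utun.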

377
 
 
The original post: /r/mullvadvpn by /u/StayJuicePriv on 2025-03-26 06:42:52.

Is there a way to use multihop on an OpenWrt router with Mullvad?

378
 
 
The original post: /r/mullvadvpn by /u/BetterArcher5115 on 2025-03-25 23:50:11.

Hey everyone, does Europe have any Xray-protocol VPN? No Chinese ones (they sell user data, even to the police, really), and no-log like Mullvad VPN.

379
 
 
The original post: /r/mullvadvpn by /u/Sudden_Relation2356 on 2025-03-25 17:59:12.

Been trying to get beyond account setup email and phone, but each time I get locked out.

Spoke to people using Nord and Express, but ours will get locked... found out a little late. Now I don't even know if their nonexistent support will ever get back to me.

380
 
 
The original post: /r/mullvadvpn by /u/PoundKitchen on 2025-03-25 15:21:36.

Using base.dns.mullvad.net for my DoH I'm now seeing dnsleaktest.com is getting blocked/dropped. Getting...

This site can’t be reached

www.dnsleaktest.com’s DNS address could not be found. Diagnosing the problem.

DNS_PROBE_POSSIBLE

Legit? Why?

381
 
 
The original post: /r/mullvadvpn by /u/MullvadNew on 2025-03-25 12:52:48.

Link: https[://]mullvad[.]net/en/blog/help-test-mullvad-browser-alpha



Before releasing a stable version of Mullvad Browser, we create alpha releases for testing purposes. These early versions contain the latest features and updates, allowing us to gather feedback and identify issues before wider release.

To become an early adopter and help us test, you can install Mullvad Browser Alpha from either:

  • Our download page (https[://]mullvad[.]net/download/browser)
  • For Debian/Ubuntu/Fedora, from our repository servers (https[://]mullvad[.]net/help/install-mullvad-browser#linux-install) (package name: mullvad-browser-alpha)

Important information

  • Alpha versions may occasionally be broken
  • These builds don't offer the same level of privacy and security guarantees as stable releases
  • They can be installed alongside the stable version without conflicts

Feedback can be sent either by email to support@mullvadvpn[.]net or directly in our browser issue tracker.

382
 
 
The original post: /r/mullvadvpn by /u/Enowki on 2025-03-24 19:07:46.

So, I turned the always-on option on and it still disconnects sometimes, and I can't let that happen. Any fixes?

383
 
 
The original post: /r/mullvadvpn by /u/wait-Whoami on 2025-03-24 19:02:22.

Hey r/mullvadvpn, I’m a big fan of Mullvad VPN—love their no-logs policy and how they keep things simple and private. I was trying to learn more about the folks who started it, Daniel Berntsson and Fredrik Strömberg, since they founded Amagicom AB back in 2009. Daniel seems super low-key online, and Fredrik might be the same guy who’s into Swedish comics (which is cool!), but I couldn’t find much tying his comics work to Mullvad—like on his blog (fredrikstromberg.com), it’s all comics, no VPN stuff.

I saw a 2013 Freedom Hacker interview where a Fredrik Strömberg talks about co-founding Mullvad, but I’m wondering if anyone’s got a clearer link, like something from Fredrik himself or Mullvad that confirms it’s the same person. Not digging for secrets, just curious about the people behind a service I really admire! Anyone know more or seen something I missed? Thanks!

384
 
 
The original post: /r/mullvadvpn by /u/77slevin on 2025-03-24 17:25:24.

I'm on a Belgian server if it matters.

385
 
 
The original post: /r/mullvadvpn by /u/Shoddy-Thought1827 on 2025-03-24 10:50:20.

Right now on Windows, Linux and Mac it is possible to do operations with Mullvad without using the GUI, which is neat and very useful. Is it possible to do so with the Android shell console? I'm not finding anything about it, but I really need it.

386
 
 
The original post: /r/mullvadvpn by /u/kwhytte on 2025-03-24 02:44:36.

Reading many comments that Mullvad Browser will no longer be maintained.

I'd appreciate an official correction, if any, please.

387
 
 
The original post: /r/mullvadvpn by /u/destroytokyo11 on 2025-03-23 20:14:59.

Pretty much what the title says. I'm on Windows and while I had qBittorrent open, added a completely separate program to my split tunnel (my internet browser). Suddenly no data was being downloaded/uploaded anymore. Removed the browser from split tunnel, moved on with my day, until I got a letter from my ISP. Checked iknowwhatyoudownload and what do you know, my whole letterboxd is there.

Mullvad was bound to qbit as the allowed network interface in qbit settings, too. No idea how my IP leaked but just giving a heads up.

388
 
 
The original post: /r/mullvadvpn by /u/Intelligent-Stone on 2025-03-23 16:41:16.

As in the title, I'm unable to connect to them when Mullvad is enabled. Is there any way to add 100.x.x.x or specific IP addresses to a whitelist so Mullvad won't tunnel them, and let that be handled by others?

389
 
 
The original post: /r/mullvadvpn by /u/Eliminate-DaBots on 2025-03-23 13:25:17.

I see audit reports for Mullvad, but it seems none of them confirm that Mullvad is logless. Has this ever been audited?

Edit: As I said in a comment I've been using Mullvad for four years and it was just something I thought to check and found very little. Mullvad seems like a great company but I don't want to solely take their word for it. I'd like to see a definitive clear statement from an auditor on such an important topic. Have a good day everyone!

390
 
 
The original post: /r/mullvadvpn by /u/vzzzbxt on 2025-03-23 11:54:52.

Can only seem to connect to a few servers worldwide, and speed is pretty slow.

Any idea if this will be fixed, my sub is ending this week

Thanks

391
 
 
The original post: /r/mullvadvpn by /u/drzero3 on 2025-03-23 09:53:38.
392
 
 
The original post: /r/mullvadvpn by /u/EmeraldGhostie on 2025-03-23 07:07:28.

Can't download any YouTube videos with Mullvad VPN. Not sure what the problem is (tried different servers and turning quantum-resistant and obfuscation on/off).

393
 
 
The original post: /r/mullvadvpn by /u/newstationeer on 2025-03-22 22:14:13.

Hi, new to mullvad, and I'm trying to find a way to open the GUI application on boot on linux (fedora). I know that I can schedule a cron job to connect using the terminal command, but I would like the tray icon to always display. Any help appreciated!

394
 
 
The original post: /r/mullvadvpn by /u/stylobasket on 2025-03-22 19:47:27.

Hello Mullvad community,

I've been experiencing an issue with split tunneling on my system. For some reason, the split tunneling feature works perfectly with most of my applications, but it doesn't seem to work with Safari at all.

When I configure other apps to bypass the VPN tunnel, they connect directly to the internet as expected. However, when I add Safari to the split tunnel list, it still routes through the VPN connection instead of bypassing it.

Has anyone else encountered this issue? Is this a known limitation with Safari specifically? I've tried restarting the app, my computer, and even reinstalling Mullvad, but the problem persists.

My setup:

  • Mullvad version: 2025.03
  • OS: MacOS

Any help or insight would be greatly appreciated!

395
 
 
The original post: /r/mullvadvpn by /u/PearOfJudes on 2025-03-22 12:52:40.
396
 
 
The original post: /r/mullvadvpn by /u/AventureraA on 2025-03-21 16:52:45.

I recently changed from ExpressVPN to MullvadVPN, on both laptop and iPhone. Normally I use 3-4 GB of mobile data per month. This month, I used 15GB in less than three weeks, without any changes in my habits.

Has anyone else had this experience? Why does Mullvad use more mobile data? Any advice on how to reduce Mullvad's mobile data load?

397
 
 
The original post: /r/mullvadvpn by /u/Slow-Confusion7169 on 2025-03-21 14:03:35.

Hi everyone,

When using Mullvad VPN, does traffic to localhost (127.0.0.1) or other loopback addresses route through the VPN, or does it remain local to the machine? Or do I need to manually whitelist these addresses? Thank you!

398
 
 
The original post: /r/mullvadvpn by /u/Pepe__LePew on 2025-03-21 10:16:32.

I understand tailscale and mullvad are supposed to work together on Android phones.

How can I achieve this as I can't see any options on either mullvad or tailscale app?

I currently have nordvpn but Android only lets you have one vpn turned on, either tailscale or Nord so this doesn't work.

Was hoping mullvad can fix this on Android but can't see an option?

Please advise if you managed to do it.

Thx

ps. Dear Admin = I'm unclear how this is FUD? Unless you can please advise how we can use anonymous mullvad accounts via tailscale? It seems they don't allow using existing anonymous accounts, so have to purchase via tailscale = disclosing full credit card and other details. If I'm wrong, happy to be corrected? thanks

399
 
 
The original post: /r/mullvadvpn by /u/BetterArcher5115 on 2025-03-21 05:52:26.

This month the CPC meetings are being held, and China's GFW has caused serious DNS pollution; we can't even connect to the VPN server.

Now that's it: we can use DNSCrypt to resolve DNS pollution, but the Mullvad VPN CLI does not support split IP, so I think I'll use nekoray to run the WireGuard config.

nekoray's TUN mode supports bypassing some IPs and processes, so we can resolve DNS pollution when we connect to the VPN server.

400
 
 
The original post: /r/mullvadvpn by /u/DunderMifflin_HR on 2025-03-20 18:04:20.

I was all in with Proton for a while now. But after comments by the Proton CEO I've decided to start looking for alternatives.

Loving mullvad so far
