Mullvad desktop on linux blocks connections to IPv6 addresses with the same prefix as the global ipv6 #7195

Open
2 tasks done
jm355 opened this issue Nov 18, 2024 · 2 comments
Labels
bug Linux Issues related to Linux

Comments


jm355 commented Nov 18, 2024

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

If you have a home server, and you're connected to the same network, mullvad blocks connection to it because the default route is to connect directly to that ip rather than go through mullvad. In other words, the default route is via the current network device (e.g. eth0) rather than mullvad (i.e. wg0-mullvad). But, mullvad blocks that traffic, and there isn't a route for it to go through mullvad, so the traffic just doesn't go through.

Expected Behavior

Connecting to a publicly accessible IPv6 address should work even if you're on the same LAN as the server in question, by routing through mullvad first.

Steps to Reproduce

  1. have home server with public ipv6 address
  2. connect to the same router for internet access
  3. connect to mullvad with wireguard
  4. the prefix of the server IPv6 is the same as the prefix of your computer's IPv6
  5. the routing table shows that IPs with that prefix will be routed through the network device, not mullvad
  6. attempt to connect to home server via public ipv6 address
  7. cannot connect

Failure Logs

No response

Operating system version

Arch Linux latest

Mullvad VPN app version

2024.7

Additional Information

The solution as far as I can tell is simply for mullvad to add a route for the IPv6 prefix to go through mullvad. In my case, the routing table had

2001:db8:abcd:1234::/64        [::]                       Ue   100 1      0 enp2s0f0

and after adding

2001:db8:abcd:1234::/64        [::]                       U    100 17      0 wg0-mullvad

with sudo ip -6 route replace 2001:db8:abcd:1234::/64 dev wg0-mullvad metric 100 protocol static, I'm now able to connect. I think mullvad should create this route automatically.

Or, maybe this can be handled by nftables? I know mullvad adds a big table with a lot of rules, but I don't really understand it, but it could be as simple as adding a specific rule for IPs with the same prefix to also go through mullvad instead of being blocked? I'm not familiar enough with nftables to be sure.
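
A way to spot the condition described in this report, as an added example that is not part of the original issue or of Mullvad's code: it reads a routing table in the seven-column format quoted above and lists global IPv6 prefixes that have an on-link route but no route on the tunnel interface. The function name `onlink_bypass`, the restriction to 2000::/3, and every sample row other than the two quoted in the issue are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find global IPv6 prefixes routed on-link rather than via the tunnel.
# Columns follow the table quoted in the issue:
# destination, next hop, flags, metric, ref, use, interface.

TUNNEL_IF="wg0-mullvad"   # tunnel interface name as given in the issue

# Constructed sample: the first row is the one quoted in the issue,
# the other rows are made up to exercise the filter.
sample_before() {
cat <<'EOF'
2001:db8:abcd:1234::/64        [::]                       Ue   100 1      0 enp2s0f0
fe80::/64                      [::]                       U    1024 1     0 enp2s0f0
::/0                           fe80::1                    UG   100 1      0 enp2s0f0
ff00::/8                       [::]                       U    256 1      0 enp2s0f0
EOF
}

# Same table plus the workaround route the reporter added.
sample_after() {
sample_before
cat <<'EOF'
2001:db8:abcd:1234::/64        [::]                       U    100 17     0 wg0-mullvad
EOF
}

# Usage: <routing table on stdin> | onlink_bypass TUNNEL_IF
# Prints "prefix interface" for each global-unicast (2000::/3) prefix that is
# reachable through a non-tunnel interface and has no route on the tunnel.
onlink_bypass() {
    awk -v tun="$1" '
        NF < 7 || $1 !~ /\/[0-9]+$/ { next }               # header or malformed row
        { dst = tolower($1); ifc = $NF }
        dst !~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/ { next }   # keep 2000::/3 only
        ifc == tun { via_tun[dst] = 1; next }              # prefix already covered
        { direct[dst] = ifc }
        END { for (d in direct) if (!(d in via_tun)) print d, direct[d] }
    ' | sort
}

# Demo on the constructed "before" table.
sample_before | onlink_bypass "$TUNNEL_IF"
```

An empty result means every global prefix in the table also has a route on the tunnel interface, which is the state the reporter reached after adding the route by hand.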

@jm355 jm355 added the bug label Nov 18, 2024

jm355 commented Nov 18, 2024

On the android app, this is already handled correctly. Even on the same LAN, data to the server is routed through mullvad.

And for clarity, it's not an issue with the server. I can connect to the server when I'm connected to mullvad on any other network. The issue is only present when my computer is on the same LAN as the server and I'm connected to mullvad.


hulthe commented Nov 28, 2024

Thanks for reporting, seems like a pretty clear bug. I'll see if we can look into this.
