Comment by yamrzou
4 years ago
A bit tangential to the main post, but I'd like to share a recent positive experience with Mullvad:
I am a regular user of Mullvad and recently wanted to try a different VPN that only provides WireGuard configs (i.e. no native app). I used the default setup.
For some reason, my internet connection was flaky, and when it disconnected and reconnected, my traffic leaked.
That never happened to me with Mullvad as the app comes with an "Always require VPN" option out of the box and it has always worked reliably.
On Linux you can create a network namespace exposing only the WireGuard network device, so that applications in that namespace cannot leak traffic. Setting this up, however, is quite fiddly in my experience.
In addition it is probably not a bad idea to block all traffic on wlo1 / eth0, except that to the Mullvad server IPs, through some ufw rules. If you forget to configure the namespace for some applications, then it is highly unlikely the app has internet access (i.e., it would need its own Mullvad/VPN implementation included).
I have this setup in my homelab and use it to isolate networks by role. The bash script to set up and tear down the namespace is here:
https://github.com/VTimofeenko/wireguard-namespace-service/b...
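The namespace-plus-firewall setup described in the comment above, as an added example that is not the commenter's linked script and not Mullvad's code. It creates the WireGuard interface in the host namespace (so its UDP socket, and therefore the encrypted traffic, stays on the host uplink), moves the interface into a namespace that has nothing else but lo, and loads a host nftables kill switch in place of the ufw rules the comment mentions. Interface names, the endpoint 198.51.100.10:51820, the tunnel address, the in-tunnel resolver and the key path are all placeholders to be taken from your own provider config.

```shell
#!/bin/sh
# Added example, not the commenter's script and not Mullvad's code.
# Runs a WireGuard tunnel inside a network namespace so programs started there
# can only reach the world through wg0, and installs a host-side nftables kill
# switch so the uplink itself only carries WireGuard UDP to the VPN endpoint.
# All names and addresses below are assumptions to adapt to your config.
# Needs root plus iproute2, wireguard-tools and nftables.
set -eu

NS="${NS:-vpn}"                                  # network namespace name
WAN_IF="${WAN_IF:-eth0}"                         # physical uplink on the host
WG_IF="${WG_IF:-wg0}"
ENDPOINT_IP="${ENDPOINT_IP:-198.51.100.10}"      # placeholder VPN server address
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"
WG_ADDR="${WG_ADDR:-10.64.0.2/32}"               # placeholder tunnel address
VPN_DNS="${VPN_DNS:-10.64.0.1}"                  # placeholder in-tunnel resolver
WG_PRIVKEY_FILE="${WG_PRIVKEY_FILE:-/etc/wireguard/private.key}"
PEER_PUBKEY="${PEER_PUBKEY:-}"                   # server public key from the config

# Host ruleset: locally generated packets may leave via lo, and via the uplink
# only as WireGuard UDP to the endpoint (plus DHCP so the uplink keeps its
# lease). Everything else is dropped, so a process you forgot to start inside
# the namespace still has no direct path to the internet. oifname is used
# rather than oif so the rules load even when an interface is absent.
killswitch_ruleset() {
    cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$WAN_IF" ip daddr $ENDPOINT_IP udp dport $ENDPOINT_PORT accept
        oifname "$WAN_IF" udp dport 67 accept
    }
}
EOF
}

vpn_up() {
    [ -n "$PEER_PUBKEY" ] || { echo "set PEER_PUBKEY to the server's public key" >&2; return 1; }
    ip netns add "$NS"
    ip -n "$NS" link set lo up
    # Create and configure the interface in the host namespace first: the UDP
    # socket stays in the namespace where the device was created, so encrypted
    # packets leave via $WAN_IF while the plaintext side lives only in $NS.
    ip link add "$WG_IF" type wireguard
    wg set "$WG_IF" private-key "$WG_PRIVKEY_FILE" \
        peer "$PEER_PUBKEY" endpoint "$ENDPOINT_IP:$ENDPOINT_PORT" \
        allowed-ips 0.0.0.0/0,::/0 persistent-keepalive 25
    ip link set "$WG_IF" netns "$NS"
    ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    ip -n "$NS" link set "$WG_IF" up
    ip -n "$NS" route add default dev "$WG_IF"
    # ip netns exec bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf,
    # so name lookups inside the namespace go to the in-tunnel resolver.
    mkdir -p "/etc/netns/$NS"
    printf 'nameserver %s\n' "$VPN_DNS" > "/etc/netns/$NS/resolv.conf"
    killswitch_ruleset | nft -f -
}

vpn_down() {
    nft delete table inet vpn_killswitch 2>/dev/null || true
    ip netns del "$NS"    # deleting the namespace also destroys $WG_IF
}

# Run a command inside the namespace, dropping back to the invoking user.
vpn_exec() {
    ip netns exec "$NS" sudo -u "${SUDO_USER:-root}" -- "$@"
}

case "${1:-}" in
    up)         vpn_up ;;
    down)       vpn_down ;;
    exec)       shift; vpn_exec "$@" ;;
    show-rules) killswitch_ruleset ;;
    "")         ;;   # sourced or run without arguments: only define functions
    *)          echo "usage: $0 up|down|exec CMD...|show-rules" >&2; exit 2 ;;
esac
```

Usage: `sudo PEER_PUBKEY=... ./vpnns.sh up`, then `sudo ./vpnns.sh exec curl https://example.org` (or `ip netns exec vpn sudo -u you firefox`). The host ruleset is deliberately belt and braces: the namespace already has no interface other than wg0 and lo, so nothing started inside it can leak even if the host rules are later disturbed, and the host rules catch whatever was not started inside it.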
I would suggest vopono to do this automatically.
It’s easier and more secure to just create a VM that’s bridged to the VPN interface (regardless of protocol) if you don’t use the VPN for everything but the things you do use it for absolutely must go through it.
I think I like this idea the best - simple, effective, and unbreakable due to config changes or updates.
Plus it gives you a psychological separation between "VPN related activities" and not. Or you just do everything in the VM. Adds a layer security-wise as well to protect your physical system.
If you wanted to get really fancy you could have a few different VMs and each one on a different company's VPN
Any “always require vpn” option is a game of cat and mouse and is going to leak traffic at some point, whether easily detectable or otherwise. As others have said, you need to set up a secure environment that only has that one and only option for accessing the outside world.
Agree, Mullvad provides a really good VPN service. I have faced almost zero downtime / speed throttling. It establishes a quick connection with the server (maybe because it uses WireGuard). Anyway, I'm a regular user and I think paying €5 is worth it.
> It establishes a quick connection with the server (maybe because it uses WireGuard)
I'm actually kind of curious about what WireGuard does here. I think WireGuard says it's connected almost immediately even when it isn't, presumably holding traffic back locally while it waits for the connection to be active. I was wondering because I spent some time confused by a non-Mullvad WireGuard connection that wasn't working (turns out the server wasn't available at all) that nonetheless appeared as "connected".
The NetworkManager UI, if I recall, just shows that the WG connection is turned on, not that there are packets coming back. (It's not client-server, so this "makes sense".)
Seconded. Very occasionally I'll have to swap servers in a location but that's super infrequent and it's not exactly a primary tier location that I'm using. One of those things I can generally just set up and leave working.
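A check for the situation the two comments above describe, as an added example that is not code from the thread. A WireGuard interface is "up" as soon as the kernel device exists; the handshake only happens when there is something to send, so a dead server looks connected until you read the per-peer latest-handshake timestamps. The interface name, the 180 s threshold and the sample `wg show` output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. "Interface up" says nothing about
# the peer: WireGuard handshakes lazily, on the first outgoing packet, and the
# device stays up when the server is unreachable. The honest liveness signal
# is the latest-handshake time per peer. Interface name, threshold and the
# sample `wg show` output below are assumptions.
set -eu

WG_IF="${WG_IF:-wg0}"
# With traffic flowing, a live peer re-handshakes about every 120 s
# (REKEY_AFTER_TIME) and a session older than 180 s (REJECT_AFTER_TIME) is
# discarded, so a last handshake older than that while you are sending means
# nobody is answering.
MAX_HANDSHAKE_AGE=180

# handshake_state LAST NOW -> never | fresh | stale  (LAST is 0 if no handshake yet)
handshake_state() {
    last=$1; now=$2
    if [ "$last" -eq 0 ]; then
        echo never
    elif [ $((now - last)) -le "$MAX_HANDSHAKE_AGE" ]; then
        echo fresh
    else
        echo stale
    fi
}

# peer_states "OUTPUT" NOW: classify each line of `wg show IFACE latest-handshakes`,
# whose format is "<peer public key><TAB><unix timestamp>", one peer per line.
peer_states() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r pubkey last; do
        [ -n "$pubkey" ] || continue
        printf '%s %s\n' "$pubkey" "$(handshake_state "$last" "$2")"
    done
}

# tunnel_alive [IFACE]: exit 0 if at least one peer handshook recently.
# Send something through the tunnel first (or set persistent-keepalive): an
# idle tunnel has nothing to handshake for and will look stale on its own.
tunnel_alive() {
    iface=${1:-$WG_IF}
    now=$(date +%s)
    wg show "$iface" latest-handshakes \
        | awk -v now="$now" -v max="$MAX_HANDSHAKE_AGE" \
              '$2 > 0 && now - $2 <= max { ok = 1 } END { exit !ok }'
}

# Constructed sample of `wg show wg0 latest-handshakes` as seen at now=1700000200:
# a peer that answered 100 s ago, one that never handshook, one last seen 20 min ago.
SAMPLE_OUTPUT="$(printf 'samplePeerKeyA=\t1700000100\nsamplePeerKeyB=\t0\nsamplePeerKeyC=\t1699999000')"

case "${1:-}" in
    check) if tunnel_alive; then echo "tunnel alive"; else echo "no recent handshake" >&2; exit 1; fi ;;
    demo)  peer_states "$SAMPLE_OUTPUT" 1700000200 ;;
    *)     ;;   # no argument: only define the functions
esac
```

`./wgcheck.sh demo` classifies the constructed sample; `./wgcheck.sh check` (as root, after sending a packet through the tunnel) is what a watchdog or a shell prompt should look at instead of the interface state.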
Can you share the WireGuard config? I suspect it is either missing firewall rules, or they're badly set.