author David Lönnhager <david.l@mullvad.net> 2025-04-03 11:57:33 +0200
committer David Lönnhager <david.l@mullvad.net> 2025-04-07 14:02:48 +0200
commit 3b7a086cff884209b60e3e761227c03508ce7d27
tree 736f08ec3551e57925fefbd7383906df0a9cb298
parent 5d5e695099c4c89e21101b6683d1a7277c07bd44
Mention limitations related to IPC
-rw-r--r-- docs/known-issues.md 9
-rw-r--r-- docs/split-tunneling.md 18
2 files changed, 23 insertions, 4 deletions
diff --git a/docs/known-issues.md b/docs/known-issues.md
index 40d1e34c63..a71cee0b49 100644
--- a/docs/known-issues.md
+++ b/docs/known-issues.md
@@ -93,13 +93,14 @@ This affects all versions of the iOS app on all versions of iOS.
[blog about TunnelVision]: https://mullvad.net/blog/evaluating-the-impact-of-tunnelvision
-### DNS requests for excluded applications can go inside the tunnel
+### Excluded application traffic can sometimes go inside the tunnel
Ideally DNS requests from excluded apps would always go outside the tunnel. However, this
-is not really possible, or hard to implement on some operating systems. See the
-[split tunneling documentation] for details.
+is not really possible, or hard to implement on some operating systems. There are also other
+limitations that are mostly related to IPC. See the [split tunneling documentation] for
+details.
-[split tunneling documentation]: ./split-tunneling.md#dns
+[split tunneling documentation]: ./split-tunneling.md
### Temporary leaks while tunnel is being reconfigured on Android
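Review bot: The new heading and the added sentence ("There are also other limitations that are mostly related to IPC") only describe excluded traffic ending up inside the tunnel, but the "Other limitations" text added to docs/split-tunneling.md in this same patch also covers the reverse case, where a browser opened from an excluded app "_is_ unexpectedly excluded". For a known-issues entry, that second direction is the one readers most need to see, so consider wording the heading and the sentence to cover both, for example by saying that traffic may be excluded or included unexpectedly. Renaming the heading also changes its anchor, so check for existing links to the old one. Since the link target drops `#dns`, consider keeping a DNS-specific link alongside a second link to the new section.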
diff --git a/docs/split-tunneling.md b/docs/split-tunneling.md
index 722484ad70..9c2ef730d7 100644
--- a/docs/split-tunneling.md
+++ b/docs/split-tunneling.md
@@ -71,3 +71,21 @@ possible to exclude public custom DNS in that case.
Otherwise DNS won't work.
In other words: Excluded apps behave as if there was no VPN tunnel running at all.
+
+## Other limitations
+
+Several limitations exist that relate to interprocess communication. An app is excluded if its path
+is excluded or if its parent process is excluded. This can be problematic at times. For example,
+opening a browser often typically tells the existing browser instance to open a new window, which
+means the "excluded" status is not inherited.
+
+On Linux, especially, where split tunneling isn't path-based at all, this means that the new browser
+window will be forked off from a process that isn't excluded.
+
+This model also implies other potentially unexpected behavior. For example, clicking a link in an
+excluded app may (if there's no existing browser instance) open a browser window that _is_
+unexpectedly excluded, simply because the parent is excluded.
+
+The limitations due to IPC are perhaps especially noticeable on macOS, since WebKit relies on other
+processes to render web pages. This means that many browsers, including Safari, cannot be excluded
+from the VPN.
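Review bot: The rule in the first added paragraph, "An app is excluded if its path is excluded or if its parent process is excluded", is stated for all platforms, but the next paragraph says split tunneling on Linux "isn't path-based at all", so the two read as contradictory. Suggest scoping the rule per platform, saying which ones match on path and which on the parent process only. In the same paragraph "often typically" is redundant, so drop one of the two words. The macOS paragraph says browsers such as Safari "cannot be excluded" without saying what a user who tries to exclude one will observe. Stating whether their traffic then stays inside the tunnel would make the consequence explicit.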