Diffstat (limited to 'docs')
-rw-r--r-- docs/known-issues.md | 31
-rw-r--r-- docs/security.md     |  1
2 files changed, 19 insertions, 13 deletions
diff --git a/docs/known-issues.md b/docs/known-issues.md
index 7e614bb596..8cdcd3f52e 100644
--- a/docs/known-issues.md
+++ b/docs/known-issues.md
@@ -169,14 +169,24 @@ app. We have observed it on macOS 14.6 and newer, but it could very well have ex
The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the
host’s firewall inspect the packets in the same way normal packets are inspected.
The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as
-Ethernet frames only. This means that all firewall rules inserted by the Mullvad app
+Ethernet frames only. This means that all the normal firewall rules inserted by the Mullvad app
to stop leaks are circumvented.
-This affects all virtual machines, containers and software running on a Hyper-V virtual network.
+This problem affects all virtual machines, containers and software running on a Hyper-V virtual
+network.
-We currently have no fix for this issue. We have been experimenting with simply blocking all
-layer 2 traffic. This solution would be safer, but at the same time break some software. The
-user can instead choose to not use said software.
+The app mitigates the issue by blocking all Hyper-V traffic in secured states using Hyper-V-specific
+filters, i.e. a firewall that applies specifically to the Hyper-V hypervisor. The connected state is
+exempted since the routing table will ensure that traffic is tunneled in that case, at least for WSL
+(see details below).
+
+There are certain limitations to this mitigation. First, the Hyper-V firewall is only available on
+*Windows 11 version 22H2 and above*, so it has no effect on earlier versions of Windows.
+Additionally, LAN traffic will never be blocked while connected, regardless of whether "Local
+network sharing" is enabled. Moreover, DNS leaks are more likely to occur.
+
+Your [WSL config] needs to enable the `firewall` setting for the Hyper-V firewall to be enabled.
+It is enabled by default.
#### Linux under WSL2
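Review bot: the sentence "Moreover, DNS leaks are more likely to occur" in the limitations paragraph gives no state or cause, so a reader cannot tell when this applies; since the paragraph above exempts the connected state from the Hyper-V filters, say explicitly whether the DNS risk is in the connected state and what makes it more likely (for example that guest DNS queries are not subject to the app's normal DNS rules). Two smaller points in the same hunk: "secured states" is used without definition, so either list the states (disconnected, connecting, blocking, etc.) or link to where they are defined; and "i.e. a firewall that applies specifically to the Hyper-V hypervisor" reads as if the hypervisor itself were being firewalled, whereas the previous clause describes filters on traffic passing through the Hyper-V virtual network, so consider "i.e. WFP filters that apply to Hyper-V virtual network traffic".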
@@ -184,12 +194,7 @@ Network traffic from a Linux guest running under WSL2 always goes out the defaul
the host machine without being inspected by the normal layers of WFP (the firewall on the
Windows host that Mullvad use to prevent leaks). This means that if there is a VPN tunnel
up and running, the Linux guest’s traffic will be sent via the VPN with no leaks!
-However, if there is no active VPN tunnel, as is the case when the app is disconnected,
-connecting, reconnecting, or blocking (after an error occurred) then the Linux guest’s
-traffic will leak out on the regular network, even if “Lockdown mode” is enabled.
-
-WSL1 does not have this issue. So if you need to prevent leaks and you also need to use
-Linux on Windows, you can try using it under WSL1 instead.
+In the other states, the mitigation above is used to prevent leaks.
#### Edge using Application guard
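Review bot: dropping the "WSL1 does not have this issue" paragraph removes the only workaround that still applies where the new mitigation has no effect, namely Windows versions before 11 22H2 (stated in the previous hunk) and setups where the `firewall` WSL setting is disabled. Suggest keeping a conditional form of it, e.g. "On Windows versions where the Hyper-V firewall is unavailable, WSL1 does not have this issue and can be used instead." The replacement line "In the other states, the mitigation above is used to prevent leaks." should also name the limitations it inherits (LAN traffic, DNS) rather than implying leaks are fully prevented.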
@@ -197,13 +202,15 @@ When running the Microsoft Edge browser with Microsoft Defender Application Guar
the browser uses Hyper-V networking underneath. This makes the network traffic generated
by the browser ignore the Mullvad firewall rules. On top of this, it even ignores the routing
table, and *always* send the traffic directly on the physical network interface
-instead of the tunnel interface.
+instead of the tunnel interface. Hence, the mitigation above is ineffective when the VPN tunnel is
+active.
This affects all app versions and all versions of Edge on Application Guard as far as we know.
Since [Application Guard is deprecated] we are not going to put much effort into solving this.
We recommend users to not use Application Guard.
[Application Guard is deprecated]: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-defender-application-guard
+[WSL config]: https://learn.microsoft.com/en-us/windows/wsl/wsl-config#main-wsl-settings
#### Other VPN software
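Review bot: "Hence, the mitigation above is ineffective when the VPN tunnel is active." only covers the connected state; since the first hunk says all Hyper-V traffic is blocked in secured states, it would help to state the other half explicitly, e.g. "In the other states, Application Guard traffic is blocked by the same Hyper-V filters." so the reader knows the leak is confined to the connected state. Also, the added `[WSL config]` reference definition is used in a hunk that precedes this one; the link still resolves, but grouping it next to the `[Application Guard is deprecated]` definition is fine only if the first hunk's text actually lands, so check the rendered page once both hunks are applied.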
diff --git a/docs/security.md b/docs/security.md
index c79efa2598..6acd412c14 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -313,7 +313,6 @@ removed.
### Windows
-
On Windows, persistent firewall filters may be added when the service exits, in case the service
decides to continue to enforce a blocking policy. These filters block any traffic occurring before
the service has started back up again during boot, including before the BFE service has started.