
Mullvad VPN client
Closed, Wontfix (Public)


Are you actually planning on using this? Because at this point you've requested multiple different VPN providers, and quite frankly I find it hard to believe you use or need all of them.

baimafeima added a comment. Edited Nov 24 2016, 8:53 AM

Frankly, I need to be able to use at least 10 of them and change them on a regular basis because at the location where I live they are frequently subject to DPI and access to their networks gets blocked. I will be requesting several more but these are good for the beginning.

I will be requesting several more but these are good for the beginning.

Honestly, I want @ikey's opinion on this. Don't submit any more until he chimes in please.

Frankly, I need to be able to use at least 10 of them

Uh. All of these VPNs are reinventing crypto every time and that makes you feel *secure*? As opposed to using standardised well supported protocols? IDK how to break it to you man but tools like this and AirVPN etc concern me deeply.

In T1713#29951, @ikey wrote:

Frankly, I need to be able to use at least 10 of them

Uh. All of these VPNs are reinventing crypto every time and that makes you feel *secure*? As opposed to using standardised well supported protocols? IDK how to break it to you man but tools like this and AirVPN etc concern me deeply.

Security is important but secondary in this case. I would rather trust selected VPN providers than my ISPs. Given the amount of censorship at my place, not to speak of intentional bandwidth throttling for all foreign websites, the only viable way is to use VPN or proxy-related services. Different services provide different layers of security, privacy or anonymity (or none thereof). Just because a VPN is branded as secure doesn't make it secure and doesn't make me feel secure in any way. It is really a matter of choosing the lesser evil and having the flexibility to switch according to my use case. What particularly concerns you about AirVPN? Both Mullvad and AirVPN use standard protocols. In what way are they reinventing crypto? Both can be configured via OpenVPN but in my case I need additional obfsproxy configuration which frankly makes it a pain to use, hence, I really need native Linux clients and/or a universal VPN client like Fruho (which unfortunately is not compatible with systemd).

JoshStrobl closed this task as Wontfix. Dec 23 2016, 11:12 PM
JoshStrobl claimed this task.

@JoshStrobl Could you please advise why Mullvad VPN cannot be included? Is the software package too old or are there any other concerns about the trustworthiness of the company?

I'll re-evaluate this when I have some time.

anaknaga added a subscriber: anaknaga.
baimafeima added a comment. Edited Feb 4 2017, 10:40 PM

I have tested both Mullvad and Safejumper in China and they work well. Servers get frequently blocked and with both I can easily select different server locations and ports without importing config files manually. Additionally, both obfuscate traffic which is necessary when you live in a country where state actors are capable of deep packet inspection and block all OpenVPN connections in real time. In general, I am very careful with VPN providers and not all of them are technically on the same level as well as trustworthy as a company. Mullvad and Proxy.sh (Safejumper) are among those I can recommend without reservations. They both actually have native Linux client software (as opposed to many other VPN providers), operate outside US jurisdiction and have a zero logging policy (https://mullvad.net/blog/2017/1/13/clarifying-our-no-logging-policy/). Proxy.sh also has a Warrant Canary: https://proxy.sh/canary

VPN providers I cannot recommend: ExpressVPN (low standard of encryption, no zero-logging policy, US jurisdiction)

@baimafeima Even though I agree with you on the VPN providers, I think the problem is that we cannot (and should not) ask the Solus devs to make a decision regarding which VPNs should be included (trusted) and which shouldn't. They are not experts on VPNs (afaik?), and even if they were, choosing one or a few could lead to lots of hassle.

The real problem with the mullvad gui is that it is a python program, which you could install through pip as documented here for other distros: https://mullvad.net/guides/installing-mullvad-client-linux/

However, for some reason I have not gotten this to work on Solus. I *think* this has to do with the fact that the mullvad client uses an older, incompatible, python. It works on openSUSE Leap, but I'm getting errors on Solus. At the moment I think therefore that the problem lies with Mullvad, and not with whether or not Solus should package this (which I do not think it should). Keep in mind that obfsproxy won't work, if it is not packaged, even if you run the client. Packaging obfsproxy is imho more important.

Having said that, you should really run openVPN. The mullvad client would introduce another attack vector, not to mention that if it crashes silently, you're without a VPN. A combination of openVPN, iptables rules, and obfsproxy would be a much safer, kernel based, bet. Less convenient, surely, but there's some price to convenience for security :). Everything you can do through the client, you can do through the command line as well, and most of it you can even do through networkmanager gui. Here's a thought: have networkmanager include an obfsproxy option!

baimafeima added a comment. Edited Sep 9 2017, 8:51 PM

Here's a thought: have networkmanager include an obfsproxy option!

@anaknaga Do you have an idea how this could be done?

On https://thatoneprivacysite.net/vpn-comparison-chart/ I found five obfuscation options that could be investigated:

  • Multihop
  • TCP Port 443
  • Obfsproxy
  • SOCKS
  • SSL Tunnel
  • SSH Tunnel

On IRC someone recommended "setting up with TLS-Crypt and port 443, this will allow the authentication and connection to look like HTTPS". Last time I tried TCP Port 443 it didn't work from China.

The following chart may also be helpful to investigate what VPN software to get into the repository and which ones to reject. I think this is by far the best overview on the subject: https://thatoneprivacysite.net/simple-vpn-comparison-chart/

anaknaga added a comment. Edited Sep 10 2017, 9:09 AM

Here's a thought: have networkmanager include an obfsproxy option!

@anaknaga Do you have an idea how this could be done?

Not a clue honestly! But I suspect this will have to happen upstream.

EDIT: And honestly, with the coming of wireguard, it might not be necessary anymore, but I don't know.

Not a clue honestly! But I suspect this will have to happen upstream.

Mullvad actually now supports both OpenVPN and Wireguard. There was a discussion on the OpenVPN forums in 2013 regarding the option to obfuscate OpenVPN traffic and it was rejected on the grounds that the patch was not tested thoroughly enough: https://forums.openvpn.net/viewtopic.php?f=15&t=12605&hilit=openvpn_xorpatch&sid=05c4d721ea2058ad1d2212e91bc3d897&start=60#p49837
The reality is that OpenVPN traffic is recognized as such in real-time by ISPs and state actors in countries such as China and blocked almost instantaneously.

EDIT: And honestly, with the coming of wireguard, it might not be necessary anymore, but I don't know.

A great discussion regarding Wireguard and obfuscation can be found here: https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184.html
Wireguard in China: https://www.reddit.com/r/China/comments/68lk5n/wireguard_in_china/
China: https://github.com/jlund/streisand/issues/413 and http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/

VPN solutions for Linux users: http://www.techradar.com/news/best-vpn-solutions-for-linux-users/2

Mullvad has recently been reviewed by That One Privacy Site: https://thatoneprivacysite.net/2017/10/03/mullvad-review/

ikey added a comment. Edited Nov 8 2017, 7:34 PM

As long as this doesn't use a forked/custom set of security binaries/libs (openvpn, etc) then I'm fine with it being reopened.

It doesn't appear to be forked software and doesn't contain binaries.

ikey reopened this task as Open. Nov 11 2017, 7:30 PM
ikey moved this task from Backlog to Accepted For Inclusion on the Package Requests board.

Thanks, in that case we can approve :)

siru added a subscriber: siru. Nov 11 2017, 9:39 PM

I made this package

name       : mullvad
version    : 65
release    : 1
source     :
    - https://www.mullvad.net/media/client/mullvad-65.tar.gz : 952e01dbc889a5cfb086a11a048fbc8a1b1d5a3b978f14bbe6a068d39ae565d5
license    : GPL-2.0
component  : network.util
summary    : Mullvad VPN
description: |
    Mullvad is a VPN service that helps keep your online activity, identity, and location private.
builddeps  :
    - python-setuptools
rundeps    :
    - openvpn
    - python-appdirs
    - python-ipaddr
    - python-netifaces
    - python-psutil
    - wxPython
build      : |
    %python_setup
install    : |
    %python_install

but when I ran the application to check it, I got the following error

CRITICAL: An uncaught exception occured: Traceback (most recent call last):
  File "/usr/bin/mtunnel", line 11, in <module>
    load_entry_point('mullvad==65', 'console_scripts', 'mtunnel')()
  File "/usr/lib/python2.7/site-packages/mullvad/tunnelprocess.py", line 126, in main
    main_args(args)
  File "/usr/lib/python2.7/site-packages/mullvad/tunnelprocess.py", line 116, in main_args
    tp = TunnelProcess(pipe_dir, settings, args.confdir)
  File "/usr/lib/python2.7/site-packages/mullvad/tunnelprocess.py", line 41, in __init__
    self.tunnel = mtunnel.Tunnel(settings, conf_dir)
  File "/usr/lib/python2.7/site-packages/mullvad/mtunnel.py", line 139, in __init__
    self.route_manager = route.get_route_manager()
  File "/usr/lib/python2.7/site-packages/mullvad/route.py", line 34, in get_route_manager
    return RouteManager()
  File "/usr/lib/python2.7/site-packages/mullvad/route.py", line 260, in __init__
    self.gw = _find_default_gateway()
  File "/usr/lib/python2.7/site-packages/mullvad/route.py", line 405, in _find_default_gateway
    routing_table = proc.run_assert_ok(['netstat', '-r', '-n'])
  File "/usr/lib/python2.7/site-packages/mullvad/proc.py", line 49, in run_assert_ok
    return _get_proc().run_assert_ok(args, stdin)
  File "/usr/lib/python2.7/site-packages/mullvad/proc.py", line 194, in run_assert_ok
    (code, stdout, stderr) = self.run(args, stdin)
  File "/usr/lib/python2.7/site-packages/mullvad/proc.py", line 173, in run
    proc = self.open(args)
  File "/usr/lib/python2.7/site-packages/mullvad/proc.py", line 148, in open
    **hide_window)
  File "/usr/lib/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Since netstat will never find its way to Solus, I guess this should be reported upstream?
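
The traceback above ends in `_find_default_gateway` running `netstat -r -n`, a binary that is not present on Solus. As an added example (Python 3, not Mullvad's or Solus's code), the same lookup can be done by reading the kernel routing table in `/proc/net/route` without any external program; the function names and the sample table are constructed for illustration.

```python
import socket
import sys

RTF_UP, RTF_GATEWAY = 0x0001, 0x0002  # route flags from <linux/route.h>

# Constructed sample in the /proc/net/route column layout, as a little-endian
# host prints it (the real file is tab-separated; split() handles both).
SAMPLE_ROUTE_TABLE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
wlan0 00000000    0101A8C0 0003  0      0   600    00000000 0   0      0
eth0  00000000    010A000A 0003  0      0   100    00000000 0   0      0
eth0  000A000A    00000000 0001  0      0   100    00FFFFFF 0   0      0
tun0  00000000    0100080A 0003  0      0   0      00000080 0   0      0
"""

def _hex_to_ip(field, byteorder):
    # The kernel prints the 32-bit address as a host-order integer in hex.
    return socket.inet_ntoa(int(field, 16).to_bytes(4, byteorder))

def find_default_gateway(route_text, byteorder=sys.byteorder):
    """Return (gateway_ip, iface) for the lowest-metric default route, else None."""
    best = None
    for line in route_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        try:
            iface, dest, gateway = fields[0], int(fields[1], 16), fields[2]
            flags, metric, mask = int(fields[3], 16), int(fields[6]), int(fields[7], 16)
            gateway_ip = _hex_to_ip(gateway, byteorder)
        except (IndexError, ValueError, OverflowError):
            continue                              # truncated or malformed row
        # A default route is 0.0.0.0/0; the 0.0.0.0/1 route that OpenVPN's
        # "redirect-gateway def1" adds has a non-zero mask and is skipped.
        if dest != 0 or mask != 0:
            continue
        if flags & (RTF_UP | RTF_GATEWAY) != (RTF_UP | RTF_GATEWAY):
            continue
        if best is None or metric < best[0]:
            best = (metric, gateway_ip, iface)
    return best[1:] if best else None

def read_default_gateway(path="/proc/net/route"):
    """Look up the default gateway of the running host."""
    with open(path) as handle:
        return find_default_gateway(handle.read())

if __name__ == "__main__":
    print(find_default_gateway(SAMPLE_ROUTE_TABLE, "little"))
```
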

JoshStrobl triaged this task as Low priority. Nov 18 2017, 10:50 PM

Reading that review intrigued me enough to send Mullvad Support an e-mail regarding the netstat thing, here is their response:

Hello
We are at the moment working on a completely new application from
scratch, and I recommend you to use plain OpenVPN if you can't install
the client under your operating system.
https://mullvad.net/guides/linux-openvpn-installation/
Best regards
Sanny

So hopefully their new client will solve this issue. :)

hubris added a subscriber: hubris. Dec 29 2017, 3:13 AM
JoshStrobl removed JoshStrobl as the assignee of this task. Jan 1 2018, 8:40 PM

Should rather be "awaiting package upgrade" I guess...

DataDrake closed this task as Wontfix. Jul 12 2018, 6:47 PM
DataDrake claimed this task.
DataDrake added a subscriber: DataDrake.

If the devs are saying to use OpenVPN until the replacement to Mullvad is out, no point in including this.

@baimafeima, please file a new package request. Since it is an entirely different application, not just a new release of the old one, it will need to go through the approval process again.

@baimafeima I made a request for qomui T6722 (a GUI managing different VPN providers like Mullvad, Windscribe, ProtonVPN, PIA...); maybe you would be interested.

@DataDrake @Devil505 Thanks, I've made a request for the new MullvadVPN client and will take a look at qomui as well.