100.64.0.0/10 is not included in allowed LAN ranges #6086

Open
2 tasks done
nothingmuch opened this issue Apr 8, 2024 · 3 comments · May be fixed by #6089
@nothingmuch

Is it a bug?

  • I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

  • I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

Although 100.64.0.0/10 is part of the IPv4 reserved address blocks used for internal networks, it is not included in the list of allowed addresses when LAN access is unblocked.

Strictly speaking that range is for carrier-grade NAT, so it's debatable whether or not that should be considered LAN.

However, not adding this manually to nftables means I can't use tailscale and mullvad concurrently.

I'm aware of tailscale's mullvad integration, but unfortunately since I use headscale and not the tailscale service, I can't yet utilize this functionality.

Expected Behavior

With tailscale enabled and connected, and `mullvad lan set allow` configured, traffic on the tailscale interface should not be blocked when connecting to mullvad.

I can work around this using the following firewall rule:

    # Marks traffic destined for the CGNAT range (used by tailscale) so that it
    # is excluded from the Mullvad firewall rules. Added as a static workaround;
    # note that it stays in effect even after `mullvad lan set block`.
    table inet mullvadExclusions {
      chain mullvadAllowTailscale {
        type route hook output priority -1; policy accept;
        ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
      }
    }

but it would be less brittle and more secure if I would not have to do that statically, since that would still be allowed if mullvad lan set block is configured.

Steps to Reproduce

  1. tailscale up
  2. mullvad lan set allow
  3. tailscale ping ... (works)
  4. mullvad connect
  5. tailscale ping ... (no response)
  6. mullvad disconnect
  7. tailscale ping ... (works)

Failure Logs

No response

Operating system version

NixOS unstable (pre release 24.05)

Mullvad VPN app version

2023.6

Additional Information

No response

@nothingmuch nothingmuch added the bug label Apr 8, 2024
@harbor6688

You could for now manually add it to talpid-core/src/firewall/mod.rs in the source code at https://github.com/mullvad/mullvadvpn-app/blob/6868d3c3336a8289c56fdd978ad61ef8a19a7155/talpid-core/src/firewall/mod.rs
and modify ALLOWED_LAN_NETS. While Rust code can be a bit scary, I feel that this part is pretty self-explanatory.
Then manually compile from said modified source, preferably with `build.sh --optimized` so you get a release build. Now, I cannot guarantee this to work since I have yet to test it myself, but it could be a stopgap solution for now.
The only issue with this would be that you would not run the release version but the latest git commit, unless you can figure out what commit they used to compile the latest release version.
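To make the "modify ALLOWED_LAN_NETS" suggestion concrete, here is a small stand-alone Rust program (written for this thread, not code from the Mullvad app or the talpid-core module) that models an allow-list of LAN prefixes and checks an address against it. The private ranges in `PRIVATE_NETS` are assumed for illustration and are not a copy of the real `ALLOWED_LAN_NETS`; the sample addresses and the `with_cgnat` helper are likewise constructed here. It shows why a tailscale peer address (inside 100.64.0.0/10) fails the LAN check until the CGNAT prefix is appended, and it rejects the malformed prefix length "/100" from the report as a parsing error.

```rust
use std::net::Ipv4Addr;

/// An IPv4 prefix in CIDR notation (network address plus prefix length).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Ipv4Net {
    pub network: Ipv4Addr,
    pub prefix_len: u8,
}

impl Ipv4Net {
    /// Netmask as a u32; guarded so a /0 does not shift by 32 bits (overflow).
    fn mask(&self) -> u32 {
        if self.prefix_len == 0 {
            0
        } else {
            u32::MAX << (32 - u32::from(self.prefix_len))
        }
    }

    /// True if `addr` lies inside this prefix.
    pub fn contains(&self, addr: Ipv4Addr) -> bool {
        let m = self.mask();
        (u32::from(addr) & m) == (u32::from(self.network) & m)
    }
}

/// Parse "a.b.c.d/n"; returns None for anything malformed, including n > 32.
pub fn parse_cidr(s: &str) -> Option<Ipv4Net> {
    let (addr, len) = s.split_once('/')?;
    let network: Ipv4Addr = addr.parse().ok()?;
    let prefix_len: u8 = len.parse().ok()?;
    if prefix_len > 32 {
        return None;
    }
    Some(Ipv4Net { network, prefix_len })
}

/// Assumed allow-list of RFC 1918 and link-local ranges (illustrative only;
/// not the app's real ALLOWED_LAN_NETS).
pub const PRIVATE_NETS: [Ipv4Net; 4] = [
    Ipv4Net { network: Ipv4Addr::new(10, 0, 0, 0), prefix_len: 8 },
    Ipv4Net { network: Ipv4Addr::new(172, 16, 0, 0), prefix_len: 12 },
    Ipv4Net { network: Ipv4Addr::new(192, 168, 0, 0), prefix_len: 16 },
    Ipv4Net { network: Ipv4Addr::new(169, 254, 0, 0), prefix_len: 16 },
];

/// The shared address space for carrier-grade NAT (RFC 6598), which tailscale
/// uses for its node addresses.
pub const CGNAT_NET: Ipv4Net = Ipv4Net { network: Ipv4Addr::new(100, 64, 0, 0), prefix_len: 10 };

/// The allow-list extended with the CGNAT range, as the issue requests.
pub fn with_cgnat() -> Vec<Ipv4Net> {
    let mut nets = PRIVATE_NETS.to_vec();
    nets.push(CGNAT_NET);
    nets
}

/// Would `addr` be treated as LAN traffic under the given allow-list?
pub fn is_allowed_lan(nets: &[Ipv4Net], addr: Ipv4Addr) -> bool {
    nets.iter().any(|n| n.contains(addr))
}

fn main() {
    // Constructed sample addresses: a tailscale-style peer, a home LAN host,
    // and a public resolver.
    let samples = [
        Ipv4Addr::new(100, 100, 1, 2),
        Ipv4Addr::new(192, 168, 1, 10),
        Ipv4Addr::new(8, 8, 8, 8),
    ];
    let extended = with_cgnat();
    for addr in samples {
        println!(
            "{addr:<16} default allow-list: {:<5} with 100.64.0.0/10: {}",
            is_allowed_lan(&PRIVATE_NETS, addr),
            is_allowed_lan(&extended, addr)
        );
    }
}
```

The boundary checks matter when you extend the list: 100.64.0.0/10 ends at 100.127.255.255, so 100.128.0.0 must still be treated as public even though its first octet is 100.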

@harbor6688

Never mind, I think this should be the commit of the latest release: b261238

@nothingmuch
Author

Sure, I'm comfortable making that change. nixpkgs uses a binary release, so it might take me a bit to test it first, but I'm happy to make the effort if this change is likely to get accepted. I'll follow up soon.

@chaeynz chaeynz linked a pull request Apr 8, 2024 that will close this issue