Test leaking TCP/UDP/ICMP packets in split tunnel

Author: hulthe

mullvad-management-interface/src/client.rs

@@ -631,7 +631,6 @@ impl MullvadProxyClient {
         Ok(())
     }
 
-    //#[cfg(target_os = "windows")]
     pub async fn add_split_tunnel_app<P: AsRef<Path>>(&mut self, path: P) -> Result<()> {
         let path = path.as_ref().to_str().ok_or(Error::PathMustBeUtf8)?;
         self.0
@@ -641,7 +640,6 @@ impl MullvadProxyClient {
         Ok(())
     }
 
-    //#[cfg(target_os = "windows")]
     pub async fn remove_split_tunnel_app<P: AsRef<Path>>(&mut self, path: P) -> Result<()> {
         let path = path.as_ref().to_str().ok_or(Error::PathMustBeUtf8)?;
         self.0
@@ -651,7 +649,6 @@ impl MullvadProxyClient {
         Ok(())
     }
 
-    //#[cfg(target_os = "windows")]
     pub async fn clear_split_tunnel_apps(&mut self) -> Result<()> {
         self.0
             .clear_split_tunnel_apps(())
@@ -660,7 +657,6 @@ impl MullvadProxyClient {
         Ok(())
     }
 
-    //#[cfg(target_os = "windows")]
     pub async fn set_split_tunnel_state(&mut self, state: bool) -> Result<()> {
         self.0
             .set_split_tunnel_state(state)

test/Cargo.lock

@@ -12,7 +12,7 @@ members = [
     "test-runner",
     "test-rpc",
     "socks-server",
-    "am-i-mullvad",
+    "connection-checker",
 ]
 
 [workspace.lints.rust]

test/Cargo.toml

@@ -17,11 +17,11 @@ if [[ $TARGET == x86_64-unknown-linux-gnu ]]; then
         -e CARGO_HOME=/root/.cargo/registry \
         -e CARGO_TARGET_DIR=/src/test/target \
         mullvadvpn-app-tests \
-        /bin/bash -c "cd /src/test/; cargo build --bin test-runner --release --target ${TARGET}"
+        /bin/bash -c "cd /src/test/; cargo build --bin test-runner --bin connection-checker --release --target ${TARGET}"
 else
     cargo build \
         --bin test-runner \
-        --bin am-i-mullvad \
+        --bin connection-checker \
         --release --target "${TARGET}"
 fi
 

test/am-i-mullvad/src/main.rs

@@ -1,5 +1,5 @@
 [package]
-name = "am-i-mullvad"
+name = "connection-checker"
 description = "Simple cli for testing Mullvad VPN connections"
 authors.workspace = true
 repository.workspace = true
@@ -11,7 +11,10 @@ rust-version.workspace = true
 workspace = true
 
 [dependencies]
+clap = { workspace = true, features = ["derive"] }
 color-eyre = "0.6.2"
 eyre = "0.6.12"
+ping = "0.5.2"
 reqwest = { version = "0.11.24", default-features = false, features = ["blocking", "rustls-tls", "json"] }
 serde = { version = "1.0.197", features = ["derive"] }
+socket2 = { version = "0.5.3", features = ["all"] }

test/build.sh

@@ -0,0 +1,32 @@
+use std::net::SocketAddr;
+
+use clap::Parser;
+
+/// CLI tool that queries <https://am.i.mullvad.net> to check if the machine is connected to
+/// Mullvad VPN.
+#[derive(Parser)]
+pub struct Opt {
+    /// Interactive mode, press enter to check if you are Mullvad.
+    #[clap(short, long)]
+    pub interactive: bool,
+
+    /// Timeout for network connections (in millis).
+    #[clap(short, long, default_value = "2000")]
+    pub timeout: u64,
+
+    /// Try to send some junk data over TCP to <leak>.
+    #[clap(long, requires = "leak")]
+    pub leak_tcp: bool,
+
+    /// Try to send some junk data over UDP to <leak>.
+    #[clap(long, requires = "leak")]
+    pub leak_udp: bool,
+
+    /// Try to send ICMP request to <leak>.
+    #[clap(long, requires = "leak")]
+    pub leak_icmp: bool,
+
+    /// Target of <leak_tcp>, <leak_udp> or <leak_icmp>.
+    #[clap(long)]
+    pub leak: Option<SocketAddr>,
+}

test/am-i-mullvad/Cargo.toml test/connection-checker/Cargo.toml

@@ -0,0 +1,2 @@
+pub mod cli;
+pub mod net;

test/connection-checker/src/cli.rs

@@ -0,0 +1,73 @@
+use clap::Parser;
+use eyre::{eyre, Context};
+use reqwest::blocking::Client;
+use serde::Deserialize;
+use std::{io::stdin, time::Duration};
+
+use connection_checker::cli::Opt;
+use connection_checker::net::{send_ping, send_tcp, send_udp};
+
+fn main() -> eyre::Result<()> {
+    let opt = Opt::parse();
+    color_eyre::install()?;
+
+    if opt.interactive {
+        let stdin = stdin();
+        for line in stdin.lines() {
+            let _ = line.wrap_err("Failed to read from stdin")?;
+            test_connection(&opt)?;
+        }
+    } else {
+        test_connection(&opt)?;
+    }
+
+    Ok(())
+}
+
+fn test_connection(opt: &Opt) -> eyre::Result<bool> {
+    if let Some(destination) = opt.leak {
+        if opt.leak_tcp {
+            let _ = send_tcp(opt, destination);
+        }
+        if opt.leak_udp {
+            let _ = send_udp(opt, destination);
+        }
+        if opt.leak_icmp {
+            let _ = send_ping(opt, destination.ip());
+        }
+    }
+    am_i_mullvad(opt)
+}
+
+/// Check if connected to Mullvad and print the result to stdout
+fn am_i_mullvad(opt: &Opt) -> eyre::Result<bool> {
+    #[derive(Debug, Deserialize)]
+    struct Response {
+        ip: String,
+        mullvad_exit_ip_hostname: Option<String>,
+    }
+
+    let url = "https://am.i.mullvad.net/json";
+
+    let client = Client::new();
+    let response: Response = client
+        .get(url)
+        .timeout(Duration::from_millis(opt.timeout))
+        .send()
+        .and_then(|r| r.json())
+        .wrap_err_with(|| eyre!("Failed to GET {url}"))?;
+
+    if let Some(server) = &response.mullvad_exit_ip_hostname {
+        println!(
+            "You are connected to Mullvad (server {}). Your IP address is {}",
+            server, response.ip
+        );
+        Ok(true)
+    } else {
+        println!(
+            "You are not connected to Mullvad. Your IP address is {}",
+            response.ip
+        );
+        Ok(false)
+    }
+}