macOS sometimes leaks traffic after system updates
We have found that you could be leaking traffic on macOS after system updates. To our current knowledge a reboot resolves it. We are currently investigating this and will follow up with more information.
The current state
In this scenario, the macOS firewall does not seem to function correctly and disregards firewall rules. Most traffic will still go inside the VPN tunnel, since the routing table specifies that it should. Unfortunately, apps are not required to respect the routing table and can send traffic outside the tunnel if they try to. Some examples of apps that do this are Apple’s own apps and services since macOS 14.6, up until a recent 15.1 beta.
What’s next?
We’ve reported this to Apple and hopefully we’ll see a fix in the near future. In the meantime, we will continue to investigate so that we can provide more information to Apple and see if there are any workarounds that we can implement in the app.
Check if you are affected
Run the following commands in a terminal to check if you are affected:
1. Add a firewall rule that blocks all traffic
echo "block drop quick all" | sudo pfctl -ef -
2. Try to send traffic outside the tunnel
curl https://am.i.mullvad.net/connected
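If the request succeeds even though the rule blocks all traffic, the firewall is not enforcing its rules and you are affected. To clean up after the experiment, disable the firewall and reload the default rules from /etc/pf.conf.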
sudo pfctl -d
sudo pfctl -f /etc/pf.conf
It is also possible to check if our app is leaking by doing the following:
1. Make sure you are not connected to a VPN
2. Find the default interface by running the following command in a terminal
route get mullvad.net | sed -nE 's/.*interface: //p'
3. Connect to a VPN server using our app
4. Run the following command (replace “<interface>” with the interface from step 2)
curl --interface <interface> https://am.i.mullvad.net/connected
5. If everything is working properly the response should say either that you are connected to Mullvad or that it cannot connect to the server. If there is a response stating that you are not connected to Mullvad then you are leaking.
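The verdict logic from steps 4 and 5 can be scripted. The following is an added shell example, not part of the original post or Mullvad's own code; the function names, the verdict labels and the exact reply phrases it matches are assumptions.

```shell
#!/bin/sh
# Added example: automates steps 4-5 of the app leak check above.
# Usage: sh leakcheck.sh --run <interface>
#   <interface> is the value from step 2, noted BEFORE connecting to the VPN.

# classify_response CURL_EXIT BODY
# Prints NO-CONNECTION, OK-TUNNEL, LEAK or UNKNOWN; returns non-zero on LEAK/UNKNOWN.
# Assumption: the reply contains "connected to Mullvad", preceded by "not"
# when the request reached the service from outside the tunnel.
classify_response() {
    rc=$1
    body=$2
    if [ "$rc" -ne 0 ]; then
        # curl could not reach the server over the physical interface,
        # which is the expected outcome when the firewall blocks the traffic.
        echo "NO-CONNECTION"
        return 0
    fi
    case "$body" in
        *"not connected to Mullvad"*) echo "LEAK";      return 1 ;;
        *"connected to Mullvad"*)     echo "OK-TUNNEL"; return 0 ;;
        *)                            echo "UNKNOWN";   return 2 ;;
    esac
}

# default_interface: step 2, only meaningful while NOT connected to the VPN.
default_interface() {
    route get mullvad.net | sed -nE 's/.*interface: //p'
}

# check_interface IFACE: step 4, force the request out of the given interface.
check_interface() {
    iface=$1
    body=$(curl --silent --max-time 10 --interface "$iface" \
        https://am.i.mullvad.net/connected)
    rc=$?
    classify_response "$rc" "$body"
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    check_interface "$2"
    exit $?
fi
```

A NO-CONNECTION result also occurs when the interface name is mistyped, so confirm the name from step 2 before trusting that verdict.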