add setting to exclude sshd #8428

@john-peterson

I propose a new setting to specifically keep ssh working on a remote server:

```
mullvad ssh set allow
```

or, more generically, exclude by process name on Linux:

```
mullvad split-tunnel app add sshd
```

Someone mentioned sshd was broken on mac in #6543. Linux doesn't have this command, so I can't test it.

`mullvad-exclude` is just a wrapper for PID exclusion and doesn't work for sshd because it doesn't apply to forks:

```
mullvad-exclude /sbin/sshd -p 8022 -d -h ~/.ssh/ssh*key
```

The client connection times out:

```
ssh $gvm -p 8022
```


# implementation

The best way would be split tunneling by process name, which could be used for other processes also.

Or constantly keep the current sshd PIDs in the exclude list:

```bash
a=()                        # PIDs excluded in the previous iteration
while true; do
    for e in "${a[@]}"; do mullvad split-tunnel delete "$e"; done
    for p in $(pidof sshd); do mullvad split-tunnel add "$p"; done
    a=($(pidof sshd))       # remember them so they can be removed next round
    sleep 1
done
```


But I am against littering the exclusion list with magic numbers. It's impossible to see from the numbers what it is actually doing without resolving them to names.

sshd launches a new pair of processes for each session, with unpredictable PID and port, making all attempts to keep this vital connection open flawed.

# pid list doesn't work

I presently use this flawed method to keep my current session:

```bash
for p in $(pidof sshd); do mullvad split-tunnel add "$p"; done
```


On a single ssh session this excludes three processes: the mother process and the session twins. Any new session is blocked, and should I disconnect, the server is forever gone; just delete the instance.

And Linux tends to reuse PIDs, so the process list has to be updated when a session disconnects. Otherwise my outgoing connections that I need are also excluded, because they use a PID that was previously used by sshd. Since it's a cloud machine, Cloudflare sometimes blocks connections by mistake, mostly because someone messed up their settings and accidentally blocked cloud machines.

# or port rules

Port rules are impossible because every session uses different ports:

```bash
netstat -anp | grep ssh
sudo nft -f ~/etc/mullvad.rules
```

```
table inet mullvad {
chain allowIncoming {
chain excludeOutgoing {
...
```
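The PID-syncing loop proposed under "implementation" and the PID-reuse problem noted under "pid list doesn't work" can be handled together. The script below is an added example, not code from this issue or from the Mullvad project: it diffs the previous and current `pidof sshd` sets so only changed PIDs are added or deleted, drops stale PIDs before the kernel can hand the number to an unrelated process, and logs each change with the process name read from `/proc`. It assumes the CLI forms used in the issue (`mullvad split-tunnel add|delete <pid>`); `MULLVAD=echo` gives a dry run.

```sh
#!/bin/sh
# Added example (not from the issue or the Mullvad project): keep the
# split-tunnel PID list in step with the sshd processes that actually exist,
# issuing only the add/delete calls for PIDs that changed.
# Assumes the CLI used in the issue: `mullvad split-tunnel add|delete <pid>`.

# Compute the edits that turn the previous PID set into the current one.
# $1: previous PIDs (space separated), $2: current PIDs. Prints one
# "delete <pid>" line per vanished PID and one "add <pid>" per new PID.
plan_changes() {
    prev="$1"; cur="$2"
    for p in $prev; do
        case " $cur " in *" $p "*) ;; *) echo "delete $p" ;; esac
    done
    for p in $cur; do
        case " $prev " in *" $p "*) ;; *) echo "add $p" ;; esac
    done
}

# Resolve a PID to its command name via /proc (Linux); "?" if unavailable.
proc_name() {
    cat "/proc/$1/comm" 2>/dev/null || echo '?'
}

# Read "action pid" lines and apply them through the CLI. The command comes
# from $MULLVAD so a dry run is possible (MULLVAD=echo); each change is
# logged to stderr with the resolved process name, not just the number.
apply_changes() {
    while read -r action pid; do
        if [ -n "$pid" ]; then
            echo "$action $pid ($(proc_name "$pid"))" >&2
            "${MULLVAD:-mullvad}" split-tunnel "$action" "$pid"
        fi
    done
}

# Poll once a second; stale PIDs are removed as soon as a session ends, so a
# reused PID does not silently bypass the tunnel for some other program.
sync_loop() {
    prev=""
    while :; do
        cur=$(pidof sshd 2>/dev/null || true)
        plan_changes "$prev" "$cur" | apply_changes
        prev="$cur"
        sleep 1
    done
}

# Start the loop only when invoked as `./sshd-exclude.sh run`.
if [ "${1:-}" = "run" ]; then sync_loop; fi
```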

Labels: Daemon (issues related to mullvad-daemon), Linux (issues related to Linux), feature request (for issues asking for new features)