Incompatibility between Murus and PIA-VPN

Incompatibility between Murus and PIA-VPN

Post by TonO » Sun Nov 12, 2017 10:16 am

Hi Hany,

It seems there's a small incompatibility between Murus and Private Internet Access APP (PIA VPN).
When Murus is activated, I'm not able to disconnect the VPN session through PIA's menus anymore.
Once Murus is stopped, I can disconnect again.
Problem was reported at PIA's technical service but while talking, I've stumbled on this.

Might be an issue on PIA's side, but just wanted to see if you know the issue / register it here.
Other VPN apps (Tunnelblick, for example) work fine.

Regards,
Ton.

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Sun Nov 12, 2017 10:21 am

Using Murus Pro version 1.4.2

Re: Incompatibility between Murus and PIA-VPN

Post by hany » Wed Nov 15, 2017 8:35 pm

Hello TonO,
Sorry, I have no idea why this happens. I think this is something related to PIA; it probably needs some specific address/port to be reachable in order to work correctly. And, probably, your Murus configuration blocks some needed connections.
Please try updating Murus to version 1.4.11, then enable logs and look for blocked connections when disconnecting PIA. If you see some blocked connections logged, then you will probably be able to issue the correct rules in order to let them pass.

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Thu Nov 16, 2017 11:31 am

Hi Hany.

Yep, did what you suggested (I haven't done any changes/analysis for a long period, therefore I'm getting rusty;_)) and it seems that local traffic isn't being passed.
The port number used doesn't seem to be fixed, so I would like to allow all local traffic towards local (127.0.0.1->127.0.0.1).
I would have expected this traffic to be allowed by the Everyone Group (0.0.0.0/0 & ::/0) and the All_Local service (ports 1:65535) in the Outbound Services section.

pf 00:00:01.01286 rule 11/0(match): block out on lo0: 127.0.0.1.31742 > 127.0.0.1.51188: tcp

During testing I also found out that the 1Password plugin in Safari is getting blocked in the same way:

pf 00:00:00.00250 rule 11/0(match): block out on lo0: 127.0.0.1.50820 > 127.0.0.1.6263: tcp

Could you give me some direction in how to solve this and allow this kind of local traffic (based on 127.0.0.0)?
127.0.0.1 is bound to BSD Name lo0 but not selectable as network interface....

Thanks.
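
For anyone following the same log-based troubleshooting, here is an added example (not part of the original posts and not Murus or PIA code) that parses pf log lines in the format quoted above and groups the blocked flows by rule, direction, interface and whether both endpoints are loopback. The first two sample lines are the ones posted in this thread; the third is constructed with documentation addresses for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Lines 1-2 are quoted from this thread; line 3 is constructed for contrast.
SAMPLE_LOG = """\
pf 00:00:01.01286 rule 11/0(match): block out on lo0: 127.0.0.1.31742 > 127.0.0.1.51188: tcp
pf 00:00:00.00250 rule 11/0(match): block out on lo0: 127.0.0.1.50820 > 127.0.0.1.6263: tcp
pf 00:00:02.10000 rule 11/0(match): block out on en0: 192.0.2.10.50001 > 198.51.100.7.443: tcp
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

def parse_blocked(log_text):
    """Return one dict per 'block' line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "block":
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def is_loopback(ev):
    """True only when both source and destination are loopback addresses."""
    try:
        return all(ipaddress.ip_address(ev[k]).is_loopback for k in ("src", "dst"))
    except ValueError:  # resolved hostname or unexpected token in the log
        return False

def summarize(events):
    """Map (rule, direction, interface, proto, loopback?) -> sorted dst ports."""
    groups = defaultdict(set)
    for ev in events:
        key = (int(ev["rule"]), ev["dir"], ev["ifname"], ev["proto"], is_loopback(ev))
        groups[key].add(ev["dport"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (rule, direction, ifname, proto, loop), ports in summarize(parse_blocked(SAMPLE_LOG)).items():
        kind = "loopback" if loop else "non-loopback"
        print(f"rule {rule}: block {direction} on {ifname} {proto} ({kind}), dst ports {ports}")
```

When the loopback group shows several unrelated destination ports hit by the same rule, as it does here, an allow rule has to match on the loopback interface or address rather than on a port.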
