Incompatibility between Murus and PIA-VPN

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Incompatibility between Murus and PIA-VPN

Post by TonO » Sun Nov 12, 2017 10:16 am

Hi Hany,

It seems there's a small incompatibility between Murus and Private Internet Access APP (PIA VPN).
When Murus is activated, I'm not able to disconnect the VPN session through PIA's menus anymore.
Once Murus is stopped, I can disconnect again.
Problem was reported at PIA's technical service but while talking, I've stumbled on this.

Might be an issue on PIA's side, but just wanted to see if you know the issue / register it here.
Other VPN apps (Tunnelblick for example) work fine.

Regards,
Ton.

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Sun Nov 12, 2017 10:21 am

Using Murus Pro version 1.4.2

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Incompatibility between Murus and PIA-VPN

Post by hany » Wed Nov 15, 2017 8:35 pm

Hello TonO,
Sorry, I have no idea why this happens. I think this is something related to PIA, probably it needs some specific address/port to be reachable in order to work correctly. And, probably, your Murus configuration blocks some needed connections.
Please try updating Murus to version 1.4.11 then enable logs and look for blocked connections when disconnecting PIA. If you see some blocked logged connections then probably you will be able to issue the correct rules in order to let them pass.

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Thu Nov 16, 2017 11:31 am

Hi Hany.

Yep, did what you suggested (didn't do change/analyse for a long period, therefore I'm getting rusty;_)) and it seems that local traffic isn't being passed.
The port number used doesn't seem to be fixed, so I would like to allow all local traffic towards local (127.0.0.1->127.0.0.1).
I would have expected this traffic to be allowed by the Everyone Group (0.0.0.0/0 & ::/0) and the All_Local service (ports 1:65535) in the Outbound Services section.

pf 00:00:01.01286 rule 11/0(match): block out on lo0: 127.0.0.1.31742 > 127.0.0.1.51188: tcp

During testing I also found out that the 1Password-plugin in Safari is getting blocked by the same idea:

pf 00:00:00.00250 rule 11/0(match): block out on lo0: 127.0.0.1.50820 > 127.0.0.1.6263: tcp

Could you give me some direction in how to solve this and allow this kind of local traffic (based on 127.0.0.0)?
127.0.0.1 is bound to BSD Name lo0 but not selectable as network interface....

Thanks.
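
Added example, not part of the original posts and not Murus code: a small parser for blocked-connection log lines in the format quoted above, grouping them by the rule number, interface and direction that blocked them so the responsible rule can be looked up. The first two sample lines are the ones from the post; the third is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines 1-2 are quoted in the thread; line 3 is a constructed sample.
SAMPLE_LOG = """\
pf 00:00:01.01286 rule 11/0(match): block out on lo0: 127.0.0.1.31742 > 127.0.0.1.51188: tcp
pf 00:00:00.00250 rule 11/0(match): block out on lo0: 127.0.0.1.50820 > 127.0.0.1.6263: tcp
pf 00:00:02.00100 rule 4/0(match): pass out on en0: 192.0.2.10.50001 > 198.51.100.7.443: tcp
"""

# Only tcp/udp lines are matched: they carry a port as the last dot field.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<proto>tcp|udp)"
)

def split_endpoint(endpoint):
    """Split 'addr.port' into (addr, port); the port is the last dot field."""
    addr, _, port = endpoint.rpartition(".")
    return addr, int(port)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_addr"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_addr"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    return rec

def blocked_by_rule(log_text):
    """Group blocked connections by (rule number, interface, direction)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block":
            groups[(rec["rule"], rec["iface"], rec["dir"])].append(
                (rec["src_addr"], rec["dst_addr"], rec["dst_port"], rec["proto"]))
    return dict(groups)

if __name__ == "__main__":
    for (rule, iface, direction), conns in blocked_by_rule(SAMPLE_LOG).items():
        print(f"rule {rule}: block {direction} on {iface} ({len(conns)} connections)")
        for src, dst, port, proto in conns:
            print(f"  {src} -> {dst}:{port}/{proto}")
```

Both quoted lines fall into a single group, rule 11 blocking outbound on lo0, while the destination ports differ, which matches the observation that the port is not fixed.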

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Tue Nov 21, 2017 3:16 pm

Any response?

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Thu Nov 23, 2017 1:39 pm

Guys........

This is a serious problem that I do not seem to be able to solve myself..... For now, I still think it's a bug.

Please respond.....

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Incompatibility between Murus and PIA-VPN

Post by hany » Tue Nov 28, 2017 8:50 pm

Hello,

it cannot be a bug :) you are running PF, the built-in firewall. Murus is only a GUI.
If a connection is blocked by the firewall, then there must be a rule blocking it. In your case it is rule 11 in the root anchor. You can use the Murus rules browser to identify the rule.
Now, lo0 is the loopback interface. Murus offers two ways to deal with it: skipping traffic or passing traffic, the former being the default.
Look at the top of your ruleset, you should see a rule like

set skip on lo0

Now open Murus Preferences -> Advanced -> Skip Loopback interface
remove the checkbox from that option and retry running your software.
I hope it helped!

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Wed Nov 29, 2017 7:23 am

Potatoes, Potatoes, bug, feature, bug in Murus, misconfiguration in Murus;-)
I agree Murus is only a (very good) frontend to PF; from my viewpoint it seemed a misconfiguration of PF or a configuration setting that needs a bit more attention.

Removing the skip loopback results in both a working PIA and 1Password:-):-)

Thank you.

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Incompatibility between Murus and PIA-VPN

Post by hany » Wed Nov 29, 2017 1:05 pm

Glad to know it worked.
The issue arose because PIA and 1password are bugged. They make a wrong use of system network API. They should not need this option set in pf.
Murus can "correct" this wrong behavior with this option but this is NOT a good choice. I would not remove the "skip loopback", I'd rather stop using those bugged apps. The correct approach is to SKIP traffic on loopback interface. If an app does not work with that PF rule then the app is rubbish, better avoid it. That's my opinion :)

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Re: Incompatibility between Murus and PIA-VPN

Post by TonO » Wed Nov 29, 2017 6:13 pm

I tend to agree with your response.
Other products in the VPN-area worked out of the box. That's also what I've told the support department of the company Private Internet Access (PIA).
They were quite helpful though and willing to dive into the issue, no complaint there!
As said, I've informed them of this solution.

Thanks again for the spot-on analysis!
