Hacker News new | ask | show | jobs
by justsomehnguy 1524 days ago
You probably missed

> It’s a WireGuard tunnel being sent inside another WireGuard tunnel

Edit: replaced with a better diagram (and again, now based on example in [0]):

                   ▼    ▼                    ▼    ▼
                  YOU->NL1 tunnel           SE4->NL1 tunnel           PLAIN/TLS

            YOU ────────────────────► SE4 ───────────────────► NL1 ───────────────► CATPICS.COM

    On the wire:  YOU->SE4 traffic          SE4->NL1 traffic       NL1->CATPICS.COM traffic
                 ┌────────────────┐        ┌────────────────┐            ┌──────┐
    Inside:      │YOU->NL1 traffic│        │YOU->NL1 traffic│            │ DATA │
                 └────────────────┘        └────────────────┘            └──────┘
[0] https://mullvad.net/en/help/wireguard-and-mullvad-vpn/
1 comments
topdancing 1524 days ago
This isn't how it works. If you actually pull down one of their multihop configurations - you'll see:

- the WireGuard public key for server 2

- the IP address for server 1

- a unique port for server2 on server 1

So all they're doing is a standard iptables redirect to the second host (which may or may not itself be under a WireGuard tunnel).

link
faern 1523 days ago
Your description is correct for the configuration files, yes! But it's not correct for the app. There are multiple ways of doing multihop with Mullvad. The config files use a simple redirect where each server has a unique port it's reachable over on all other servers. That's what the config files are doing.

But the app actually has a wg tunnel inside another wg tunnel. If you (on Linux) run `wg` (as root) in a terminal when it's connected with multihop you will see that it has two peers set up for the `wg-mullvad` interface, one peer is routed through the other.

So the only thing that SE4 can see is encrypted WireGuard traffic headed for NL1.

link
justsomehnguy 1524 days ago
Well, I stand corrected, because I relied on their promo description. *shrug_emoji*

I replaced the diagram in the previous comment, take a look.

link
faern 1523 days ago
This can be very confusing indeed, since there are multiple ways of doing multihop. Please see my description in https://news.ycombinator.com/item?id=31012071.

The guide at https://mullvad.net/en/help/wireguard-and-mullvad-vpn/ only talks about how the config files does it. Which is completely different from how the app does it!

link