[Bug] Simplewall sometimes blocks programs that use my VPN's split tunneling feature
Checklist
- [x] I have used the search function to see if someone else has already submitted the same bug report.
- [x] I will describe the problem with as much detail as possible.
App version
NordVPN
Windows version
Windows 10
Steps to reproduce
When I split-tunnel certain programs, like eM Client, in NordVPN's app and allow network access for the program in simplewall, it's still being blocked.
Browsers work normally when split-tunneled, BUT traffic is blocked when a non-split-tunneled browser is opened by a split-tunneled program (by clicking a link in a chat program, for example): the browser's traffic is blocked until it's closed and opened again normally.
Expected behavior
Not to block programs I've allowed
Actual behavior
Blocks these programs
Logs
```csv
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
```
You need to post the detailed settings of the rule.
Hi, how do I do that?
If you're talking about the export config file, there's only this:
```xml
<item timestamp="1753204068" path="C:\program files (x86)\em client\mailclient.exe" is_enabled="true"/>
```
Based on the log entry and description of the problem, the rule in the logs is created by the NordVPN application. See https://support.nordvpn.com/hc/en-us/articles/19618692366865-What-is-Split-Tunneling-and-how-to-use-it
Rules from Simplewall will be prefixed with things like "Internal" or "User rule". Since the block you posted is "NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.", this appears to be generated by NordVPN. You may need to add an exception on their app if it is defaulted to disable, or remove the rule in NordVPN if you have it set to enable for selected apps.
You can perform additional tests to determine if the behavior changes when you disable/enable the NordVPN option, or enable/disable Simplewall, to see if the issue is reproducible. The problem could be a conflict between both apps having a rule for the same app (unlikely). See if deleting the app rule entirely in SimpleWall changes the output of the logs (the description line).
Regarding the issue with traffic being blocked when opening a browser from another application, such as a chat program, this sounds like parent connection tracking, which isn't a feature I see in SimpleWall. This sounds like something NordVPN might be doing, or the chat program might be opening a sandboxed, containerized environment or a special security user context for the app. When you close the app and reopen a window normally, you are probably calling a standard/trusted app or starting it from a trusted app, such as the Start menu/explorer; thus, it works.
Whenever you find that an app isn't communicating, you can check the relevant logs; it may provide a clue to the source of the block.
Further troubleshooting requires a dump of the filters. See: https://github.com/henrypp/simplewall?tab=readme-ov-file#q-how-can-i-view-all-filters-information Or maybe zeronetworks WTF-WFP.
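As an added example (not code from the thread, from simplewall or from NordVPN), here is a small Python parser for simplewall's CSV log lines that does the triage the reply above describes: it attributes each entry to the WFP provider its filter name points to, using the "Internal" / "User rule" prefixes mentioned above (assumption: that prefix list is not exhaustive), and flags connects to the unspecified address 0.0.0.0. The first sample line is the entry from the bug report; the second is constructed to show what a simplewall-owned block would look like in the same format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Column order of a simplewall log line (same order as the table later in this thread).
FIELDS = (
    "date", "username", "path", "local_addr", "local_port", "remote_addr",
    "remote_port", "protocol", "layer", "filter_name", "filter_id",
    "direction", "state",
)

# Prefixes the reply above says simplewall puts on its own filter names.
# Assumption: the list is not exhaustive; extend it for your simplewall version.
SIMPLEWALL_PREFIXES = ("Internal", "User rule")


def _port(text):
    """'443 (https)' -> 443; the service name in parentheses is dropped."""
    return int(text.split()[0])


def _is_unspecified(addr):
    """True for 0.0.0.0 or ::, i.e. a peer that no connect() can actually reach."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False  # hostname or garbage in the column: not our concern here


def parse_log(text):
    """Parse simplewall CSV log lines (one entry per line) into dicts,
    tagging each entry with the WFP provider its filter name points to."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line
        e = dict(zip(FIELDS, row))
        e["local_port"] = _port(e["local_port"])
        e["remote_port"] = _port(e["remote_port"])
        e["owner"] = ("simplewall" if e["filter_name"].startswith(SIMPLEWALL_PREFIXES)
                      else "third-party")
        e["remote_unspecified"] = _is_unspecified(e["remote_addr"])
        entries.append(e)
    return entries


def blocks_by_owner(entries):
    """Count Blocked entries per (owner, filter name), most frequent first."""
    return Counter((e["owner"], e["filter_name"])
                   for e in entries if e["state"] == "Blocked")


# Constructed sample: the first line is the entry from the bug report above;
# the second is made up to show what a simplewall-owned block would look like.
SAMPLE_LOG = r'''"07/06/2025 15:24:34","DESKTOP-2FGU0QR\Admin","C:\program files (x86)\em client\mailclient.exe","10.5.0.2","7117","0.0.0.0","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis.","#3521152","Outbound","Blocked"
"07/06/2025 15:25:10","DESKTOP-2FGU0QR\Admin","C:\constructed\example.exe","10.5.0.2","51234","203.0.113.10","443 (https)","tcp","FWPM_LAYER_ALE_AUTH_CONNECT_V4","User rule (constructed example)","#1","Outbound","Blocked"
'''

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        note = "  <- remote address is unspecified" if e["remote_unspecified"] else ""
        print(f'{e["state"]:8} {e["owner"]:12} {e["path"]}{note}')
    for (owner, name), n in blocks_by_owner(entries).most_common():
        print(f"{n} block(s) by {owner}: {name}")
```

Feed it the contents of simplewall's log file instead of `SAMPLE_LOG`; any "third-party" owner in the summary is a filter simplewall did not create, and an unspecified remote address on a connect is a sign that some other filter rewrote or redirected the flow before the block was logged.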
Thank you for the answer. Just to clarify, NordVPN is fully allowed too, and the problem only happens to split-tunneled programs. Could it be that simplewall considers traffic that bypasses the VPN as untrusted for some reason? Anyway, I'm attaching the filters dump; I renamed the .xml to .txt because GitHub doesn't support XML attachments.
I briefly looked at the filters and saw NordVPN rules have added redirections for the three apps you added to NordVPN's split tunnel rules.
EDITS/CORRECTION The original statement below was incorrect. SimpleWall had a higher priority (the docs say that higher weights are evaluated first). This means the rules Simplewall added were already evaluated as permitted. NordVPN's rules came into play after and caused the block.
These have a higher priority than SimpleWall's rules. Upon evaluation, it appears that NordVPN's rules result in a block before SimpleWall's rules are evaluated.
EDITS/CORRECTION
I am unsure whether NordVPN is using a callout driver or how it redirects traffic. The rules indicate FWP_ACTION_CALLOUT_UNKNOWN, which means a filter driver can return a permit, block, or continue; implementation issues there would be a matter for NordVPN support. It is also possible that NordVPN is redirecting client traffic to an app running on the PC, acting as a proxy, and that app isn't allowed. However, the logs you provided do not show this (back to the rule description that caused the block action).
The logs in the original bug report show mailclient.exe at IP 10.5.0.2, port 7117, attempting to connect to 0.0.0.0, port 443. In this case, the IP address to connect to is invalid, which is why it is blocked (by NordVPN's callout driver?).
If this works with only one WFP interface running (SW disabled), then this is probably an incompatibility with the third-party software's (NordVPN's) implementation. If their software does not take into consideration that there may be other filters, things like this can happen. One might say this is also a security feature, as if you want no data to leak out of the VPN redirection, having another filter or redirect could create a backdoor or hole that allows traffic to bypass the VPN (which is what you are trying to do intentionally, but the conflict prevents it).
| Date | Username | Path | Address (Local) | Port (Local) | Address (Remote) | Port (Remote) | Protocol | Layer | Filter name | Filter ID | Direction | State |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 07/06/2025 15:24:34 | DESKTOP-2FGU0QR\Admin | C:\program files (x86)\em client\mailclient.exe | 10.5.0.2 | 7117 | 0.0.0.0 | 443 (https) | tcp | FWPM_LAYER_ALE_AUTH_CONNECT_V4 | NordVPN split tunnel implements custom traffic routing around VPN tunnel, per application basis. | #3521152 | Outbound | Blocked |
@henrypp - Is it possible/safe to add application allow rules to ALE Bind Redirect and ALE Connect layers?
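To make the corrected evaluation order above concrete, here is an added Python model of WFP filter arbitration for a single layer (example code written for this page, not simplewall's, NordVPN's or Microsoft's). It follows the documented rules as this editor understands them: sublayers are walked from the highest weight down, the highest-weight matching filter in each sublayer decides, a block is never undone by a later permit, and a plain ("soft") permit can still be vetoed by a block in a lower sublayer unless the permit filter cleared the action right (FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT, a "hard" permit). Everything specific is an assumption: the sublayer weights, that simplewall's allow rule is a soft permit, and the stand-in callout, which merely blocks a connect to 0.0.0.0 because that is what the logged line shows; it is not NordVPN's logic. The three runs reproduce the thread's observations: simplewall permits first and NordVPN still blocks, the block persists with simplewall's filters removed (the test suggested above), and only a hard permit would win, which is also the VPN bypass the same reply warns about.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, BLOCK, CONTINUE = "permit", "block", "continue"


@dataclass
class Flow:
    app_path: str
    remote_addr: str
    remote_port: int


@dataclass
class Filter:
    name: str
    sublayer: str
    weight: int                                   # higher evaluates first within its sublayer
    matches: Callable[[Flow], bool]
    action: str                                   # PERMIT, BLOCK or "callout"
    callout: Optional[Callable[[Flow], str]] = None   # decides when action == "callout"
    clear_action_right: bool = False              # FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT (hard permit/block)


def classify(flow, filters, sublayer_weights):
    """Simplified WFP arbitration for one layer. Sublayers are visited from the
    highest weight down; in each, the highest-weight matching filter decides.
    A soft permit can still be vetoed by a block in a lower sublayer; a hard
    permit ends evaluation; a block is never undone by a later permit.
    Returns (final_action, trace) where trace lists each sublayer's decision."""
    final = None
    trace = []
    for sub in sorted(sublayer_weights, key=sublayer_weights.get, reverse=True):
        candidates = sorted((f for f in filters if f.sublayer == sub),
                            key=lambda f: f.weight, reverse=True)
        decision = None
        for f in candidates:
            if not f.matches(flow):
                continue
            act = f.callout(flow) if f.action == "callout" else f.action
            if act == CONTINUE:
                continue            # callout declined; try the next filter in this sublayer
            decision = (f, act)
            break
        if decision is None:
            continue                # nothing in this sublayer matched
        f, act = decision
        trace.append((sub, f.name, act, f.clear_action_right))
        if act == BLOCK:
            final = BLOCK
            if f.clear_action_right:
                break               # hard block: stop here
        elif final is None:
            final = PERMIT
            if f.clear_action_right:
                break               # hard permit: lower sublayers are not consulted
    return (final or PERMIT), trace  # assumption: no matching filter at all means permit


MAILCLIENT = r"C:\program files (x86)\em client\mailclient.exe"

# Assumed sublayer weights; the thread only establishes that simplewall's filters
# were evaluated before NordVPN's.
SUBLAYER_WEIGHTS = {"simplewall": 0xFFFF, "nordvpn-split-tunnel": 0x1000}


def nordvpn_split_tunnel_callout(flow):
    """Hypothetical stand-in for the FWP_ACTION_CALLOUT_UNKNOWN filter seen in the
    dump. This is NOT NordVPN's logic: it just blocks a connect() to the
    unspecified address, which is what the logged line shows, and otherwise
    declines to decide."""
    return BLOCK if flow.remote_addr in ("0.0.0.0", "::") else CONTINUE


def build_filters(hard_permit):
    """Constructed filter set: a simplewall-style allow rule plus the NordVPN filter."""
    def is_mailclient(fl):
        return fl.app_path.lower() == MAILCLIENT.lower()
    return [
        Filter("User rule (constructed simplewall allow rule)", "simplewall", 10,
               is_mailclient, PERMIT, clear_action_right=hard_permit),
        Filter("NordVPN split tunnel implements custom traffic routing around VPN "
               "tunnel, per application basis.", "nordvpn-split-tunnel", 10,
               is_mailclient, "callout", callout=nordvpn_split_tunnel_callout),
    ]


if __name__ == "__main__":
    flow = Flow(MAILCLIENT, "0.0.0.0", 443)
    scenarios = [
        ("soft permit in simplewall", build_filters(hard_permit=False)),
        ("hard permit in simplewall", build_filters(hard_permit=True)),
        ("simplewall disabled", [f for f in build_filters(False) if f.sublayer != "simplewall"]),
    ]
    for label, filters in scenarios:
        final, trace = classify(flow, filters, SUBLAYER_WEIGHTS)
        print(f"{label}: {final}")
        for sub, name, act, hard in trace:
            print(f"   {sub}: {act}{' (hard)' if hard else ''} by {name[:40]}")
```

The point for the question just above: an ordinary allow filter in the ALE connect layer does not beat another provider's block, however high its weight; only a filter that clears the action right does, and such a filter would let the same application punch through any VPN enforcement filter as well.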