
xxray

macrumors 68040
Original poster
Jul 27, 2013
3,115
9,412
It appears the GM version of macOS Sonoma has a critical flaw with its firewall and VPNs, according to Mullvad, a very reputable VPN provider. I first noticed an issue with Mullvad on beta 6, and then Mullvad recently released this blog post:

The macOS 14 Sonoma betas and release candidate contain a bug that causes the firewall to not filter traffic correctly. As a result, our app does not work.

During the macOS 14 Sonoma beta period Apple introduced a bug in the macOS firewall, packet filter (PF). This bug prevents our app from working, and can result in leaks when some settings (e.g. local network sharing) are enabled. We cannot guarantee functionality or security for users on macOS 14; we investigated this issue after the 6th beta was released and reported the bug to Apple. Unfortunately the bug is still present in later macOS 14 betas and the release candidate.

We have evaluated whether we can patch our VPN app in such a way that it works and keeps users secure in macOS 14. But unfortunately there is no good solution, as far as we can tell. We believe the firewall bugs must be fixed by Apple.

The bug affects much more than just the Mullvad VPN app. Firewall rules do not get applied properly to network traffic, and traffic that is not supposed to be allowed is allowed. We deem this to be a critical flaw in the firewall; anyone relying on PF filtering, or on apps using it in the background on their macOS devices, should be cautious about upgrading to macOS 14.


I'm about to downgrade from Sonoma for this reason. Why does Apple have such a history of not caring about VPN leaks?

xxray

macrumors 68040
Original poster
Jul 27, 2013
3,115
9,412
You could use the WireGuard or OpenVPN configuration files provided by Mullvad.
"Unable to use the app?" https://mullvad.net/en/download/vpn/macos
WireGuard https://apps.apple.com/app/id1451685025
Tunnelblick https://tunnelblick.net/downloads.html

Thanks! The problem is Mullvad makes it sound like this problem affects other VPN apps too.

We have evaluated whether we can patch our VPN app in such a way that it works and keeps users secure in macOS 14. But unfortunately there is no good solution, as far as we can tell. We believe the firewall bugs must be fixed by Apple.

The bug affects much more than just the Mullvad VPN app. Firewall rules do not get applied properly to network traffic, and traffic that is not supposed to be allowed is allowed. We deem this to be a critical flaw in the firewall; anyone relying on PF filtering, or on apps using it in the background on their macOS devices, should be cautious about upgrading to macOS 14.

bogdanw

macrumors 603
Mar 10, 2009
6,117
3,028

dmccloud

macrumors 68040
Sep 7, 2009
3,142
1,899
Anchorage, AK
It appears the GM version of macOS Sonoma has a critical flaw with its firewall and VPNs, according to Mullvad, a very reputable VPN provider. I first noticed an issue with Mullvad on beta 6, and then Mullvad recently released this blog post:

I'm about to downgrade from Sonoma for this reason. Why does Apple have such a history of not caring about VPN leaks?

FYI, there was an article I read this week where NordVPN and one other provider stated they were experiencing none of the issues claimed by Mullvad. It sounds like they continued to rely on packet filtering when Apple has created a newer framework to accomplish the same thing.

xxray

macrumors 68040
Original poster
Jul 27, 2013
3,115
9,412
With all due respect to Mullvad, they should not be using PF.
https://en.wikipedia.org/wiki/PF_(firewall)

Network Extension https://developer.apple.com/documentation/networkextension
Filtering Network Traffic https://developer.apple.com/documentation/networkextension/filtering_network_traffic

free, open-source firewall
“LuLu leverages Apple's new Network Extension framework” https://objective-see.org/products/lulu.html

FYI, there was an article I read this week where NordVPN and one other provider stated they were experiencing none of the issues claimed by Mullvad. It sounds like they continued to rely on packet filtering when Apple has created a newer framework to accomplish the same thing.

Thank you both very much for the information. That makes me feel better knowing I can switch to a different provider in the meantime.

kappabruce

macrumors newbie
Aug 24, 2023
5
10
With all due respect to Mullvad, they should not be using PF.
https://en.wikipedia.org/wiki/PF_(firewall)

Network Extension https://developer.apple.com/documentation/networkextension
Filtering Network Traffic https://developer.apple.com/documentation/networkextension/filtering_network_traffic

free, open-source firewall
“LuLu leverages Apple's new Network Extension framework” https://objective-see.org/products/lulu.html

Apple fixed it in RC2 and Mullvad explained why they use it.

xxray

macrumors 68040
Original poster
Jul 27, 2013
3,115
9,412

Apple fixed it in RC2 and Mullvad explained why they use it.
Thank you so much for this update. I've been refreshing their blog every couple of days but didn't see this yet. Great news! I've been using ProtonVPN in the meantime and it's not only more expensive but giving me a lot more bugs/issues. Excited to go back to Mullvad knowing it's secure again.

transmaster

Contributor
Feb 1, 2010
1,757
874
Cheyenne, Wyoming
The first thing that happened after my Mac came up from loading Sonoma was ExpressVPN loaded an update. ExpressVPN actually works even better than it did before, and has some really interesting new features.

zakarhino

Contributor
Sep 13, 2014
2,611
6,963
FYI, there was an article I read this week where NordVPN and one other provider stated they were experiencing none of the issues claimed by Mullvad. It sounds like they continued to rely on packet filtering when Apple has created a newer framework to accomplish the same thing.
With all due respect to Mullvad, they should not be using PF.
https://en.wikipedia.org/wiki/PF_(firewall)

Network Extension https://developer.apple.com/documentation/networkextension
Filtering Network Traffic https://developer.apple.com/documentation/networkextension/filtering_network_traffic

free, open-source firewall
“LuLu leverages Apple's new Network Extension framework” https://objective-see.org/products/lulu.html

Mullvad talked about this many years ago, as did others in the security community. The new APIs Apple introduced to handle firewalls and VPNs were not as extensive and secure as the previous method; specifically, some apps (including most native Apple apps) were capable of bypassing any firewall or VPN setup. This was because the new APIs weren't designed to give the developer's software the final say over what comes in and out of the system; Apple's own networking/firewall layer sat on top of it. According to Mullvad (and I agree) this is insecure and defeats the purpose of a VPN.

So if any conclusion can be drawn it would actually be that NordVPN and the other providers were not attempting to adhere to the same standard of security as Mullvad.

Someone already linked the blog post where Mullvad summarize the above but yeah, it's not because they're using an older framework merely out of ignorance or laziness.

gilby101

macrumors 68030
Mar 17, 2010
2,947
1,630
Tasmania
So if any conclusion can be drawn it would actually be that NordVPN and the other providers were not attempting to adhere to the same standard of security as Mullvad.
Completely agree. My understanding is that most VPN providers need to use PF rules in an attempt to shore up their products against the inadequacies of network extensions and the network security holes that Apple introduced for their own purposes. PIA told me that their product uses PF rules, but in a different way to Mullvad.
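The PF rules the two posts above refer to (a VPN client installing packet-filter rules so that nothing but tunnel traffic leaves the machine, plus a "local network sharing" setting that widens what is allowed, which is the kind of setting the Mullvad post says turns the filter bug into a leak) look roughly like the following. This is an added illustration, not Mullvad's, PIA's or any other vendor's ruleset or code; the server address 203.0.113.10, port 51820, the interface names en0/utun3 and the RFC 1918 ranges are placeholder assumptions.

```shell
#!/bin/sh
# Added example: a minimal PF "kill switch" ruleset of the kind macOS VPN clients
# install so that only traffic to the tunnel endpoint, and traffic inside the
# tunnel, can leave the machine. All names/addresses below are placeholders.

# build_killswitch_rules VPN_SERVER VPN_PORT PHYS_IF TUN_IF [LAN_SHARING]
#   Writes a pf.conf(5) ruleset to stdout. LAN_SHARING=1 adds "local network
#   sharing" pass rules, which enlarge the set of allowed destinations on the
#   physical interface; it is off unless explicitly requested.
build_killswitch_rules() {
    vpn_server="$1"; vpn_port="$2"; phys_if="$3"; tun_if="$4"; lan_sharing="${5:-0}"
    cat <<EOF
set block-policy drop
set skip on lo0
# Default deny in both directions; every exception below must match with "quick".
block drop in all
block drop out all
# DHCP renewals, so the physical interface keeps its lease while the tunnel is up.
pass out quick on $phys_if proto udp from any port 68 to any port 67
# The only host reachable over the physical interface is the tunnel endpoint.
pass out quick on $phys_if proto udp to $vpn_server port $vpn_port
# Anything goes inside the tunnel (DNS included, which is what stops DNS leaks).
pass in quick on $tun_if all
pass out quick on $tun_if all
EOF
    if [ "$lan_sharing" = "1" ]; then
        cat <<EOF
# Local network sharing: plaintext traffic to RFC 1918 ranges bypasses the tunnel.
pass out quick on $phys_if to 10.0.0.0/8
pass out quick on $phys_if to 172.16.0.0/12
pass out quick on $phys_if to 192.168.0.0/16
EOF
    fi
}

# count_pass_rules FILE: number of "pass" rules in a generated file (sanity check
# that a build did not silently widen the allow list).
count_pass_rules() {
    grep -c '^pass ' "$1"
}

# validate_rules FILE: parse-only check with pfctl where it exists (macOS/BSD).
# Returns 0 on hosts without pfctl so the generator can be exercised anywhere.
validate_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not present; skipping parse check" >&2
    fi
}

# Usage (as root on macOS; placeholder values):
#   build_killswitch_rules 203.0.113.10 51820 en0 utun3 0 > /tmp/killswitch.conf
#   validate_rules /tmp/killswitch.conf && pfctl -f /tmp/killswitch.conf && pfctl -e
```

Loading the file with `pfctl -f` replaces the main ruleset, which on macOS carries Apple's own `com.apple` anchor lines; a shipping VPN client keeps those and loads its rules into a named anchor (`pfctl -a NAME -f FILE`) instead. The parse check is worth running before every load, but after an OS update of the kind discussed in this thread the only real test is to watch what actually leaves `en0` with `tcpdump` while the tunnel is down: if anything other than DHCP and the endpoint's UDP port shows up, the rules are loaded but not being honoured.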

elvisimprsntr

macrumors 65816
Jul 17, 2013
1,052
1,612
Florida
“Privacy” VPNs really do nothing to protect your privacy. All you are doing is handing your traffic to another provider, potentially offshore, while slowing down your bandwidth. Don’t listen to the paid YouTube shills.

I moved to self hosted TailScale MESH VPN. They have a free tier with up to 100 devices. Will traverse any level of NAT, including CGNAT.

I've been on every Sonoma and TailScale developer beta. Sounds like Mullvad is trying to deflect blame.