This repository holds our custom binaries and build scripts for third party software we need to
bundle with the Mullvad VPN app: libmnl and libnftnl for Linux, and Wintun and WireGuardNT
for Windows.
This repository should conform to the same integrity standards as the main Mullvad VPN app repository, meaning that every merge commit has to be signed.
This repository contains a number of submodules, pulling in the source code for the third party software we store the binaries for. These submodules must point to commits that are either directly signed or has a signed tag attached to them. Upon moving a submodule to a different commit, the new commit must be cryptographically verified.
The easiest way to build the binaries is by using the container image specified by Dockerfile:
podman build . -t mullvadvpn-app-binariesThese libraries are only required for Linux and are required by our app to
apply firewall rules. To produce the required libraries, run ./container-run.sh make libnftnl.
Cross-compile both libraries on x64 Linux by setting the appropriate TARGET:
./container-run.sh make libnftnl TARGET="aarch64-unknown-linux-gnu"Only applicable to Windows.
Wintun is found in .\<arch>-pc-windows-msvc\wintun\wintun.dll. The driver can be downloaded and verified
by running the script .\wireguard\download-wintun.cmd. This script downloads Wintun, verifies its
checksum, and makes sure that wintun.dll is correctly signed.
Only applicable to Windows.
WireGuardNT can be found in .\<arch>-pc-windows-msvc\wireguard-nt. The wireguard-nt
submodule contains a fork that fixes multihop tunnels.
To update it, pull the new tag from https://git.zx2c4.com/wireguard-nt, manually verify that the
changes are sensible, and rebase the mullvad-patches-build branch on top of it. The new head of
mullvad-patches-build should be tagged as <original tag name>-mullvad, for example
0.7-mullvad. This tag should be signed and pushed to the fork repository.
Follow the instructions in MULLVAD_BUILD.md in said submodule to build and sign the driver.
Only applicable to Windows.
The split tunneling functionality implemented in Mullvad VPN app is supported by a custom kernel driver.
The driver is developed by us, and is represented here as a submodule named win-split-tunnel.
Instructions for building and signing the driver are provided in said submodule.
The built and signed driver, and associated files, reside under <arch>\split-tunnel.
This repository holds the built binaries for the platforms we need. These exist under directories named after the target triplet they are intended for.