IDEA Glue Blog https://renesat.me/atom.xml renesat self@renesat.me 2026-03-21T00:57:00Z How to Yggdrasil with Mullvad https://renesat.me/posts/how_to_yggdrasil_with_mullvad.html 2026-03-21T00:57:00 2026-03-21T00:57:00Z Most of the time I use Mullvad as my ISP. I think Mullvad is more trustworthy than my local ISP. I configure it through NetworkManager using a simple WireGuard config. It works fine, but I miss some cool features like Post-quantum encryption, DITA, or Obfuscation, like on my phone.

So I thought, why not write this in my NixOS config:

services.mullvad-vpn.enable = true;

And… it works! With all features! But then I tried to access my server using a Yggdrasil address, and I saw this error:

ssh: connect to host 2**:****:****:****:****:****:****:**** port ***: Connection refused

Ping is also not reachable:

> ping 2**:****:****:****:****:****:****:****
PING 2**:****:****:****:****:****:****:**** (2**:****:****:****:****:****:****:****) 56 data bytes
From 2**:****:****:****:****:****:****:**** icmp_seq=1 Destination unreachable: Port unreachable
From 2**:****:****:****:****:****:****:**** icmp_seq=2 Destination unreachable: Port unreachable

At first I thought my server was down again, but no – all services were available. So what was wrong? I allowed the local network for Mullvad and… wait… Yggdrasil uses 200::/7 addresses, which are not public IPv6, but also not a local subnet.

And this is the problem. Mullvad can’t allow specific masks. Yes, you can use mullvad tunnel set allowed-ips, but it uses an include list, not an exclude list as I want. I searched and found a few issues about that (Bug: Kill switch applies to non-global unicast IPv6 ranges, How to use yggdrasil with vpn in same time?), but no solution. However, I found one useful clue – split tunneling.

For per-application split tunneling, Mullvad marks packets for exclusion:

This is achieved by having rules that check if traffic is marked with a connection tracking mark (0x00000f41) to get through the firewall and a meta mark (0x6d6f6c65) to route the traffic outside the tunnel.

So I needed to mark all outgoing Yggdrasil connections. Fortunately, I use nft as firewall, so I just added this rule:

table ip6 yggdrasil-mullvad {
  # Mark all outgoing connections.
  chain output {
    type filter hook output priority 0; policy accept;

    # Use ip ranges
    ip6 saddr 200::/7 ip6 daddr 200::/7 ct mark set 0x00000f41 meta mark set 0x6d6f6c65

    # Or specific interface
    oifname "tun0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65
  }
}

For NixOS users:

networking.nftables.enable = true;
networking.nftables.tables.yggdrasil = {
  enable = true;
  name = "yggdrasil-mullvad";
  family = "ip6";
  content = ''
    chain output {
      type filter hook output priority 0; policy accept;
      ip6 saddr 200::/7 ip6 daddr 200::/7 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
  '';
};

And done! Now I can use these cool technologies at the same time.

P.S. Mullvad App now supports DNS on localhost, and I can still use my Unbound + dnscrypt solution.

]]> How convert SVG icon to favicon in Hakyll https://renesat.me/posts/svg_to_ico_in_hakyll.html 2021-07-01T20:38:31Z 2021-07-01T20:38:31Z I am using Hakyll for this blog. And I have a problem start script for every icon change. And I thought: Why am I not using Hakyll to do this?

Icon has been created in Inkscape with SVG format. A script like this converted SVG icon to PNG:

inkscape -w 16 -h 16 -o icon-16.png icon.svg
inkscape -w 32 -h 32 -o icon-32.png icon.svg
convert icon-16.png icon-32.png favicon.ico

I am not using only ImageMagick because it doesn’t convert the background correctly. Twice start Inkscape is not a good idea. I find parameter actions and rewrite the script for run Inkscape once:

inkscape --without-gui --actions "export-width:16px; export-filename:icon-16.png; export-do; export-width:32px; export-filename:icon-32.png; export-do;" icon.svg
convert icon-16.png icon-32.png favicon.ico

It’s a long command but good for a script running speed (I don’t know why I need this…).

I create a new route in Hakyll with icon.svg depend:

iconDep <- makePatternDependency "images/icon.svg"
rulesExtraDependencies [iconDep] $ create ["favicon.ico"] $ do
    route   idRoute
    compile $ faviconCompiler "site/images/icon.svg"

faviconCompiler create favicon.ico using icon.svg:

faviconCompiler :: FilePath -> Compiler (Item LBS.ByteString)
faviconCompiler svgPath =
  let sizes = [32, 16] :: [Int]
  in do
    tmpFiles <- getFaviconPngs svgPath sizes
    paths <- return $ map (\(TmpFile tmpPath) -> tmpPath) tmpFiles
    ico <- (unixFilterLBS "convert" (paths ++ ["ico:-"]) "")
    makeItem ico

Function getFaviconPngs create multiple TmpFile and PNG for each size. Inkscape starts once using Hakyll’s process.

createFaviconExportLine :: Int -> TmpFile -> String
createFaviconExportLine size (TmpFile path) =
  "export-width:" ++ show size ++ "px; export-filename:" ++ path ++ "; export-do;"

getFaviconPngs :: FilePath -> [Int] -> Compiler [TmpFile]
getFaviconPngs svgPath sizes = do
  tmpFiles <- sequence $ map
      (\size -> newTmpFile $ "hakyll-blog-favicon-" ++ show size ++ ".png")
      sizes
  actions <- return
    $ foldr1 (++)
    $ map (uncurry createFaviconExportLine)
    $ zip sizes tmpFiles
  (_, _, _, handle) <- unsafeCompiler $ createProcess
        (proc "inkscape" ["--without-gui", "--actions",  actions, svgPath])
        { std_err = NoStream
        , std_out = NoStream
        , use_process_jobs = True
        }
  _ <- unsafeCompiler $ waitForProcess handle
  return tmpFiles

Finally, I use ImageMagick for creating ICO:

...
    ico <- (unixFilterLBS "convert" (paths ++ ["ico:-"]) "")
...
]]>