Mullvad-VPN application inside Incus container

I’m trying to use the mullvad-vpn application inside a Debian 12 Incus container, but I’m running into some issues.

I’ve found a few topics and even read the Incus docs FAQ where everyone has discussed how to make the mullvad-vpn app work concurrently with Incus on the Host OS.
https://linuxcontainers.org/incus/docs/main/faq/#why-does-starting-containers-suddenly-fail

But I’m trying to get the mullvad-vpn app running inside an Incus container, not on the Host OS.

Here is a snippet of the logs from the mullvad-daemon that I’m observing:

mullvad-daemon[2993]: [mullvad_daemon::version][INFO] Starting mullvad-daemon - 2024.5 2024-09-03
mullvad-daemon[2993]: [mullvad_daemon][INFO] Logging to /var/log/mullvad-vpn
mullvad-daemon[2993]: [mullvad_daemon::management_interface][INFO] Management interface listening on /var/run/mullvad-vpn
mullvad-daemon[2993]: [mullvad_api::address_cache][DEBUG] Loading API addresses from /var/cache/mullvad-vpn/api-ip-address.txt
mullvad-daemon[2993]: [mullvad_api::address_cache][DEBUG] Using API address: 45.83.223.196:443
mullvad-daemon[2993]: [mullvad_api::availability][DEBUG] Suspending API requests
mullvad-daemon[2993]: [mullvad_daemon::settings][INFO] Loading settings from /etc/mullvad-vpn/settings.json
mullvad-daemon[2993]: [mullvad_relay_selector::relay_selector::parsed_relays][DEBUG] Reading relays from /var/cache/mullvad-vpn/relays.json
mullvad-daemon[2993]: [mullvad_relay_selector::relay_selector::parsed_relays][DEBUG] Reading relays from /opt/Mullvad VPN/resources/relays.json
mullvad-daemon[2993]: [mullvad_relay_selector::relay_selector][INFO] Initialized with 695 cached relays from 2024-09-03 12:54:28.000
mullvad-daemon[2993]: [mullvad_api::availability][DEBUG] Pausing background API requests
mullvad-daemon[2993]: [mullvad_daemon::account_history][INFO] Opening account history file in /etc/mullvad-vpn/account-history.json
mullvad-daemon[2993]: [mullvad_daemon::target_state][DEBUG] No cached target state to load
mullvad-daemon[2993]: [talpid_core::firewall][INFO] Resetting firewall policy
mullvad-daemon[2993]: [talpid_core::firewall::imp][DEBUG] Removing table and chain from netfilter
mullvad-daemon[2993]: [mullvad_daemon::version_check][DEBUG] Loading version check cache from /var/cache/mullvad-vpn/version-info.json
mullvad-daemon[2993]: [mullvad_daemon::api][INFO] Initial offline state - online
mullvad-daemon[2993]: [mullvad_daemon::version_check][WARN] Error: Unable to load cached version info
mullvad-daemon[2993]: Caused by: Failed to open app version cache file for reading
mullvad-daemon[2993]: Caused by: No such file or directory (os error 2)
mullvad-daemon[2993]: [mullvad_daemon][ERROR] Error: Unable to initialize daemon
mullvad-daemon[2993]: Caused by: Unable to initialize split tunneling
mullvad-daemon[2993]: Caused by: Unable to initialize net_cls cgroup instance
mullvad-daemon[2993]: Caused by: EPERM: Operation not permitted
mullvad-daemon[2993]: [mullvad_daemon][DEBUG] Process exiting with code 1

I note the appearance of Unable to initialize net_cls cgroup instance.
I think this appears to be the same nature of problem regarding net_cls cgroup1.

Could anyone advise how I could make this work inside the Incus container?

See this old discussion (since before the creation of Incus) on Mullvad VPN and net_cls.

Please correct me if I’ve misread that topic, but it appears to be focused around mullvad-vpn on the Host OS, and not inside the container.

What I’m trying to do with this topic is the opposite. I want to run the mullvad-vpn app inside a container.

I am however observing a similar issue.

I’m not sure what adjustments I should make to the container to make it work.

Is it possible to mount net_cls cgroup1 inside the container? I was playing around and couldn’t get that to work.

I was thinking that I’d need to specify a raw lxc argument, but I’m not sure I’m heading down the right path.