The AUR provides a mozillavpn package. It used to work for me, then it failed, so I debugged the issue a bit.
The issue was found in the systemd service for mozillavpn:
$ systemctl status mozillavpn
Error listing tables: netlink receive: operation not permitted
When verifying that nft itself works, I encountered this:
$ nft list ruleset
netlink: Error: cache initialization failed: Invalid argument
This seems like a critical error but is very simple to explain. Since nftables has a userspace part that talks to the
kernel, the two must be in sync with the running system. A quick check revealed that the installed kernel did not match
the loaded kernel. The easiest way to fix this is, of course, to reboot. After that, nft list ruleset gives valid output.
So it turns out the pattern behind the client not working was that I had updated the kernel but had not yet loaded it.
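
One way to script the "installed kernel vs. loaded kernel" check described above. This is an added example, not part of the original post; the function names are made up here, and it assumes the distribution keeps each kernel's modules under /usr/lib/modules/<release> with a depmod-generated modules.dep.

```shell
#!/bin/sh
# Added example: detect a running kernel whose module tree is no longer installed.
# Assumption: modules live under /usr/lib/modules/<release>.

# List kernel releases that have a complete module tree under directory $1.
installed_kernels() {
    root=$1
    for dir in "$root"/*/; do
        # modules.dep is written by depmod for each installed kernel;
        # skip leftover directories and an unmatched glob.
        [ -f "${dir}modules.dep" ] || continue
        basename "$dir"
    done
}

# Print "match" and return 0 if release $1 has a module tree under $2.
# Otherwise print "mismatch" with the installed releases and return 1.
kernel_module_status() {
    running=$1
    root=$2
    if [ -f "$root/$running/modules.dep" ]; then
        echo "match: $running"
        return 0
    fi
    echo "mismatch: running $running, installed: $(installed_kernels "$root" | tr '\n' ' ')"
    return 1
}

# Check the live system. On a mismatch the running kernel cannot load its
# modules from disk any more, which is when nft and the VPN service start failing.
kernel_module_status "$(uname -r)" /usr/lib/modules ||
    echo "reboot to load the installed kernel"
```

Running this before restarting mozillavpn after a system upgrade separates a pending reboot from an actual firewall or service misconfiguration.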