4

Using WireGuard VPN with a self-hosted VPN server.

I learned of this "leak" when visiting family.

I happened to be seeding a movie in my torrent list.

A single movie, not a particularly exciting one, but it was there.

I arrived late, but by morning my host got notice from their internet provider to "stop downloading pirated content".

I'd been there for such a short period of time, and I never took down the VPN, so all I can imagine is that it was leaking this traffic during boot, or slightly before connecting WireGuard.

How do I ensure the service loads before traffic goes out, or even prevent traffic from escaping unless through VPN?

3
  • 1
    VPNs disconnect all the time. You need a kill switch to disable the network traffic when the VPN is not connected or healthy. Just because the VPN is started by a service does not mean that service's state is always connected. Review the options provided by your VPN provider's software, and evaluate whether they have a suitable kill switch for your host. Commented Jun 8, 2022 at 18:16
  • 2
    Can you share your (anonymized) route table while connected to the Wireguard VPN? It could be that your VPN solely provides secure access to your home network, without routing all of your traffic through your home. In that case, what you experienced would be expected. Commented Jun 8, 2022 at 18:21
  • Did you perhaps forget to route IPv6 through the tunnel? Commented Jun 9, 2022 at 3:28

2 Answers

4

The best option to prevent leaks is to force all of your sensitive traffic through the VPN adapter.

You can check to see if your torrent client is currently leaking using a tool like ipleak.

qBittorrent has the ability to force all torrent traffic to use a specific network adapter. The setting for this is Options>Advanced>Network Interface. If the adapter is not available then qBittorrent will give a connection error.

If you still have issues with leaks after restricting qBittorrent to use a specific adapter you can limit it to use only the network stacks that are supported by your tunnel. The setting for this is Options>Advanced>Optional IP address to bind to. If your tunnel supports both IPv4 and IPv6 then leave this set to All Addresses.

If you want to set up routing for a split tunnel please see the answer on How do I disable routing table changes in WireGuard for Windows. This question and answer are tailored to Windows, but the solution can be adapted to Linux.

2

As @frank-thomas mentioned, VPNs disconnect all the time, but my user experience with WireGuard vs OpenVPN is that the connection appears to remain, consistently.

I don't know how to check if it only sometimes might be leaking traffic, but I found this:

Linux - Wireguard Kill Switch

  1. Open the WireGuard config file with any text editor:

$ sudo nano /etc/wireguard/wg0.conf

  2. Add the following two lines to the [Interface] section:

PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

I will leave this question open, because I don't know how well it will work or if someone else will arrive with a better solution.
