
I'm trying to make WireGuard work with a special config, to test browsers for WebRTC leaks. With this said, I need a config that allows traffic outside of the tunnel. In Windows I could accomplish this by turning off the "Block untunneled traffic (kill-switch)" checkbox on the client, but the config file I get from this (see below) isn't working on Linux (Ubuntu) with wg-quick, because no working tunnel is created.

I saw suggestions for split tunnels, but I'm not sure how to address this here, since I don't want to split the tunnel for a specific server or IP range, but allow WebRTC to also route over the default gateway (which would make the leak visible).

[Interface]
PrivateKey = key
Address = 10.14.0.2/16
DNS = 162.252.x.x, 149.154.x.x

[Peer]
PublicKey = fJDA+OA6jzQxfRcoHfC27xz7m3C8/590fRjpntzSpGo=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = example.com:51820

Any ideas why this isn't working on Linux? Or maybe ideas how I can set up this use case in a Linux environment? When I set AllowedIPs = 0.0.0.0/0 in the Linux config, the tunnel works, but then all the traffic is routed through the tunnel (WebRTC leak not visible).

Maybe the setup is a bit special, but I would really like to understand why this isn't behaving in the same way. I would really appreciate your answer.

1 Answer


If you want to make your posted config work on Linux, you need to add an explicit route for example.com (or whatever endpoint address you're actually using). Run the following on the Linux system with the WireGuard interface down to determine how it's normally routing to example.com:

$ host example.com
example.com has address 93.184.216.34
$ ip route get 93.184.216.34
93.184.216.34 via 192.168.1.1 dev eth0 src 192.168.1.123 uid 1000

Then add an explicit route for it:

$ sudo ip route add 93.184.216.34 via 192.168.1.1 dev eth0

With that explicit route in place, you should be able to start up a working WireGuard tunnel, and almost everything will be routed through the tunnel -- very similar to how it would work if you used AllowedIPs = 0.0.0.0/0 in your WireGuard config.


However, in your question, you wrote that using AllowedIPs = 0.0.0.0/0 in your WireGuard config isn't producing the result you're looking for. It would be helpful if you edited your question to describe what traffic you want to route through the WireGuard tunnel, and what traffic you want to route through your local default gateway. Here are my first three guesses:

  1. You want to route just 10.14.0.2/16 through the tunnel, and route all your public Internet traffic out your local default gateway. If so, change your WireGuard config to this:

     [Interface]
     PrivateKey = key
     Address = 10.14.0.2/16
    
     [Peer]
     PublicKey = fJDA+OA6jzQxfRcoHfC27xz7m3C8/590fRjpntzSpGo=
     AllowedIPs = 10.14.0.0/16
     Endpoint = example.com:51820
    
  2. You want to route all your public Internet traffic through the tunnel, and route all your local traffic out your local default gateway. If so, change your posted config to use AllowedIPs = 0.0.0.0/0, and add explicit routes for your local private-use networks, like the following (or whatever networks you want to reach through your local gateway instead of the WireGuard tunnel):

     ip route add 10.0.0.0/8 via 192.168.1.1 dev eth0
     ip route add 172.16.0.0/12 via 192.168.1.1 dev eth0
     ip route add 192.168.0.0/16 via 192.168.1.1 dev eth0
    
  3. You want to route most of your public Internet traffic through the tunnel, but route STUN/TURN queries out your local default gateway. If so, change your posted config to use AllowedIPs = 0.0.0.0/0, and add policy-routing rules for the exceptions you want to make. For example, the following rules would send traffic to the standard STUN/TURN ports through your default gateway:

     ip rule add dport 3478 ipproto udp table main priority 100
     ip rule add dport 3478 ipproto tcp table main priority 100
     ip rule add dport 5349 ipproto tcp table main priority 100
    

See the Routing All Your Traffic section of the WireGuard Routing & Network Namespace Integration page for an explanation of what's going on when you use AllowedIPs = 0.0.0.0/0 with wg-quick on Linux.
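The first fix in the answer (look up how the endpoint is currently reached, then pin a host route for it before wg-quick installs the 0.0.0.0/1 and 128.0.0.0/1 routes) is easy to get wrong by hand, especially when the route to the endpoint is a directly connected one with no `via` gateway. The bash script below is an added example, not code from the question or the answer: it resolves the Endpoint host with `getent ahostsv4` instead of `host` (so it needs no bind-utils), parses the first line of `ip route get`, and prints the matching `ip route add` command, or runs it under `sudo` when `APPLY=1`. The WireGuard interface name `wg0` is an assumption (override with `WG_IFACE`); it is used only to refuse to pin a route that already points into a tunnel that was left up. The sample route line in the comments is constructed from the answer's own `ip route get` output.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Automates the answer's first
# fix: resolve the [Peer] Endpoint host, ask the kernel how it is reached
# right now, and produce the explicit host route that keeps the handshake
# outside the tunnel once the 0.0.0.0/1 + 128.0.0.0/1 routes are installed.
# Run it with the WireGuard interface DOWN, as the answer says.

# Resolve a hostname to its first IPv4 address. Uses getent (glibc) rather
# than `host`, so it works without bind-utils installed.
endpoint_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Turn one line of `ip route get <addr>` output into the matching
# `ip route add` command. Handles a gateway route ("via X dev Y") and a
# directly connected route ("dev Y" with no "via"). Returns 1 on input it
# cannot parse, so a caller never runs a half-built command.
# Constructed sample input (same shape as the answer's output):
#   "93.184.216.34 via 192.168.1.1 dev eth0 src 192.168.1.123 uid 1000"
route_add_cmd() {
    local line="$1"
    local dst via dev
    # shellcheck disable=SC2086  # word-splitting the route line is intended
    set -- $line
    dst="$1"
    [ $# -gt 0 ] && shift
    # "local 127.0.0.1 dev lo ..." means the endpoint is this machine itself;
    # no route is needed and the first word is not a destination.
    case "$dst" in
        local|broadcast|multicast|unreachable|prohibit|blackhole) return 1 ;;
    esac
    while [ $# -gt 1 ]; do
        case "$1" in
            via) via="$2"; shift 2 ;;
            dev) dev="$2"; shift 2 ;;
            *)   shift ;;
        esac
    done
    [ -n "$dst" ] && [ -n "$dev" ] || return 1
    if [ -n "$via" ]; then
        printf 'ip route add %s via %s dev %s\n' "$dst" "$via" "$dev"
    else
        printf 'ip route add %s dev %s\n' "$dst" "$dev"
    fi
}

# Resolve, inspect, and either print (default) or apply (APPLY=1) the route.
# WG_IFACE (assumed default wg0) is only used to refuse to pin a route that
# already points into the tunnel, i.e. when the interface was left up.
pin_endpoint_route() {
    local host="$1" addr line cmd
    addr="$(endpoint_ipv4 "$host")"
    if [ -z "$addr" ]; then
        echo "could not resolve $host" >&2
        return 1
    fi
    line="$(ip route get "$addr" 2>/dev/null | head -n 1)"
    case " $line " in
        *" dev ${WG_IFACE:-wg0} "*)
            echo "$addr is already routed via ${WG_IFACE:-wg0}; bring the tunnel down first" >&2
            return 1 ;;
    esac
    cmd="$(route_add_cmd "$line")" || {
        echo "cannot parse route for $addr: '$line'" >&2
        return 1
    }
    if [ "${APPLY:-0}" = 1 ]; then
        # shellcheck disable=SC2086  # the command string is built by us above
        sudo $cmd
    else
        echo "$cmd"
    fi
}

# Only act when told which endpoint to pin, e.g.:
#   WG_ENDPOINT=example.com ./pin-endpoint-route.sh          # print the command
#   WG_ENDPOINT=example.com APPLY=1 ./pin-endpoint-route.sh  # run it
if [ -n "${WG_ENDPOINT:-}" ]; then
    pin_endpoint_route "$WG_ENDPOINT"
fi
```

The route this adds is a plain host route in the main table, so it survives `wg-quick up` but not a reboot; it also goes stale if the endpoint's DNS record changes, which is why the script re-resolves every time rather than caching the address.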

