4

Using WireGuard VPN with a self-hosted VPN server.

I learned of this "leak" when visiting family.

I happened to be seeding a movie in my torrent list.

A single movie, not a particularly exciting one, but it was there.

I arrived late, but by morning my host got notice from their internet provider to "stop downloading pirated content".

I'd been there for such a short period of time, and I never took down the VPN, so all I can imagine is that it was leaking this traffic during boot, or slightly before connecting WireGuard.

How do I ensure the service loads before traffic goes out, or even prevent traffic from escaping unless through VPN?

InfoMiner

2 Answers

4

The best option to prevent leaks is to force all of your sensitive traffic through the VPN adapter.

You can check to see if your torrent client is currently leaking using a tool like ipleak.

qBittorrent has the ability to force all torrent traffic to use a specific network adapter. The setting for this is Options>Advanced>Network Interface. If the adapter is not available then qBittorrent will give a connection error.

If you still have issues with leaks after restricting qBittorrent to use a specific adapter you can limit it to use only the network stacks that are supported by your tunnel. The setting for this is Options>Advanced>Optional IP address to bind to. If your tunnel supports both IPv4 and IPv6 then leave this set to All Addresses.

If you want to set up routing for a split tunnel please see the answer on How do I disable routing table changes in WireGuard for Windows. This question and answer are tailored to Windows but its solution can be adapted to Linux.

2

As @frank-thomas mentioned, VPNs disconnect all the time, but my user experience with WireGuard vs OpenVPN is that the connection appears to remain, consistently.

I don't know how to check if it only sometimes might be leaking traffic, but I found this:

Linux - Wireguard Kill Switch

  1. Open the WireGuard config file with any text editor:

$ sudo nano /etc/wireguard/wg0.conf

  2. Add the following two lines to the [Interface] section:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

I will leave this question open, because I don't know how well it will work or whether someone else will arrive with a better solution.

InfoMiner
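The kill switch in the answer above only protects you if the REJECT rule is really sitting in the OUTPUT chain once wg-quick has brought the interface up. The following is an added example, not code from the original answer: a small POSIX shell check that looks for that exact rule in the text of `iptables -S OUTPUT` / `ip6tables -S OUTPUT`, so it can be tested offline against a constructed dump; the function name check_killswitch and the sample rule dumps are assumptions made for this example.

```shell
#!/bin/sh
# check_killswitch IFACE FWMARK RULES_TEXT
# Returns 0 if the kill-switch rule from the answer is present in RULES_TEXT
# (the output of `iptables -S OUTPUT` or `ip6tables -S OUTPUT`), 1 otherwise.
check_killswitch() {
  iface="$1"; mark="$2"; rules="$3"
  # wg-quick only assigns a fwmark when AllowedIPs contains a default route;
  # otherwise `wg show IFACE fwmark` prints "off" and the PostUp line fails,
  # so there is nothing to look for and the tunnel is not protected.
  if [ "$mark" = "off" ]; then
    echo "no fwmark on $iface: the PostUp rule cannot have been installed" >&2
    return 1
  fi
  # Match the rule exactly as iptables -S prints it, up to the REJECT target
  # (the --reject-with suffix differs between IPv4 and IPv6).
  printf '%s\n' "$rules" | grep -q -- \
    "^-A OUTPUT ! -o $iface -m mark ! --mark $mark -m addrtype ! --dst-type LOCAL -j REJECT"
}

# Constructed sample dumps for offline use. 0xca6c is 51820, the routing
# table / fwmark wg-quick uses by default.
SAMPLE_OK='-P OUTPUT ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_MISSING='-P OUTPUT ACCEPT'

# Live use on the host (as root), once for IPv4 and once for IPv6:
#   check_killswitch wg0 "$(wg show wg0 fwmark)" "$(iptables -S OUTPUT)"
#   check_killswitch wg0 "$(wg show wg0 fwmark)" "$(ip6tables -S OUTPUT)"
if check_killswitch wg0 0xca6c "$SAMPLE_OK"; then
  echo "sample 1: kill switch present"
fi
if ! check_killswitch wg0 0xca6c "$SAMPLE_MISSING"; then
  echo "sample 2: kill switch missing, traffic can leave outside the tunnel"
fi
```

Run both the iptables and ip6tables checks: the answer's rule set adds both, and a missing IPv6 rule is exactly the kind of gap that lets a torrent client leak while the IPv4 side looks fine.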