
I have a local machine on a VPN network with private IP A , and a VPS with private IP B which acts as an exit node, i.e. all traffic in the local machine is supposedly being routed from the local machine encrypted to the VPS which then routes it to the final public destination.

I was trying to find out if my VPN was leaking, so I spun up Wireshark and had it listen on the virtual interface created by the VPN and filtered by ip.addr != B

I would expect to only see DNS requests there, but all BitTorrent traffic shows up as well. I can see packets with source/destination as A -> <Public IP> and vice versa.

It's clearly leaving via the interface and using the local machine's (macOS) private IP address A, but looking at the Wireshark output it seems to not pass through the VPS.

Weirder still, if I use ipleak.net I don't see any leak, the torrent address comes out as the public address of the VPS.

Am I just interpreting the output incorrectly?

Scb
  • 113

1 Answer


You're interpreting the output incorrectly. More specifically, you're expecting that output on the wrong interface.

It's completely normal to see your regular Internet traffic on the virtual interface created by the VPN client: that's what the virtual interface is for. Its entire purpose is to take "regular" traffic to Internet so that the VPN client could encapsulate it – invisibly to your apps, which just carry on talking to various Internet hosts as they did before.

The traffic that you were expecting to see (DNS traffic as well as the encrypted A↔B VPN tunnel traffic) will be visible on the original network interface, i.e. the Ethernet or Wi-Fi adapter, and it will have B's external address on the outside.


If you want to see this "live", try to set up a GRE or IPIP tunnel without encryption so that Wireshark can see both the outer and inner headers at once. But since macOS doesn't really do either of those, you can load a sample capture e.g. GRE.pcap or IP-in-IP.pcap into Wireshark.

(Both examples use 10.0.0.1↔10.0.0.2 as the external/WAN addresses and 1.1.1.1↔2.2.2.2 as the internal/VPN addresses, and both samples show the "outer" traffic of a 'ping 2.2.2.2' that goes through the 10.0.0.2 VPN server. The site has more samples available.)

grawity
  • 501,077
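Added worked example (not part of the question or the answer above, and not taken from the linked sample captures): a small Python decoder that builds an unencrypted IP-in-IP packet and a GRE packet by hand, then peels the layers off, so you can see the "outer" header (10.0.0.1 ↔ 10.0.0.2, the WAN side) and the "inner" header (1.1.1.1 → 2.2.2.2, the ping that the application sent) side by side. The addresses are the constructed ones the answer mentions; `what_wireshark_sees` models the question's `ip.addr != B` filter, treating the physical NIC as showing only the outer header (as it would for an encrypted tunnel, where the payload is opaque) and the tunnel interface as showing only the inner one.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4      # IP-in-IP, RFC 2003
IPPROTO_GRE = 47      # GRE, RFC 2784
ETHERTYPE_IPV4 = 0x0800


def inet_checksum(data):
    """Standard one's-complement Internet checksum (IPv4 header, ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal (no options) IPv4 packet with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(payload=b"ping"):
    """ICMP echo request (type 8), the kind of packet 'ping 2.2.2.2' emits."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[4:] + payload


def parse_ipv4(buf):
    """Parse one IPv4 header; returns ((src, dst, proto), payload)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    if inet_checksum(buf[:ihl]) != 0:      # checksum over a correct header folds to zero
        raise ValueError("bad IPv4 header checksum")
    hdr = (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto)
    return hdr, buf[ihl:total_len]


def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890); returns (ethertype, payload)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, ethertype = struct.unpack("!HH", buf[:4])
    off = 4
    if flags & 0xC000:        # C or R bit: checksum + reserved1 present
        off += 4
    if flags & 0x2000:        # K bit: key present
        off += 4
    if flags & 0x1000:        # S bit: sequence number present
        off += 4
    return ethertype, buf[off:]


def unwrap(packet):
    """Peel encapsulation layers off a raw IPv4 packet, outermost first.

    Returns a list of (src, dst, proto) tuples. layers[0] is what the physical
    NIC carries; layers[-1] is what the application (and Wireshark on the
    tunnel interface) sees.
    """
    layers = []
    buf = packet
    while True:
        hdr, payload = parse_ipv4(buf)
        layers.append(hdr)
        if hdr[2] == IPPROTO_IPIP:
            buf = payload
        elif hdr[2] == IPPROTO_GRE:
            ethertype, inner = parse_gre(payload)
            if ethertype != ETHERTYPE_IPV4:
                break
            buf = inner
        else:
            break
    return layers


def what_wireshark_sees(packet, vps_addr):
    """Model the question's 'ip.addr != B' filter on both interfaces.

    The physical NIC is treated as exposing only the outermost header (true
    for an encrypted tunnel); the tunnel interface exposes only the innermost.
    """
    layers = unwrap(packet)
    outer, inner = layers[0], layers[-1]
    return {"physical_if_shown": vps_addr not in outer[:2],
            "tunnel_if_shown": vps_addr not in inner[:2]}


# Constructed samples: inner ping 1.1.1.1 -> 2.2.2.2, tunnelled 10.0.0.1 -> 10.0.0.2.
def sample_inner_ping():
    return build_ipv4("1.1.1.1", "2.2.2.2", IPPROTO_ICMP, build_icmp_echo())


def sample_ipip_packet():
    return build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, sample_inner_ping())


def sample_gre_packet():
    gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 42)   # K bit set, key = 42
    return build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_GRE, gre + sample_inner_ping())


if __name__ == "__main__":
    for name, pkt in (("IP-in-IP", sample_ipip_packet()), ("GRE", sample_gre_packet())):
        print(name, "->", " | ".join("%s -> %s (proto %d)" % l for l in unwrap(pkt)))
    print(what_wireshark_sees(sample_ipip_packet(), "10.0.0.2"))
```

Running it prints the outer 10.0.0.1 -> 10.0.0.2 header followed by the inner 1.1.1.1 -> 2.2.2.2 one for both encapsulations, and the filter model confirms the answer's point: with B = 10.0.0.2, the packet is hidden by `ip.addr != B` on the physical interface but shown on the tunnel interface, because the inner header never mentions B at all.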