Best to set a firewall rule with nftables to block non-vpn traffic from leaving (you should also do the save for IPv4 traffic to prevent leaks in case the tunnel disconnects)
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I tried the same setup with Ubuntu 24.04.1 desktop live system and I can replicate this IP leak issue, I guess I will have to disable IPv6.
You could edit your configuration to change the wireguard connection's AllowedIPs
from 0.0.0.0/0
to 0.0.0.0/0,::/0
so that IPv6 traffic is routed over it. Regardless of if your wireguard endpoint actually supports it, this will at least stop IPv6 traffic from leaking.
Wireguard config already includes "::/0"
If you have ::/0
in your AllowedIPs and v6 connections are bypassing your VPN, that is strange.
What does ip route get 2a00:1450:400f:801::200e
(an IPv6 address for google) say?
I haven't used wireguard with NetworkManager, but using wg-quick
it certainly adds a default v6 route when you have ::/0
in AllowedIPs
.