Hi All!
I have a media server (DietPi v8.7.1) that’s connected to a VPN service all the time. I’ve found out that my qBittorrent client is leaking my real IP through UDP. This qBittorrent client is in a docker container. What I’d like to do is to make sure all traffic is routed through the VPN tunnel, except the local network. The media server is accessible through SSH, so I have to be careful with the rules.
My config looks like this right now:
/etc/wireguard/wg0-client.conf
[Interface]
PrivateKey = xxxxxx
ListenPort = 51820
MTU = 1280
DNS = 192.168.1.5
Address = 10.13.128.81/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xxx:1443
PersistentKeepalive = 25
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:68:fa:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
3: wg0-client: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.13.128.81/24 scope global wg0-client
valid_lft forever preferred_lft forever
4: br-87e2de2657b6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ad:ad:ab:98 brd ff:ff:ff:ff:ff:ff
inet 172.23.0.1/16 brd 172.23.255.255 scope global br-87e2de2657b6
valid_lft forever preferred_lft forever
5: br-1058020cc9de: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:28:88:e5:83 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-1058020cc9de
valid_lft forever preferred_lft forever
6: br-3be0c83b199f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:aa:57:0d:b0 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3be0c83b199f
valid_lft forever preferred_lft forever
7: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:6e:ac:92:e9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
17: vethe7c9ddd@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ee:03:30:5e:ce:c7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
19: vethd2c23d1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ca:ce:46:21:5b:db brd ff:ff:ff:ff:ff:ff link-netnsid 1
21: veth3bf27a5@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 12:ff:be:31:e1:d5 brd ff:ff:ff:ff:ff:ff link-netnsid 2
23: veth749458c@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 4e:93:13:23:e3:5a brd ff:ff:ff:ff:ff:ff link-netnsid 3
ip route show
default via 192.168.1.1 dev eth0 onlink
10.13.128.0/24 dev wg0-client proto kernel scope link src 10.13.128.81
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-3be0c83b199f proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-1058020cc9de proto kernel scope link src 172.19.0.1 linkdown
172.23.0.0/16 dev br-87e2de2657b6 proto kernel scope link src 172.23.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.13.128.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0-client
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-3be0c83b199f
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-1058020cc9de
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-87e2de2657b6
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1 is my router and 192.168.1.5 is my Raspberry Pi’s static IP address. 10.13.128.81 is the IP address assigned by my VPN provider.
uname -a
Linux MediaServer 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
I’d like to know how I should configure the routing so that the local network is still accessible, but all other traffic is routed through my wg0-client tunnel. Also, several ports need to be forwarded through the VPN tunnel (torrent, Plex, etc.). Please help me! Thank you!
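The following is an added example and is not part of the original post, nor code from DietPi, WireGuard or Docker. It does what the question asks for in three pieces: policy routing that sends everything except the LAN, the Docker bridges and the tunnel subnet through wg0-client (the same fwmark/table scheme wg-quick sets up itself when AllowedIPs is 0.0.0.0/0 and Table is not off; `ip rule show` and `ip route show table 51820` will tell whether it is already in place, since `ip route show` alone only prints the main table), an iptables kill switch for both the host and the containers so that nothing can fall back to eth0 when the tunnel is down, and a DNAT for a port the VPN provider forwards to the tunnel address. Interface names and subnets are taken from the post; the routing table id 51820, the chain name VPN_OUT, the forwarded port 6881 and the container address 172.17.0.2 are assumptions. Without an argument the script only prints the commands; `sudo sh vpn-route.sh apply` executes them.

```shell
#!/bin/sh
# Added example (not from the original post): route everything except the LAN,
# the Docker bridges and the tunnel subnet through wg0-client, and add an
# iptables kill switch for the host and its containers. Interface names and
# subnets come from the post; WG_TABLE, VPN_OUT, FWD_PORT and QBT_IP are
# assumptions. With no argument the commands are only printed.

WG_IF=wg0-client
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DOCKER_NETS="172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.23.0.0/16"
WG_TABLE=51820      # assumption: routing table id, also used as fwmark (wg-quick's default)
FWD_PORT=6881       # assumption: port the VPN provider forwards to 10.13.128.81
QBT_IP=172.17.0.2   # assumption: qBittorrent container on docker0, port not published with -p

# Print an iptables command guarded by -C so re-running never stacks duplicate
# rules. $1 = table arguments ("" or "-t nat"), $2 = -A or -I, rest = the rule.
once() { tbl=$1; act=$2; shift 2; echo "iptables $tbl -C $* 2>/dev/null || iptables $tbl $act $*"; }

# Policy routing. Rule 100 consults the main table but suppresses its /0 route,
# so LAN, Docker bridges and 10.13.128.0/24 still use their own interfaces (SSH
# from the LAN keeps working). Everything else falls through to rule 200 and
# table $WG_TABLE, whose only route is the tunnel. WireGuard's own encrypted
# UDP carries the fwmark and is excluded, so it can still leave via eth0.
gen_routing() {
  cat <<EOF
sysctl -q -w net.ipv4.conf.all.src_valid_mark=1
wg set $WG_IF fwmark $WG_TABLE
ip route replace default dev $WG_IF table $WG_TABLE
ip rule show | grep -q 'lookup main suppress_prefixlength 0' || ip rule add priority 100 table main suppress_prefixlength 0
ip rule show | grep -q "not from all fwmark .* lookup $WG_TABLE" || ip rule add priority 200 not fwmark $WG_TABLE table $WG_TABLE
EOF
}

# Host kill switch: on eth0 allow only LAN destinations and packets carrying
# the WireGuard fwmark; reject everything else instead of letting it leak when
# the tunnel is down. The chain is flushed and rebuilt, so it is idempotent.
gen_host_killswitch() {
  echo "iptables -N VPN_OUT 2>/dev/null || iptables -F VPN_OUT"
  once "" -A VPN_OUT -d $LAN_NET -j ACCEPT
  once "" -A VPN_OUT -m mark --mark $WG_TABLE -j ACCEPT
  once "" -A VPN_OUT -j REJECT --reject-with icmp-admin-prohibited
  once "" -I OUTPUT -o $LAN_IF -j VPN_OUT
}

# Container kill switch: Docker evaluates DOCKER-USER before its own FORWARD
# rules. Containers may still reach the LAN and the tunnel (Docker's own
# MASQUERADE rewrites them to the tunnel address), but never the Internet
# through eth0, so a torrent client cannot expose the real address.
gen_container_killswitch() {
  for net in $DOCKER_NETS; do
    once "" -I DOCKER-USER -s $net -o $LAN_IF ! -d $LAN_NET -j DROP
  done
}

# Inbound port forward from the VPN provider: accepted on the tunnel only and
# DNATed to the container, so the port is never reachable from the LAN side.
gen_port_forward() {
  for proto in tcp udp; do
    once "-t nat" -A PREROUTING -i $WG_IF -p $proto --dport $FWD_PORT -j DNAT --to-destination $QBT_IP:$FWD_PORT
    once "" -I DOCKER-USER -i $WG_IF -p $proto -d $QBT_IP --dport $FWD_PORT -j ACCEPT
  done
}

gen_all() { gen_routing; gen_host_killswitch; gen_container_killswitch; gen_port_forward; }

case "${1:-print}" in
  apply) gen_all | sh -e ;;
  print) gen_all ;;
  *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

After applying, `ip route get 1.1.1.1` should report `dev wg0-client` and `ip route get 192.168.1.1` should still report `dev eth0`; from inside the qBittorrent container, a request to any public IP-echo service should return the VPN address, and with the tunnel taken down the same request should fail rather than show the real address (table 51820 loses its route and VPN_OUT rejects the fallback to eth0). The post shows only IPv4; if the host also has IPv6 connectivity, the same rules are needed with ip6tables, or IPv6 has to be disabled on eth0, because otherwise UDP can still leak over it.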