Wireguard client routing help

Hi All!

I have a media server (DietPi v8.7.1) that’s connected to a VPN service all the time. I’ve found out that my qBittorrent client is leaking my real IP through UDP. This qBittorrent client is in a docker container. What I’d like to do is to make sure all traffic is routed through the VPN tunnel, except the local network. The media server is accessible through SSH, so I have to be careful with the rules.

My config looks like this right now:

/etc/wireguard/wg0-client.conf

[Interface]
PrivateKey = xxxxxx
ListenPort = 51820
MTU = 1280
DNS = 192.168.1.5
Address = 10.13.128.81/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xxx:1443
PersistentKeepalive = 25

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:68:fa:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

3: wg0-client: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.13.128.81/24 scope global wg0-client
       valid_lft forever preferred_lft forever

4: br-87e2de2657b6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ad:ad:ab:98 brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.1/16 brd 172.23.255.255 scope global br-87e2de2657b6
       valid_lft forever preferred_lft forever

5: br-1058020cc9de: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:28:88:e5:83 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-1058020cc9de
       valid_lft forever preferred_lft forever

6: br-3be0c83b199f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:aa:57:0d:b0 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3be0c83b199f
       valid_lft forever preferred_lft forever

7: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:6e:ac:92:e9 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

17: vethe7c9ddd@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ee:03:30:5e:ce:c7 brd ff:ff:ff:ff:ff:ff link-netnsid 0

19: vethd2c23d1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ca:ce:46:21:5b:db brd ff:ff:ff:ff:ff:ff link-netnsid 1

21: veth3bf27a5@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 12:ff:be:31:e1:d5 brd ff:ff:ff:ff:ff:ff link-netnsid 2

23: veth749458c@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 4e:93:13:23:e3:5a brd ff:ff:ff:ff:ff:ff link-netnsid 3

ip route show

default via 192.168.1.1 dev eth0 onlink
10.13.128.0/24 dev wg0-client proto kernel scope link src 10.13.128.81
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-3be0c83b199f proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-1058020cc9de proto kernel scope link src 172.19.0.1 linkdown
172.23.0.0/16 dev br-87e2de2657b6 proto kernel scope link src 172.23.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.13.128.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0-client
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-3be0c83b199f
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-1058020cc9de
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-87e2de2657b6
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

192.168.1.1 is my router and 192.168.1.5 is my Raspberry Pi’s static IP address. 10.13.128.81 is the IP address assigned by my VPN provider.

uname -a

Linux MediaServer 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux

I’d like to know how I should configure the routing so that the local network is still accessible, but all other traffic is routed through my wg0-client tunnel. Also, several ports need to be forwarded through the VPN tunnel (torrent, Plex, etc.). Please help me! Thank you!

maybe @trendy could have a look.

Why not implement the dietpi-killswitch?
Currently firewall allows everything and default route is via router, so it’s like not having a VPN at all.

@trendy if I’m not mistaken, our Killswitch is working for OpenVPN only. Isn’t it?

If that is the case then we need to copy the rules from another topic, e.g.

but first of all you need to enable default route over the wireguard tunnel.


Also the iptables NAT rules look weird for a client. However, with AllowedIPs = 0.0.0.0/0 WireGuard should set up ip rules to override the default route for everything but the WireGuard server itself. This differs from the 2 additional routes which OpenVPN sets up.

Thank you! Yes, the VPN works, I get a new external IP address after connecting to the VPN server. Wireguard is overriding the IP rules, however the default route is the router. That’s what should be changed to the wg0-client interface. But at the same time local ip addresses should not be routed through the VPN.

Yes exactly, the WireGuard client rules only override the default route but not routes for local IP ranges. ip rule show should list them.

However you say qBittorrent is bypassing the VPN.

Is there a specific reason for the iptables NAT rules? Are those required for Docker, VLANs or so to work with the VPN?
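The two things asked for in this thread (LAN stays local, everything else leaves only through wg0-client, and nothing leaks if the tunnel is down) can be written down as one small script. This is an added example for this thread, not the poster's configuration and not DietPi's dietpi-killswitch. It takes the interface names and address ranges from the post (eth0, 192.168.1.0/24, wg0-client, the 172.x Docker bridges) and assumes Docker's DOCKER-USER chain exists, which it does whenever the Docker daemon is running. VPN_ENDPOINT is a placeholder from the TEST-NET-3 documentation range because the real endpoint is redacted in the post; set it to the VPN server's IP before applying anything.

```sh
#!/bin/sh
# wg-policy.sh: "LAN stays on eth0, everything else leaves through wg0-client,
# and if the tunnel is down nothing else leaves at all" (a killswitch).
# Added example for this thread, not DietPi's dietpi-killswitch. Interface
# names and ranges are taken from the post; VPN_ENDPOINT is a placeholder
# because the real endpoint is redacted. Set it before running "apply".

LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
WG_IF="wg0-client"
DOCKER_NETS="172.16.0.0/12"                  # docker0 and the br-* bridges from ip addr
VPN_ENDPOINT="${VPN_ENDPOINT:-203.0.113.10}" # placeholder (TEST-NET-3); replace with the real server IP
VPN_PORT="1443"                              # from the Endpoint line of wg0-client.conf

# ip4_to_int: dotted quad -> 32-bit integer, so prefix checks work in plain sh.
ip4_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR lies inside NET/PREFIX.
in_cidr() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# egress_for DST: the interface the intended policy sends DST out of.
# Loopback, the LAN and the Docker bridges stay local; everything else,
# including the VPN's own 10.13.128.0/24, goes to the tunnel.
egress_for() {
    if   in_cidr "$1" 127.0.0.0/8;    then echo lo
    elif in_cidr "$1" "$LAN_NET";     then echo "$LAN_IF"
    elif in_cidr "$1" "$DOCKER_NETS"; then echo docker
    else                                   echo "$WG_IF"
    fi
}

# killswitch_rules: print the iptables commands that enforce the policy on eth0.
# OUTPUT covers the host itself, DOCKER-USER covers forwarded container traffic
# (Docker jumps to DOCKER-USER before its own FORWARD rules, so rules placed
# there are not overridden by the daemon). Only LAN traffic and the WireGuard
# UDP stream to the VPN server may leave eth0; anything else, including a
# container answering a peer that reached a published port on the real IP, is
# rejected. wg0-client is left alone, and SSH from the LAN keeps working
# because the replies are destined for $LAN_NET.
killswitch_rules() {
    for chain in OUTPUT DOCKER-USER; do
        echo "iptables -I $chain 1 -o $LAN_IF -d $LAN_NET -j ACCEPT"
        echo "iptables -I $chain 2 -o $LAN_IF -p udp -d $VPN_ENDPOINT --dport $VPN_PORT -j ACCEPT"
        echo "iptables -I $chain 3 -o $LAN_IF -j REJECT"
    done
}

case "${1:-}" in
    show)  killswitch_rules ;;            # print the rules to review them first
    apply) killswitch_rules | sh -ex ;;   # run as root
    route) egress_for "$2" ;;             # e.g. ./wg-policy.sh route 1.1.1.1
esac
```

Run `./wg-policy.sh show` first and read the rules, then `apply` from an SSH session on the LAN; rule 1 in each chain is what keeps that session alive. The rules are not persistent, so load them at boot (a systemd unit or iptables-persistent), not only from PostUp, otherwise the protection disappears exactly when the tunnel is down. To confirm the routing side that this thread is about, check `ip rule show` and `ip route show table 51820` (the table wg-quick uses for AllowedIPs = 0.0.0.0/0) and run `ip route get 1.1.1.1`, which should answer with `dev wg0-client` while `ip route get 192.168.1.1` still says `dev eth0`. If the LAN relies on mDNS or other multicast, add an ACCEPT for 224.0.0.0/4 on eth0 ahead of the REJECT.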