I have imported some WireGuard configs from my VPN provider. Imported one into a new Network Connection in Network Manager. Seemed to import OK, but not many settings. I’d like a switch or some kind of “Always On” setting. Is that possible?
If not, I remember the Mac version of the Wireguard app had a setting which effectively provided a ‘kill switch’ (to prevent connections outside the VPN and block all traffic if VPN connection dropped). I’d like this functionality on Fedora if possible.
NetworkManager preserves the WireGuard interface and its default route even when the server is down or unreachable, which effectively provides a routing-based kill switch OOTB.
Hmm, I don’t understand that but I get it enough to think it’s worth me looking into what you mean and how to do that. I like the idea of blocking native IP connections at system level, very much!
sudo -i
cd /etc/systemd
mkdir -p resolved.conf.d
cp resolved.conf resolved.conf.d/block-all.conf
# edit the lines here, uncomment the DNS lines, etc.
A VPN is often connected through a static IP, so you don't need DNS. And then, after connecting to your new LAN (VPN), it often has its own DNS server set up.
But this will not block direct IP connections.
So you may want to do something in /etc/hosts, but I don't know that yet.
Since WireGuard is not a VPN that makes a connection to a VPN server, but a network interface that happens to send a key plus encrypted packets to a predefined IP, I would give it a try to define the VPN in e.g. /etc/wireguard/wgvpn.conf and let the service wg-quick@wgvpn start BEFORE NetworkManager. systemd-resolved is already started, so wg-quick can enter the DNS address already; if not, fall back to /etc/resolv.conf.
WireGuard's routing is clever enough that the default route should not be overruled by DHCP.
The only thing is that DHCP communication should not be caught.
WLAN with a captive portal will no longer be possible.
No problem.
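The wg-quick approach sketched in the post above (a profile in /etc/wireguard/wgvpn.conf, with the caveat that DHCP must not be caught) is usually paired with a firewall rule set so that nothing leaves through the physical link except WireGuard's own packets. The script below is an added example for this thread, not code from any poster or from the WireGuard project: it parses a constructed client profile and renders an nftables kill switch in the spirit of the kill-switch example in the wg-quick(8) manual page. The interface name wgvpn, the fwmark 0xca6c, the table name wg_killswitch and the placeholder keys are assumptions chosen for illustration.

```python
"""Turn a wg-quick style configuration into an nftables kill-switch ruleset.

Added example for this thread (not code from any poster). The config below
is constructed; the interface name "wgvpn", the fwmark 0xca6c and the table
name "wg_killswitch" are assumptions. The rule set follows the idea of the
kill-switch example in wg-quick(8): anything that leaves through a non-tunnel
interface, is not WireGuard's own marked UDP and is not local gets rejected.
"""
import ipaddress

# Constructed client profile; the keys are placeholders, not real material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.7.0.2/24
DNS = 10.7.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Minimal wg conf parser: one [Interface], any number of [Peer] sections."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"bad line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        # AllowedIPs may be given on several lines; join repeats as a list.
        current[key] = f"{current[key]}, {value}" if key in current else value
    return {"interface": interface, "peers": peers}


def split_endpoint(endpoint):
    """'203.0.113.10:51820' -> (IPv4Address, 51820); also handles [v6]:port."""
    host, port = endpoint.rsplit(":", 1)
    host = host.strip("[]")
    try:
        host = ipaddress.ip_address(host)
    except ValueError:
        pass  # DNS name: cannot be pinned in the ruleset, the fwmark rule covers it
    return host, int(port)


def kill_switch_ruleset(conf, ifname="wgvpn", fwmark=0xCA6C, table="wg_killswitch"):
    """Render an nftables file: accept tunnel, marked and local traffic, reject the rest."""
    rules = [
        'oifname "lo" accept',
        f'oifname "{ifname}" accept',
        # WireGuard's own encapsulated UDP carries this mark (wg set <if> fwmark ...)
        f"meta mark {fwmark:#x} accept",
        # DHCP renewals on the physical link must still get out (the caveat above)
        "udp sport 68 udp dport 67 accept",
        "fib daddr type local accept",
    ]
    for peer in conf["peers"]:
        if "Endpoint" not in peer:
            continue
        host, port = split_endpoint(peer["Endpoint"])
        if isinstance(host, ipaddress.IPv4Address):
            rules.append(f"ip daddr {host} udp dport {port} accept")
        elif isinstance(host, ipaddress.IPv6Address):
            rules.append(f"ip6 daddr {host} udp dport {port} accept")
    rules.append("counter reject with icmpx type admin-prohibited")
    body = "\n".join(f"        {r}" for r in rules)
    return (
        f"table inet {table} {{\n"
        f"    chain output {{\n"
        f"        type filter hook output priority 0; policy accept;\n"
        f"{body}\n"
        f"    }}\n"
        f"}}\n"
    )


def wg_quick_hooks(ruleset_path, table="wg_killswitch"):
    """PostUp/PreDown lines to paste into the [Interface] section of the profile."""
    return (f"PostUp = nft -f {ruleset_path}",
            f"PreDown = nft delete table inet {table}")


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    print(kill_switch_ruleset(conf))
    print("\n".join(wg_quick_hooks("/etc/wireguard/wgvpn-killswitch.nft")))
```

Save the rendered table to a file and reference it from PostUp/PreDown so the rules live and die with the tunnel. Since the reject rule is last and the default policy is accept, the explicit accepts in front of it are the whole allow-list: loopback, the tunnel itself, WireGuard's marked UDP (or the pinned endpoint when the profile uses a literal IP), DHCP renewals and locally destined traffic. A captive portal will indeed not work while this is loaded, as the post above warns.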
Just refer to the post of @vgaetera: a regular VPN like IPsec connects to a server, negotiates keys and account, and if the server goes down it might drop the VPN. WireGuard does not have a “connection” to the server; if the WireGuard server receives a packet from you and recognizes the key, it is happy to process it. If it does not for some reason, you just do not have any connection, as long as your WireGuard interface is up.
So indeed: killswitch implicitly on.
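The routing behaviour @vgaetera and the post just above rely on can be checked with a small model of Linux policy routing. This is an added example, not code from anyone in the thread. The `ip rule` and `ip route` snapshots are constructed to match a wg-quick style setup (table 51820, fwmark 0xca6c, tunnel interface wg0, physical link wlan0); the script resolves a few destinations the way the kernel would and then shows what happens when the tunnel's default route disappears while the policy rules stay.

```python
"""Model Linux policy routing as wg-quick or NetworkManager set it up for
WireGuard, to see why the default route through the tunnel acts as a
routing-based kill switch, and what happens when that route is gone.

Added example for this thread, not code from any poster. The `ip rule` and
`ip route` snapshots below are constructed, not captured from a real host.
"""
import ipaddress

# Constructed `ip -4 rule` output: table 51820 holds the tunnel default route,
# fwmark 0xca6c (51820) marks WireGuard's own encapsulated UDP packets.
IP_RULE = """\
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed `ip -4 route show table all` output (local table omitted).
IP_ROUTE = """\
default dev wg0 table 51820 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.2
"""


def parse_rules(text):
    """Parse the subset of `ip rule` syntax wg-quick/NM use: not, fwmark, lookup, suppress."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, body = line.split(":", 1)
        toks = body.split()
        rule = {"prio": int(prio), "invert": False, "fwmark": None,
                "table": None, "suppress_prefixlength": None}
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok == "not":
                rule["invert"] = True
            elif tok == "from":
                i += 1  # "from all" is the only source selector modelled here
            elif tok == "fwmark":
                i += 1
                rule["fwmark"] = int(toks[i], 0)
            elif tok == "lookup":
                i += 1
                rule["table"] = toks[i]
            elif tok == "suppress_prefixlength":
                i += 1
                rule["suppress_prefixlength"] = int(toks[i])
            i += 1
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def parse_routes(text):
    """Group routes by table: {table: [(network, device), ...]}; no 'table' word means main."""
    tables = {}
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
        table, dev = "main", None
        for i, tok in enumerate(toks):
            if tok == "table":
                table = toks[i + 1]
            elif tok == "dev":
                dev = toks[i + 1]
        tables.setdefault(table, []).append((dst, dev))
    return tables


def longest_match(routes, dst):
    best = None
    for net, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def route_lookup(rules, tables, dst, fwmark=0):
    """Return (device, table) the kernel would pick for dst, or (None, None) if unroutable."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["fwmark"] is not None and (fwmark == rule["fwmark"]) == rule["invert"]:
            continue  # selector (possibly negated) does not match this packet
        best = longest_match(tables.get(rule["table"], []), dst)
        if best is None:
            continue  # empty or absent table: fall through to the next rule
        net, dev = best
        sp = rule["suppress_prefixlength"]
        if sp is not None and net.prefixlen <= sp:
            continue  # suppress_prefixlength 0 hides main's default route, keeps LAN routes
        return dev, rule["table"]
    return None, None


def without_tunnel_route(tables):
    """The same tables with the tunnel's default route gone (wg0 torn down, rules left)."""
    return {t: r for t, r in tables.items() if t != "51820"}


if __name__ == "__main__":
    rules, tables = parse_rules(IP_RULE), parse_routes(IP_ROUTE)
    for label, tbl in (("tunnel up", tables), ("tunnel route gone", without_tunnel_route(tables))):
        for dst, mark in (("1.1.1.1", 0), ("203.0.113.10", 0xCA6C), ("192.168.1.5", 0)):
            print(f"{label:18} {dst:14} mark={mark:#x} -> {route_lookup(rules, tbl, dst, mark)}")
```

With the tunnel up, unmarked traffic to the Internet resolves to wg0 via table 51820, WireGuard's own marked packets to the endpoint reach wlan0 through the main table, and LAN destinations stay on wlan0 because suppress_prefixlength 0 only hides the default route. The last case is the caveat a practitioner should keep in mind: the protection lasts exactly as long as the wg0 default route exists. If that route goes away while the rules remain, the lookup in table 51820 fails, the kernel falls through to the main table, and unmarked traffic leaves through wlan0. A firewall rule set is the belt-and-braces complement to the routing-based behaviour described above.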
I might not have understood something but… if I turn off my WireGuard VPN connection in GNOME quick settings, the WiFi connection keeps working and my IP changes. Is this expected behaviour?
How do I make sure that if my vpn via wireguard does not work or gets disabled by accident, I do not get leaked?
Your IP would normally be assigned by the DHCP server (gateway router?), but when a VPN is active the IP used is assigned by the VPN server you connect to, and traffic is supposed to go through the tunnel. Thus the IP and routing are expected to change.
You must have an internet connection that works to start the VPN and it must continue to work when the VPN is stopped.
Leakage is defined as having communications where some of the traffic is through the VPN and some is via the normal routing on the gateway at the same time. That is controlled by the VPN config and the local routing on the workstation. When the VPN is not active it cannot be considered leakage.
I am just learning how this works, coming from many years of using 3rd-party VPN apps.
Here’s how to think about it: if you CLICK on VPN in quick settings, you’re telling the OS you don’t want VPN on any more, so it disconnects and leaves you with your native underlying connection. That’s sensible behaviour, but as I have been on 3rd-party apps so long, I am used to (as you may be too) a bit more ‘warning’!!
Basically, as Jeff pointed out ^, this is not leakage. Leakage is something I think of as traffic bypassing the VPN when it is SUPPOSED to be tunneling all traffic through the VPN. But when you press that VPN button, you turned off the VPN. I can see why it’s handy for many people who only use a VPN occasionally, say in a certain browser: they can turn it on with one click in quick settings, then when finished, click again to turn it off, returning everything to normal (ISP-assigned IP).
What I am concerned about right now is the fact that the only way I can change from one VPN connection to another is by turning VPN off and choosing another connection. But the period of time that takes is when my IP is exposed. It’s not technically a ‘leak’, but the fact the VPN goes off and on produces the same undesirable result, my real IP is exposed to all the connections I have open while I fumble with mouse buttons!
I seriously believe that needs adjusting. But until then, I am going to have to use a 3rd-party VPN app (not ideal either).
Not really true.
Any TCP connection would be broken by the change of routing from VPN to ISP to a different VPN, since the connection is based upon (at least mostly) the endpoint IP, and since that changes at your host with those tunnel switches, the connection would break and need to be re-established. Even a ping from your host with ICMP would break, at least during the times between packet transmits, since a ping from one address would not get returned to the same, now void, IP address when the tunnel is dropped.
Remote servers you have connected to via a vpn have no clue about your real address unless you actively reconnect from the local address. Their responses are directed to the remote endpoint of your tunnel. (which you just closed). While the tunnel is active the remote server provides NAT for your actual IP on the tunnel.
At granular level, you are of course correct, but only for the most part I think. I don’t believe there is ZERO chance of any of my connected parties (websites, accounts, dynamic pages refreshing content, email program making sync connections…) noticing my real IP. Even if it were only a theoretical risk, I want to be able to switch VPN connections without reverting to my real IP in between.
I am not sure that is a possibility. I do not believe you can have 2 different VPNs active at the same time, which would be required to avoid the momentary gap between dropping one and opening the second.
However, it also is true that your outgoing connections would need to reestablish the link to the remote server during that few seconds or less between dropping one tunnel and adding the next tunnel.
Maybe you should be looking at what your apps are doing that has you this paranoid that your system cannot have even such a short time between switching vpns to cause such a security risk. Nothing trying to make an external connection implies very miniscule risk during that time period.
NetworkManager can activate multiple VPNs simultaneously if you properly manage the default route as well as the routes to the VPN endpoints.
By the way, there is another thread that discusses a kill switch that is better suited to persist across different VPN connections: VPN bug and leaks during changeover
I have not once used the words ‘security risk’. I would expect a Fedora wizz to know the difference between privacy and security. I don’t appreciate the use of the word “paranoid”. You have no clue what I am doing or why I might want to prevent ‘leaks’ of my IP to third parties. You therefore have no basis for knowing if I am ‘irrational’ or not, rendering your post a plain insult.
FYI - My apps are not doing anything ‘worrying’. (I don’t have any apps installed other than via Software). I have various bona fide reasons to need to avoid IP leaks. I shouldn’t need to (and can’t) go into all of those reasons. Suffice to say, one small example (of many) is that when doing research and SEO work (for others as well as myself) I often need to study the Google web results of certain countries or geographic locations. I’ve been doing this a long time, and if the browser pings my real IP, I have to go through the process of clearing all data, cookies etc., and starting a procedure again, as I suddenly lose access to what I ‘should’ be seeing if I were physically in the target country. But again, that’s just one of many reasons; others relate to accounts which can lock/prohibit my use if my IP changes (US to UK or similar distance).
There are many reasons why a sudden change of IP (representing 4000 miles across the earth) can cause significant problems, account lockouts/security checks, and for understandable reasons. I’ve been doing this for many years, and have had it happen hundreds of times, it’s extremely annoying. Thus it’s just MUCH easier to ensure my IP doesn’t change unless I choose to make the change myself.
Nearly every VPN app on the planet tries to provide some sort of ‘kill switch’. I would think it more than reasonable (and desirable for its users) for the VPN function of Network Manager to contain some sort of similar feature/protection. Maybe I’m wrong there, it appears so right now, hence I will have to just use a 3rd party VPN app, but I would prefer to stick to native stuff like NM instead of more apps from other sources.
The latest version of NetworkManager in Fedora 40 allows you to activate multiple WireGuard connections simultaneously, altering the default route.
This should solve the problem of traffic leaks, but you need to manually deactivate the old connection after activating the new one; otherwise both tunnels remain deadlocked.
I tested this using my own WireGuard server and 2 client profiles with unique keys.