gary113 / wireguard-gui-python

GNU General Public License v3.0

[FEATURE REQUEST] Can you add the ability to disconnect from the internet when the Wireguard VPN connection is lost and the ability to not give out the IP address? #5

Open universish opened 5 days ago

universish commented 5 days ago

In the Proton VPN settings, there is a feature to disconnect from the internet if the WireGuard VPN disconnects.

If the VPN disconnects, it disconnects the internet connection before the original IP address is returned to the original IP address. Thus, Wireguard does not give away our original IP address when the VPN connection is lost.

This creates a layer of security against the internet service provider. In addition, our original IP address data is not registered with the website servers we access. Also, since any software in the system cannot access the internet, our IP address is not leaked.

Can you add this feature to your software?

gary113 commented 1 day ago

Are you referring to not having internet access when, for some reason, the connection to the ProtonVPN server is lost (this wouldn't turn off the interface), or are you saying that if you manually turn off the WireGuard interface, you still won't have internet access until you turn it back on?

universish commented 1 day ago

I mean no internet access if for some reason the connection to the VPN server is lost (this does not close the interface).

gary113 commented 23 hours ago

As far as I know, that's WireGuard's default behavior. You can try the following experiment:

curl -4 ifconfig.io (To check your original IPv4 address)
curl -6 ifconfig.io (To check your original IPv6 address; if you're not using IPv6, this will fail)

Here are some key points of interest in the WireGuard configuration:

This is the server IP through which you're routing, in this case, ProtonVPN:

Endpoint = VPN_SERVER_IP:VPN_SERVER_PORT

This part is important because it FORCES your network card to route ALL IPv4 traffic through the specified endpoint as long as the WireGuard interface is active:

AllowedIPs = 0.0.0.0/0

If you're also using IPv6, you should add a configuration like this to redirect both traffic types (I personally recommend disabling IPv6 on your PC and using only IPv4 to avoid dealing with IPv6 issues):

AllowedIPs = 0.0.0.0/0, ::/0

Now, activate your WireGuard interface and let’s check your new IPs:

curl -4 ifconfig.io
curl -6 ifconfig.io

Next, we'll simulate a connection error to the server while your WireGuard interface is still active (these commands are for IPv4):

sudo iptables -A OUTPUT -d REPLACE_HERE_THE_VPN_SERVER_IP -j MARK --set-mark 1
sudo iptables -A OUTPUT -m mark --mark 1 -j DROP

These commands block any outgoing traffic to the VPN server, simulating a connection loss. Note that this doesn't turn off the WireGuard interface.

With this connection loss, you’ll notice that you can’t reach any other internet IP with ping. This simulates what would happen if you lost connection to the VPN server, because your network card is still trying to send packets to the VPN server.

With the interface still active, remove the rules we set to simulate reconnecting:

sudo iptables -D OUTPUT -d REPLACE_HERE_THE_VPN_SERVER_IP -j MARK --set-mark 1
sudo iptables -D OUTPUT -m mark --mark 1 -j DROP

And check your IPs again:

curl -4 ifconfig.io
curl -6 ifconfig.io

If you manually deactivate the WireGuard interface, you’ll regain internet access, but you’ll be exposed. For this to happen, you would have to disable it yourself since it doesn’t turn off even if the connection is lost, as you just saw.