thrnz / docker-wireguard-pia

A Docker container for using Wireguard with PIA.

Question: Can IP Leakage be an Issue? #25

Open norsemangrey opened 3 years ago

norsemangrey commented 3 years ago

First I would like to say that this is an awesome image! I was looking for something exactly like this as I like to have the VPN client service standalone and not built in as part of another image.

I was looking into the source code as I am trying to learn a bit myself, however, I do not know a lot of the mechanics behind iptables and networking so I was just wondering: is there any chance of IP leakage if the VPN connection goes down or in any other scenarios?

Btw, you probably know of it already, but if you don't, binhex has some good quality Wireguard VPN images and he seems to really know what he is doing in that regard. Unfortunately, they are bundled together with other services and port forwarding is not "transparent" for use with services in other containers. However, you could probably steal some ideas from them to refine your own great image.

thrnz commented 3 years ago

I'd be surprised if it was an issue.

wg-quick is used to set up wireguard, which should set the wireguard interface as the default gateway for all outgoing traffic. Because wireguard doesn't 'go down' as OpenVPN might, in many cases that would probably be enough.

As a further precaution though, firewall rules are also added to drop any traffic that's not going out over the VPN, with exceptions made for attached docker networks and those set in LOCAL_NETWORK. So in the unlikely event that something wonky does happen, any outgoing traffic should be dropped. This is the same approach mentioned in the FAQ you linked.
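The "drop everything that isn't leaving via the tunnel" rule set described in the reply above, written out as an added illustration (not the project's own script). It assumes the tunnel interface is `wg0`, that the allowed local and Docker ranges are passed in as comma-separated CIDR lists in the spirit of `LOCAL_NETWORK`, and uses constructed sample addresses; the `check_killswitch` helper is a hypothetical defender-side sanity check over an `iptables -S OUTPUT` dump.

```shell
#!/bin/sh
# Added example: WireGuard kill switch in the style discussed above.
# Assumptions (not from the project): tunnel interface wg0, CIDR lists
# passed as comma-separated strings, constructed sample endpoint values.

# Emit an iptables-restore ruleset that drops any egress not leaving via
# the tunnel, with exceptions for loopback, the VPN endpoint itself,
# established replies, attached Docker networks and LOCAL_NETWORK ranges.
build_killswitch_rules() {
    wg_if="$1"          # tunnel interface, e.g. wg0
    endpoint_ip="$2"    # VPN server address reached over the real NIC
    endpoint_port="$3"  # WireGuard UDP port on that server
    local_nets="$4"     # comma-separated CIDRs (LOCAL_NETWORK), may be empty
    docker_nets="$5"    # comma-separated CIDRs of attached Docker networks

    echo '*filter'
    echo ':OUTPUT DROP [0:0]'                 # default: drop all egress
    echo '-A OUTPUT -o lo -j ACCEPT'
    # The encrypted WireGuard packets themselves must reach the server.
    echo "-A OUTPUT -p udp -d $endpoint_ip --dport $endpoint_port -j ACCEPT"
    # Anything routed into the tunnel is fine.
    echo "-A OUTPUT -o $wg_if -j ACCEPT"
    # Replies on connections opened from outside (e.g. by other containers).
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Bypass exceptions: Docker networks and LOCAL_NETWORK.
    for cidr in $(printf '%s,%s' "$docker_nets" "$local_nets" | tr ',' ' '); do
        echo "-A OUTPUT -d $cidr -j ACCEPT"
    done
    echo 'COMMIT'
}

# Apply the generated rules without flushing unrelated chains.
apply_killswitch() {
    build_killswitch_rules "$@" | iptables-restore --noflush
}

# Sanity check over an `iptables -S OUTPUT` dump read from stdin: succeed
# only if the chain policy is DROP and the tunnel interface is allowed.
check_killswitch() {
    wg_if="$1"
    dump=$(cat)
    echo "$dump" | grep -q '^-P OUTPUT DROP' || return 1
    echo "$dump" | grep -q -- "-A OUTPUT -o $wg_if -j ACCEPT" || return 1
    return 0
}
```

`iptables -S OUTPUT | check_killswitch wg0` from inside the container is a quick way to confirm the default-drop policy is actually in place rather than relying on the route table alone.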