Are Destination IPs listed in OpenWRT routed through the VPN? Is VPN leaking?

I am connected to Wireguard with Kill Switch on. I have it set so all processes should go through the VPN. I am examining IPs listed in the destination column in luci and there are many IP addresses listed that are not the VPN address or a DNS service.

Does this mean the VPN is leaking somehow? Or are these destinations listed but it is still going through the VPN and luci is just listing them to show where they are going before they go through VPN?

I am seeing some IP destinations repeatedly and don’t know why. I already reinstalled the initial firmware and some destinations are still there and they are not time 123 destinations. They are originating as a TCP source from the router IP address, often with port 443 which I’m not even using for the VPN.

Any response? Is it normal to see this?

What is the router model and firmware version?

Which LuCI page are you seeing the IP addresses on? Can you post a screenshot with any private information redacted?

Do the IP addresses also show up when WireGuard is not running?

I do not work for and I do not have formal association with GL.iNet

It’s the latest firmware. I also downloaded the firmware again, verified the SHA-256, and reinstalled it.

I am seeing these connections in status, realtime graphs, under connections. Below the graph there is a list:

Network Protocol Source Destination Transfer

I am seeing some destinations that make sense, like my VPN IP. I am also seeing other things that make sense, like if traffic is being forwarded to the router so then it can be forwarded into the VPN. I am also seeing syncs with 123 ports for time server stuff. I am also seeing random stuff on there that is happening outside of the VPN that makes no sense to me. Connections to random Amazon stuff, connections to hosting companies, all sorts of strange stuff that should be going through the VPN or not even going anywhere.

I can check to see if the IP addresses show up without Wireguard running, but I know the VPN IP address and that is not what these are going to. They are also showing up with multiple types of VPNs and VPN companies.

It’s possible that programs on the router are doing this to see if there are updates and so it’s connecting outside of the VPN, but I don’t even want this. I want all traffic to go to 1 IP, my VPN IP. The DNS requests can even go through the VPN IP too since the VPN doesn’t have a name that needs to be translated to a number. I don’t really even need the time servers to not go through the VPN.

Either many packets are being sent outside the VPN or the destination IP here doesn’t mean it’s getting sent outside the VPN. When I saw all these IPs, I at first thought I was hacked, but then once I flashed the SHA confirmed firmware and saw the same thing I didn’t know what to make of it.

It’s the latest firmware. I doubt it’s hacked.

And although I have devices that are connected, even if these devices are connected, all the traffic should go through the VPN so I don’t think my devices could be corrupting the router when they connect if all traffic is supposed to go through the VPN. It’s possible my computer is infected. I did have an issue with upgrading but I just don’t see how that could infect the router and let connections to the router exist outside the VPN. I am perplexed on this.

I will do some tests here. If you have any thoughts on this, please let me know.

I checked on my GL-MV1000W Brume-W with both WireGuard and OpenVPN. I did not find connections to destination IP addresses that originate from the source IP address of the router itself. I did find lots of connections to destination IP addresses that originate from the source IP address of my client device, which I think is the listing from the client device to the router before going through the VPN connection from the router to the VPN server. The Realtime Graphs → Traffic tab → wg0/tun0 tab shows traffic is going through wg0 for WireGuard/tun0 for OpenVPN, but I cannot tell whether every packet goes through the VPN tunnel.

It is “normal” that client devices connect to IP addresses that I do not recognize, which I see lots of in the query log of my AdGuardHome server. Client devices going to websites and background applications access domains, which in turn, may cause the client to access even more domains, some of which AdGuardHome catches and blocks their DNS resolution.

On the other hand, when I enabled VPN policy to turn on Use VPN for guest network, the opposite of what I expected occurred and client device traffic did not go through the VPN tunnel. I do not use VPN policies, so did not notice this before and will not be using them again.

I do not work for and I do not have formal association with GL.iNet
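Added example, not part of any post in this thread and not GL.iNet code: the distinction drawn in the reply above (a client's destination listed before its traffic enters the tunnel, versus a connection the router itself sends straight out of WAN) can be read from the reply tuple of each connection-tracking entry. It assumes the LuCI list is built from `/proc/net/nf_conntrack` and that the VPN zone masquerades to the router's tunnel address; every address and sample line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed placeholders.
WAN_IP="203.0.113.10"        # assumed: router WAN address
TUN_IP="10.2.0.2"            # assumed: router address inside the WireGuard tunnel
VPN_ENDPOINT="198.51.100.7"  # assumed: VPN server public address

# Constructed sample in /proc/net/nf_conntrack layout (assumed source of the LuCI list).
sample_conntrack() {
cat <<'EOF'
ipv4     2 udp      17 175 src=203.0.113.10 dst=198.51.100.7 sport=51820 dport=51820 src=198.51.100.7 dst=203.0.113.10 sport=51820 dport=51820 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 7430 ESTABLISHED src=192.168.8.120 dst=192.0.2.44 sport=50112 dport=443 src=192.0.2.44 dst=10.2.0.2 sport=443 dport=50112 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 110 TIME_WAIT src=203.0.113.10 dst=192.0.2.80 sport=41000 dport=443 src=192.0.2.80 dst=203.0.113.10 sport=443 dport=41000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 20 src=203.0.113.10 dst=192.0.2.123 sport=123 dport=123 src=192.0.2.123 dst=203.0.113.10 sport=123 dport=123 mark=0 use=2
ipv4     2 udp      17 25 src=192.168.8.120 dst=192.168.8.1 sport=40000 dport=53 src=192.168.8.1 dst=192.168.8.120 sport=53 dport=40000 mark=0 use=2
EOF
}

# classify_flows WAN_IP TUN_IP VPN_ENDPOINT  (conntrack lines on stdin)
# Output per flow: VERDICT proto orig_src -> orig_dst:dport
classify_flows() {
    awk -v wan="$1" -v tun="$2" -v vpn="$3" '
    {
        n = 0; dport = ""
        # Two tuples per entry: original direction first, reply direction second.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            else if ($i ~ /^dport=/ && dport == "") { dport = substr($i, 7) }
        }
        if (n < 2) next
        # The reply tuple dst is the address the flow left the router with (post-NAT).
        egress = dst[2]
        if (src[1] == wan && dst[1] == vpn) verdict = "TUNNEL"       # encrypted carrier
        else if (egress == tun)             verdict = "VIA_VPN"      # sent inside tunnel
        else if (egress == wan)             verdict = "OUTSIDE_VPN"  # sent straight to WAN
        else                                verdict = "LOCAL"        # no NAT to WAN or tunnel
        print verdict, $3, src[1], "->", dst[1] ":" dport
    }'
}

# Stand-alone run on the sample; on a router, feed /proc/net/nf_conntrack instead.
sample_conntrack | classify_flows "$WAN_IP" "$TUN_IP" "$VPN_ENDPOINT"
```

A destination listed for a client flow is not a leak by itself; the `OUTSIDE_VPN` rows are the ones to compare against the kill-switch expectation.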

I did do a test. With VPN on or off, and whatever is connected, I still get connections to random IP destinations. They include Akamai technology, Amazon AWS, and even a Tor relay. They are originating from the router IP address and connecting directly to these IPs and not going through the VPN server. I am not using Tor also, although I have the option to do so using the firmware. The setting for Tor is definitely off and not originating from a connected device. It is not good that these are connecting outside of a VPN. Some countries have Tor as illegal or make things bad for Tor users and these connections to Tor relays are going through my IP without a VPN, making traffic analysis for my internet provider easy. My Internet provider does traffic analysis for the government based on what I have read so I am concerned.

My guess is that there is a software or firmware error allowing applications on the device to connect to these servers. My settings are very clear that I only want things to go through the VPN.

I should not be seeing this and there is a problem.

Can you just post a screenshot to help understand what that is?

The question is so long that it takes 10 minutes to read. An image shows the issue immediately.