IP leak with WireGuard VPN and Internet Kill Switch

I have a setup that I am testing for IP leaks.

  1. Beryl as WireGuard server on home internet
  2. Beryl as WireGuard client connecting to mobile hotspot.
  3. ssh into Beryl client and run tcpdump -i apclix0 -n 'not udp and not icmp and not arp'

I would expect to not see anything in the logs, because I am filtering the expected traffic.

I have seen a few unexpected packets.

16:09:19.537708 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [P.], seq 39:63, ack 1, win 133, options [nop,nop,TS val 1736048560 ecr 291021362], length 24
16:09:19.542358 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [F.], seq 63, ack 1, win 133, options [nop,nop,TS val 1736048560 ecr 291021362], length 0
16:09:19.896640 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [F.], seq 63, ack 1, win 133, options [nop,nop,TS val 1736048848 ecr 291021362], length 0
16:09:20.240509 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [FP.], seq 0:63, ack 1, win 133, options [nop,nop,TS val 1736049264 ecr 291021362], length 63
16:09:21.085047 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [FP.], seq 0:63, ack 1, win 133, options [nop,nop,TS val 1736050064 ecr 291021362], length 63
16:09:22.610054 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [FP.], seq 0:63, ack 1, win 133, options [nop,nop,TS val 1736051632 ecr 291021362], length 63
16:09:25.906668 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [FP.], seq 0:63, ack 1, win 133, options [nop,nop,TS val 1736054928 ecr 291021362], length 63
16:09:29.405195 IP 18.67.76.127.443 > 192.168.43.132.52023: Flags [FP.], seq 2070037465:2070037496, ack 2182455858, win 390, options [nop,nop,TS val 223417183 ecr 2892455556], length 31

192.168.43.132 is the IP for the Beryl (client) wifi interface.

How come these packets are not coming from my VPN IP over UDP (WireGuard)?

I found this was related to having VPN off and Kill Switch off prior to testing. Servers to which a connection had previously been established continue trying to re-establish a connection after the switch is on.
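To spot such out-of-tunnel packets systematically rather than by eye, here is an added Python example (not from the thread or the router's firmware) that parses tcpdump summary lines and groups them per flow. It assumes WireGuard runs on UDP 51820 and that 192.168.43.132 is the wifi-side address, as in the post; the sample lines are constructed, modelled on the capture above.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default summary format, modelled on the capture in the
# post (same addresses and flags, options field dropped). Not a verbatim copy of the log.
SAMPLE_CAPTURE = """\
16:09:19.537708 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [P.], seq 39:63, ack 1, win 133, length 24
16:09:19.542358 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [F.], seq 63, ack 1, win 133, length 0
16:09:20.240509 IP 18.65.25.85.443 > 192.168.43.132.51731: Flags [FP.], seq 0:63, ack 1, win 133, length 63
16:09:29.405195 IP 18.67.76.127.443 > 192.168.43.132.52023: Flags [FP.], seq 2070037465:2070037496, ack 2182455858, win 390, length 31
16:09:30.000000 IP 192.168.43.132.51820 > 203.0.113.10.51820: UDP, length 148
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def find_leaks(capture, lan_ip, wg_port=51820):
    """Per-flow stats for packets seen on the physical interface outside the tunnel.
    With WireGuard every tunnelled packet is UDP to the peer's listen port, so TCP
    on this interface, or UDP not involving wg_port, is a leak candidate."""
    flows = defaultdict(lambda: {"packets": 0, "fin": 0, "inbound_only": True})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or other non-packet line
        src, sport, dst, dport, rest = m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"]
        if rest.startswith("UDP") and wg_port in (sport, dport):
            continue  # WireGuard transport itself: expected here
        inbound = dst == lan_ip
        remote_ip, remote_port, local_port = (src, sport, dport) if inbound else (dst, dport, sport)
        stats = flows[(remote_ip, remote_port, local_port)]
        stats["packets"] += 1
        f = FLAGS_RE.search(rest)
        if f and "F" in f["flags"]:
            stats["fin"] += 1  # server-side close; repeated FINs with no local reply
        if not inbound:        # match the stale-session pattern described in the post
            stats["inbound_only"] = False
    return dict(flows)


if __name__ == "__main__":
    for flow, s in find_leaks(SAMPLE_CAPTURE, "192.168.43.132").items():
        print(f"{flow[0]}:{flow[1]} -> local port {flow[2]}: {s}")
```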

Can you try this? Execute these commands:

uci set firewall.@defaults[0].flow_offloading='0'
uci set firewall.@defaults[0].flow_offloading_hw='0'
uci commit firewall

Then unplug and replug the power.

Then try again.

It is the hardware NAT that caches all the existing connections.

For me this is solved by simply never turning off the Internet Kill Switch.