Real-ip leaked with VPN turned on

kabut · September 26, 2024, 3:06pm

I recently experience an issue on GL.iNet GL-MT3000 router. My VPN was connected throughout but a window of a few minutes my data was leaked. I suspect this since my corp tailscale client on my machine blocked me for a few minutes and that can happen if tailscale becomes aware of the real-ip.

VPN config
client
dev tun
proto udp
remote 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name name
auth-user-pass
comp-lzo
keepalive 10 60
verb 3
auth SHA256
cipher BF-CBC
data-ciphers-fallback BF-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

I did not have "Block Non-VPN Traffic" setting turned on at that time. Would it help to turn it on? I also have the VPN set as Global Proxy on the router.

admon · September 26, 2024, 3:44pm

Do you have any proof that it was an IP leak and not just some other issue like a connection timeout?

kabut · September 26, 2024, 4:00pm

Not really but the issue persisted for 2-3minutes and in that window the tailscale client got into a "Blocked" state. The issue resolved itself after a restart.

admon · September 26, 2024, 4:26pm

This could be anything - without proper testing no way to troubleshoot, imho.

kabut · September 26, 2024, 5:00pm

I spoke with the VPN provider (for the router VPN client) and they said that there was an error " Error 6050 usually means that the connection was successful, but the post-connection call to our servers to verify a "good" connection failed, so the connection was terminated ." in that timeframe which could explain. I think the VPN client on the router probably did not handle that error properly.

Am not able to retry the router with this error simulated, however could you check with the team if VPN client is handling such class of errors?

kabut · October 3, 2024, 9:24pm

Any update here?

xize11 · October 4, 2024, 7:15am

this happens when you just switch it to on?

Correct?

make sure its only checked against turning on, for turning off such things are normal because the killswitch won't work on a manual user interaction.

as a work around you can enable Block Non-VPN Traffic.

or when you want more advanced fine control:

via luci -> network -> firewall, and then remove the forwarding zone wan from the lan zone, if vpn policies fail you can type ip rule in the cli you will find the mark for wan, then just make a traffic rule allowing every traffic with this mark to passthrough wan like:

src: any zone
dest zone: wan
match mark: (a hexadecimal long string from ip rule)
target/action: accept

kabut · October 4, 2024, 3:42pm

I have turned on Block Non-VPN Traffic and since then I have not hit this issue yet. Actually I hit this issue just once so far and I checked with my VPN provider, it was during a window when the server returned Error 6050.

I would have to do some research on the LUCI settings to understand the previous recommendations better before applying them on the router.

HalfLife · December 12, 2024, 5:05pm

I would just use Wireguard with the Block Non-VPN Traffic option enabled. Never had a leak with that.

We should wait to use TailScale as a primary option until they have added a killswitch.