Extra leak prevention file for Wireguard same as ovpn?

Just to confirm something.. as i seen over vpn provider config the used of some watchdog script. And for openvpn, there is also a 99prevent-leak file into /etc/hotplug.d/iface/.
So 1: can we put the Wg interface name (ex: wgvpn) instead of tun0 in that and get secure like the ovpn ? Or by being different it will not do anything..?

if [ "$ACTION" = ifup ] && (ip a s wgvpn up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
if [ "$ACTION" = ifdown ] && (! ip a s wgvpn up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT


And 2- on the watchdog as : wireguard_watchdog.sh


# ping wg provider dns that can only be reached via the VPN tunnel
# if no contact, reboot!

while [[ $tries -lt 5 ]]
        if /bin/ping -c 1
                echo "wg works"
                exit 0
        echo "wg fail"
echo "wg failed 5 times - rebooting"


So is it the same that was supposed to be present into the wireguard-tools package?
And i guess there a cron job to do run it with adding: /etc/crontabs/root
*/15 * * * * /root/wireguard_watchdog.sh

.. but not supposed if fully handle by the wg-tools pack .. ?


The same approach should also work for WireGuard:

  • Assign the VPN interface to a separate firewall zone.
  • Disable the LAN-to-WAN forwarding.
  • Enable the LAN-to-VPN forwarding.



Oh ok. So adding /etc/hotplug.d/iface/99prevent-leak has no real effect as soon the lan-to vpn is in forward to destination mode. Or it was only for older firmware ?

A kill switch is supposed to reliably prevent traffic leak over the WAN intervace.
If you make it automatic, it becomes dependant on the VPN connection state.
However, the VPN connection may fail for different reasons including external ones.
This makes the kill switch unreliable and discredits its main purpose.

Your second script deserves a separate thread.
Unfortunately, it's also unreliable since ISPs can route private IPs.
In addition, there's usually no need to reboot the router.

1 Like