
IP is leaking when a Wireguard configuration has been revoked #1940


Open
tlartaud opened this issue May 1, 2025 · 3 comments
Labels: bug (Something isn't working); P0 (Priority: 0, urgent and important)

Comments


tlartaud commented May 1, 2025

Hi,

If a Wireguard configuration has expired, has been revoked, or is eventually not reachable (server in maintenance), the Wireguard proxy shows "connected", but the phone and apps connect via the ISP IP.

Version: 0.5.5n
Hardware: Google Pixel 7
VPN provider: Proton
OS: tried on both stock ROM + GrapheneOS, same issue
Wireguard setting: confined (global) + always-on enabled
VPN settings: permanent VPN + block connections without VPN enabled


Steps to reproduce

  • Create a Wireguard configuration from the VPN provider
  • Configure it on RethinkDNS
  • Verify it works using dnsleaktest
  • Revoke the Wireguard VPN settings session from the VPN provider
  • Reboot the phone: RethinkDNS will say Wireguard is connected, but apps connect via the ISP IP

Note: I understand we should make sure that the configuration is correct, and not expired, by ourselves.
But it can happen that a server falls into maintenance, and we have no way to know the Wireguard config has been bypassed, and that we're using our ISP IP.

Using RethinkDNS for 2 years now for being the most helpful DNS + firewall app + monitoring tool on the market.
Donated 50€.

Thanks a lot for all your great work, keep it going!

Best regards.

ignoramous (Collaborator) commented May 1, 2025

> Donated 50€.

Ah, so that was you. Thanks (:

> Wireguard setting: confined (global) + always-on enabled

Hm. Using WireGuard in Advanced mode? Can you see if the issue happens if Lockdown is also enabled for this Always-on WireGuard?

> has been revoked

You mean deleted on the client? Or revoked/deleted on the server?

ignoramous self-assigned this May 1, 2025
ignoramous added the bug and P0 labels May 1, 2025

tlartaud (Author) commented May 1, 2025

> Using WireGuard in Advanced mode?

Yes.

> Can you see if the issue happens if Lockdown is also enabled for this Always-on WireGuard?

Yes, lockdown is actually enabled. Sorry, my app was in French and I badly translated "lockdown" to "confined (global)".

> You mean deleted on the client? Or revoked/deleted on the server?

I mean from the server.
This happened after I accidentally revoked some "VPN settings sessions" from my Proton account, from my desktop browser.
I was then still able to connect to the internet from my phone, even after reboots, using the revoked session, but apps were using my ISP IP, and RethinkDNS was saying the Wireguard proxy was connected, as usual.
I was able to verify that using dnsleaktest.
Note that I did not remove the Wireguard configuration from the server, but just revoked the session.

After I switched the Wireguard proxy to the last "VPN session" I did not revoke from my account, everything was back to normal. No more IP leak.

I sometimes noticed IP leaks in the past, and I think it is related to this. In my case, it looks like RethinkDNS can't make sure the Wireguard connection is really successful, even if marked as "connected".

I'll for now create a simple Tasker profile in order to check my IP each time my network status changes, set an alarm if it doesn't match my Wireguard configs, and let you know if this happens again with a non-revoked session, but I guess it shouldn't.
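
The IP check described in the comment above, sketched as an added example (not part of the thread, and not RethinkDNS or Tasker code): it compares the public IP observed after a network change with the `Endpoint` addresses of a WireGuard config and treats a failed lookup as an alarm rather than as success. The sample config, the function names and the optional `exit_networks` parameter (for setups where the exit address differs from the endpoint address) are assumptions.

```python
import ipaddress

# Constructed sample: keys are placeholders, addresses are documentation ranges.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.2.0.2/32

[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820

[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = ::/0
Endpoint = [2001:db8::1]:51820
"""


def endpoint_ips(conf_text):
    """Literal IP addresses of every [Peer] Endpoint in a WireGuard config."""
    ips = set()
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "endpoint":
            # Drop the port, then the brackets used around IPv6 literals.
            host = value.strip().rsplit(":", 1)[0].strip("[]")
            try:
                ips.add(ipaddress.ip_address(host))
            except ValueError:
                pass  # hostname endpoint: must be resolved first, skipped here
    return ips


def check_exit(observed, conf_text, exit_networks=()):
    """Classify the public IP seen after a network change: ok, leak or unknown."""
    try:
        ip = ipaddress.ip_address((observed or "").strip())
    except ValueError:
        return "unknown"  # lookup failed or garbage: alarm, never assume "ok"
    nets = [ipaddress.ip_network(n) for n in exit_networks]
    if ip in endpoint_ips(conf_text) or any(ip in n for n in nets):
        return "ok"
    return "leak"  # traffic is leaving from an address the tunnel does not own


if __name__ == "__main__":
    for seen in ("203.0.113.10", "198.51.100.7", None):
        print(seen, "->", check_exit(seen, SAMPLE_CONF))
```

Both `leak` and `unknown` should raise the alarm: the thread's failure mode is a proxy that reports "connected" while traffic leaves from the ISP address, so the app's own status is not evidence either way.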

ignoramous (Collaborator) commented

@hussainmohd-a confirmed this can happen in v055n. The good news is, we've completely rewritten this portion and such surprising bugs/behaviour shouldn't happen wrt proxy rules in v055o, the upcoming version (due a release in the next few days / weeks / months).
