PSA: WireGuard Can Leak Your Connection If Using IPv6/On A Cellular Hotspot

Hi everyone,

As you probably know by now, I am a big fan of WireGuard, having written tutorials on installing WireGuard on a Raspberry Pi and installing WireGuard on unRAID.

Recently, while at the airport and connected to my hotspot, I noticed that my public IP address was an IPv6 address, and yet, I am using IPv4 on my self-hosted homelab. Putting two and two together, I realized that I was leaking my IPv6 connection provided by my hotspot. Yikes!

A field-expedient way to handle this is to update your client WireGuard tunnel configuration so that IPv6 traffic is forced through the tunnel as well. This can be accomplished by setting the following under the [Peer] section of wg0.conf on your client:

AllowedIPs=0.0.0.0/0, ::/0

The above setting tells your client to send traffic for any destination, over BOTH IPv4 and IPv6, through the WireGuard tunnel.

Note that there are more robust ways of implementing a kill-switch in WireGuard, but the above is a quick-and-easy method.

Stay safe out there,
TorqueWrench