I would really appreciate it if someone would double check me. Sorry for the screenshot. Either the Lemmy code button isn’t great or I’m just dum at formatting.

This has local *arr servers available and traceroute shows me going through the VPN.

The largest blue blotch is the ip address of a mullvad vpn server.

Rpi4, Raspberry Pi OS lite.

Mullvad VPN. IPv6 has been nuked. Using Wireguard through wg-quick.

wg2 originates from a .conf file from Mullvad with IPv6 stripped.

Do these UFW settings look right?

  • dragonfly4933@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Why would you strip ipv6 if mullvad supports it. The reason people disable or block v6 are for 2 reasons, ignorance, and/or the vpn providor doesn’t support ipv6. V4 and v6 can and usually do run at the same time (this is called dual stack), so if the vpn only touches the v4 side of things, v4 will be tunneled while v6 will be unaffected.

    Also, the firewall doesn’t matter if you use a torrent client that can just bind to the wg interface (assuming there is no nat being performed from the wg interface to the physical interface). The client will take one or all of the ips on the interface, which will make it impossible to leak IP directly assuming your switch or router doesn’t also have an ip in the same subnet as your wg interface ip.

    I don’t know UFW, but if you run iptables-save or nft list ruleset i can take a look to see if it is sane.

    But what i can tell is that it might work. You appear to be only allowing public traffic to wg. It should be noted that this setup will likely fail at some point because you are hard coding the IP. It should fail safe, but the public internet will not work.