Wireguard on Mac leaking traffic outside of VPN?

Side question: which app is responsible for that output on your terminal? It seems nettop from the screenshot but I checked the man page and I can’t see the m switch I see in the title bar so I’m asking 🙂

This is new to me so apologies if I’m misunderstanding - if anyone could help here I’d really appreciate it. I’ve been searching the web and can’t find clear answers on this.

The screenshot shows active connections for an app I’m using (Windows App) on my Mac while I’m connected with the Wireguard app to my VPN.

Most of the connections are going through the “utun8” interface (which is the user tunnel interface set up by Wireguard on my Mac so traffic can go through the VPN) and these show my correct VPN IP on the left, so I’m happy they’re working properly.

However, there are some connections going through the “en0” interface which is just the standard Wi-Fi interface on Mac, and the IP shown on the left is my actual network IP. Does this mean this traffic is ignoring the VPN? Presumably these connections are exposing my real IP and location etc. on the other side, which could be a security issue - I want everything routed through the VPN.

I’ve tried a few things to see if I could change this including using Little Snitch to block certain connections, but I haven’t been able to get it to just ensure everything is routed through the correct interface. I also already have set AllowedIPs = 0.0.0.0/0, ::/0 in the tunnel configuration file under [Peer].

Does anyone know what’s going on here?

I think these are connections which were established before wireguard was up.

Try to check which app uses ports 49508 and 49509. Maybe something system-level, or something that contains a hard-coded interface?

What are the allowed IPs in your wireguard config, and do you have it set with kill switch enabled?

Well for starters you need to set up a kill switch using pf…

1.) Sockets open from before wireguard was enabled will persist. It is possible this is the source.

2.) Check the output of netstat -rn. It will show you the OS’s routing tables. You can see any errors there.

I suspect that connections already established before you start the VPN will continue to persist outside the VPN.

Not sure what you mean, I just go in Terminal and type nettop -m tcp

Endpoint IP address?

You’re saying the app in question is a “Windows App”? What do you mean? Is it running in a VM?

If so, maybe that’s the issue, that the VM is linked directly to en0, thus bypassing utun8.

They aren’t. Wireguard is running before I launch the app and they appear afterwards. I can replicate this and same thing happens each time.

Sorry, bit of a noob here, can you break that down a bit for me?

Since the connections are displayed under the app I’m showing in the screenshot, how can they be from system or another app?

And if they are, how do I stop this from happening when that app is running?

It seems like the app is literally just ignoring my VPN and exposing my real IP/network. Shouldn’t wireguard be routing every connection through the VPN?

I have set AllowedIPs = 0.0.0.0/0, ::/0 in the tunnel configuration file under [Peer].

Not sure how to set kill switch enabled? There is no option I can see. I’m using the macOS Wireguard app for the client device.

It sounds obvious, yeah, but there’s no clear info anywhere on how to do it? / no kill switch info or functionality built into the app…

I’ve looked into this today and have tried using pf configuration to block all traffic except traffic on utun8 (the vpn interface) yet every time I do this, all traffic is blocked and I can’t use anything. Every guide I’ve found online tells me how to set up the config file, I follow it, but everything gets blocked.

There’s no clear answer anywhere (I’ve searched) for how to set up a kill switch on wireguard for Mac.
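A pf kill switch of the shape suggested earlier in the thread ("block all traffic except utun8"), as an added example that is not any poster's own config. It assumes the tunnel interface is utun8, the Wi-Fi interface is en0, and a placeholder endpoint 203.0.113.10:51820 (substitute the [Peer] Endpoint from the tunnel config); the one plaintext flow it must still allow on en0 is WireGuard's own UDP traffic to that endpoint, or the tunnel can never come up.

```shell
#!/bin/sh
# Added example (not from the thread): generate and load a pf kill switch for a
# WireGuard tunnel on macOS. Assumed names: utun8 (tunnel), en0 (Wi-Fi),
# endpoint 203.0.113.10 port 51820 (placeholder). Run the load step as root.

wg_killswitch_rules() {
    tun_if="$1"     # tunnel interface created by the WireGuard app
    phys_if="$2"    # physical interface the tunnel rides on
    endpoint="$3"   # WireGuard server IP (pf resolves hostnames only at load time)
    port="$4"       # WireGuard server UDP port
    cat <<EOF
# pf kill switch: nothing leaves the Mac unless it is inside the tunnel
set block-policy drop
set skip on lo0
block drop all
# keep the Wi-Fi link's DHCP lease alive
pass out quick on $phys_if proto udp from any port 68 to any port 67 keep state
# the single plaintext flow allowed on the physical interface: WireGuard itself
pass out quick on $phys_if proto udp from any to $endpoint port $port keep state
# everything inside the tunnel (both address families)
pass out quick on $tun_if all keep state
pass in quick on $tun_if all keep state
EOF
}

# Parse-check the ruleset with pfctl -n first; only load and enable pf if it parses.
wg_killswitch_load() {
    rules_file="/tmp/wg-killswitch.pf"
    wg_killswitch_rules "$@" > "$rules_file"
    pfctl -nf "$rules_file" && pfctl -ef "$rules_file"
}

# Usage (as root): wg_killswitch_load utun8 en0 203.0.113.10 51820
# Undo:            pfctl -d   (disables pf; reload /etc/pf.conf to restore defaults)
```

With this loaded, name resolution must also go through the tunnel (the tunnel's DNS setting), because resolver traffic on en0 is dropped along with everything else.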

It’s not possible - they aren’t established before I start the vpn

They aren’t established before the VPN though

Not sure what you’re asking - the Endpoint IP address is my home IP address where my Wireguard Server is running

It’s just a Remote Desktop viewer, no VM is being run locally. Microsoft renamed their “Remote Desktop” app to Windows app recently. (Dumb name I know)