ProtonVPN IP Leakage on Linux and Workaround

Open your terminal, then follow this quick guide to check the leak.

You can use this command to list all physical interfaces on your device:

```
ip link show
```

Then you can enter the following command, with each physical interface name from the result in place of “<physical interface name>”:

```
curl --interface <physical interface name> https://ipinfo.io
```

Test each physical interface to see which one leaks the IP.

Implement the workaround for now, and keep pressing ProtonVPN to implement fixes to this obvious leak!

1 Like

This is what I follow to use ProtonVPN or any VPN on Linux (albeit with less flexibility but with certainty):

Wireguard VPN via Terminal with Killswitch:

  1. Download config file
  2. Open config file
  3. Add the following under “Interface” section:

     ```
     PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
     PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
     ```

  4. Save file
  5. Add file in folder: admin:///etc/wireguard
  6. Enter this in terminal: systemctl enable wg-quick@config-file-name
  7. Enter system password to authenticate when prompted
  8. Start VPN: sudo wg-quick up config-file-name
  9. Reboot system with reboot or systemctl reboot

Now you have WireGuard VPN (with any service of your choice) with a killswitch enabled that blocks all internet traffic and ensures all traffic goes through that encrypted tunnel as soon as the OS connects to the internet and starts transmitting.

Follow the Mullvad and Proton support websites for more details:

Everyone should just use a proper client, which is WireGuard.

Not only are you risking leakage with these VPN provider clients, but all of them that I know use Electron, which is a big no-no.

1 Like

Can you elaborate on the privacy and security implications of it given your comment?

This discussion explains everything pretty well: Flatpak Electron App Throws Error With `libhardened_malloc.so` · Issue #193 · secureblue/secureblue · GitHub

Can websites also see my IP?

Every website sees or can see where you’re coming from - hence the recommendation to use a VPN to help you mask the same from your ISP and the website you visit (should you want to).

I meant my real IP, not the Proton VPN IP.

If you don’t use a VPN, they can see your real IP. If you use a VPN, they will see your VPN’s IP and not your real IP since you will be masking it.

I hope this is clearer.

Since there is leakage, I wanted to know if a website could see my real IP, as in the context of the original post.

Yes, it could.

Any workaround for the official protonvpn-gtk app?

Can you specify which one: WireGuard with NetworkManager or WireGuard CLI?

I tried ProtonVPN Linux GTK, WireGuard with NetworkManager, WireGuard CLI and Windscribe. Only Windscribe doesn’t leak through any physical interface; the others leak the real IP only through Wi-Fi/Ethernet.

Edit: Someone can try and update how it goes with Mullvad and IVPN.

Not really.

I’m talking about the wireguard-tools CLI package.

1 Like

I can confirm this works, and my real IP appears :open_mouth:

I also posted a fix for it above that has nothing to do with the GUI. There are still ways to ensure this.

Thanks, but I am a bit shocked Proton VPN doesn’t care. Config files are great, but I need to switch between VPNs in 3 countries. Is that possible?

@Proton_Team please fix this ASAP
@team there needs to be a warning about this

2 Likes

Yes. But it’s not the simplest solution.

You just have to have three config files in that same /etc/wireguard folder and use the sudo wg-quick down config-file-name and the sudo wg-quick up config-file-name commands to disconnect and reconnect to the three locations you want to or as and when you want to. I do recommend a quick reboot too every time you do that.

To avoid leaks, follow the guide provided by @universal-exports. The same can be verified with the guides provided by Mullvad and IVPN.

This is what I got after modifying the interface of the WireGuard conf file:

```
curl --interface <physical interface name> https://ipinfo.io

curl: (7) Failed to connect to ipinfo.io port 443 after 200 ms: Could not connect to server
```

Before, I got the real IP and other details.

Also, I tried the firewalld workaround in the OP’s post but it didn’t work, and the WireGuard CLI can’t establish a connection with the VPN server.

1 Like
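
The per-interface curl check from the first post and the blocked result reported just above, combined into one script (an added example, not code from any poster in this thread or from Proton). The function names, the `SYSFS_NET` and `LOOKUP_URL` variables and the `--run` switch are assumptions of this example; it treats an interface as physical when sysfs has a `device` entry for it and queries ipinfo.io's plain-text `/ip` endpoint.

```bash
#!/usr/bin/env bash
# Added example: compare the public IP seen via the default route with the
# one seen when curl is bound to each physical interface.
# SYSFS_NET and LOOKUP_URL are overridable names chosen for this example.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
LOOKUP_URL="${LOOKUP_URL:-https://ipinfo.io/ip}"

# Physical NICs expose a "device" entry in sysfs; lo, wg*, tun* do not.
physical_ifaces() {
  local path
  for path in "$SYSFS_NET"/*; do
    [ -e "$path/device" ] && basename "$path"
  done
  return 0
}

# Public IP observed with the socket bound to one interface; empty on failure.
egress_ip() {
  curl --silent --max-time 5 --interface "$1" "$LOOKUP_URL" 2>/dev/null || true
}

# classify <ip via default route> <ip via bound interface>
#   blocked: the request failed (what the kill-switch rules produce)
#   tunnel : same address as the default route
#   direct : a different address answered, so traffic bypassed the tunnel
classify() {
  if [ -z "$2" ]; then echo "blocked"
  elif [ "$2" = "$1" ]; then echo "tunnel"
  else echo "direct"
  fi
}

main() {
  local vpn_ip iface ip
  vpn_ip="$(curl --silent --max-time 5 "$LOOKUP_URL" || true)"
  echo "default route exits as: ${vpn_ip:-unknown}"
  for iface in $(physical_ifaces); do
    ip="$(egress_ip "$iface")"
    printf '%-12s %-8s %s\n' "$iface" "$(classify "$vpn_ip" "$ip")" "${ip:--}"
  done
}

# Network requests are only made when explicitly asked for.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` while the VPN is connected, once before and once after adding the PostUp/PreDown rules, and compare the status column for each interface.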

Actually I don’t think there is an IP leak in this scenario because you are choosing to use the existing wired/wireless network interface instead of the network interface created by the VPN client. So there is nothing leaking out of the VPN tunnel because there is no curl traffic going through the tunnel.