VPN kill switch configuration guide on Linux discussion

Wait. So I am unclear how this leak works. Are you saying that this leak works by having a program bind to the physical interface and start communicating before the VPN daemon starts? So, the leak is not present after the daemon runs? How would this work with server switching, since the daemon is already running?

Any VPN experts wanna weigh in?

Last edited by @Breeze7846 2026-03-11T01:04:34Z

The way I am describing is VPN use via Wireguard set up via the terminal. To answer your question, there is no program as such nor a GUI VPN app in how and what I mean.

Hold tight, I am writing up a guide on what I mean and will share the info soon for anyone to understand and learn the best way to set up a VPN on desktop Linux.

I’m writing up a guide. Will share it soon and it should answer your question.

2 Likes

Here is a new post I just made that should answer your question.

cc: @anon36227541

1 Like

For the people using Wireguard, how do you make port forwarding convenient on this setup? I use the GTK app, and ProtonVPN switching your forwarded port every time you connect made me resort to a script + systemd service that monitors changes to the /run/user/1000/Proton/VPN/forwarded_port file, opens said port to TCP and UDP connections on the firewall, and updates that number on Nicotine+ and qbittorrent for me. Here are my questions after reading @anon57862721’s and Proton’s guides: connections do not seem to be made automatically, do I have to open the terminal and type sudo wg-quick up config-file-name every time I boot or do you use some systemd service? Do you create config files for various servers to have some options? And what’s your solution to make port forwarding easier with a tight firewall? I’m presuming there’s no way of fixing this leak while keeping the convenience of the GTK package as it is right now.

It should. There must be something hindering it if it’s not working but it should not happen. Please try again and reboot your system too.

Yes, that is a natural “drawback”.

This type of a set up is primarily meant for 100% leak proof VPN. Port forwarding is not really within the scope of my wiki post there.

1 Like

I see! I’ll try to follow your wiki post later and see if there’s an easy way of automatically keeping a forwarded port open with all the other convenient stuff I mentioned whenever I connect to a Proton P2P server.

I’m surprised that ProtonVPN continues to be recommended. Back in February I made a post on reddit seeking help because the killswitch for macOS (silicon) did not work on computer boot and also, even more importantly, that the IP would leak every time you switched network. They banned me from their subreddit… according to them these aren’t considered IP leaks (their logic is that technically you are disconnecting from the IP and then connecting to another so it’s not an IP leak, what a joke!). @jonah Privacyguides, which I used to inform my purchase of ProtonVPN, still doesn’t mention these issues anywhere on their VPN recommendation page - that’s also disappointing.

That is not a joke. That’s correct because a leak would only occur/be called a leak if your IP between re-connections becomes known to your ISP. If this is the case, then Proton would be in the wrong. As far as I am aware, the VPN does not let that happen.

a leak would only occur/be called a leak if your IP between re-connections becomes known to your ISP

I’m not sure what you mean by ‘your IP being known to your ISP’, my ISP always knows what my IP is, they are the provider of it after all. In any case, my real IP does become known to any server that is connecting to my computer during the server switch. The way I found out this was happening was by refreshing a ‘what’s my IP’ test page while switching servers and it would always show my real IP during this time (no exceptions).

So if you are ever getting IP blocked and switch servers, you are directly exposing your real IP to the service during the re-connection. This is not the desired or expected behavior from a VPN, especially one that advertises itself as a privacy oriented choice.

Sorry, I misspoke. Was thinking a little differently in my head.

If your real IP provided by your ISP (dynamic or not) is not known by any software/tool/website between reconnections, there is no leak. If not, there is a leak.

This is not considered a leak. The service provider (Proton VPN in this case) will always know your real IP, no matter what. Because they are the VPN. It is the tool you’re using to obfuscate your IP from websites and other apps. That’s how VPNs work.

Not sure what or how you mean by this. Please explain because I don’t see a problem here (to the extent to which you’ve explained that is).

Yes, I’m aware that ProtonVPN will know my real IP. I’m talking about all other online services. E.g., I go on YouTube → I’m getting blocked due to the VPN server being banned → I switch servers (yes, with killswitch activated) → (between the time I connect to the new ProtonVPN server) my real IP is exposed to YouTube.

ProtonVPN should block internet access during switches to other servers but it does not. Therefore I continue to connect to online services with my real IP exposed prior to re-connection.

I hope this is clearer.

1 Like
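The server-switch window described in the posts above can be observed from the routing table instead of a refreshed web page. The following is an added example, not part of the thread or of any guide it links to; it assumes the tunnel interface is named `wg0` and uses `1.1.1.1` as an arbitrary public probe address.

```shell
#!/bin/sh
# Added example. Assumed names: tunnel interface wg0, probe address 1.1.1.1.
TUNNEL_IF="${TUNNEL_IF:-wg0}"
PROBE_ADDR="${PROBE_ADDR:-1.1.1.1}"

# classify_route LINE
# LINE is the first line printed by `ip route get <addr>`. Constructed samples:
#   1.1.1.1 dev wg0 table 51820 src 10.2.0.2 uid 1000
#   1.1.1.1 via 192.168.1.1 dev wlan0 src 192.168.1.50 uid 1000
# Prints one of:
#   tunnel        the kernel would send the packet out of the tunnel
#   direct:<dev>  the kernel would use another interface; the packet leaves
#                 in the clear unless a firewall rule drops it
#   blocked       no usable route (empty output, nothing can leave)
classify_route() {
    # The egress interface is the word that follows "dev".
    dev=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }')
    if [ -z "$dev" ]; then
        echo blocked
    elif [ "$dev" = "$TUNNEL_IF" ]; then
        echo tunnel
    else
        echo "direct:$dev"
    fi
}

# watch_route SAMPLES INTERVAL
# Polls the routing decision and prints one timestamped state per sample.
watch_route() {
    n=$1
    while [ "$n" -gt 0 ]; do
        line=$(ip route get "$PROBE_ADDR" 2>/dev/null | head -n 1)
        printf '%s %s\n' "$(date +%T)" "$(classify_route "$line")"
        sleep "$2"
        n=$((n - 1))
    done
}
```

Running `watch_route 60 1` in one terminal while switching servers in another shows whether the state ever becomes `direct:<dev>`. This reads only the routing decision, so a `direct` line still has to be checked against the firewall rules to know whether the packet would actually leave.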

If this is the case which it can be as kill switches by VPN apps and services in their GUI apps are not foolproof yet on Linux at least, then the best way to use a VPN on Linux is the way I describe it in my community post here: How to best set up & use a VPN with WireGuard on desktop Linux

Yes, this should be the case. It’s clear now. That’s what I was getting at but the way you wrote it implied that you were expecting something else.

The best VPN with a GUI on Linux (on the officially supported distros) that does work ensuring of leaks and whatnot is Mullvad. Others can be finicky on Linux.

I hope I am clear now too.

Yes, sorry for any confusion.

However, my initial comment was regarding my experience with ProtonVPN on macOS (silicon). Since then I have switched to Mullvad and have had zero issues.

I brought this point up because I find that ProtonVPN cannot be relied upon if issues like this are deemed ‘expected behavior’ on their part, especially as they make no mention this is happening anywhere and banned me for respectfully asking about the issue on their subreddit.

(Their official reason for banning me btw was that my title suggested this was an IP leak, which they object to - I will let more network savvy people let me know if they are technically correct, in any case it makes no difference to me as the user)

I’m also disappointed in Privacyguides since I used the website to make my purchase decision, and despite the rigor that is supposedly required to get a recommendation; this issue exists, is known, but is not mentioned by Privacyguides either.

This thread is primarily about Linux so I took it to mean you’re talking about Linux.

This should not happen on macOS btw. If you delete the app as they recommend (and remove the network extension they install), reboot your system and try installing it again and give it a try, I’m sure this won’t be the problem.

The way you wrote it in this thread for what you consider it a problem is wrong, I feel. Hence my original confusion with how you were saying it or thinking about it based on your statements and explanation of the problem.

At best this issue is known only for Linux. Not macOS or Windows. It’s also difficult to say why you’re seeing this problem or if you have something else that may be interfering with the VPN’s operation on macOS. As far as I know, this is not an issue on macOS. I’ve never had this issue myself.

(if you want to make a new post/start a new thread and explain your issue from the top to better explain and for others to better understand your grievances, we can look at it better).

Yes, sorry for barging in on this thread, it just reminded me of the macOS issue. I made a thread for it here: Remove ProtonVPN

2 Likes

Yes. Reading it now.