VPN Protocol Question: Why can't WireGuard itself provide killswitch capabilities?

As long as the WireGuard client is active, all traffic routed to the client will continue to be encrypted and sent to the destination WireGuard endpoint, regardless of whether the endpoint server is active or not. If the configuration on the endpoint server is still valid, it will accept encrypted traffic from the client. If the configuration on the server is no longer valid or the server is not active, it will not be able to accept encrypted traffic from the client, and no connection will be established between the WG client and the WG server. In this scenario, the traffic routed to the WG client should not leak. Have you had any experience to the contrary?

2 Likes
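
An added example, not part of the original post: a small check of which destinations count as "traffic routed to the WG client" for a given client configuration. It assumes a wg-quick style setup, where routes are installed for each peer's `AllowedIPs`; the sample config, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample wg-quick style client config (keys are placeholders).
SAMPLE_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
"""

def parse_allowed_ips(config_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    networks = []
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    networks.append(ipaddress.ip_network(item.strip(), strict=False))
    return networks

def classify(destinations, networks):
    """Map each destination to 'tunnel' (covered by AllowedIPs) or 'outside'."""
    result = {}
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        covered = any(addr.version == net.version and addr in net for net in networks)
        result[dest] = "tunnel" if covered else "outside"
    return result

if __name__ == "__main__":
    nets = parse_allowed_ips(SAMPLE_CONFIG)
    for dest, path in classify(["10.0.0.5", "8.8.8.8", "2001:db8::1"], nets).items():
        print(f"{dest:15} -> {path}")
```

Destinations reported as `outside` never reach the WireGuard interface, so the behaviour described in the post does not apply to them.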