Hacker News
by kelsey98765431 681 days ago
A small note to do your own research on:

WireGuard sets up an IPv4 based internal network and the machine responsible for the routing MUST know the client IP that was assigned to the connecting machine. There are some kernel modules to OBFUSCATE but not eliminate this data. WireGuard therefore has a fundamental design flaw that makes it faster but potentially less anonymous than the OpenVPN protocol.

DYOR and YMMV. I always disable WG for at least my first hop.

3 comments

> WireGuard sets up an IPv4 based internal network and the machine responsible for the routing MUST know the client IP that was assigned to the connecting machine.

How else would it work? You could strip the source IP, but then you couldn't get replies and you'd have a very anonymous VPN that could only be used to send UDP packets; no receiving and no TCP since even establishing TCP requires replies.

Are you referring to this issue specifically? “Wireguard leaks IP address in client mode if connection fails” https://github.com/linuxserver/docker-wireguard/issues/139

I think you need to post more context here because this doesn't make sense. We run large-scale WireGuard for hundreds of thousands of clients, and we know none of their client source IP addresses.
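As an added illustration of the distinction the replies draw (this is example code, not from the post or the WireGuard project): a simplified Python model of WireGuard's cryptokey routing, where a peer is a public key with a set of AllowedIPs. The tunnel address must be known to deliver replies, while the peer's real UDP endpoint is transient state learned from the last authenticated packet. Key names and addresses below are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    """One WireGuard peer: identified by its public key, not by any IP address."""
    pubkey: str                       # constructed placeholder, not a real key
    allowed_ips: List[str]            # tunnel-side prefixes this peer may use
    endpoint: Optional[str] = None    # real UDP source, learned from the last packet


class CryptokeyRouter:
    """Simplified model of WireGuard's cryptokey routing table."""

    def __init__(self, peers: List[Peer]) -> None:
        self.peers = {p.pubkey: p for p in peers}

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outbound: choose the peer whose AllowedIPs covers dst (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers.values():
            for net in map(ipaddress.ip_network, peer.allowed_ips):
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accept_inbound(self, pubkey: str, inner_src: str, udp_src: str) -> bool:
        """Inbound: once the packet authenticates as `pubkey`, its inner source
        address must lie inside that peer's AllowedIPs, otherwise it is dropped.
        The UDP endpoint is remembered for roaming; logging it is a deployment choice."""
        peer = self.peers[pubkey]
        peer.endpoint = udp_src
        src = ipaddress.ip_address(inner_src)
        return any(src in ipaddress.ip_network(n) for n in peer.allowed_ips)


def build_example_router() -> CryptokeyRouter:
    """Constructed sample: two road-warrior clients and one site-to-site peer."""
    return CryptokeyRouter([
        Peer("PEER_A_PUBKEY", ["10.0.0.2/32"]),
        Peer("PEER_B_PUBKEY", ["10.0.0.3/32"]),
        Peer("PEER_C_PUBKEY", ["10.0.1.0/24"]),
    ])
```

Replies to 10.0.0.2 can only be routed because that tunnel address maps to PEER_A's key; a packet from PEER_A claiming the inner source 10.0.0.3 is rejected, which is what stops one client from spoofing another inside the tunnel.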