General Computing
networking vpn
Updated Thu, 08 Sep 2022 07:07:27 GMT

Which network interface does my VPN use?

I have both a wired (enp59s0u2u1i5) and wireless interface connected to the internet, and on top of that I use a VPN (wg-mullvad).

How do I see which of these interfaces (wired or wireless) is used by the VPN interface to route traffic through?

This is the output of ip link:

2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: enp59s0u2u1i5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
6: wg-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

Output of netstat -r:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway         UG        0 0          0 enp59s0u2u1i5
default         _gateway         UG        0 0          0 wlan0
                                 UH        0 0          0 wg-mullvad
                                 U         0 0          0 enp59s0u2u1i5
                                 U         0 0          0 wlan0


Use ip route get with the exact parameters, i.e. the tunnel endpoint's remote IP address and importantly the fwmark that's used by wg-mullvad if one is shown by the wg command.

# wg show wg-foo
interface: wg-foo
  fwmark: 0x52
# ip r get <endpoint-ip> mark 0x52
<endpoint-ip> via <gateway-ip> dev rtl0 table 82 mark 0x52

(You can add fibmatch to directly see the actual route entry that's used.)

In general, use ip route to list routing tables on Linux, as there could be more than one: the packet mark set by WireGuard is used with ip rule to select an alternative table for the encrypted traffic. You could work it out manually, but some VPN clients generate somewhat complex rules and it's easier to use ip r get and let the kernel provide the answer.

# ip rule
501:    from all fwmark 0x52 lookup 82 proto static
# ip r ls table 82
default via <gateway-ip> dev rtl0 proto dhcp

(But even for just the main table, I'd generally avoid netstat -r on Linux, because it doesn't know how to show anything beyond the simplest route entries.)

Don't forget that tcpdump can literally show you the packets being sent out through each interface.
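
The lookup described in the answer above can be scripted per peer. This is an added example, not code from the original answer; the function names endpoint_ip, route_dev and underlay_for are hypothetical, and it assumes wg and ip are installed and that it is run as root with the WireGuard interface name as its argument.

```shell
#!/bin/sh
# Added example: report which underlay interface carries the encrypted
# packets of a WireGuard tunnel, by asking the kernel with `ip route get`.

# Strip the port (and IPv6 brackets) from a WireGuard endpoint string,
# e.g. "203.0.113.7:51820" or "[2001:db8::1]:51820".
endpoint_ip() {
    ep=${1%:*}                  # drop the trailing ":port"
    ep=${ep#\[}; ep=${ep%\]}    # drop the [ ] that wrap an IPv6 address
    printf '%s\n' "$ep"
}

# Read `ip route get` output on stdin and print the token after "dev".
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# For every peer of interface $1, look up the route its encrypted packets
# take. The fwmark must be passed to the lookup, otherwise the policy rule
# (ip rule) that selects the alternative table is not matched.
underlay_for() {
    wgif=$1
    mark=$(wg show "$wgif" fwmark) || return 1
    wg show "$wgif" endpoints | while read -r _peer ep; do
        # Peers without a known endpoint are listed as "(none)".
        if [ "$ep" = "(none)" ]; then continue; fi
        addr=$(endpoint_ip "$ep")
        if [ "$mark" = "off" ]; then
            # No fwmark configured: a plain lookup is what the kernel does.
            dev=$(ip -o route get "$addr" | route_dev)
        else
            dev=$(ip -o route get "$addr" mark "$mark" | route_dev)
        fi
        printf '%s peer %s leaves via %s\n' "$wgif" "$addr" "$dev"
    done
}

# Only run the live lookup when an interface name is given.
if [ "$#" -gt 0 ]; then underlay_for "$1"; fi
```

If the reported device is the VPN interface itself, the marked lookup did not match the client's policy rule; compare the mark against the output of ip rule.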