Order of events…
- Looked up IP
- Connected to Tailscale, set exit node through Mullvad
- Looked up IP again, was different
- Started seeding in the background while working on other stuff
- At one point I saw Tailscale icon flicker
- Later I got an angry email from my ISP with a timestamp that lined up
Been seeding for years, and this was my first leak. Was for a recent popular film (Linux ISO) that I’ve been seeding for a year. I contacted Tailscale support to express my concern. This is what they said…
Though we have an open feature request for this (link), I don’t believe there are current plans to add a killswitch to the client for Mullvad.
If this is something that is important to you, the quickest solution to this would be to purchase a Mullvad subscription directly from them, since their client has a number of features more geared towards tightening users' online privacy – including a killswitch.
So I suggest not using Tailscale with Mullvad for such purposes. I don’t think this is a priority for them. For other uses it’s been fine.
I imagine this could have been avoided with a restrictive torrent client configuration, as is typically recommended online. I’ve tried and failed to get that working in the past. I’ll try again once I change out my VPN. If you’ve been putting that off, learn from my mistake and look into it!
I wrote a systemd service using Nix that won’t even let me start my torrent client unless the VPN is enabled. If I disable it, torrents immediately stop.
The way I do this is to bind the torrent client to the Mullvad network interface. In qBittorrent for example, in the advanced options, I set mine to only use wg-mullvad. If the wg-mullvad iface goes down, the torrent client simply has no connection.
You should have a “fake” network interface for your VPN connection. Your client should allow you to declare that it can only use a specific network interface (probably by binding to its specific IP instead of 0.0.0.0). So it’ll never even be aware of a world outside the VPN.
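The interface binding described in the two comments above can be audited before the client starts. The following is an added example, not code from any poster in this thread: it parses a qBittorrent.conf body and reports whether the client is pinned to the VPN interface. The key names `Session\Interface` and `Connection\Interface` are assumptions about how qBittorrent stores the setting (check your version's config file), and both sample configs are constructed.

```python
import configparser
import socket

# Constructed sample configs (not taken from the thread).
PINNED = """\
[BitTorrent]
Session\\Interface=wg-mullvad
Session\\InterfaceName=wg-mullvad
Session\\Port=51413
"""
UNPINNED = """\
[BitTorrent]
Session\\Interface=
Session\\Port=51413
"""

# Assumed (section, key) locations of the bound interface; the second
# pair is the layout assumed for older qBittorrent versions.
INTERFACE_KEYS = [("BitTorrent", "Session\\Interface"),
                  ("Preferences", "Connection\\Interface")]

def iface_exists(name):
    """True if the kernel currently has an interface with this name."""
    try:
        socket.if_nametoindex(name)
        return True
    except OSError:
        return False

def audit(conf_text, vpn_iface, exists=iface_exists):
    """Return (ok, reason); ok is False when traffic could leave the VPN."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep the key case used in the file
    cp.read_string(conf_text)
    bound = ""
    for section, key in INTERFACE_KEYS:
        if cp.has_option(section, key) and cp.get(section, key).strip():
            bound = cp.get(section, key).strip()
            break
    if not bound:
        return False, "not bound: client may use any interface, including the ISP link"
    if bound != vpn_iface:
        return False, f"bound to {bound!r}, expected {vpn_iface!r}"
    if not exists(vpn_iface):
        # Fail-closed case: the pinned interface is gone, so no traffic flows.
        return True, f"bound to {vpn_iface!r}; interface absent, client has no route"
    return True, f"bound to {vpn_iface!r} and interface is present"
```

An empty interface value is treated as a failure because that is the state in which a tunnel drop falls back to the default route.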
I think this happened to me too. Seems like it’s me forgetting to turn on Mullvad, but once or twice it may have been this.
What are your route & DNS settings? I don’t remember if Tailscale forces all DNS queries to go via its tunnel, but I remember that the Mullvad client uses DNS hijacking to make sure the device uses the WireGuard tunnel.
I have “Use Tailscale DNS settings” and “Use Tailscale subnets” enabled. I just took the defaults, no special setup.
To be clear though, I’m not asking for technical advice. Just wanted to warn others this offering isn’t plug-and-play. I suppose that isn’t too surprising given its lack of killswitch functionality.
So is the problem with Mullvad or Tailscale?


