Order of events…

  1. Looked up IP
  2. Connected to Tailscale, set exit node through Mullvad
  3. Looked up IP again, was different
  4. Started seeding in the background while working on other stuff
  5. At one point I saw Tailscale icon flicker
  6. Later I got an angry email from my ISP with a timestamp that lined up

Been seeding for years, and this was my first leak. Was for a recent popular film (Linux ISO) that I’ve been seeding for a year. I contacted Tailscale support to express my concern. This is what they said…

Though we have an open feature request for this (link), I don’t believe there are current plans to add a killswitch to the client for Mullvad.

If this is something that is important to you, the quickest solution to this would be to purchase a Mullvad subscription directly from them, since their client has a number of features more geared towards tightening users’ online privacy – including a killswitch.

So I suggest not using Tailscale with Mullvad for such purposes. I don’t think this is a priority for them. For other uses it’s been fine.

I imagine this could have been avoided with a restrictive torrent client configuration, as is typically recommended online. I’ve tried and failed to get that working in the past. I’ll try again once I change out my VPN. If you’ve been putting that off, learn from my mistake and look into it!

  • apt_install_coffee@lemmy.ml
    13 hours ago

    What are your route & dns settings? I don’t remember if tailscale forces all DNS queries to go via its tunnel, but I remember that the mullvad client uses DNS hijacking to make sure the device uses the wireguard tunnel.

    • bl4kers@lemmy.ml (OP)
      10 hours ago

      I have “Use Tailscale DNS settings” and “Use Tailscale subnets” enabled. I just took the defaults, no special setup

      To be clear though I’m not asking for technical advice. Just wanted to warn others this offering isn’t plug-and-play. I suppose that isn’t too surprising given its lack of killswitch functionality

      • apt_install_coffee@lemmy.ml
        5 hours ago

        Fair enough, I also would have expected tailscale to set itself as the default route when those options are enabled.

  • Turtle@aussie.zone
    17 hours ago

    The way I do this is to bind the torrent client to the mullvad network interface. In qbittorrent for example, in the advanced options, I set mine to only use wg-mullvad. If the wg-mullvad iface goes down, the torrent client simply has no connection.

  • ultimate_worrier@lemmy.dbzer0.com
    23 hours ago

    I wrote a systemd service using Nix that won’t even let me start my torrent client unless the vpn is enabled. If I disable it, torrents immediately stop.

  • kibiz0r@midwest.social
    20 hours ago

    You should have a “fake” network interface for your VPN connection. Your client should allow you to declare that it can only use a specific network interface (probably by binding to its specific IP instead of 0.0.0.0). So it’ll never even be aware of a world outside the VPN.
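
The interface-binding approach described in the two comments above, shown as an added example that is not part of the thread or any commenter's code: the socket is bound to the tunnel interface's own address and the program refuses to run if that interface has none. It assumes Linux; `iface_ipv4`, `bound_socket` and `TunnelDown` are hypothetical names, and `wg-mullvad` is the interface name from the comment above.

```python
import fcntl
import socket
import struct

SIOCGIFADDR = 0x8915  # Linux ioctl: read an interface's IPv4 address


class TunnelDown(RuntimeError):
    """Raised instead of falling back to another interface."""


def iface_ipv4(name):
    """Return the IPv4 address assigned to interface `name`, or None."""
    ifreq = struct.pack("256s", name.encode()[:15])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            reply = fcntl.ioctl(probe.fileno(), SIOCGIFADDR, ifreq)
        except OSError:  # interface missing, or present without an address
            return None
    # struct ifreq: 16-byte name, then sockaddr_in (family, port, address)
    return socket.inet_ntoa(reply[20:24])


def bound_socket(iface, port=0, lookup=iface_ipv4):
    """Open a TCP socket bound to `iface`'s address; fail closed otherwise."""
    addr = lookup(iface)
    if addr is None:
        raise TunnelDown(f"{iface} has no IPv4 address; refusing to bind")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))  # the tunnel address, never 0.0.0.0
    except OSError as exc:
        sock.close()
        raise TunnelDown(f"cannot bind to {addr} on {iface}") from exc
    return sock


if __name__ == "__main__":
    try:
        s = bound_socket("wg-mullvad")  # interface name is an assumption
        print("bound to", s.getsockname())
        s.close()
    except TunnelDown as err:
        raise SystemExit(f"not starting: {err}")
```

Binding to an address fixes the source IP but leaves route selection to the kernel; on Linux the `SO_BINDTODEVICE` socket option pins the socket to the device itself, which is the stricter form of the same idea.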

  • moistracoon@lemmy.zip
    1 day ago

    I think this happened to me too. Seems like it’s me forgetting to turn on mullvad but once or twice it may have been this.

    • bl4kers@lemmy.ml (OP)
      10 hours ago

      To clarify, you can purchase Mullvad access from Tailscale directly. They built an integration together. More details here: https://tailscale.com/mullvad

      I’m not privy enough to know where in the chain the issue occurred. But Tailscale’s response seems to indicate they aren’t too concerned about temporary disconnections