VPN with wireguard makes domain unreachable

What app is this about, and its version: Wireguard Client 1.0.20210914~ynh1
What YunoHost version are you running: 12.1.39
What type of hardware are you using: Old laptop or computer

Describe your issue

Hi!

I have a subscription to a VPN service, and I’m trying to connect to it using wireguard. I’m trying to do this to have some specific services (e.g. qbittorrent) on the VPN (split tunnel) or if that doesn’t work, then the whole server (full tunnel).

If I set up the VPN with WireGuard using the conf file provided by the VPN provider, it seems to work: when I ping my server domain, it shows “from unn-ams.cdn77.com” in this case, and when I test the torrent with https://ipleak.net/ it shows a new IP. So far so good…

However, then after a while (when I refresh browser windows?) my domain becomes unreachable via the domain name or ssh. I tried this from other devices on the same LAN, or by disconnecting them from the LAN. I also tried clearing the cache on devices from which I was trying to reach my domain, and restarting those: no change.

I do have adguard installed as well on my server. I also tried changing my router’s DNS to the ISP one, but no change. I thought maybe this was the issue, but while all this was going on, other websites could be reached just fine.

If this all doesn’t work, then an alternative might be only putting specific services IPs in Wireguard conf’s “allowedIPs” - but I can’t figure out what IP belongs to which service.

Thanks for reading, hope someone has an idea 🙂

Share relevant logs or error messages

None as far as I can see. No error in ynh, probably an error in the setup…

Hi @Daize

This whole topic is about using qbittorrent as a service with a VPN.

I would then first advise seeing directly with the BitTorrent community at https://forum.qbittorrent.org how to address such a thing.

I don’t use qBittorrent, so I won’t be able to give answers grounded in experience.

There is no easy thing such as a VPN split per service.
WireGuard is a kernel-level feature, so controlling it goes through iptables, and that’s not easy.
Using AllowedIPs defines the destination networks whose traffic will be tunnelled.
I guess that qBittorrent can contact any address, so there is no dedicated destination network for it; the default is just ‘all’ ( 0.0.0.0/0 == all ).

Here we would rather want a source IP to be the selector of such traffic, that would be the IP address bound to qBittorrent.
Even setting a dedicated address per service will require some setup, or even setting up a WireGuard interface for this service.
There is a topic related to this, Split Tunneling Wireguard Qbittorent, but the solution seems not to be working very well.

To go back to the original question, getting WireGuard privacy with qBittorrent was addressed using Docker by this project: GitHub - tenseiken/docker-qbittorrent-wireguard: Docker container which runs qBittorrent-nox (headless) client while connecting to WireGuard.

I didn’t dig into the whole details, but from what I see:

the qBittorrent conf explicitly sets the WireGuard interface as its address:

Session\Interface=wg0

there is a bunch of iptables changes: docker-qbittorrent-wireguard/qbittorrent/iptables.sh at master · tenseiken/docker-qbittorrent-wireguard

there is a NAT port-forwarding specific script: docker-qbittorrent-wireguard/qbittorrent/portfwd.sh at master · tenseiken/docker-qbittorrent-wireguard

There might be Docker-related code that is fully irrelevant here, but in any case, this is not an easy task.

1 Like
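The AllowedIPs point above is easy to check offline. The following script is an added illustration for this thread (it is not code from the forum post, from YunoHost or from the WireGuard project): it parses the [Peer] sections of a wg-quick style config and applies WireGuard’s cryptokey routing rule, the peer whose AllowedIPs contains the destination with the longest prefix gets the packet, and a destination no peer claims is not tunnelled at all. The three configs, the placeholder keys, the endpoint name and the address ranges (documentation prefixes) are all constructed for the example. Note that this only answers “which peer would accept this destination”; whether the kernel sends the packet into wg0 in the first place is decided by the routing table wg-quick derives from the same AllowedIPs.

```python
"""Evaluate WireGuard AllowedIPs ("cryptokey routing") for a destination address.

Added example for the thread; not part of any WireGuard tool.
"""
import ipaddress
from typing import Optional

# Constructed sample: a commercial VPN provider's usual "send everything" conf.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Same peer, AllowedIPs narrowed to a few destination prefixes (constructed).
# Only traffic to these destinations goes through the tunnel; nothing else does.
SPLIT_BY_DESTINATION_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
Endpoint = vpn.example.net:51820
AllowedIPs = 203.0.113.0/24, 198.51.100.7/32
"""

# Two peers: the most specific AllowedIPs entry wins (constructed).
MULTI_PEER_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32

[Peer]
# VPN exit: catches everything no other peer claims
PublicKey = PEER_VPN_EXIT
AllowedIPs = 0.0.0.0/0

[Peer]
# Site-to-site peer for one private range
PublicKey = PEER_SITE
AllowedIPs = 10.0.0.0/8
"""


def parse_peers(conf: str) -> list[dict]:
    """Return one dict per [Peer] with its PublicKey and parsed AllowedIPs networks."""
    peers: list[dict] = []
    section = None
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                current = {"PublicKey": None, "AllowedIPs": []}
                peers.append(current)
            continue
        if section != "peer" or "=" not in line:
            continue
        # Split on the first '=' only: base64 keys may end with '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PublicKey":
            current["PublicKey"] = value
        elif key == "AllowedIPs":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    current["AllowedIPs"].append(ipaddress.ip_network(cidr, strict=False))
    return peers


def select_peer(conf: str, destination: str) -> Optional[str]:
    """Longest-prefix match across all peers; None means the destination is not tunnelled."""
    dst = ipaddress.ip_address(destination)
    best_len, best_peer = -1, None
    for peer in parse_peers(conf):
        for net in peer["AllowedIPs"]:
            if net.version == dst.version and dst in net and net.prefixlen > best_len:
                best_len, best_peer = net.prefixlen, peer["PublicKey"]
    return best_peer


def tunnelled(conf: str, destination: str) -> bool:
    """True if some peer's AllowedIPs covers the destination."""
    return select_peer(conf, destination) is not None


if __name__ == "__main__":
    for name, conf in [("full", FULL_TUNNEL_CONF), ("split", SPLIT_BY_DESTINATION_CONF),
                       ("multi", MULTI_PEER_CONF)]:
        for dst in ("93.184.216.34", "203.0.113.44", "198.51.100.8", "10.1.2.3", "2001:db8::1"):
            print(f"{name:5} {dst:>15} -> {select_peer(conf, dst)}")
```

Running it shows the limitation artlog describes: narrowing AllowedIPs only helps when the set of destinations is known in advance, and a BitTorrent client talks to arbitrary peers, so no destination list covers it. Selecting by source address instead is done outside AllowedIPs, with wg-quick’s `Table = off` and an `ip rule add from <service address> lookup <table>` policy rule pointing at a routing table whose default route is the wg interface; that is the “source IP as selector” setup the post refers to.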

Thanks @artlog! I was not aware of that project.

It’s super helpful, thanks for the insight & the links. Given the work, I think I’ll probably create a seedbox so split tunneling won’t be required.