Wireguard VPN - Issues

Initial Diagnostics

Check the wireguard interface is up:

sudo wg

peer: siOe0gA/wSjnFZpX1ODhHjv5z6WDsIm+B3SEJy58DlU=
  endpoint: 133.122.144.188:52062
  allowed ips: 10.10.2.10/32
  latest handshake: 32 minutes, 31 seconds ago
  transfer: 10.03 GiB received, 331.45 MiB sent

Tip

So the server has not checked in for 32 minutes!

Connection issues

To diagnose connection issues use (on both the client and the server):

sudo wg show

or if the interface is configured to start at boot time (assuming interface is called wg0) use:

sudo systemctl status wg-quick@wg0

e.g. a typical client will show:

interface: wgx
  public key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
  private key: (hidden)
  listening port: yyyyy

peer: sssssssssssssssssssssssssssssssssssssssssss=
  endpoint: s.s.s.s:sssss
  allowed ips: a.a.a.0/24
  latest handshake: 20 seconds ago
  transfer: 46.90 MiB received, 523.78 MiB sent
  persistent keepalive: every 25 seconds

A typical server will show:

interface: wgx
  public key: sssssssssssssssssssssssssssssssssssssssssss=
  private key: (hidden)
  listening port: sssss

peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
  endpoint: y.y.y.y:yyyyy
  allowed ips: a.a.a.x/32
  latest handshake: 1 second ago
  transfer: 2.37 GiB received, 964.48 MiB sent

peer: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
  endpoint: z.z.z.z:zzzzz
  allowed ips: a.a.a.z/32
  latest handshake: 3 seconds ago
  transfer: 28.27 MiB received, 20.33 MiB sent

peer: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=
  allowed ips: a.a.a.w/32

Lines to look out for in this output are:

- If there are no ``latest handshake`` or ``transfer`` lines (e.g. peer
  wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww= above) this indicates the peer has
  not been seen since the service started.

- If the interface has been started recently a ``transfer`` line showing
  ``0B received`` indicates that the service is not connected.  This is
  usually due to a configuration issue.

- ``latest handshake`` should be less than a few minutes old. If the transfer
  line shows a non-zero value for bytes received, the configuration worked at
  some point, so the problem may be on the public network: the wireguard
  interface sends its encrypted traffic over the public network interface.
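The three checks above, turned into a small script (an added example, not code from the page): it parses the peer blocks of ``wg show`` output and flags each peer as never seen, not connected, or stale. The sample output, its placeholder keys and addresses, and the 3-minute staleness threshold are constructed assumptions.

```python
import re
# Constructed sample (placeholder keys, private-range addresses) mirroring the `sudo wg show` output above.
SAMPLE = """\
peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
  allowed ips: 10.10.2.10/32
  latest handshake: 32 minutes, 31 seconds ago
  transfer: 10.03 GiB received, 331.45 MiB sent

peer: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
  allowed ips: 10.10.2.11/32
  latest handshake: 3 seconds ago
  transfer: 0 B received, 20.33 KiB sent

peer: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=
  allowed ips: 10.10.2.12/32
"""

UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
BYTE_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}

def handshake_age(text):
    """'32 minutes, 31 seconds ago' -> 1951 (wg prints day/hour/minute/second units)."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+) (day|hour|minute|second)s?", text))

def received_bytes(text):
    """'10.03 GiB received, 331.45 MiB sent' -> bytes received, as a float."""
    m = re.search(r"([\d.]+) (B|KiB|MiB|GiB|TiB) received", text)
    return float(m.group(1)) * BYTE_UNITS[m.group(2)]

def parse_peers(output):
    """Collect the indented fields under each 'peer:' line into one dict per peer."""
    peers = []
    for line in output.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "peer":
            peers.append({"public key": value})
        elif peers and key in ("endpoint", "allowed ips", "latest handshake", "transfer"):
            peers[-1][key] = value
    return peers

def classify(peer, max_age=180):
    """Apply the three checks above; max_age (3 minutes for 'a few minutes') is an assumed threshold."""
    if "latest handshake" not in peer:
        return "never seen since the service started"
    if received_bytes(peer["transfer"]) == 0:
        return "not connected (0 B received): check the configuration"
    if handshake_age(peer["latest handshake"]) > max_age:
        return "stale handshake: worked before, check the public network path"
    return "ok"
```

Pipe real output in with ``sudo wg show | python3 script.py`` after adding a ``sys.stdin.read()`` call; the sample is only there so the script runs offline.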

Reset the interface

To reset the wireguard interface (assuming it's called wg0) use:

sudo wg-quick down wg0 && sudo wg-quick up wg0

If the interface is started at boot time you can also use:

sudo systemctl restart wg-quick@wg0

Configuration issues

The PublicKey in the Peer section of the client configuration is the public key of the server, not the client:

[Peer]
PublicKey = sssssssssssssssssssssssssssssssssssssssssss=

DNS

If you only have a single wireguard network and have a DNS server configured to resolve the nodes on that network, you can configure nodes to use it with the DNS directive in the wireguard configuration file, e.g.:

DNS = a.a.a.x

If your system is configured to start the VPN network at boot, rebooting may resolve DNS issues, or you can simply Reset the interface as described above.

Tip

To check your name server information on Ubuntu 20.04 and later, use resolvectl status.

Ubuntu 24.04

The DNS (resolvconf) changes in Ubuntu 24.04 cause wg-quick to fail when the configuration file contains a DNS entry.

To resolve this either install systemd-resolved:

sudo apt install systemd-resolved

Or remove the DNS entry from the configuration file, e.g.:

# e.g. remove 'DNS = 10.10.2.1' from:
/etc/wireguard/wg0.conf
# restart
sudo wg-quick up wg0

For more information, see wg-quick fails with systemd resolvconf compatibility shim.

Firewall

ssh

If the firewall is failing to block access to ssh, then check the /etc/ssh/sshd_config file to make sure it includes the following line:

Include /etc/ssh/sshd_config.d/*.conf

If you upgraded Ubuntu from a version earlier than 20.04, then the file may have been modified by a Salt state and be invalid.

To fix the issue, copy /etc/ssh/sshd_config from another server (for example commands, see Ticket 4445 on the 21/12/2021).

Unstable connection

Check to make sure you are not using the configuration in two (or more) places!

Wireguard identifies a node by its public key. The server routes to the node using the AllowedIPs = a.a.a.x/32 directive for that peer in the server configuration file. If two nodes share the same IP or public key, they will constantly break each other.

Firewall Rules

A server protected by a firewall (recommended) needs a rule for its listening port to allow traffic.

A client with a PersistentKeepalive directive only needs a firewall rule if the OUTPUT chain is restricted (for iptables, check using sudo iptables -L).