[WireGuard] Unable to configure routing

Vladimir Matveev vladimir.matweev at gmail.com
Sat Aug 6 14:36:23 CEST 2016


I wanted to try WireGuard so I decided to test it on my laptop to
route all connections through my VPS. I have set it up on the VPS with
the following config file:

[Interface]
PrivateKey = <server private key>
ListenPort = 41414

[Peer]
PublicKey = <client public key>
AllowedIPs =

On my laptop I have the following file:

[Interface]
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
Endpoint = <VPS public IP>:41414
AllowedIPs =

I configured a wg0 interface both on the server ( and on the
client ( and also configured the firewall on the VPS to pass
UDP packets for the 41414 port through, as well as masquerading for
packets coming from

Afterwards I was able to reach the laptop from the server and vice
versa using their wg0 addresses just fine. However, I wasn't able to
route any connections through the VPS from the laptop.

On the server, as I have said already, I have set up masquerading for On the client I've added a route like this:

ip r add via dev wg0

Then, when I try to ping, I get errors like this:

% LANG=C ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
--- ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000m

Naturally, no other connection to this host gets through. Also, it
seems that in this case no packets even reach the server, I can see it
in the tcpdump -i wg0 output on the VPS. If I try to ping
from the laptop, I get correct responses and I also see them in the
tcpdump output, and I'm able to connect to the server itself just

I tried configuring the route without "via", like it is
described in the documentation (although I don't understand how it
should find the correct gateway address in such a configuration), but to
no avail - the errors are exactly the same.

What am I doing wrong here?

uname -a on the laptop:

Linux hostname 4.6.5-2-ck #1 SMP PREEMPT Wed Jul 27 18:33:05 EDT 2016
x86_64 GNU/Linux

uname -a on the VPS:

Linux hostname 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:12:32 CEST
2016 x86_64 GNU/Linux

Both computers are running Arch Linux, with WireGuard 0.0.20160722
built via DKMS.


Best regards,
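
Added example, not part of the original post: "Required key not available" is ENOKEY, which WireGuard returns on send when the destination address matches no peer's AllowedIPs. The sketch below models that lookup and the matching source check on receive; all peer names and addresses are constructed, since the post's own values are not shown.

```python
import errno
import ipaddress

# Constructed peer names for illustration; none come from the post.
SERVER = "server-pubkey"
CLIENT = "client-pubkey"

def build_table(peers):
    """peers: {peer_name: [cidr, ...]} -> list of (network, peer_name)."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in peers.items() for cidr in cidrs]

def lookup(table, addr):
    """Longest-prefix match of addr over every AllowedIPs entry, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, name) for net, name in table
            if ip.version == net.version and ip in net]
    return max(hits)[1] if hits else None

def send(table, dst):
    """Outbound: choose the peer whose AllowedIPs cover dst, else ENOKEY."""
    peer = lookup(table, dst)
    if peer is None:
        # Surfaces in ping as "sendmsg: Required key not available".
        return -errno.ENOKEY
    return peer

def accept(table, from_peer, inner_src):
    """Inbound: a decrypted packet is kept only if its inner source
    address maps back to the peer that sent it."""
    return lookup(table, inner_src) == from_peer

if __name__ == "__main__":
    # Client side: AllowedIPs limited to the tunnel subnet vs. everything.
    tunnel_only = build_table({SERVER: ["10.0.0.0/24"]})
    everything = build_table({SERVER: ["0.0.0.0/0"]})
    for dst in ("10.0.0.1", "198.51.100.7"):
        print(dst, send(tunnel_only, dst), send(everything, dst))

    # Server side: only the client's tunnel address is an accepted source.
    server = build_table({CLIENT: ["10.0.0.2/32"]})
    for src in ("10.0.0.2", "192.168.1.5"):
        print(src, accept(server, CLIENT, src))
```

A kernel route through wg0 only hands the packet to the interface; the peer is then selected by AllowedIPs, not by a gateway address.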

