How to debug wireguard on the server?

Anatoli me at
Thu Mar 21 07:21:21 CET 2019

First of all, check if the server receives the handshake with: sudo wg 
show wg0 help (you'll see all available options). Start with 
latest-handshakes and endpoints. If the server sees the client in the 
endpoints and its latest handshake time updates accordingly, then the 
tunnel is working.

Then check the routes. When you do sudo wg-quick up wg0, what's the 
output? Are the routes created? What's the output of ip rule show and ip 
route show table all? If you specify on the client AllowedIPs =, then wg-quick creates all needed routes automatically. If 
not, you'll have to create them manually. Check the man pages: and

Try to see what's the route to the desired destination with: ip -s route 
get <IP>.

*From:* Wojtek Swiatek <w at>
*Sent:* Tuesday, February 26, 2019 06:59
*To:* Wireguard Mailing List <wireguard at>
*Subject:* How to debug wireguard on the server?

Hello everyone

I am trying to set up wireguard on a Linux server (Ubuntu 18.04) and I 
am having some issues. The configuration of the server:

Address = <>
ListenPort = 51820
PrivateKey = UbuntuPrivateKey

# the laptop I want to connect from
# this public key is derived from the laptop's private key LaptopPrivateKey
PublicKey = kExj276RLpqCZoDdOYHiq4FQHKA94y0eY1W/ptvT2y4=
AllowedIPs = <>

Bringing up the wg0 interface via wg-quick is OK:

root at srv ~# wg
interface: wg0
   public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
   private key: (hidden)
   listening port: 51820

peer: kExj276RLpqCZoDdOYHiq4FQHKA94y0eY1W/ptvT2y4=
   allowed ips: <>

I have a client peer configured as well:

Address = <>
ListenPort = 51820
PrivateKey = LaptopPrivateKey

# the server I want to connect to
# this public key is derived from the server's private key UbuntuPrivateKey
PublicKey = A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
AllowedIPs = <>
# Address of the server
Endpoint = <>
# Send periodic keepalives to ensure connection stays up behind NAT.
PersistentKeepalive = 25

When connecting from the client, I see handshake packets leaving it, and 
arriving on the server - on its external interface:

root at srv ~# tcpdump -i eth0 port 51820 -vvv -X
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 
262144 bytes
10:35:29.386976 IP (tos 0x0, ttl 115, id 17333, offset 0, flags [none], 
proto UDP (17), length 176) > [udp sum ok] 
UDP, length 148
         0x0000:  4500 00b0 43b5 0000 7311 eeda 5bf4 ee0e  E...C...s...[...
         0x0010:  c0a8 0a02 ea36 ca6c 009c 98e7 0100 0000  .....6.l........
         0x0020:  ac50 0f85 6ead 67f6 2c38 4b74 43c4 6388  .P..n.g.,8KtC.c.
         0x0030:  f594 1886 6699 f439 183e ad2b 0e02 4e13  ....f..9.>.+..N.
         0x0040:  c1a8 d14a f1c6 8d13 1f98 8c2c 6cfd dbf6  ...J.......,l...
         0x0050:  9f2f 8d35 9073 bad1 ddd7 927e 0552 aadf  ./.5.s.....~.R..

The same tcpdump command ran against wg0 does not show any traffic (but 
maybe this is normal?)

The client keeps on sending handshake packets.

Q1: is there anything I should do in order for the packets to reach wg0, 
or do they reach it but I just do not see that with tcpdump (sorry, I am 
not well versed with virtual interfaces)
Q2: if there is nothing more to do than a wg-quick, is there a way to 
debug the server to understand what happens with this handshake packet 
(= it is rejected because ...)


WireGuard mailing list
WireGuard at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the WireGuard mailing list