WireGuard Windows client handshake packets appear to be blackholed
felix.geschwindner at icloud.com
Fri May 13 05:10:57 UTC 2022
I sent a similar mail a week ago and it said it's waiting for approval, but I haven't gotten anything else back, so I thought I'd try again since other mails on the list have come through in the meantime.
I’ve been using WireGuard on my macOS, Linux & Windows machines for a while now and recently the Windows machines started to block WireGuard in a strange way.
I’m using Windows 10 & 11 with the latest updates. WireGuard client version is v0.5.3.
The config looks like this:
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.10/32
DNS = 192.168.0.1

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 192.168.0.0/24
Endpoint = vpn.example.com:51820
When I activate the WireGuard VPN it reports that the connection is active and ready to go. I even see the new adapter created in the Windows network settings, but when I try to ping resources behind the VPN, I get a "General Failure" message from the command line.
Pinging the local client VPN adapter IP works.
First I tried a couple of simple things that might help the WireGuard client to succeed:
• Run as administrator
• Re-install client
• Re-generate keys & config
• Try same config on a Mac to rule out mismatches (this works)
• Run WireGuard in Windows 7 compatibility mode
• Configure the TCP/IP stack in the registry to favor IPv4 over IPv6
• Disable IPv6 entirely
• Add explicit firewall rule to allow WireGuard ports
• Disable firewall entirely
• Try full-tunnel via 0.0.0.0/0 in "AllowedIPs"
None of the above points produced any change whatsoever.
Finally I took to Wireshark to see if it could help me identify where the packets get stuck, and surprisingly Wireshark doesn't show ANY packets destined for UDP port 51820 on ANY interface, which is the point at which I ran out of ideas.
I tried this on 2 different Windows machines and both exhibit the same behavior, so it doesn't look like it is something special to one machine. I have not yet gotten to test a completely fresh install of Windows as that is a bigger undertaking.
More information about the WireGuard
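As an added example that is not part of the original post or of the WireGuard project: a small Python checker for a WireGuard client config in the shape shown above. It parses the [Interface] and [Peer] sections, validates key encoding, Address, AllowedIPs and Endpoint syntax, and classifies a destination address as "local" (the tunnel adapter's own address), "tunnel" (covered by a peer's AllowedIPs, longest prefix wins) or "outside" (never routed into the tunnel). This separates config mistakes from the packet-level symptom in the post, where the local adapter answers but AllowedIPs destinations do not. The sample config and its keys are constructed for the example (the keys are base64 of a fixed byte pattern, not real key material); the function names are this example's own.

```python
import base64
import ipaddress
from typing import Dict, List, Optional

# Constructed placeholder key: base64 of bytes 0..31. A real WireGuard
# key is 32 random bytes; this only has the right length and encoding.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()

# Constructed sample client config mirroring the layout in the post.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {SAMPLE_KEY}
Address = 10.0.0.10/32
DNS = 192.168.0.1

[Peer]
PublicKey = {SAMPLE_KEY}
AllowedIPs = 192.168.0.0/24
Endpoint = vpn.example.com:51820
"""


def parse_wg_config(text: str) -> Dict[str, object]:
    """Parse the INI-like wg-quick format into one interface dict and a list of peers."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None:
            raise ValueError(f"key/value outside any section: {raw!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return {"interface": interface, "peers": peers}


def valid_key(value: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def allowed_networks(peer: Dict[str, str]) -> List[ipaddress._BaseNetwork]:
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def check_config(cfg: Dict[str, object]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the config is well-formed."""
    problems: List[str] = []
    iface = cfg["interface"]
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a base64-encoded 32-byte key")
    try:
        addrs = [ipaddress.ip_interface(a.strip())
                 for a in iface.get("Address", "").split(",") if a.strip()]
    except ValueError as exc:
        problems.append(f"Interface.Address invalid: {exc}")
        addrs = []
    if not addrs:
        problems.append("Interface.Address missing")
    if not cfg["peers"]:
        problems.append("no [Peer] section")
    for i, peer in enumerate(cfg["peers"]):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"Peer {i}: PublicKey is not a base64-encoded 32-byte key")
        try:
            if not allowed_networks(peer):
                problems.append(f"Peer {i}: AllowedIPs missing (nothing will be routed)")
        except ValueError as exc:
            problems.append(f"Peer {i}: AllowedIPs invalid: {exc}")
        endpoint = peer.get("Endpoint")
        if endpoint:  # host:port, where host may be a bracketed IPv6 literal
            host, sep, port = endpoint.rpartition(":")
            if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"Peer {i}: Endpoint must be host:port, got {endpoint!r}")
    return problems


def classify_destination(cfg: Dict[str, object], dst: str) -> str:
    """'local' if dst is the interface's own address, 'tunnel' if a peer's
    AllowedIPs covers it (longest prefix), otherwise 'outside'."""
    addr = ipaddress.ip_address(dst)
    for a in cfg["interface"].get("Address", "").split(","):
        if a.strip() and ipaddress.ip_interface(a.strip()).ip == addr:
            return "local"
    best_prefix = -1
    for peer in cfg["peers"]:
        for net in allowed_networks(peer):
            if addr in net and net.prefixlen > best_prefix:
                best_prefix = net.prefixlen
    return "tunnel" if best_prefix >= 0 else "outside"


if __name__ == "__main__":
    cfg = parse_wg_config(SAMPLE_CONF)
    print("problems:", check_config(cfg) or "none")
    for ip in ("10.0.0.10", "192.168.0.1", "8.8.8.8"):
        print(ip, "->", classify_destination(cfg, ip))
```

With the sample config, 10.0.0.10 is classified as local (the ping that works in the post), 192.168.0.1 as tunnel (the ping that fails), and 8.8.8.8 as outside; swapping AllowedIPs for 0.0.0.0/0 moves 8.8.8.8 into the tunnel, matching the full-tunnel attempt described above. A config whose keys are still the literal placeholders from the post is reported as a problem rather than silently accepted.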