The Unofficial Non-Definitive WireGuard Troubleshooting Page

WireGuard is a relatively new VPN that is getting a lot of buzz as of late. It is a very simple VPN implementation, which makes it very fast, and it can run with very few resources on things like phones. Plus, with the rise of COVID and trying to get around certain governmental firewalls, people are suddenly faced with needing to access remote resources more than ever. Additionally, many commercial anonymizing VPN providers support WireGuard as a standard.

Having hung out in various WireGuard forums and sub-reddits, I am finding the same few questions asked over and over and over. This page is an attempt to answer these questions. If you want to know how to install WireGuard, I suggest you see the Arch Wiki WireGuard page or use PiVPN to install WireGuard for the first time. For most people on their first time out, PiVPN can’t be beat.

Why is WireGuard different than most other VPNs?

Most other VPN implementations people are familiar with, such as OpenVPN, Cisco ASA, Palo Alto Global Connect and dozens of others, try to solve a lot of problems. They have built-in routing, authentication, push compliance policy, and many other features. WireGuard, in the most Linux way possible, is trying to solve one problem: in-transit encryption. That is, whatever traffic flows between two WireGuard nodes is encrypted.

Also, WireGuard is serverless. That means that all nodes run the same software and you are creating singular point-to-point connections between each node. However, many people do set up WireGuard in a client-server style configuration even though technically there is no “server”. In this guide I am assuming you are configuring things as a typical client-server setup. So please, the pedantic among us, forgive me.

Essentially, WireGuard is an encrypted virtual Ethernet cable and that’s it. What this means is it is up to you to solve many of these other issues.

WireGuard connects from inside my network, but not from outside my network! – not using your public IP

This is an especially common issue when folks first use PiVPN. Almost every network has a router or firewall on its edge that connects the LAN to the internet. The router has private IPs on the internal interface and public IPs on the external interface. Typically the issue is that you are trying to connect to your private IP while outside of your network!

If the [Peer] section of your client configuration shows Endpoint = with a value starting with 192.168.x.x, 10.x.x.x, or 172.16.x.x, you are not using the correct IP. While on your LAN, go to ifconfig.me or search for ‘my ip’ on Google. This is the address you should be using.

I can’t connect to the WireGuard from outside my network! v1 – port forwarding

This assumes you have already confirmed you are trying to connect to the proper external IP. If you are running WireGuard on something other than your router, you must set up a port forward on your router to the device running WireGuard. Every router and firewall is different, so I can’t possibly tell you how to set up port forwarding on your router.

This shows a pretty typical port-forwarding setup on my Asus router and pfSense firewall respectively. Hopefully this gives you a hint as to what to look for in your router or firewall.

[Screenshot: Asus port forward]
[Screenshot: pfSense port forward]

The key bits of info you must use:

External and internal port – this is 51820 in the default WireGuard configuration.
Protocol – UDP
Internal IP – this is the IP address of your WireGuard server on your internal LAN. This address will start with 192.168.x.x, 10.x.x.x, or 172.16.x.x.

I can’t connect to the WireGuard from outside my network! v2 – double NAT

So your Endpoint= value is a proper external IP, you set up a port forward, and it STILL doesn’t work. Verify the WAN IP of your router/firewall. If the WAN IP of your router or firewall starts with 192.168.x.x, 10.x.x.x, or 172.16.x.x, you have a double NAT. This means that your ISP has a device blocking public access to your router.

Typically this is fixed by enabling “bridge mode”, “pass through mode” or “modem mode” on the device your ISP has provided. There are countless ISPs and modems that they provide, so I can’t tell you how to fix this. In general, you can point a browser to the IP of the default gateway reported by the WAN interface of your router and sniff around. Google for the make and model of the device your ISP installed along with “bridge mode” and you will likely find others that have solved this issue.

At the end of the day, if the WAN address on the device where you set up the port forward does not match the IP that ifconfig.me tells you, this will never work.
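The two address checks above (a private Endpoint in the client configuration, and a router WAN address that is private or differs from what ifconfig.me reports) can be scripted. This is an added example, not part of the original page: the function names, the sample configuration and its addresses are constructed, and it tests the full 172.16.0.0/12 private range (172.16.x.x through 172.31.x.x).

```shell
#!/bin/sh
# Added example (not from the original page); sample data is constructed.

# Succeed if $1 is an IPv4 address in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;          # hostnames and IPv6 are not judged here
        10.*.*.*|192.168.*.*) return 0 ;;
        172.*.*.*)
            octet=${1#172.}; octet=${octet%%.*}
            case "$octet" in 1[6-9]|2[0-9]|3[01]) return 0 ;; esac ;;
    esac
    return 1
}

# Print the host part of each "Endpoint = host:port" line in config file $1.
endpoint_hosts() {
    awk -F= 'tolower($1) ~ /^[ \t]*endpoint[ \t]*$/ {
        v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
        sub(/:[0-9]+$/, "", v); print v
    }' "$1"
}

# Report every endpoint; exit status 1 if any is a private address.
check_endpoints() {
    rc=0
    for host in $(endpoint_hosts "$1"); do
        if is_private_ipv4 "$host"; then
            echo "PRIVATE $host (only reachable from inside the LAN)"; rc=1
        else
            echo "OK      $host"
        fi
    done
    return "$rc"
}

# Double NAT test: $1 = router WAN address, $2 = address reported by ifconfig.me.
is_double_nat() {
    is_private_ipv4 "$1" || [ "$1" != "$2" ]
}

# Constructed sample config (placeholder key, documentation-range addresses).
sample=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 10.6.0.2/24' '[Peer]' \
    'PublicKey = <server-public-key>' 'Endpoint = 192.168.1.50:51820' \
    'AllowedIPs = 0.0.0.0/0' > "$sample"
check_endpoints "$sample" || true
is_double_nat 192.168.0.2 203.0.113.7 && echo "double NAT: WAN address is not the public address"
rm -f "$sample"
```

Run `check_endpoints` against the client configuration file, and pass `is_double_nat` the WAN address shown in the router's status page together with the address ifconfig.me reports.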

When I try to start WireGuard I get an error like RTNETLINK answers: Operation not supported OR Unable to access interface: Protocol not supported

This is saying that the WireGuard kernel module is missing. 99.9% of the time this is because your installation never actually completed. Apt may have finished, but you didn’t notice errors in the wireguard-dkms section. This is because your kernel headers either are not installed OR are not the same version as the running kernel. What to do?

On Raspbian

apt update
apt upgrade
apt install raspberrypi-kernel-headers
reboot now

Once the reboot is complete run
apt reinstall wireguard-dkms

On Debian/Ubuntu

apt update
apt upgrade
apt install linux-headers-$(uname -r)
reboot now

Once the reboot is complete run
apt reinstall wireguard-dkms

If that didn’t work

You likely got yourself on a pre-production kernel somehow. Pre-production kernels often don’t ship with headers. This often happens if you previously ran rpi-update. To fix this run:

sudo apt-get update
sudo apt install --reinstall libraspberrypi0 libraspberrypi-{bin,dev,doc} raspberrypi-bootloader raspberrypi-kernel

reboot now

After the reboot, run the commands from the previous section again.
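To confirm which case you are in before reinstalling anything, the following added script (not part of the original page) classifies the running kernel. It assumes the usual layout where modules live under /lib/modules/<release> and the headers package provides the build directory there; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page).

# Classify WireGuard kernel support for kernel release $1 under modules root $2
# (defaults: the running kernel and /lib/modules). Prints one of:
#   builtin, module, missing-headers-present, missing-no-headers
wg_kernel_state() {
    rel=${1:-$(uname -r)}
    dir=${2:-/lib/modules}/$rel
    if grep -qs 'wireguard\.ko$' "$dir/modules.builtin"; then
        echo builtin                      # compiled into the kernel image
    elif [ -n "$(find "$dir" -name 'wireguard.ko*' 2>/dev/null | head -n 1)" ]; then
        echo module                       # in-tree or DKMS-built module exists
    elif [ -d "$dir/build" ]; then
        echo missing-headers-present      # headers match, module was never built
    else
        echo missing-no-headers           # assumption: DKMS builds against this dir
    fi
}

# Map a state to the step from the article that applies.
advise() {
    case "$1" in
        builtin|module)
            echo "WireGuard is available for this kernel" ;;
        missing-headers-present)
            echo "headers found: run 'apt reinstall wireguard-dkms'" ;;
        missing-no-headers)
            echo "install headers matching 'uname -r', reboot, then reinstall wireguard-dkms" ;;
    esac
}

state=$(wg_kernel_state)
echo "$(uname -r): $state"
advise "$state"
```

Running it again after a kernel upgrade shows whether the module was rebuilt for the new release.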

I can’t find where I configure the encryption type or strength!

If you have used other VPNs in the past, there is usually a whole menu of parameters relating to encryption type, bit length, Diffie-Hellman Group, etc. In WireGuard, one size fits all. ChaCha20-Poly1305 is the one and only choice. You can read plenty more on the official WireGuard website.

4 replies on “The Unofficial Non-Definitive WireGuard Troubleshooting Page”

Had Wireguard working just fine for over a month (maybe a few now) and as of 10PM last night no one can connect. Or rather, the connection connects but it never completes with a handshake. All I get now is

[NET] peer(SC1k…cdik) – Handshake did not complete after 5 seconds, retrying (try 2)

in the log. In much searching, aside from port forward and other firewall issues (which I’m pretty sure I don’t have since it *was* working) it seems that people have regenerated the keys and that solved it.

So do the keys expire? How the heck do you set their expiration date? There doesn’t seem to be anything in the docs I can think of. The only other thing I can think of is the clock has drifted on the “server” node and thus the handshake is failing. If true it would be REALLY nice if that was logged as part of the handshake failure message. I have to drive to check the clock on the “server” node so that’s next. Am still hoping it might be something I can fix on this side, or fix without having to walk everyone through replacing keys. Ooof.

The keys never expire. I suspect that unattended-upgrade is running and updating your kernel. Once the kernel updates, you must recompile the wireguard-dkms package. I suspect this section will fix your issue when it occurs.

I have Wireguard running on a Pi using PiVPN, and my Android tablet connects fine (can ping the virtual 10.6.x.x address from the LAN and vice versa) but I’m trying to transfer data over port 8080 between the tablet and my PC, which normally works on the LAN, but not over the VPN. Are all ports routed or just 80/ICMP? Can I ensure all traffic is sent from client devices for all services over the tunnel to speak to LAN clients?

Wireguard can/will tunnel any and all traffic. I suggest you post on the Wireguard subreddit and there are lots of us that can help. However I suspect you need a masquerade rule – which PiVPN automatically creates for you and why I recommend it to install Wireguard for noobs.
