Troubleshoot wireguard

I have issues using wireguard for client connection from my office laptop to my vyos gateway.
The problem is that there is really nothing in the log…

I tried to change the port, I tried to set the MTU lower, same issue…

Is there a way to debug the wireguard handshake?

On my windows client, the message is:
2021-11-18 09:40:03.150: [TUN] [Vyos2] Sending handshake initiation to peer 1 (xxxxx2:4000)

Client config:

PrivateKey = xxxxxxxxxxxx
Address =
DNS =,

PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyy
AllowedIPs =,
Endpoint = y.y.y.2:4000
PersistentKeepalive = 15

Vyos config:

vyos@BR2# show interfaces wireguard
wireguard wg01 {
peer AMP {
persistent-keepalive 15
pubkey zzzzzzzzzzzzzzzzzzzzzzz
port 4000

Version: VyOS 1.4-rolling-202102060218
Release Train: sagitta

What firewall rule do you have in place to allow port 4000 into local?

No firewall rules, I use it in a pure router mode

can you share the config and what is the output of “sudo wg show” after you’ve attempted a handshake.

Hello Phillip,

Config anonymized and command output below,


vyos@MA-BR2:~$ sudo wg show
interface: wg01
public key: UxFj9GehdwhddwtWOKWYImg=
private key: (hidden)
listening port: 4000

peer: ull3dwhhgdwgdwgdwgdwa780SiT9DycnzEHU=
allowed ips:
latest handshake: 1 day, 1 hour, 7 minutes, 44 seconds ago
transfer: 10.05 MiB received, 71.18 MiB sent
persistent keepalive: every 15 seconds

set your MTU explicitly on the wg01 interface, and I assume you’ve simply removed the private-key node in sharing the config.

set interfaces wireguard wg01 mtu '1420'

What is the config for the peer?

No there was no private key node in the config.

I just added:
set wireguard wg01 private-key ‘default’
set wireguard wg01 mtu ‘1420’

Peer config:

PrivateKey = xxxxxxxxxxxx
Address =
DNS =,
MTU = 1420

PublicKey = yyyyyyyyyyyyyyyyyyyyy
AllowedIPs =,
Endpoint =
PersistentKeepalive = 15

Issue remains…

you need to generate a private key and have that stored under


Have you followed the wireguard information here (assuming you’re on 1.4-rolling)?

Yes i did follow the information you mentioned.

The keys are stored here:

more /config/auth/wireguard/default/
private.key public.key

What happens if you run tcpdump -i <your interface> udp port 4000
Do you see WG packets coming and going?

You can enable debug output manually (will be implemented as option in the future).
When you are logged in to a sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control to enable it. To disable you can pass -p like: echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

Did you set a route? (set protocol static <allowd-ip(s)> interface ...., once done try to ping the other side and see what’s in the logs and check via tcpdump if your wg01 interface carries any traffic.

I see packets coming but not going. And i only see them on one of my upstream interface (eth3) whereas i am trying to bind the tunnel on my public IP (internal side) set on eth0.

vyos@router# tcpdump -i eth3 udp port 4000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:40.204331 IP > UDP, length 148
09:25:43.354174 IP > UDP, length 148
09:25:48.378260 IP > UDP, length 148
09:25:53.400523 IP > UDP, length 148
09:25:58.418652 IP > UDP, length 148
09:26:03.441891 IP > UDP, length 148
09:26:08.585301 IP > UDP, length 148
09:26:13.720190 IP > UDP, length 148
09:26:18.867208 IP > UDP, length 148
09:26:23.920439 IP > UDP, length 148
09:26:28.955403 IP > UDP, length 148
09:26:34.018207 IP > UDP, length 148
12 packets captured
12 packets received by filter

vyos@router# sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
vbash: /sys/kernel/debug/dynamic_debug/control: Permission denied

I tried to ping the other side and capture at the same time but no traffic seems to be carried by the wg01 interface…

Do a sudo /bin/bash beofre the module call. Vbash seems not to have root permissions. If no traffic hits your interface, either you don’t have a route or you key setup is incorrect or your allowed-ips doesn’t fit the subnet you want to use. Check that at least 1 side can reach the wg port you opened (check your fw rules), if that’s the case with the debug command you should see successful key exchanges. If that works, let’s have a look at your setup in general. Can you post your wg config and your routes? (Don’t post private keys).

This is the error message i get now with debug enabled

Nov 23 09:17:44 router kernel: [1120772.963078] wireguard: wg01: Handshake for peer 2 ( did not complete after 5 seconds, retrying (try 8)
Nov 23 09:17:44 router kernel: [1120772.963095] wireguard: wg01: Sending handshake initiation to peer 2 (

My config is below,

what is in-between your client and vyos router that could be blocking comms and have you validated that your keys are correct on both sides?


All right, I see a few issue already:

wireguard wg01 {
        peer Mat {
            persistent-keepalive 15
            pubkey ****************
        port 4000

Your allowed IPs won’t be routed into wg01 unless you set a host route as it is part of the external address. You can do address, that is going to be the address wg open port 4000 on.
You don’t need keepalive, only necessary if you have NAT and you have only the chance to do the handshake from one site. Your allowed-ips is basically the host or network which will be encapsulated, that why you need the /32 netmask in your case on address

The you need an interface route for like protocols static interface-route next-hop-interface wg01.
As soon as you initiate traffic (ping, wg will connect to the other side and should do a key exchange. You can watch the log and verify with tcpdump, if that fails, needs to be fixed first. If that works, verify with tcpdump the traffic in wg01. tcpdump -nne -i wg01 for instance, if there is no traffic, your key setup is faulty (should also show you error message with HMAC etc. in syslog).

Let me know how it goes.