WireGuard troubleshooting

Debugging capabilities

Enable WireGuard kernel debug logging:

echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control

Disable WireGuard kernel debug logging:

echo 'module wireguard -p' | sudo tee /sys/kernel/debug/dynamic_debug/control

Common Logs

WireGuard loaded in kernel:

wireguard: loading out-of-tree module taints kernel.
wireguard: WireGuard 1.0.20200413 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

Handshake (sender):

wireguard: wg0: Sending handshake initiation to peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Receiving handshake response from peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Keypair 2 destroyed for peer 2
wireguard: wg0: Keypair 4 created for peer 2
wireguard: wg0: Sending keepalive packet to peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Sending keepalive packet to peer 2 (<server-ip>:<server-port>)

Handshake (receiver):

wireguard: wg0: Receiving handshake initiation from peer 2 (<client-ip>:<client-port>)
wireguard: wg0: Sending handshake response to peer 2 (<client-ip>:<client-port>)
wireguard: wg0: Keypair 3 created for peer 2
wireguard: wg0: Receiving keepalive packet from peer 2 (<client-ip>:<client-port>)

Keep-Alive packet:

wireguard: wg0: Receiving keepalive packet from peer 2 (<client/server-ip>:<client/server-port>)

Common errors:

Allowed Client-IP mismatch:

wireguard: wg0: Packet has unallowed src IP (<client-ip>) from peer 3 (<client-ip>:<client-port>)

Key mismatch errors:

Client has wrong server public key:

wireguard: wg0: Invalid MAC of handshake, dropping packet from <client-ip>:<client-port>

Server has wrong client public key:

wireguard: wg0: Invalid handshake initiation from <client-ip>:<client-port>

Client private key mismatch:

wireguard: wg0: Invalid handshake initiation from <client-ip>:<client-port>