Enable WireGuard debug logging to fix network issues

WireGuard is an awesome new and promising VPN protocol, and I recently made some videos about it. It’s usually very easy to set up, but you may still run into problems, be it network issues, connection problems, or something else. In this tutorial, I’ll show you how to create WireGuard debug logs, find out what’s going on, and of course how to fix it!

For more details about the WireGuard architecture, check out the official documentation or my tutorial on how to install and configure it.

How to enable debug logging in WireGuard

Debug logging can help you track what’s going on in the kernel module. It took me quite a while to find the right resource on how to enable it, but with the correct commands it’s fairly easy.

This command enables debug logging in WireGuard through the kernel’s dynamic debug control file; the messages then show up in the kernel log:

echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control

The same command with -p disables it again:

echo 'module wireguard -p' | sudo tee /sys/kernel/debug/dynamic_debug/control

Common logs in WireGuard

These are common log messages you will see after turning on debug logging. Don’t worry if you see them; they are expected when WireGuard is working correctly. The next section covers some errors that may occur.

WireGuard loaded in kernel:

wireguard: loading out-of-tree module taints kernel.
wireguard: WireGuard 1.0.20200413 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.

Handshake (sender):

wireguard: wg0: Sending handshake initiation to peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Receiving handshake response from peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Keypair 2 destroyed for peer 2
wireguard: wg0: Keypair 4 created for peer 2
wireguard: wg0: Sending keepalive packet to peer 2 (<server-ip>:<server-port>)
wireguard: wg0: Sending keepalive packet to peer 2 (<server-ip>:<server-port>)

Handshake (receiver):

wireguard: wg0: Receiving handshake initiation from peer 2 (<client-ip>:<client-port>)
wireguard: wg0: Sending handshake response to peer 2 (<client-ip>:<client-port>)
wireguard: wg0: Keypair 3 created for peer 2
wireguard: wg0: Receiving keepalive packet from peer 2 (<client-ip>:<client-port>)

Keep-Alive packet:

wireguard: wg0: Receiving keepalive packet from peer 2 (<client/server-ip>:<client/server-port>)

Errors you can discover in the debugging log:

This section lists some common error logs that I produced during testing. Most errors should be fairly easy to resolve with configuration settings, but when you’re trying to find out what’s going on, it helps to know which error produces which log line.

Allowed Client-IP mismatch:

wireguard: wg0: Packet has unallowed src IP (<client-ip>) from peer 3 (<client-ip>:<client-port>)

Key mismatch errors:

Key mismatch errors occur when the wrong private or public key has been added to either the server’s or the client’s configuration. Check the keys again and correct them in the peer’s configuration file.

Client has wrong server public key:

wireguard: wg0: Invalid MAC of handshake, dropping packet from <client-ip>:<client-port>

Server has wrong client public key:

wireguard: wg0: Invalid handshake initiation from <client-ip>:<client-port>

Client private key mismatch:

wireguard: wg0: Invalid handshake initiation from <client-ip>:<client-port>
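
The error-to-cause mapping from this section, as an added example that is not part of the original tutorial: the hypothetical shell function wg_diagnose counts each error per source endpoint and names the likely cause. The sample log lines are constructed (documentation-range IPs), and "Invalid handshake initiation" is reported with both possible causes because the log line is identical for each.

```shell
#!/bin/sh
# Added example (not from the original post): map WireGuard debug log lines to
# the causes listed in this tutorial. Reads kernel log text on stdin and prints
# "count<TAB>cause<TAB>endpoint", sorted by cause.
wg_diagnose() {
    awk '
    function hit(cause,   ep) {
        ep = $NF                  # the endpoint is the last field of each message
        gsub(/[()]/, "", ep)      # "(ip:port)" becomes "ip:port"
        seen[cause "\t" ep]++
    }
    /wireguard: .*Packet has unallowed src IP/  { hit("allowed-ip-mismatch") }
    /wireguard: .*Invalid MAC of handshake/     { hit("client-has-wrong-server-public-key") }
    # One log line, two possible misconfigurations: report both candidates.
    /wireguard: .*Invalid handshake initiation/ { hit("server-has-wrong-client-public-key-or-client-private-key-mismatch") }
    /wireguard: .*Receiving handshake response/ { ok++ }
    END {
        for (k in seen) printf "%d\t%s\n", seen[k], k
        printf "%d\thandshake-completed\t-\n", ok
    }' | LC_ALL=C sort -t "$(printf '\t')" -k2,3
}

# Constructed sample lines in the message format shown in this tutorial.
wg_sample_log() {
    cat <<'EOF'
[  101.1] wireguard: wg0: Invalid MAC of handshake, dropping packet from 203.0.113.7:40001
[  106.2] wireguard: wg0: Invalid MAC of handshake, dropping packet from 203.0.113.7:40001
[  120.5] wireguard: wg0: Invalid handshake initiation from 198.51.100.9:51820
[  130.0] wireguard: wg0: Packet has unallowed src IP (10.0.0.99) from peer 3 (198.51.100.20:33333)
[  140.3] wireguard: wg0: Receiving handshake response from peer 2 (192.0.2.1:51820)
[  141.0] wireguard: wg0: Sending keepalive packet to peer 2 (192.0.2.1:51820)
EOF
}

# Demo on the constructed sample; for live logs: sudo dmesg | wg_diagnose
wg_sample_log | wg_diagnose
```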
