What to look for in "wg show" output?
This is an example `wg show` output:

```
interface: MyVPN
  public key: xJ+A//t9RbOU4ISIr61tsZwc8SPLbLONXhknnU1QvBQ=
  private key: (hidden)
  listening port: 12073

peer: xgmml6wPoe9auL5oGhqScQXLByfrI/1xq3sOJzYaNhE=
  endpoint: 77.55.81.22:23711
  allowed ips: 10.178.212.1/32, 10.39.24.0/24
  latest handshake: 37 seconds ago
  transfer: 948 B received, 1.40 KiB sent
  persistent keepalive: every 30 seconds
```
This is what I look for:

- **Is the desired wireguard interface present?** If not, this indicates that either the computer doesn't even try to start the interface (e.g. because autostart is not enabled) or starting it fails, for example because the route is already defined.
- **Are the desired peers listed?** If not, this is always a configuration error.
- **Is `persistent keepalive` enabled?** Without `persistent keepalive`, you will not be able to properly debug Wireguard because no packets will be sent unless some traffic is going through the interface. Therefore, I strongly recommend always enabling `persistent keepalive`, even if you plan to disable it later!
- **Is `latest handshake` listed and recent?** Not being able to handshake with a remote peer typically indicates either a network problem or a configuration problem, but in some cases it's also a system-related problem:
  - *System problems:* Is the wireguard interface on the local & remote side up & configured?
  - *Networking problems:* Port not forwarded to the destination machine, TCP port instead of UDP port forwarded, local or remote internet access is firewalled, incorrect port given, incorrect IP address or hostname given, DynDNS hostname not updated, Wireguard tries to access an IPv6 address but only the IPv4 port is forwarded properly (check using `host`).
  - *Wireguard configuration problems:* Does the remote peer use the correct private key that matches the public key in the local configuration? Does the remote configuration list the local public key as a peer at all? Does the local configuration have the correct private key that matches the public key listed in the remote config? Does the peer public key belong to the peer at the given endpoint (if specified), or does the key not match the endpoint?
- **`transfer` should show >0 bytes received and sent!** This is typically equivalent to the `latest handshake` debugging method. Bytes being sent but no bytes being received typically indicates that the Wireguard interface is trying to perform a handshake but does not get any reply back.
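To make this checklist repeatable, here is an added example (not part of the original post) that parses the human-readable `wg show` output quoted above and applies each of the checks listed: interface present, expected peers listed, `persistent keepalive` set, `latest handshake` recent, and bytes received as well as sent. The sample output is embedded as a constructed string, the `max_age` threshold of 180 seconds is an assumption, and expected peer keys are passed in by the caller.

```python
import re
# Constructed sample: the "wg show" output quoted in the post, embedded so the check runs offline.
SAMPLE = """interface: MyVPN
  public key: xJ+A//t9RbOU4ISIr61tsZwc8SPLbLONXhknnU1QvBQ=
peer: xgmml6wPoe9auL5oGhqScQXLByfrI/1xq3sOJzYaNhE=
  endpoint: 77.55.81.22:23711
  allowed ips: 10.178.212.1/32, 10.39.24.0/24
  latest handshake: 37 seconds ago
  transfer: 948 B received, 1.40 KiB sent
  persistent keepalive: every 30 seconds
"""

def parse_wg_show(text):
    """Turn the human-readable output into {iface: {field: value, "peers": {pubkey: {field: value}}}}."""
    ifaces, iface, peer = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition(": ")
        if key == "interface":
            iface, peer = value, None
            ifaces[iface] = {"peers": {}}
        elif key == "peer":
            peer = value
            ifaces[iface]["peers"][peer] = {}
        else:  # other fields belong to the current peer, or to the interface before the first peer
            (ifaces[iface]["peers"][peer] if peer else ifaces[iface])[key] = value
    return ifaces

def handshake_age(value):
    """'37 seconds ago' -> 37, '2 minutes, 5 seconds ago' -> 125; None if no handshake was reported."""
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    parts = re.findall(r"(\d+) (second|minute|hour|day)", value)
    return sum(int(n) * units[u] for n, u in parts) if parts else None

def diagnose(text, iface, expected_peers, max_age=180):
    # Apply the post's checklist; returns a list of findings, empty when everything looks healthy.
    ifaces = parse_wg_show(text)
    if iface not in ifaces:
        return [f"{iface}: interface missing (not started, or starting it failed)"]
    findings = []
    for pub in expected_peers:
        p = ifaces[iface]["peers"].get(pub)
        if p is None:
            findings.append(f"{pub[:8]}: peer not listed (configuration error)")
            continue
        if "persistent keepalive" not in p:
            findings.append(f"{pub[:8]}: persistent keepalive disabled, nothing is sent while idle")
        if (age := handshake_age(p.get("latest handshake", ""))) is None or age > max_age:
            findings.append(f"{pub[:8]}: no recent handshake (network, configuration or system problem)")
        if re.search(r"^0 B received, (?!0 B)", p.get("transfer", "")):  # wg prints exactly "0 B" for zero
            findings.append(f"{pub[:8]}: bytes sent but none received (the handshake gets no reply)")
    return findings
```

Feed it the live output with `diagnose(subprocess.check_output(["wg", "show"], text=True), "MyVPN", [...])` and an empty result means all of the checks above pass.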
Also see my WireguardConfig project, which makes this kind of configuration much easier.