WireGuard VPN Handshake Timeout — Peer Connection Failure and No Traffic
About WireGuard VPN Handshake Timeout
A WireGuard handshake timeout shows up as a peer that never completes its handshake: the peers cannot establish a connection, and 'wg show' lists the peer with no recent 'latest handshake' and zero 'transfer'. The sections below list the usual causes and the checks that isolate them.
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
How do I know if the handshake succeeded?
Run 'sudo wg show'. A successful connection shows 'latest handshake: X seconds/minutes ago' and non-zero transfer values. No handshake or handshake older than 2 minutes indicates a connection problem.
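As an added example (not code from the Error Codes Wiki page), here is a POSIX shell function that applies that rule to the machine-readable 'wg show <iface> dump' output instead of reading 'wg show' by eye. The sample dump, the placeholder keys and the documentation IP ranges are constructed for offline use; 'check_iface' is the wrapper to run against a live interface.

```shell
#!/bin/sh
# Added example, not code from the Error Codes Wiki page. It applies the Quick Answer's
# rule (no handshake, or one older than about two minutes, means trouble) to the
# machine-readable 'wg show <iface> dump' output.
# Peer lines in dump output are tab-separated:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake(unix, 0=never)  rx  tx  keepalive
# The first line describes the interface itself (private key, public key, port, fwmark).

# stale_peers <dump-text> <now-unix-seconds> [max-age-seconds]
# Prints one tab-separated line per peer whose handshake is missing or older than
# max-age (default 180 s, a little over WireGuard's 120 s rekey interval).
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="${3:-180}" '
        BEGIN { FS = "\t" }
        NR == 1 { next }                                  # interface line, not a peer
        {
            hs = $5 + 0
            if (hs == 0)             reason = "no handshake ever"
            else if (now - hs > max) reason = "last handshake " (now - hs) "s ago"
            else                     next                 # healthy peer
            printf "%s\t%s\tendpoint=%s\trx=%s\ttx=%s\n", $1, reason, $3, $6, $7
        }'
}

# check_iface <iface> [max-age-seconds]: run the check against a live interface.
# Assumes wireguard-tools is installed and the caller may read the interface (root).
check_iface() {
    stale_peers "$(wg show "$1" dump)" "$(date +%s)" "$2"
}

# Constructed sample dump (placeholder keys, documentation IP ranges), not real data.
SAMPLE_NOW=1700000000
SAMPLE_DUMP="$(
  printf '%s\t%s\t%s\t%s\n' 'SERVER_PRIVATE_KEY_PLACEHOLDER=' 'SERVER_PUBLIC_KEY_PLACEHOLDER=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'LAPTOP_PUBLIC_KEY_PLACEHOLDER=' '(none)' '203.0.113.10:41000' '10.8.0.2/32' 1699999950 123456 654321 off \
    'PHONE_PUBLIC_KEY_PLACEHOLDER='  '(none)' '(none)'             '10.8.0.3/32' 0          0      0      off \
    'OFFICE_PUBLIC_KEY_PLACEHOLDER=' '(none)' '198.51.100.7:51820' '10.8.0.4/32' 1699990000 900    1800   25
)"

# Running against the sample reports the phone (never handshook) and the office
# peer (handshake 10000 s old); the laptop handshook 50 s ago and is not listed.
stale_peers "$SAMPLE_DUMP" "$SAMPLE_NOW"
```

The transfer counters are printed alongside the reason because WireGuard only initiates a handshake when it has traffic to send: an idle peer without PersistentKeepalive can legitimately show an old handshake, whereas a peer with no handshake and zero bytes in both directions has never worked at all.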
Key Details
- WireGuard uses a cryptokey routing model where each peer has a public key and allowed IPs
- A successful handshake should appear within seconds of initiating a connection
- wg show displays handshake time and transfer stats — no handshake means the connection failed
- WireGuard uses UDP (default port 51820) which must be allowed through all firewalls
- Unlike OpenVPN, WireGuard does not negotiate — both sides must have matching configurations
Common Causes
- Firewall blocking UDP port 51820 (or custom port) on the server or client side
- Incorrect peer public key — even one character wrong prevents handshake
- Endpoint address incorrect or DNS not resolving the server hostname
- AllowedIPs configuration mismatch preventing traffic from being routed through the tunnel
Steps
1. Check WireGuard status: 'sudo wg show' — look for 'latest handshake' and 'transfer' values
2. Verify the server firewall allows UDP on the WireGuard port: ufw allow 51820/udp
3. Confirm peer public keys match: the server's peer section must have the client's public key and vice versa
4. Test UDP connectivity: 'nc -zuv server-ip 51820' to verify the port is reachable. Because UDP has no connection setup, nc only reports a failure when an ICMP port-unreachable comes back; WireGuard silently discards anything that is not a valid handshake message, and a firewall that drops rather than rejects looks the same, so a "succeeded" result does not by itself prove the port is open
5. Check AllowedIPs: server should have client's tunnel IP, client should have 0.0.0.0/0 for full tunnel. AllowedIPs must not overlap between peers on the server: each address maps to exactly one peer, and assigning it to a second peer moves it away from the first
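Steps 3 and 5 (and the Endpoint cause above) are easy to get wrong by hand, so here is an added example, not code from the Error Codes Wiki page, that cross-checks a server config against a client config for exactly those mismatches: the peer public keys, the AllowedIPs covering the client's tunnel address, and the Endpoint port against ListenPort. The two configs, their placeholder keys and the 'vpn.example.com' endpoint are constructed; with real files pass their contents (for example "$(cat /etc/wireguard/wg0.conf)"). Deriving a public key from a PrivateKey needs 'wg pubkey', so the expected public keys are passed as arguments rather than computed.

```shell
#!/bin/sh
# Added example, not code from the Error Codes Wiki page: cross-check a WireGuard
# server config against a client config for key, AllowedIPs and Endpoint mismatches.
# All configs and keys below are constructed placeholders.

# conf_value <config-text> <Section> <Key>: value of Key in the first [Section] block.
conf_value() {
    printf '%s\n' "$1" | awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { in_section = (index($0, want) > 0); next }
        in_section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }'
}

# peer_allowed_ips <config-text> <pubkey>: AllowedIPs of the [Peer] whose PublicKey
# is <pubkey>. Prints nothing when no such peer exists.
peer_allowed_ips() {
    printf '%s\n' "$1" | awk -v key="$2" '
        function val(s) { sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]*$/, "", s); return s }
        /^[[:space:]]*\[/ { if (hit) exit; ips = ""; next }   # exit runs END, which prints
        /^[[:space:]]*PublicKey[[:space:]]*=/  { if (val($0) == key) hit = 1 }
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ { ips = val($0) }
        END { if (hit) print ips }'
}

# check_pair <server-conf> <server-pubkey> <client-conf> <client-pubkey>
# Prints one OK/FAIL line per check; returns non-zero if any check failed.
check_pair() {
    srv="$1"; srv_pub="$2"; cli="$3"; cli_pub="$4"; rc=0

    # Step 3: the client's [Peer] must carry the server's public key.
    if [ "$(conf_value "$cli" Peer PublicKey)" = "$srv_pub" ]; then
        echo "OK   client [Peer] PublicKey matches the server key"
    else
        echo "FAIL client [Peer] PublicKey does not match the server key"; rc=1
    fi

    # Steps 3 and 5: the server needs a [Peer] with the client's key whose AllowedIPs
    # cover the client's tunnel address (a single host, so /32).
    cli_ip="$(conf_value "$cli" Interface Address)"; cli_ip="${cli_ip%%/*}"
    ips="$(peer_allowed_ips "$srv" "$cli_pub")"
    if [ -z "$ips" ]; then
        echo "FAIL server has no [Peer] for client key $cli_pub (or it has no AllowedIPs)"; rc=1
    elif printf '%s\n' "$ips" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$cli_ip/32"; then
        echo "OK   server AllowedIPs for the client include $cli_ip/32"
    else
        echo "FAIL server AllowedIPs for the client are '$ips', missing $cli_ip/32"; rc=1
    fi

    # Endpoint cause: the client's Endpoint port must be the server's ListenPort.
    ep="$(conf_value "$cli" Peer Endpoint)"; ep_port="${ep##*:}"
    lp="$(conf_value "$srv" Interface ListenPort)"
    if [ -n "$lp" ] && [ "$ep_port" = "$lp" ]; then
        echo "OK   client Endpoint port $ep_port matches server ListenPort"
    else
        echo "FAIL client Endpoint port ${ep_port:-unset} vs server ListenPort ${lp:-unset}"; rc=1
    fi
    return $rc
}

# Constructed configs with placeholder keys (not real key material).
SERVER_PUB='SERVER_PUBLIC_KEY_PLACEHOLDER='
CLIENT_PUB='LAPTOP_PUBLIC_KEY_PLACEHOLDER='

SERVER_CONF='[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
# laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.8.0.2/32

[Peer]
# phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.8.0.3/32'

# Client config consistent with the server.
CLIENT_CONF_GOOD='[Interface]
Address = 10.8.0.2/32
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0'

# Broken client config: server key off by one character, wrong port, and a tunnel
# address the server never allowed.
CLIENT_CONF_BAD='[Interface]
Address = 10.8.0.9/32
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDEX=
Endpoint = vpn.example.com:51821
AllowedIPs = 0.0.0.0/0'

echo "== consistent pair =="; check_pair "$SERVER_CONF" "$SERVER_PUB" "$CLIENT_CONF_GOOD" "$CLIENT_PUB"
echo "== broken pair ==";     check_pair "$SERVER_CONF" "$SERVER_PUB" "$CLIENT_CONF_BAD" "$CLIENT_PUB" || true
```

The consistent pair prints three OK lines; the broken pair prints three FAIL lines, one per mismatch, and the function's exit status lets the check be dropped into a provisioning script that refuses to deploy a config pair that cannot handshake.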