Error Codes Wiki

WireGuard VPN Handshake Timeout — Peer Connection Failure and No Traffic

Error / network

Overview

Fix WireGuard VPN handshake timeouts where peers cannot establish a connection, showing no recent handshake or transfer in wg show output.

Key Details

  • WireGuard uses a cryptokey routing model where each peer has a public key and allowed IPs
  • A successful handshake should appear within seconds of initiating a connection
  • wg show displays handshake time and transfer stats — no handshake means the connection failed
  • WireGuard uses UDP (default port 51820) which must be allowed through all firewalls
  • Unlike OpenVPN, WireGuard does not negotiate — both sides must have matching configurations

Common Causes

  • Firewall blocking UDP port 51820 (or custom port) on the server or client side
  • Incorrect peer public key — even one character wrong prevents handshake
  • Endpoint address incorrect or DNS not resolving the server hostname
  • AllowedIPs configuration mismatch preventing traffic from being routed through the tunnel

Steps

  1. Check WireGuard status: 'sudo wg show' — look for 'latest handshake' and 'transfer' values
  2. Verify the server firewall allows UDP on the WireGuard port: 'ufw allow 51820/udp'
  3. Confirm peer public keys match: the server's peer section must have the client's public key and vice versa
  4. Test UDP connectivity: 'nc -zuv server-ip 51820' to verify the port is reachable
  5. Check AllowedIPs: server should have client's tunnel IP, client should have 0.0.0.0/0 for full tunnel

Tags

wireguard, vpn, handshake, timeout, tunnel

Frequently Asked Questions

Run 'sudo wg show'. A successful connection shows 'latest handshake: X seconds/minutes ago' and non-zero transfer values. No handshake or handshake older than 2 minutes indicates a connection problem.