Troubleshooting WireGuard VPN
Overview
WireGuard is intentionally lightweight and produces very little logging by default, which can make troubleshooting more challenging than with traditional VPN solutions such as OpenVPN.
This article describes the most useful commands for diagnosing WireGuard connectivity issues on Ubuntu Server.
1. Verify the WireGuard Interface
First, confirm that the WireGuard interface is running.
Verify that:
- The interface (for example wg0) exists.
- Peers are listed.
- A Latest Handshake timestamp appears after a successful connection.
- Traffic counters (transfer) increase when data is exchanged.
For continuous monitoring, run:
This is one of the quickest ways to determine whether handshakes are occurring.
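The handshake and transfer checks listed above can be scripted. The following is an added example, not part of the original article: it classifies each peer from the tab-separated output of wg show <interface> dump. The function names, the 180-second STALE_AFTER threshold, and the sample keys and addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify peers from the
# tab-separated output of `wg show <interface> dump`.
# Peer line fields: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx,
# persistent-keepalive. The interface line has 4 fields and is skipped.

STALE_AFTER=180  # assumption: seconds without a handshake before flagging

wg_peer_health() {  # usage: wg_peer_health NOW_EPOCH < dump
    awk -F'\t' -v now="$1" -v stale="$STALE_AFTER" '
        NF == 4 { next }
        NF != 8 { printf "line%d UNPARSED\n", NR; next }
        {
            hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            # No handshake and no counters: nothing was ever exchanged.
            if (hs == 0 && tx == 0 && rx == 0) state = "NEVER_SEEN"
            # Bytes counted but no completed handshake: check keys, endpoint, firewall.
            else if (hs == 0)                  state = "NO_HANDSHAKE"
            else if (now - hs > stale)         state = "STALE"
            else                               state = "OK"
            # A short key prefix identifies the peer without printing the full key.
            printf "%s %s endpoint=%s rx=%s tx=%s\n", substr($1, 1, 6), state, $3, $6, $7
        }'
}

# Constructed sample dump (placeholder keys, documentation IP addresses).
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' PRIVKEY-PLACEHOLDER SRVKEY-PLACEHOLDER 51820 off
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        PEER-A-KEY 203.0.113.10:40000 10.0.0.2/32 1700000250 9200 8100 25 \
        PEER-B-KEY 198.51.100.7:51820 10.0.0.3/32 0 0 592 off \
        PEER-C-KEY '(none)' 10.0.0.4/32 0 0 0 off \
        PEER-D-KEY 203.0.113.44:51820 10.0.0.5/32 1699990000 120 300 off
}

# Live use on a server (needs root): check_iface wg0
check_iface() { wg show "$1" dump | wg_peer_health "$(date +%s)"; }

# Demo run on the constructed sample with a fixed "now".
sample_dump | wg_peer_health 1700000300
```

A peer that is idle and has no persistent keepalive configured can legitimately show STALE, so treat that state as a prompt to generate traffic and check again rather than as a failure.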
2. Check the WireGuard Service
If you are using wg-quick, verify that the service started successfully.
If the service failed to start, inspect the system journal:
To follow new log entries in real time:
3. Verify Network Configuration
Confirm that the interface has the expected IP address:
Verify that routes have been installed correctly:
If policy routing is used:
Incorrect routes or missing policy rules are among the most common causes of connectivity problems.
4. Enable WireGuard Kernel Debug Logging
WireGuard operates primarily inside the Linux kernel and therefore does not generate verbose application logs by default.
For deeper troubleshooting, Ubuntu allows enabling dynamic kernel debugging.
Step 4.1 – Enable debug logging
Step 4.2 – Watch kernel messages in real time
Open another terminal and run:
or
You should now see WireGuard kernel events, including handshake attempts, peer activity, and packet processing.
Step 4.3 – View historical kernel debug logs
To display previously recorded kernel messages:
To show only messages related to WireGuard:
To display kernel messages from the current boot only:
Note
Historical debug messages are only available if WireGuard dynamic debug was enabled when the events occurred and the system journal has retained the logs. Logs from previous boots are available only if persistent journaling is enabled.
Step 4.4 – Disable debug logging
Once troubleshooting is complete, disable verbose logging:
Note
On systems with Secure Boot enabled, Linux Kernel Lockdown may prevent dynamic debug from working. In that case, you may need to disable Secure Boot or boot the kernel with the wireguard.dyndbg=+p kernel parameter.
5. Capture WireGuard Traffic
If no handshakes are visible, verify that UDP packets are reaching the server.
Replace 51820 with your WireGuard listening port if different.
You should observe incoming and outgoing UDP packets when a client attempts to connect.
If no packets are captured, investigate:
- Firewall rules
- NAT configuration
- Cloud security groups
- Internet connectivity
- Client endpoint configuration
6. Common Checks
Before investigating more complex issues, verify the following:
- Public and private keys match the correct peers.
- AllowedIPs are configured correctly on every peer.
- The endpoint address and port are correct.
- IP forwarding is enabled when routing traffic.
- Firewall rules allow UDP traffic on the WireGuard port.
- NAT (MASQUERADE/SNAT) rules are configured if clients require Internet access through the tunnel.