Error Medic

Fixing 'WireGuard Connection Refused': A Comprehensive Troubleshooting Guide

Resolve WireGuard connection refused, high latency, and packet loss errors. Step-by-step fixes for blocked ports, MTU mismatch, and firewall misconfigurations.

Last updated:
Last verified:
1,628 words
Key Takeaways
  • Verify UDP port 51820 (or your custom port) is open on all firewalls and security groups.
  • Check for Endpoint IP/Port mismatches and ensure keys (Public/Private) are correctly paired.
  • Fix packet loss and high latency by adjusting the MTU size (typically lowering to 1360 or 1420).
  • Ensure IP forwarding is enabled on the server (`net.ipv4.ip_forward=1`).
  • Use `wg show` and `tcpdump` to diagnose handshake failures.
WireGuard Fix Approaches Compared
MethodWhen to UseTimeRisk
Open UDP Port in FirewallWhen `wg show` shows no latest handshake and packets are dropped.5 minsLow
Lower MTU SizeWhen handshakes complete but SSH/HTTPS hangs, or high latency/packet loss occurs.5 minsLow
Enable IP ForwardingWhen clients can connect to the VPN server but cannot reach the internet or LAN.2 minsLow
Regenerate KeysWhen connection is refused immediately and keys might be mismatched.10 minsMedium

Understanding the Error

When configuring a WireGuard VPN, encountering a 'connection refused', 'handshake did not complete', or dealing with severe packet loss can be incredibly frustrating. Unlike traditional VPN protocols like OpenVPN or IPsec, WireGuard is "stealthy" by design. It does not respond to unauthenticated packets, meaning that if your keys are wrong or a port is blocked, WireGuard will simply drop the packets silently. This design makes scanning for open WireGuard ports difficult, but it also means you won't get a helpful 'connection rejected' error directly from the protocol.

Usually, when a user says 'WireGuard connection refused', they are either seeing a timeout, a complete lack of data transfer after the interface comes up, or their client application (like the Windows or macOS GUI) is reporting a failure to establish the tunnel.

Related symptoms often include:

  • High Latency & Packet Loss: The connection establishes, but ping times are erratic, and large file transfers fail.
  • Port Blocked: ISP or cloud provider firewalls dropping UDP packets on port 51820.
  • Unreachable LAN/Internet: The tunnel is up, wg show reports a recent handshake, but you cannot ping 8.8.8.8 or internal servers.

Let's break down the diagnostic process and the definitive fixes for these issues.

Step 1: Diagnose Handshake Failures

The first and most crucial step in troubleshooting WireGuard is verifying if a cryptographic handshake is actually occurring.

Run the following command on your WireGuard server (and client, if running Linux):

sudo wg show

Look for the latest handshake field under the peer section.

  • If you see latest handshake: 1 minute, 12 seconds ago (or similar): Your keys are correct, and the UDP port is reachable. Your issue is likely routing, IP forwarding, or MTU related.
  • If the latest handshake field is missing entirely, or is hours/days old: The peers cannot communicate. This points to a blocked port, incorrect endpoint IP, or mismatched cryptographic keys.
Verifying Network Traffic with tcpdump

If the handshake is failing, you need to know if the packets are even reaching the server. Use tcpdump on the server to listen on the WireGuard port (default 51820):

sudo tcpdump -n -i eth0 udp port 51820

(Replace eth0 with your actual public-facing network interface).

Now, try to connect from the client.

  • If you see incoming UDP packets but no outgoing packets: The firewall is allowing traffic, but WireGuard is ignoring it. This almost always means the client's public key configured on the server does not match the client's actual private key, or the AllowedIPs are misconfigured.
  • If you see NO incoming packets: The traffic is being blocked upstream. Check your cloud provider's security groups (AWS, GCP, Azure), your router's port forwarding, and the server's local firewall (UFW, iptables, firewalld).

Step 2: Fix Firewall and Port Blocking Issues

WireGuard requires UDP. TCP will not work. A common mistake is opening TCP port 51820 instead of UDP.

For UFW (Ubuntu/Debian): sudo ufw allow 51820/udp

For firewalld (CentOS/RHEL): sudo firewall-cmd --add-port=51820/udp --permanent sudo firewall-cmd --reload

Cloud Providers: If you are hosting the server on AWS EC2, you must edit the Security Group attached to the instance and add an Inbound Rule: Type: Custom UDP, Port Range: 51820, Source: 0.0.0.0/0 (or restrict to your specific client IPs).

Step 3: Resolve Routing and IP Forwarding (Internet Access Fails)

If wg show confirms a successful handshake, but the client has no internet access or cannot reach the server's LAN, the server is likely not forwarding packets.

Linux disables packet forwarding by default. To enable it temporarily, run: sudo sysctl -w net.ipv4.ip_forward=1

To make this persistent across reboots, edit /etc/sysctl.conf and uncomment or add: net.ipv4.ip_forward=1 Then apply with sudo sysctl -p.

Additionally, you must configure NAT (Network Address Translation) via iptables so that traffic originating from the WireGuard subnet (e.g., 10.66.66.0/24) is translated to the server's public IP when accessing the internet.

In your server's wg0.conf under the [Interface] section, add:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(Ensure eth0 matches your actual public interface name).

Step 4: Fix High Latency, Packet Loss, and Hanging Connections (MTU)

If SSH connects but hangs after typing a command, or HTTPS sites partially load and then spin endlessly, you are almost certainly experiencing an MTU (Maximum Transmission Unit) blackhole.

WireGuard adds 60 bytes (for IPv4) or 80 bytes (for IPv6) of overhead to every packet. If your physical network interface has an MTU of 1500, and WireGuard is also set to 1500, the resulting packets will be 1560 bytes, causing fragmentation. If a router along the path drops fragmented packets (common), the connection hangs.

The standard fix is to explicitly set a lower MTU in the client and server wg0.conf files:

[Interface]
...
MTU = 1420

If you are on an internet connection that already uses PPPoE (like some DSL or Fiber connections), the base MTU might be 1492. In that case, you need to lower the WireGuard MTU further, to 1360 or 1280.

Restart the interface after changing the MTU: sudo wg-quick down wg0 && sudo wg-quick up wg0

Step 5: Address Endpoint IP and Roaming Issues

WireGuard is excellent at roaming (switching between WiFi and Cellular). However, if the server's IP address changes (dynamic IP) and the client is configured with a static Endpoint = IP:51820, the connection will silently fail until the client interface is restarted.

To fix this, use a Dynamic DNS (DDNS) hostname for the Endpoint in the client config instead of a hardcoded IP address. Endpoint = myvpn.example.com:51820

Keep in mind that WireGuard only resolves the DNS name when the tunnel is brought up. If the IP behind the DNS name changes while the tunnel is active, WireGuard won't automatically re-resolve it. You may need a watchdog script to ping an internal IP and restart the tunnel if pings fail.

Summary of Best Practices

  1. Always double-check keys: Ensure the PublicKey in the server's [Peer] block perfectly matches the client's generated public key, and vice versa.
  2. Check AllowedIPs: The AllowedIPs setting dictates routing. For a full-tunnel VPN, use AllowedIPs = 0.0.0.0/0, ::/0 on the client. On the server, the AllowedIPs for a peer must exactly match that peer's assigned inner-VPN IP (e.g., 10.66.66.2/32).
  3. Monitor logs: Use dmesg | grep wireguard on Linux to view kernel-level WireGuard debug messages if things are still failing.

Frequently Asked Questions

bash
# Diagnostic commands for WireGuard issues

# 1. Check if handshake is completing
sudo wg show

# 2. Monitor for incoming UDP packets on the VPN port (replace eth0 with your public interface)
sudo tcpdump -n -i eth0 udp port 51820

# 3. Enable IP forwarding on the server (temporary)
sudo sysctl -w net.ipv4.ip_forward=1

# 4. Check kernel logs for WireGuard errors
dmesg | grep wireguard

# 5. Example PostUp iptables rule for NAT (add to server wg0.conf [Interface] block)
# PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
E

Error Medic Editorial

Error Medic Editorial is a collective of senior DevOps and SRE professionals dedicated to demystifying complex networking, infrastructure, and cloud systems. With decades of combined experience managing high-traffic Linux environments, our goal is to provide actionable, no-nonsense troubleshooting guides.

Sources

Related Guides

WireGuard Connection Refused: Fix 'connection refused', High Latency, and Packet Loss
WireGuard connection refused? Fix port blocking, handshake failures, and packet loss with step-by-step commands for Linux, pfSense, and Docker.
AWS ALB 502 Bad Gateway & 504 Gateway Timeout: Complete Troubleshooting Guide
Fix AWS ALB 502 Bad Gateway and 504 timeout errors fast. Covers target health, keep-alive mismatches, idle timeout tuning, and exact CLI diagnostic commands.
Envoy 503 Service Unavailable: Complete Troubleshooting Guide
Fix Envoy 503 errors fast: diagnose no_healthy_upstream, circuit breaker trips, and health check failures using the Admin API and config tuning.
Envoy 503 Service Unavailable: Root Causes and Troubleshooting Guide
Fix Envoy 503 Service Unavailable errors. Learn how to diagnose upstream connection failures, connection pool exhaustion, and TLS issues with actionable steps.