WireGuard VPN Troubleshooting Guide
Common problems and solutions for your WireGuard VPN setup
Frequently Asked Questions
Why can't I connect to my WireGuard VPN?
If you're unable to connect, check these common issues:
- Check if WireGuard service is running:
sudo systemctl status wg-quick@wg0
- Verify the server is listening on the correct port:
sudo netstat -ulnp | grep 51820
- Check firewall rules:
sudo ufw status
- Verify IP forwarding is enabled:
Should returncat /proc/sys/net/ipv4/ip_forward
1
My VPN connection keeps dropping. How do I fix it?
Connection drops are often caused by NAT timeout or firewall issues:
- Add PersistentKeepalive to client config:
PersistentKeepalive = 25
- Check server logs for errors:
sudo journalctl -u wg-quick@wg0 -f
- Verify MTU settings match on both server and client (recommended: 1420)
- Check if your router/firewall is blocking UDP port 51820
I'm getting "wg0 already exists" error. What should I do?
This error occurs when the interface is already active. Fix it with:
sudo wg-quick up wg0
Or restart the service:
My VPN is slow. How can I improve speed?
Several factors can affect VPN speed:
- Server location: Choose a server closer to your physical location
- Server resources: Ensure your VPS has adequate CPU and bandwidth
- Network optimization: Follow our VPN Tunes Up guide for performance optimizations
- MTU size: Set MTU to 1420 to avoid packet fragmentation
- BBR congestion control: Enable BBR for better throughput
How do I add multiple users/peers to my WireGuard VPN?
To add additional peers:
- Generate keys for the new peer (on client device):
wg genkey | tee privatekey | wg pubkey > publickey
- Add peer to server configuration:
sudo wg set wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.8.0.X/32
- Save configuration:
sudo wg-quick save wg0
Can't access internet when connected to VPN. What's wrong?
This usually indicates a routing or NAT issue:
- Verify IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
- Check iptables NAT rules:
sudo iptables -t nat -L -n -v
- Verify PostUp rules in server config include MASQUERADE
- Check if client config has correct AllowedIPs (use 0.0.0.0/0 for all traffic)
How do I check if my VPN is working correctly?
Use these commands to verify your VPN:
- Check WireGuard status:
sudo wg show
- Test connection from client:
ping 10.8.0.1
- Check your public IP (should show server IP when connected):
curl ifconfig.me
- Test DNS resolution:
nslookup google.com
How do I change the WireGuard port?
To change the listening port:
- Edit server configuration:
sudo nano /etc/wireguard/wg0.conf
- Change ListenPort to your desired port (e.g., 51821)
- Update firewall rules:
sudo ufw allow 51821/udp
- Restart WireGuard:
sudo systemctl restart wg-quick@wg0
- Update client config with new port in Endpoint
How do I remove or revoke a peer's access?
To remove a peer from your VPN:
sudo wg-quick save wg0
Or edit the config file directly and remove the peer section, then restart the service.
Common Error Messages
Error: "RTNETLINK answers: File exists"
Solution: The interface already exists. Bring it down first:
sudo wg-quick up wg0
Error: "Unable to access interface: Protocol not supported"
Solution: WireGuard kernel module is not loaded. Install WireGuard:
sudo apt install wireguard wireguard-tools
Error: "iptables: No chain/target/match by that name"
Solution: iptables modules are missing. Load them:
sudo modprobe ip6table_nat
Error: "Invalid key" or "Key is wrong size"
Solution: Regenerate keys using the correct method:
Ensure keys are base64 encoded and exactly 44 characters long (including padding).