For some time now we've seen a recurring issue where WireGuard
handshakes start failing. Sometimes this affects only a few peers, but
often it affects all peers. These handshakes fail even when pings to
the peer public addresses succeed. These failures happen after the
peer DNS addresses have been resolved and the tunnel has been
functioning for some time.

Restarting the tunnel resolves the issue in nearly every case. An
example log from WireGuard for Windows 0.3.11 is attached. If left
alone for minutes or hours, sometimes the issue resolves itself given
time, but not always.

The logs I've seen include many lines like this one:

2021-04-22 11:44:57.635923: [TUN] [SCJ] peer(WBaN…k8hA) - Handshake
did not complete after 5 seconds, retrying (try 8)

With about 100 machines running WireGuard for Windows, this seems to
happen with weekly and sometimes daily frequency. We've seen it happen
on at least a dozen different Windows machines. This has been
happening at least since WireGuard for Windows 0.3.8, and possibly as
far back as 0.3.4 or longer.

Our use case is staff connecting to a set of office networks from
home, so the home network setup for some staff could be a factor. I'm
pretty sure it can happen without a laptop being physically relocated.
I'm pretty sure it has happened while staff were in the middle of
actively using the tunnel. I don't think it's limited to a single
internet service provider.

I realize handshakes can fail for a number of network-related reasons.
It might not be a WireGuard issue at all; there could be a firewall
somewhere along the way that is doing some chicanery with connection
tracking. I had hoped to narrow this down more before reporting it,
but so far I haven't been able to identify a common set of conditions.
This has happened often enough and in enough circumstances now that I
felt it was time to at least mention it on the list.

I would be happy to provide additional configuration details off-list.
If there is any other information we can collect that would be
helpful, we'd be happy to do investigative work on this.

Thanks!

Joshua Sjoding
SCJ Alliance
IT Specialist
www.scjalliance.com