Hello everyone, I have just installed WireGuard so I apologise if some of the things I missed may be obvious.

As a background: I have a working OpenVPN connection to my server and wanted to have a WireGuard setup in parallel to compare both. The server is installed on Ubuntu bionic (LTS) and the client is on an AWS machine (Ubuntu as well).

Server perspective:

```
root@srv /e/wireguard# wg show
interface: wg0
  public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
  private key: (hidden)
  listening port: 51820

peer: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  preshared key: (hidden)
  allowed ips: 0.0.0.0/0
```

Client perspective (X.X.X.X is my Internet-facing IP):

```
# wg show
interface: wg0
  public key: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  private key: (hidden)
  listening port: 33960

peer: YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=
  preshared key: (hidden)
  endpoint: X.X.X.X:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 98.86 KiB sent
  persistent keepalive: every 10 seconds
```

On the server, the traffic to wg0 is redirected (to wg0) for port 51820. I am surprised that there is no actual service listening on 51820 (as seen by lsof or netstat) but I assume this is some WireGuard voodoo (such as "if a packet directed to port 51820 gets to me (wg0) then I will be correctly dealing with it").

I then tried to ping:

- on the client: the IP of its own wg0 (10.250.0.1): OK
- on the server: the IP of its own wg0 (10.250.0.254): OK
- on the client: 10.250.0.254 (the IP of the other side of the VPN = on the server): KO = nothing happens (ICMP echo is sent, as seen on tcpdump)
- on the server: 10.250.0.1 (the IP of the other side of the VPN = on the client): KO =

```
root@srv ~# ping 10.250.0.1
PING 10.250.0.1 (10.250.0.1) 56(84) bytes of data.
From 10.250.0.254 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=3 Destination Host Unreachable
From 10.250.0.254 icmp_seq=4 Destination Host Unreachable
```

I had a look at my internet interface (tcpdump filtered on port 51820) and I see, every 10 seconds, a UDP packet coming in (192.168.0.10 is the IP of the internet-exposed dev):

```
root@srv ~# tcpdump -i any port 51820 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:15:41.944090 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148
21:15:47.320081 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148
```

So this means that the client sends a UDP packet to the external IP (X.X.X.X), to port 51820. This packet is then forwarded to interface wg0.

Is there a way to check with WireGuard that a connection is established (= that the server receives data, or a connection attempt (even unsuccessful) is being done)?
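WireGuard has no connection state to inspect, but it does record the time of the last completed handshake per peer: `wg show` prints a `latest handshake:` line only once one has succeeded (the client output above has none), and `wg show <iface> dump` exposes that timestamp as a machine-readable field (0 when no handshake has ever completed). The script below is an added example, not from the original post or the WireGuard project, that classifies every peer from such a dump; it runs on a constructed sample built from the keys quoted above, with placeholder private keys, a made-up second peer, and made-up counters and timestamps.

```shell
#!/bin/sh
# `wg show <iface> dump` is tab-separated. Line 1 describes the interface
# (private-key public-key listen-port fwmark); every further line is one peer:
# public-key preshared-key endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive.
# latest-handshake is a Unix timestamp; 0 means the peer's packets have never been accepted.

# peer_status DUMP NOW [MAX_AGE]: prints "<public-key> <state> endpoint=<endpoint>" per peer.
# States: never-handshaked (timestamp 0), stale (older than MAX_AGE seconds; the default 180
# is WireGuard's session expiry, REJECT_AFTER_TIME), up (fresh handshake).
peer_status() {
    now=$2; max_age=${3:-180}
    printf '%s\n' "$1" | tail -n +2 |
    while IFS="$(printf '\t')" read -r pub _psk endpoint _allowed hs _rx _tx _ka; do
        if [ "$hs" -eq 0 ]; then state=never-handshaked
        elif [ $((now - hs)) -gt "$max_age" ]; then state=stale
        else state=up
        fi
        printf '%s %s endpoint=%s\n' "$pub" "$state" "$endpoint"
    done
}

# down_peers DUMP NOW [MAX_AGE]: number of peers that are not "up" (an alerting threshold).
down_peers() {
    peer_status "$@" | grep -vc ' up ' || true
}

# Constructed sample dump (not real output): interface and peer keys from the post above,
# a second hypothetical peer that handshook at 1600000175, placeholder secrets.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '(private-key-placeholder)' \
        'A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=' \
        '(psk-placeholder)' '35.180.168.248:33960' '0.0.0.0/0' 0 0 101232 10
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'SECONDPEERPUBKEYPLACEHOLDER=' \
        '(none)' '198.51.100.7:51820' '10.250.0.2/32' 1600000175 4096 8192 off
}

# On a real host replace the sample with live data:
#   peer_status "$(wg show wg0 dump)" "$(date +%s)"
peer_status "$(sample_dump)" 1600000200
```

A peer that keeps showing `never-handshaked` while its endpoint's UDP packets arrive (as in the tcpdump above) means the handshake initiations are being rejected, which is the case to investigate on both ends' key and peer configuration.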