
#1 2026-04-26 22:01:44

truonga
Member
Registered: 2026-03-30
Posts: 3

Can't handshake without an endpoint on server side on Wireguard

Hello everyone,

I'm kind of new to WireGuard and I have an issue with it. As the topic says, if I don't add the endpoint in my [Peer] section of the WireGuard configuration on the server side, I cannot ping from my laptop (client) to my server. I'll leave my configuration below, and I can add more if you guys need it. Thanks a lot for your help.

On my server side:

[Interface]
Address = 10.0.0.1/32
MTU = 1280
SaveConfig = true
PostUp=iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown=iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = my_server_private_key

[Peer]
PublicKey = my_laptop_public_key
AllowedIPs = 10.0.0.5/32

On my laptop side:

[Interface]
Address = 10.0.0.5/32
SaveConfig = true
ListenPort = 37921
FwMark = 0xca6c
PrivateKey = my_laptop_priv_key

[Peer]
PublicKey = my_serveur_public_key
AllowedIPs = 0.0.0.0/0
Endpoint = public_ip_addr_of_my_sv:51820
PersistentKeepalive = 30

Thanks!

Last edited by truonga (2026-04-27 07:31:14)


#2 2026-04-27 06:34:38

-thc
Member
Registered: 2017-03-15
Posts: 1,140

Re: Can't handshake without an endpoint on server side on Wireguard

Please use "code" tags to format your post.

Sanity check of your configuration:
- Please remove the "SaveConfig" parameters
- Please remove the "ListenPort" on your client
- If you have to set a lower MTU (server) try specifying the same MTU on the client


#3 2026-04-27 19:33:29

truonga
Member
Registered: 2026-03-30
Posts: 3

Re: Can't handshake without an endpoint on server side on Wireguard

Hi, I just did everything you said, including checking the public keys on both sides to make sure I made no mistake copying and pasting the keys. It didn't work, and I also generated new keys to check, but that didn't work either. I also deleted the MTU line.


#4 2026-04-27 20:17:47

stu
Member
Registered: 2021-10-19
Posts: 27

Re: Can't handshake without an endpoint on server side on Wireguard

Comparing this to my config, it should probably be:

Address = 10.0.0.1/24

With a "/32" you create a single host network, which can only communicate with itself.
Same on the client.

Last edited by stu (2026-04-27 20:18:15)


#5 2026-04-27 20:47:13

-thc
Member
Registered: 2017-03-15
Posts: 1,140

Re: Can't handshake without an endpoint on server side on Wireguard

@stu: As long as the peers don't need "peer-to-peer" communication it should work anyway (I've tested it).

@truonga: Is it possible that your server has no "own/real" public IP address (is behind a CG-NAT)?


#6 2026-04-27 21:34:47

truonga
Member
Registered: 2026-03-30
Posts: 3

Re: Can't handshake without an endpoint on server side on Wireguard

Hi, it seems like I solved the problem with no handshake without specifying the endpoint. The problem is that at some point I installed firewalld and forgot to configure it to allow port 51820, so that's why it blocked my ping (I guess). That explains why WireGuard was working and then suddenly stopped working. I fixed it by:

sudo firewall-cmd --permanent --add-port=51820/udp
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Now my laptop and my phone can handshake with my server. Yayyy!

And then there's another problem: I don't have internet on my phone's 4G/5G, and I think the problem is that Docker intercepts my traffic and drops packets.

sudo iptables -L FORWARD -n -v
Chain FORWARD (policy DROP 11053 packets, 2732K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 149K  586M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 149K  586M DOCKER-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  701  228K ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0

So I fixed it by:

sudo iptables -I DOCKER-USER -i wg0 -j ACCEPT
sudo iptables -I DOCKER-USER -o wg0 -j ACCEPT

And it seems to work now; I have a connection back on my phone. So I think I will make it permanent in my config:

PostUp = iptables -I DOCKER-USER -i wg0 -j ACCEPT; iptables -I DOCKER-USER -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PreDown = iptables -D DOCKER-USER -i wg0 -j ACCEPT; iptables -D DOCKER-USER -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE

I don't know if it's the proper way to fix it, and I appreciate any help. Thank you!

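An added check (example code, not from anyone in the thread) for the situation in this post: a POSIX sh function, run here on constructed `iptables -S` output modelled on the FORWARD chain shown above, that flags when the FORWARD policy is DROP (Docker sets it that way) but only the `-i wg0` direction is accepted, so replies from the uplink back to wg0 fall through to the drop. The function name and the interface name wg0 are assumptions.

```shell
#!/bin/sh
# Constructed sample: what `iptables -S FORWARD; iptables -S DOCKER-USER`
# looks like on a host where Docker set the FORWARD policy to DROP and the
# WireGuard PostUp only accepted traffic arriving on wg0 (before the fix).
SAMPLE_BEFORE='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed sample after the DOCKER-USER rules from the post were inserted.
SAMPLE_AFTER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -o wg0 -j ACCEPT
-A DOCKER-USER -i wg0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# wg_forward_check RULES [IFACE]
# Reads iptables-save style rules for the FORWARD path. If the chain policy
# is DROP, both directions must be accepted explicitly: packets coming in on
# the tunnel (-i wg0) and the replies going back out to it (-o wg0, or a
# conntrack ESTABLISHED rule). Prints each missing piece; returns 0 when ok.
wg_forward_check() {
    rules=$1
    wg=${2:-wg0}
    rc=0
    # Policy ACCEPT: unmatched forwarded packets pass anyway, nothing to flag.
    printf '%s\n' "$rules" | grep -q -e '^-P FORWARD DROP$' || return 0
    printf '%s\n' "$rules" | grep -Eq -e "-i $wg .*-j ACCEPT" \
        || { echo "missing: ACCEPT for -i $wg"; rc=1; }
    printf '%s\n' "$rules" | grep -Eq \
        -e "-o $wg .*-j ACCEPT" -e 'ESTABLISHED.*-j ACCEPT' \
        || { echo "missing: ACCEPT for -o $wg (return traffic)"; rc=1; }
    return $rc
}

# Live use on the server (needs root): feed the real chains in.
# wg_forward_check "$(iptables -S FORWARD; iptables -S DOCKER-USER)"
```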
