[WireGuard] Virtual Private Network

I think wg-quick@wg0 is a duplicate from the older version, it is safe to remove from the admin panel. :wink:

Regarding the lack of handshake, can you check that your main network interface is indeed enp4s0 and that the firewall is opened for WireGuard’s port?


safe to remove from the admin panel

I stopped the wg-quick service in the Admin UI, but that stops both wg-quick and wireguard service. They seem linked somehow.

I didn’t do any configuration changes other than update the app.

Main interface is enp4s0.

$ ip a
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether MACADDRESS
    inet 192.168.15.228/24 brd 192.168.15.255 scope global noprefixroute enp4s0
       valid_lft forever preferred_lft forever
    inet6 fd83:1775:7776:0:c1cc:163d:1ca:95ae/64 scope global mngtmpaddr noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::ae77:cee8:b018:1c49/64 scope link 
       valid_lft forever preferred_lft forever

Firewall is opened on Yunohost and my router. I didn’t make any changes.

$ sudo yunohost firewall list
opened_ports: 
 (many ports)
  - 8096

I am poking around and looking in the systemctl stuff…maybe this gives us some clues.

$ sudo systemctl list-units --all
 wg-quick@wg0.service                                                            loaded    active   exited    WireGuard via wg-quick(8)
● wireguard.service                                                               not-found inactive dead      wireguard.service        
  wireguard@wg0.service                                                           loaded    active   exited    WireGuard on wg0         
  wireguard_ui.service                                                            loaded    active   running   WireGuard UI             
● wireguard_ui_conf.service                                                       not-found failed   failed    wireguard_ui_conf.service

I meant removing: yunohost service remove wg-quick@wg0 :wink:

Unfortunately no, the not-found services were removed upon last upgrade, they may still figure in some logs somewhere, but that’s not the issue. :confused:

Hmm ok.
Removed wg-quick@wg0.
Restarted wireguard@wg0.
No handshake.

I also tried creating a new client in the wireguard UI and connecting to that.
No handshake.

I could just reinstall the app because it sounds like people are having success with a fresh install.

Hello, I am very impatient for the app to be functional. Currently I have it in a Proxmox container and it works perfectly, just not the client management.

Small question: in a future version, will it also be possible to manage iptables per client?

Thanks, good job anyway.

Ok, just popping in here with positive information for the developers of this app and others…

I recently had problems with my server (dnsmasq, wireguard, pihole) and did a full reinstall.
I installed wireguard on a clean system and it works marvelously. There must’ve been some weird stuff with how those programs all reacted with each other - especially Pihole!

New install fixed the last problems I had with wireguard in the past:

  • my offsite wireguard machine couldn’t use the internet before - NOW FIXED!
  • recently, before my system had major problems, I couldn’t get wireguard working - NOW FIXED!

So lots of praise to the wireguard team. The latest updates really make wireguard a breeze to install and use immediately. I didn’t even install the Wireguard headers before the install. The installer handled it well. :smiling_face_with_three_hearts:


We will depend on the upstream WireGuard UI app for that, which does not have this feature. If you want to do it manually, check WireGuard’s documentation (I’m not sure it’s possible, actually). I have enough problems with the current feature, I cannot help you further, sorry. :confused:


No problem, don’t worry, it was just a question. Keep going :wink:


Has anybody’s WireGuard stopped working suddenly? Or is it just my setup?

From this morning, about 12 hours ago, I can’t get a handshake with my client to Yunohost. I didn’t do anything recently to change settings.

This was the last thing I upgraded but it was working for a whole day after this.

    description: Upgrade system packages
    name: 20220314-064916-tools_upgrade
    path: /var/log/yunohost/categories/operation/20220314-064916-tools_upgrade.yml
    started_at: 2022-03-14 14:49:16

Things I tried:

  • rebooting Yunohost
  • on my phone client, delete and re-scan the WireGuard profile
  • restart the wg-quick@wg0 service

sudo journalctl -u wg-quick@wg0 | tail -n 50

-- Logs begin at Tue 2022-03-15 18:11:35 CST, end at Tue 2022-03-15 18:26:26 CST. --
Mar 15 18:11:47 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 15 18:11:48 arkadi.one wg-quick[725]: [#] ip link add wg0 type wireguard
Mar 15 18:11:48 arkadi.one wg-quick[725]: [#] wg setconf wg0 /dev/fd/63
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::1/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::2/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::3/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::4/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -6 address add fd42::/112 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip link set mtu 1450 up dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -6 route add fd42::/32 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip link set multicast on dev wg0
Mar 15 18:11:52 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.
Mar 15 18:17:43 arkadi.one systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
Mar 15 18:17:43 arkadi.one wg-quick[2548]: [#] ip link delete dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2548]: [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
Mar 15 18:17:43 arkadi.one wg-quick[2548]: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 15 18:17:43 arkadi.one systemd[1]: wg-quick@wg0.service: Control process exited, code=exited, status=1/FAILURE
Mar 15 18:17:43 arkadi.one systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Mar 15 18:17:43 arkadi.one systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
Mar 15 18:17:43 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip link add wg0 type wireguard
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] wg setconf wg0 /dev/fd/63
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::1/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::2/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::3/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::4/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -6 address add fd42::/112 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip link set mtu 1450 up dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -6 route add fd42::/32 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip link set multicast on dev wg0
Mar 15 18:17:44 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.

Any suggestions? :smiley: The allowed IP warning seems ominous…but not sure how to fix that.

I cannot comment on the sudden change, sorry. :confused:

That one may have been due to an unprocessed Post Down script. The next service start does not complain about this rule.

AllowedIPs determines which IPs the client’s WireGuard interface can connect to.

It should be something like fd42::/32 if the client is only allowed to connect to the VPN’s network while in IPv6. Can you check the settings of your clients?

(Remark on the network mask.)

However this /32 mask would cover this IP range:

Start IP: fd42:0000:0000:0000:0000:0000:0000:0000
End IP: fd42:0000:ffff:ffff:ffff:ffff:ffff:ffff

(calculated with IPv6 CIDR Calculator)

If you don’t need a network that large, you could aim at /96 or /112 to get End IP: fd42:0000:0000:0000:0000:0000:ffff:ffff and End IP: fd42:0000:0000:0000:0000:0000:0000:ffff, respectively.

However, if you want them to connect to the Internet through the VPN, then it should be ::/0, 0.0.0.0/0 for example.

I thought those network masks are weird but I’ve never changed them myself. It feels like Wireguard changed them at some point.

I just made a new client in the Wireguard UI and the network mask is now fd42::5/128

Also the UI looks a bit weird, is there not supposed to be a code to scan to the left of the clients?

It does not look like it, it’s the allocated IPv6 you are mentioning. However, can you share the configuration file you can download, anonymized with the private and public keys removed, as well as your server address?

In the latest version, the QR code will appear if you click the gray Scan button. :wink:

[Interface]
Address = 10.10.10.2/32,fd42::2/32
PrivateKey = [PRIVATE KEY]

[Peer]
PublicKey = [PUBLIC KEY]
PresharedKey = [PRESHARED KEY]
AllowedIPs = 0.0.0.0/0
Endpoint = SERVERIP:8095
PersistentKeepalive = 15

Mmmh, /32 is OK for allocating only one address in IPv4. However for IPv6 it should be /128. That may be the issue.

As to why it displays /128 in the UI and /32 in the downloaded file… :exploding_head:
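A pre-flight check for the prefix problem discussed above, as an added example (not code from this thread or from the YunoHost app): it walks a WireGuard config, flags every Address/AllowedIPs entry whose host part is nonzero (the condition behind the wg-quick warning in the logs, since this UI turns a client's Address into that peer's server-side AllowedIPs), suggests the single-host prefix, and reports the range a prefix covers, as in the /32, /96, /112 comparison. The sample config is the anonymized one posted above, embedded as a constructed string.

```python
"""Pre-flight check of Address / AllowedIPs prefixes in a WireGuard config."""
import ipaddress

# Constructed sample: the anonymized client config posted in the thread.
# fd42::2/32 is the kind of entry wg(8) reports as "nonzero host part"
# once it lands in the server's AllowedIPs for this peer.
SAMPLE_CLIENT_CONF = """\
[Interface]
Address = 10.10.10.2/32,fd42::2/32
PrivateKey = [PRIVATE KEY]

[Peer]
PublicKey = [PUBLIC KEY]
PresharedKey = [PRESHARED KEY]
AllowedIPs = 0.0.0.0/0
Endpoint = SERVERIP:8095
PersistentKeepalive = 15
"""

PREFIX_KEYS = {"Address", "AllowedIPs"}

def cidr_entries(conf_text):
    """Yield (section, key, cidr); hand-rolled because configparser would merge repeated [Peer] sections."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if key.strip() in PREFIX_KEYS:
            for cidr in filter(None, map(str.strip, value.split(","))):
                yield section, key.strip(), cidr

def check_prefixes(conf_text):
    """Return (section, key, cidr, suggested) for each prefix with a nonzero
    host part. fd42::2/32 names a 2^96-address range, not one peer; the
    single-host form is /128 for IPv6 (and /32 for IPv4)."""
    findings = []
    for section, key, cidr in cidr_entries(conf_text):
        iface = ipaddress.ip_interface(cidr)
        if iface.ip != iface.network.network_address:
            findings.append((section, key, cidr,
                             f"{iface.ip}/{iface.ip.max_prefixlen}"))
    return findings

def prefix_range(cidr):
    """First and last address a prefix covers, exploded like the table above."""
    net = ipaddress.ip_interface(cidr).network
    return net.network_address.exploded, net.broadcast_address.exploded
```

To check a downloaded profile, call check_prefixes() on the file's contents; an empty list means wg setconf will not warn about host bits.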

Ok so I got rid of the AllowedIPs error by changing all clients to have fd42::#/128. I added allowed ip of ::/0 too.

sudo journalctl -u wg-quick@wg0

Mar 16 11:03:50 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip link add wg0 type wireguard
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] wg setconf wg0 /dev/fd/63
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip -6 address add fd42::/112 dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip link set mtu 1450 up dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTI
Mar 16 11:03:51 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.

But is the ip -6 address supposed to be fd42::/112?

Still no handshakes from Android or Linux client.

From Linux laptop:

sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.3/32 dev wg0
[#] ip -6 address add fd42::3/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

sudo wg (on Yunohost server)

interface: wg0
  public key: PUB_KEY
  private key: (hidden)
  listening port: 8095

peer: PEER_NUMBER
  preshared key: (hidden)
  allowed ips: 10.10.10.1/32, fd42::1/128

peer: PEER_NUMBER
  preshared key: (hidden)
  allowed ips: 10.10.10.2/32, fd42::2/128

peer: PEER_NUMBER
  preshared key: (hidden)
  allowed ips: 10.10.10.3/32, fd42::3/128

peer: PEER_NUMBER
  preshared key: (hidden)
  allowed ips: 10.10.10.4/32, fd42::4/128

peer: PEER_NUMBER
  preshared key: (hidden)
  allowed ips: 10.10.10.5/32, fd42::5/128

SOLVED!
I reinstalled and it works fine. I’m not sure why it always gets like this every 3-6 months with updates.

During the installation it said this…

Warning: Packagers: ynh_add_app_dependencies is deprecated and is now only an alias to ynh_install_app_dependencies
Warning: wg-quick.target is a disabled or a static unit, not starting it.
Info: '/etc/apt/trusted.gpg.d/wireguard.asc' wasn't deleted because it doesn't exist.

It’s me again. I seem to always have problems with Wireguard.

  • Wireguard stopped getting handshake with one of my computers about 21 days ago (Debian 11 system)
  • Phone to Wireguard kept working up until a few days ago
  • I reinstalled wireguard
  • tried test connection, doesn’t work

I found this link that mentioned a way to test UDP connections between machines

I tried it out but can’t get UDP messages to get through.

On Yunohost I did this:
sudo systemctl stop wg-quick@wg0.service
sudo nc -vv -u -l 8095

On phone and another laptop (both different networks) I did this:
sudo nc -u <Yunohost_Public_IP> 8095

I tried sending some text both ways, but it fails. Is that the right way to test this? Does this mean UDP is not going through? Any suggestions of how to investigate further?

EDIT:

  • Update, I made a Digital Ocean Droplet (VPS, Debian 11) installed Wireguard.
  • Connected to it with my phone and it worked right away
  • I tried using netcat to see if messages get through that way, they do.
  • so something wrong with my router? or ISP? so strange.

EDIT2:

  • I did netcat test on local network and it worked. I guess it’s a router problem.
  • I changed forwarding rules on my router to not list the internal port it redirects to and forward TCP/UDP. It was only forwarding UDP before.
  • Phone to Yunohost works.
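The netcat test above can only show that text did not arrive; this added example (not code from the thread) sends one datagram and waits for an acknowledgement, so the sender can tell "reached the host" from "dropped in transit". The intended use is udp_responder on the YunoHost server with wg-quick@wg0 stopped and udp_probe from the phone or laptop network; loopback_selftest runs the same round trip on 127.0.0.1, which is the local-network check from the second edit. The port 8095 and the host addresses are assumptions to replace with your own.

```python
"""UDP reachability probe with a reply: a loopback-testable stand-in for nc -u."""
import socket
import threading

def udp_responder(bind_addr, port, state, ready, timeout=5.0):
    """Answer one datagram with an 'ack:' prefix, like `nc -u -l` but with a reply.

    Run on the server with wg-quick@wg0 stopped: only one socket can own
    the WireGuard port, and the reply is what lets the sender distinguish
    "reached the host" from "silently dropped by the router or ISP".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        state["port"] = s.getsockname()[1]   # real port (port=0 picks a free one)
        s.settimeout(timeout)
        ready.set()
        try:
            data, peer = s.recvfrom(2048)
        except OSError:                      # timeout: nothing got through
            state["peer"] = None
            return
        s.sendto(b"ack:" + data, peer)
        state["peer"] = peer

def udp_probe(host, port, payload=b"wg-probe", timeout=2.0):
    """Send one datagram; True only if the responder acknowledged it in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except OSError:                      # timeout or ICMP port unreachable
            return False
        return data == b"ack:" + payload

def loopback_selftest(port=0):
    """Responder and probe on 127.0.0.1: the local-network check from the thread.

    If this passes but a probe from outside fails against the same responder,
    the drop is in the router port-forward or at the ISP, not on the host.
    """
    state, ready = {}, threading.Event()
    t = threading.Thread(target=udp_responder,
                         args=("127.0.0.1", port, state, ready))
    t.start()
    ready.wait()
    ok = udp_probe("127.0.0.1", state["port"])
    t.join()
    return ok and state["peer"] is not None

if __name__ == "__main__":
    # Assumed port 8095 from the thread; any free port works for the self-test.
    print("loopback UDP round trip:", "ok" if loopback_selftest() else "FAILED")
```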

Hey!

I tried to get WireGuard to work for the last 3 days, but I don’t know what I am doing wrong.
Raspberry 4 - current version
Web installation of WireGuard and only added a client, nothing else changed (yes, I pressed apply and restarted the server :slight_smile: )
Opened Port 8097 (UDP and TCP) on my FritzBox (router).
But my smartphone cannot connect => no handshake.
wg0 is up.

Please, be specific.


It’s a bit tricky to debug, let’s assess the situation. Can you report the output of the following commands?

uname -r
dkms status
wg #the command should hide sensitive information, but do a double-check still
dmesg | grep wireguard

Notably, make sure wg reports 8097 as listening port.
Regarding your smartphone, is it failing on both your local network and its data connection?

I installed a fresh version on a thin client, but the same behavior (this time the port is 8095):

> uname -r
5.10.0-16-amd64

> dkms status
=> …nothing? Had to install it first

> wg
interface: wg0
  public key: ZCkOibQOwplo5efAuMiMsD1VT690bQIQj4JHzt3CIl8=
  private key: (hidden)
  listening port: 8095

peer: *********************************** (removed it)
  preshared key: (hidden)
  allowed ips: 10.10.10.1/32, fd42::1/128

> dmesg | grep wireguard
[    2.053734] systemd[1]: Configuration file /etc/systemd/system/wireguard_ui.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
[    2.067736] systemd[1]: Created slice system-wireguard.slice.
[    3.164799] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[    3.164801] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserv
> ip a
3: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.10.10.0/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd42::/112 scope global 
       valid_lft forever preferred_lft forever

=> and I don’t have eth0 … there is eno1

Yes both.

Edit: is this normal?

No worries, it’s needed if the kernel version is lower than 5.

Yes, this page needs the web UI to be run as root and… meh.

Is eno1 the interface mentioned in the PostUp and PostDown commands in the “WireGuard Server” section of the UI?
For example, I have eth0 so the PostUp command is

iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip link set multicast on dev %i

and PostDown is

iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE