Category: Security & Privacy Guides
Author: jmarket
Tags: VPN, WireGuard, IKEv2, Troubleshooting, Security, Networking
Introduction
Even the best VPN setups can run into connection or configuration issues.
This guide helps you quickly identify and resolve common problems with **WireGuard** and **IKEv2** self-hosted VPNs.
Each section lists symptoms, causes, and fixes — designed for both home and VPS-based servers.
⚙️ General VPN Checks
Before diving into protocol-specific fixes, start with these basics:
- 1. Check your firewall ports
- WireGuard: UDP 51820 (or whatever `ListenPort` you chose) must be open
- IKEv2: UDP 500 and UDP 4500 must be open; once NAT is detected the whole session (IKE and ESP-in-UDP) moves to 4500
- On a VPS, check the provider's security group or cloud firewall as well as the host firewall. Confirm the host side with:
Code:
sudo ufw status
sudo firewall-cmd --list-ports
- 2. Verify server IP and DNS resolution
- Ping your server's IP and resolve its hostname; the name must resolve to the same address the client config points at. A failed ping only proves ICMP is blocked (common on VPS images), not that the VPN port is closed.
- Example:
Code:
ping your.server.ip
nslookup vpn.example.com
- 3. Test connectivity
- Visit ipleak.net or dnsleaktest.com.
- If your public IP doesn't change, the VPN tunnel isn't active (or it is a split tunnel that doesn't send internet traffic through the server).
- 4. Reboot the server
- Simple but effective. Restart the VPN service first (`systemctl restart wg-quick@wg0` or `systemctl restart strongswan`) and read its log; a full reboot clears stale connections when that isn't enough.
🔒 WireGuard Issues & Fixes
- ❌ Problem: "Handshake did not complete"
Cause: Mismatched keys, a wrong Endpoint or port, or the UDP port blocked by a firewall. WireGuard is silent by design: a packet that fails key verification is dropped without any reply, so a key mismatch looks exactly like a closed port.
Fix:
- Verify the keys cross-match: the client's [Peer] PublicKey must be the server's public key and the server's [Peer] PublicKey must be the client's. Derive each from its private key with `wg pubkey < privatekey` and compare.
- Check AllowedIPs on each side. They are different by design: on the client, `0.0.0.0/0` for a full tunnel; on the server, only that client's tunnel address (e.g. `10.8.0.2/32`). Copying `0.0.0.0/0` into the server's [Peer] breaks routing for every peer.
- Confirm the client's Endpoint is your server's public IP (or DNS name) plus the server's ListenPort, e.g. `203.0.113.10:51820`.
- Run `sudo wg show` on both sides: a "latest handshake" timestamp means the tunnel is up; no timestamp means the initiation never got through or was rejected.
- ❌ Problem: "No Internet Access" after connecting
Cause: IP forwarding or NAT not configured on the server.
Fix:
- Enable IP forwarding. `sysctl -w` only lasts until the next reboot, so also put `net.ipv4.ip_forward = 1` in a file under `/etc/sysctl.d/`:
Code:
sudo sysctl -w net.ipv4.ip_forward=1
- Check for NAT rules in `/etc/wireguard/wg0.conf`. Replace `eth0` with your real uplink interface (`ip route get 1.1.1.1` shows it); a wrong interface name is the most common reason this rule silently does nothing:
Code:
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
- If the host firewall's FORWARD chain is default-deny (ufw sets `DEFAULT_FORWARD_POLICY="DROP"`), forwarded traffic is still dropped: also accept traffic from `wg0` in the FORWARD chain in PostUp, with the matching `-D` rule in PostDown.
- ❌ Problem: WireGuard starts but drops connection frequently
Cause: The client sits behind NAT and the UDP mapping expires while the tunnel is idle, or the ISP throttles or blocks the UDP port.
Fix:
- Add `PersistentKeepalive = 25` to the [Peer] section of the client config (the side behind NAT); the server does not need it.
- Switch the server's ListenPort and the client's Endpoint to a port that is less likely to be filtered (e.g. UDP 443). WireGuard is UDP only, so if the network blocks all UDP a different port will not help.
- ❌ Problem: Can't start wg0 interface
Fix: Check for syntax errors in `/etc/wireguard/wg0.conf` and read the error wg-quick prints: a key of the wrong length, a bad Address, or a PostUp command that exits non-zero all stop the interface. If it runs as a systemd unit, `journalctl -u wg-quick@wg0` shows the same output.
Run:
Code:
sudo wg-quick down wg0
sudo wg-quick up wg0
sudo wg show
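The checks above (keys that must cross-match, AllowedIPs that differ on purpose between the two sides, Endpoint and ListenPort, keepalive, the MASQUERADE rule) can be run against the two config files offline. The script below is an added example written for this guide, not WireGuard's own tooling: it derives each side's public key from its PrivateKey with a minimal X25519 (the same curve `wg pubkey` uses), parses both wg-quick files, and lists what would stop the handshake or the internet traffic. The sample configs are constructed; the addresses and hostname are hypothetical, and the private keys are the public RFC 7748 test vectors, so they must never be used on a real server. Python 3.8 or newer is assumed.

```python
"""Offline lint of a WireGuard client/server config pair. Added example for this
guide, not WireGuard's own tooling: a minimal RFC 7748 X25519 derives public keys
from PrivateKey, and the checks cover the AllowedIPs, Endpoint, keepalive and NAT
mistakes described above."""
import base64

P = 2**255 - 19

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; a WireGuard public key is x25519(private, 9)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp; bit 0 is cleared, so no final cswap is needed
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pubkey_of(private_b64: str) -> str:
    """Base64 public key for a base64 private key (what `wg pubkey` prints)."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), bytes([9]) + bytes(31))).decode()

def parse_wg(text: str) -> dict:
    """wg-quick INI -> {'Interface': {key: value}, 'Peers': [{key: value}, ...]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            conf["Peers"].append(section := {})
        elif line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def lint_pair(client_text: str, server_text: str) -> list:
    """Return the problems found; an empty list means the two configs agree."""
    client, server = parse_wg(client_text), parse_wg(server_text)
    c_if, s_if, c_peer = client["Interface"], server["Interface"], client["Peers"][0]
    c_pub, s_pub = pubkey_of(c_if["PrivateKey"]), pubkey_of(s_if["PrivateKey"])
    problems = []
    if c_peer.get("PublicKey") != s_pub:
        problems.append("client [Peer] PublicKey is not the server's public key: no handshake")
    s_peer = next((p for p in server["Peers"] if p.get("PublicKey") == c_pub), None)
    if s_peer is None:
        problems.append("server has no [Peer] with the client's public key: no handshake")
    else:  # the server side lists only that client's tunnel address, never 0.0.0.0/0
        want = c_if["Address"].split("/")[0] + "/32"
        if s_peer.get("AllowedIPs") != want:
            problems.append(f"server AllowedIPs for this peer must be {want}, not {s_peer.get('AllowedIPs')}")
    if "0.0.0.0/0" not in c_peer.get("AllowedIPs", ""):
        problems.append("client AllowedIPs lacks 0.0.0.0/0: internet traffic bypasses the tunnel")
    host, _, port = c_peer.get("Endpoint", "").rpartition(":")
    if not host or port != s_if.get("ListenPort"):
        problems.append(f"client Endpoint must be <server public IP>:{s_if.get('ListenPort')} (the server ListenPort)")
    if "PersistentKeepalive" not in c_peer:
        problems.append("client has no PersistentKeepalive: the NAT mapping expires while idle")
    if "MASQUERADE" not in s_if.get("PostUp", ""):
        problems.append("server PostUp has no MASQUERADE rule: clients get no internet")
    return problems

# Constructed sample pair: addresses and hostname are hypothetical; the private keys
# are the public RFC 7748 section 6.1 test vectors, so never reuse them anywhere real.
SERVER_PRIV = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
CLIENT_PRIV = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
SERVER_CONF = f"""[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {SERVER_PRIV}
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = {pubkey_of(CLIENT_PRIV)}
AllowedIPs = 10.8.0.2/32
"""
CLIENT_CONF = f"""[Interface]
Address = 10.8.0.2/24
PrivateKey = {CLIENT_PRIV}
[Peer]
PublicKey = {pubkey_of(SERVER_PRIV)}
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""
# The classic mistake: copying the client's AllowedIPs into the server's [Peer].
BROKEN_SERVER_CONF = SERVER_CONF.replace("AllowedIPs = 10.8.0.2/32", "AllowedIPs = 0.0.0.0/0")
```

Calling `lint_pair(CLIENT_CONF, SERVER_CONF)` returns an empty list, while `lint_pair(CLIENT_CONF, BROKEN_SERVER_CONF)` reports the server-side AllowedIPs mistake. To lint real files, read `/etc/wireguard/wg0.conf` and the client file into the two strings; the script never needs the `wg` binary, so it can run on a laptop with copies of both configs. The X25519 here is a readable reference implementation, not constant-time, which is fine for a lint tool but not for anything that handles live key material.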
🔐 IKEv2 Issues & Fixes (strongSwan)
- ❌ Problem: "No proposal chosen"
Cause: None of the IKE (or ESP) proposals the client offers appears in the server's list; the log shows NO_PROPOSAL_CHOSEN. Note which exchange failed: an `ike=` mismatch fails at IKE_SA_INIT, an `esp=` mismatch only later, when the CHILD_SA is negotiated.
Fix:
- Edit `/etc/ipsec.conf` (on newer installs the same settings are `proposals` and `esp_proposals` in `/etc/swanctl/swanctl.conf`) so the server lists the suites your clients actually offer. Prefer 2048-bit MODP or elliptic-curve groups; modp1024 (DH group 2) is too weak for a new deployment. If a legacy client really offers nothing stronger (older Windows negotiates modp1024 unless the `NegotiateDH2048_AES256` value under `HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters` is set), append `,aes256-sha256-modp1024` before the `!` as the last entry rather than making it the only one:
Code:
ike=aes256-sha256-modp2048,aes256-sha256-ecp256!
esp=aes256-sha256!
- Restart the service, then compare the proposals each side logged (`journalctl -u strongswan`, `sudo ipsec statusall`) if the error persists:
Code:
sudo systemctl restart strongswan
- ❌ Problem: "Authentication failed"
Cause: Wrong username or password (EAP), an expired certificate, a certificate the peer doesn't trust, or a server certificate whose subjectAltName doesn't match the hostname the client connects to.
Fix:
- Check `/etc/ipsec.secrets` for typos. EAP entries look like `alice : EAP "password"`; the file must be readable by root only.
- Check expiry with `openssl x509 -in server-cert.pem -noout -dates` and reimport or regenerate certificates that have expired. Windows clients in particular require the server certificate to carry a subjectAltName equal to the VPN hostname and the serverAuth extended key usage.
- Ensure the device trusts your CA certificate: install the CA certificate on the client, not just the server certificate.
- ❌ Problem: Connection times out on mobile devices
Cause: NAT traversal failing because UDP 4500 is blocked, or IKE fragmentation: mobile carriers and hotel networks often drop large UDP packets, and the IKE_AUTH message that carries the server certificate is large.
Fix:
- Ensure UDP 500 and 4500 are open, on the host firewall and on any cloud security group.
- NAT-T (NAT Traversal) is detected and enabled automatically by strongSwan; there is nothing to switch on. A client that only ever talks to port 4500 is normal behind NAT.
- Set `fragmentation=yes` in the connection definition in `/etc/ipsec.conf` so IKEv2 fragments the certificate-bearing messages instead of relying on IP fragments that the path may drop.
- ❌ Problem: "No internet access" after connection
Cause: Missing IP forwarding or NAT on the server, or a NAT rule whose source subnet doesn't match the client address pool.
Fix:
- Enable IP forwarding (and persist `net.ipv4.ip_forward = 1` under `/etc/sysctl.d/`, since `sysctl -w` is lost on reboot):
Code:
sudo sysctl -w net.ipv4.ip_forward=1
- Add a NAT rule for the pool you hand out with `rightsourceip` (here `10.10.10.0/24`; change the pool and the rule together, and replace `eth0` with your real uplink interface):
Code:
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
- This rule is not persistent; save it with `netfilter-persistent` (iptables-persistent) or your distribution's equivalent.
- Push a resolver to clients with `rightdns=` in the connection definition, otherwise the tunnel is up but names don't resolve.
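To see why a single `ike=aes256-sha256-modp1024!` line produces "No proposal chosen" for a client that offers modern Diffie-Hellman groups, and why the fix is to list the suites clients offer rather than to keep downgrading, the following added example (written for this guide, not strongSwan code) simulates the responder's choice. It parses ipsec.conf-style `ike=` / `esp=` strings (comma-separated enc-integ-dh suites, trailing `!` meaning strict, with no default suites appended) and picks the first server-configured suite the client also offers. That server-order preference is how I understand strongSwan behaves as responder with the default `charon.prefer_configured_proposals = yes`; verify it against your own strongswan.conf. The client offer lists are constructed for the example, not captured from any particular OS.

```python
"""Simulate strongSwan proposal selection to explain NO_PROPOSAL_CHOSEN.

Added example for this guide, not strongSwan code. Server-order preference is
assumed (charon.prefer_configured_proposals = yes); the default suites strongSwan
would append to a non-strict line (no trailing '!') are not modelled."""

# Algorithms a new deployment should not offer at all.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def parse_proposals(spec: str):
    """'aes256-sha256-modp2048,aes256-sha256-ecp256!' -> ([('aes256', 'sha256', 'modp2048'), ...], True)."""
    strict = spec.endswith("!")
    suites = [tuple(s.split("-")) for s in spec.rstrip("!").split(",") if s]
    return suites, strict

def negotiate(server_spec: str, client_offers: list):
    """Suite the responder picks (first server suite the client also offers), or None."""
    server_suites, _strict = parse_proposals(server_spec)
    offered = {tuple(o.split("-")) for o in client_offers}
    for suite in server_suites:
        if suite in offered:
            return "-".join(suite)
    return None          # the client logs "No proposal chosen"

def weak_algorithms(spec: str) -> set:
    """Weak algorithms present anywhere in an ike=/esp= line."""
    return {alg for suite in parse_proposals(spec)[0] for alg in suite if alg in WEAK}

def suggest_ike(client_offers: list) -> str:
    """Strict ike= line built from the client's own offers with the weak suites dropped."""
    keep = [o for o in client_offers if not weak_algorithms(o)]
    if not keep:
        raise ValueError("client offers only weak suites: upgrade the client, not the server")
    return ",".join(keep) + "!"

# Constructed offer lists (hypothetical clients, not captured from a real OS).
MODERN_CLIENT = ["aes256gcm16-prfsha384-ecp384", "aes256-sha256-modp2048", "aes256-sha256-ecp256"]
LEGACY_CLIENT = ["aes256-sha1-modp1024", "aes256-sha256-modp2048"]

GUIDE_LINE = "aes256-sha256-modp1024!"                       # modp1024-only line
HARDENED_LINE = "aes256-sha256-modp2048,aes256-sha256-ecp256!"

if __name__ == "__main__":
    print(negotiate(GUIDE_LINE, MODERN_CLIENT))       # None -> "No proposal chosen"
    print(negotiate(HARDENED_LINE, MODERN_CLIENT))    # aes256-sha256-modp2048
    print(negotiate(HARDENED_LINE, LEGACY_CLIENT))    # aes256-sha256-modp2048
    print(weak_algorithms(GUIDE_LINE))                # {'modp1024'}
    print(suggest_ike(LEGACY_CLIENT))                 # aes256-sha256-modp2048!
```

The useful habit this encodes: take the client's offered suites from the strongSwan log, feed them to `suggest_ike`, and put that on the server. The legacy client above still connects through its modp2048 offer, so modp1024 never needs to be enabled for it; only a client that offers nothing but weak suites forces the choice between adding a weak group and fixing the client.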
🌐 Common Client-Side Fixes
- Ensure your system clock is accurate: a certificate is rejected outside its validity window, and a WireGuard peer rejects a handshake whose timestamp is older than the last one it accepted, so a clock that jumped backwards stalls the tunnel until time catches up.
- Restart the VPN app or service.
- Disable and re-enable your network adapter.
- If DNS leaks occur, set the resolver in the VPN profile so queries travel inside the tunnel: `DNS =` in the WireGuard [Interface] (the server's tunnel address, or 1.1.1.1 / 9.9.9.9 when the tunnel carries all traffic), or `rightdns=` on the strongSwan server. Setting 1.1.1.1 on the physical adapter alone is not enough on systems that query every interface's resolver in parallel.
- Reboot your device after applying changes.
✅ Final Thoughts
Most VPN connection problems come down to simple misconfigurations — mismatched keys, firewall rules, or certificate issues.
Take a methodical approach: verify server connectivity, confirm credentials, and always test one change at a time.
With proper setup and maintenance, WireGuard and IKEv2 deliver reliable, high-performance VPN connections that rival commercial services — with total control in your hands.
🔗 Resources
- WireGuard Official Documentation
- strongSwan (IKEv2) Wiki
- Chris Titus Tech Tutorials
- IP Leak Test
- DNS Leak Test