Trouble setting up Wireguard

I’m trying to set up wireguard. The problem is, I can’t connect to any remote IPs if my Wireguard NetworkManager profile is active. ping fails. Pinging my server’s local IP does work though.



Address    =, fd00:7::1/48
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
ListenPort = 51820
DNS        =,

PublicKey    = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs   =

This is the output of systemctl status wg-quick@wg0.service:

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
     Active: active (exited) since Thu 2023-11-02 21:19:48 PDT; 8min ago
       Docs: man:wg-quick(8)
    Process: 56215 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 56215 (code=exited, status=0/SUCCESS)
        CPU: 199ms

Nov 02 21:19:48 haddock wg-quick[56227]: Warning: AllowedIP has nonzero host part:
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -4 address add dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -6 address add fd00:7::1/48 dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip link set mtu 1420 up dev wg0
Nov 02 21:19:48 haddock wg-quick[56238]: [#] resolvconf -a wg0 -m 0 -x
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -4 route add dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
Nov 02 21:19:48 haddock wg-quick[56255]: success
Nov 02 21:19:48 haddock wg-quick[56257]: success
Nov 02 21:19:48 haddock systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

I have this in /etc/sysctl.d/wireguard-packet-forwarding.conf:


Output of ip route:

default via dev enp37s0 proto dhcp src metric 100 dev wg0 scope link dev enp37s0 proto kernel scope link src metric 100 dev wg0 proto kernel scope link src


I have this for my NetworkManager profile configuration:                          wg0
connection.uuid:                        1ddef818-1b7a-4ab3-9658-e87dc9e24662
connection.stable-id:                   --
connection.type:                        wireguard
connection.interface-name:              wg0
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
connection.multi-connect:               0 (default)
connection.auth-retries:                -1
connection.timestamp:                   1698985289                   no
connection.permissions:                 --                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        default
connection.mdns:                        -1 (default)
connection.llmnr:                       -1 (default)
connection.dns-over-tls:                -1 (default)
connection.mptcp-flags:                 0x0 (default)
connection.wait-device-timeout:         -1
connection.wait-activation-delay:       -1
ipv4.method:                            manual
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.replace-local-rule:                -1 (default)
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --                        0 (default)
ipv4.dhcp-reject-servers:               --                 -1 (default)
ipv6.method:                            manual
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         fd00:7::2/48
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.replace-local-rule:                -1 (default)
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.required-timeout:                  -1 (default)
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     default
ipv6.ra-timeout:                        0 (default)
ipv6.mtu:                               auto
ipv6.dhcp-duid:                         --
ipv6.dhcp-iaid:                         --
ipv6.dhcp-timeout:                      0 (default)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.dhcp-hostname-flags:               0x0 (none)                 -1 (default)
ipv6.token:                             --
wireguard.private-key:                  <hidden>
wireguard.private-key-flags:            0 (none)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  yes
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --

Output of ip route:

default via dev wlp170s0 proto dhcp src metric 600 dev wlp170s0 proto kernel scope link src metric 600

I tried disabling firewalld

Try connecting and check the output:

sudo wg show



interface: wg0
  public key: E8P0gHX0wJpBorjKK7i2mdWI9S7ZcW7XZt5ebf+Ve3I=
  private key: (hidden)
  listening port: 51820

peer: 4nP2TLM5fOwWIbnKXRTIwtCAP6MS9vQkWgR7pH650zY=
  preshared key: (hidden)
  allowed ips:
  latest handshake: 23 seconds ago
  transfer: 2.29 KiB received, 3.01 KiB sent


interface: wg0
  public key: 4nP2TLM5fOwWIbnKXRTIwtCAP6MS9vQkWgR7pH650zY=
  private key: (hidden)
  listening port: 45341
  fwmark: 0xcc3d

peer: E8P0gHX0wJpBorjKK7i2mdWI9S7ZcW7XZt5ebf+Ve3I=
  preshared key: (hidden)
  allowed ips:, ::/0
  latest handshake: 17 seconds ago
  transfer: 124 B received, 46.64 KiB sent
  persistent keepalive: every 30 seconds

What command output that info on wg0? It's not wg show.

I typed sudo wg show on both my client and server, and this is exactly what it output.

Interesting, I do not see anything like that on my f38 system with wireguard.

What I get is this (I replace the keys with <key>).

$ wg show
interface: wg0
  public key: <key>
  private key: (hidden)
  listening port: 51820

peer: <key>
  allowed ips:

peer: <key>
  allowed ips:

peer: <key>
  allowed ips:

peer: <key>
  allowed ips:

peer: <key>
  allowed ips:

And this is the RPM that wg comes from.

$ rpm -qf /usr/bin/wg

Do you have wg from somewhere else?

Is that your server or client? I just installed wireguard-tools and that’s what I got wg from. I’m on Fedora 38 as well.

Change it like this:

AllowedIPs =

It was on my server.

Reading the man page, I wonder if the difference is that wg show only shows properties that have been set up in config.

That fixed it, thanks! Do you know why that fixed it?

The AllowedIPs must cover the Address of the respective peer or the network behind it.
This is necessary for WireGuard cryptokey routing to work correctly.

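The cryptokey-routing rule from the last reply, as an added example (not code from the thread or from WireGuard itself): a small Python model of the AllowedIPs lookup that reports whether a peer's tunnel addresses are reachable and flags the "nonzero host part" warning seen in the log. The client address fd00:7::2/48 is from the post; the IPv4 address and both AllowedIPs strings are constructed, since the real values are not shown on the page.

```python
import ipaddress

def parse_allowed_ips(value):
    """Return (networks, warnings) for one AllowedIPs value."""
    nets, warnings = [], []
    for item in filter(None, (p.strip() for p in value.split(","))):
        iface = ipaddress.ip_interface(item)  # bare address means /32 or /128
        if iface.ip != iface.network.network_address:
            warnings.append(f"AllowedIP has nonzero host part: {item}")
        nets.append(iface.network)  # host bits masked off
    return nets, warnings

class CryptokeyTable:
    """Model of one interface's AllowedIPs table (illustrative only)."""
    def __init__(self):
        self.entries = []  # (network, peer name)

    def add_peer(self, name, allowed_ips):
        nets, warnings = parse_allowed_ips(allowed_ips)
        self.entries += [(net, name) for net in nets]
        return warnings

    def peer_for(self, address):
        """Longest-prefix match of an address against all peers' AllowedIPs."""
        ip = ipaddress.ip_address(address)
        hits = [(n.prefixlen, p) for n, p in self.entries
                if n.version == ip.version and ip in n]
        return max(hits)[1] if hits else None

def check_peer(allowed_ips, peer_addresses, name="client"):
    """For each tunnel address of the peer: is it covered by AllowedIPs?"""
    table = CryptokeyTable()
    warnings = table.add_peer(name, allowed_ips)
    result = {}
    for addr in peer_addresses:
        ip = str(ipaddress.ip_interface(addr).ip)
        # Outbound: the destination must map to the peer. Inbound: the
        # decrypted packet's source must map back to the peer it came from.
        result[ip] = table.peer_for(ip) == name
    return result, warnings

# Constructed values, except fd00:7::2/48 which is the client address in the post.
CLIENT_ADDRESSES = ["192.0.2.2/24", "fd00:7::2/48"]
BROKEN = "198.51.100.1/24"             # does not cover the client's addresses
FIXED = "192.0.2.2/32, fd00:7::2/128"  # covers exactly the client's addresses

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, *check_peer(value, CLIENT_ADDRESSES))
```
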