Update #2: After a power outage my host was restarted and now WG is back online - I didn’t change the config one bit (the router was using a different power line so it wasn’t affected, only the host restarted). I have absolutely no idea what was going on; I’ll keep using it for a while to see if it’s going to stay working.
Update: Out of curiosity, I reverted back to the latest snapshot once more, trying to figure out what’s wrong. When running tcpdump -i enp0s3 (not wg0; enp0s3 is the one that is listening for the handshake), all of a sudden my WireGuard came back to life. And now all of my devices can connect back to the VPN, while a few hours ago it was still dead (all UDP ports were functional during all this time, confirmed with nc). It works for 10 minutes or so, and then stops working again.
This never happened with OpenVPN, so I’m 100% sure this has nothing to do with the network/ISP or my host and VM. Definitely a WG thing.
This is the output of tcpdump from enp0s3. The VM is a VirtualBox VM, which is using a NAT interface (not NAT Network).
I’ve been using WireGuard on Debian bullseye for over 6 months. 3 days ago it stopped working all of a sudden (I did run an upgrade prior to the incident). Restoring a VM snapshot to the nearest point when WireGuard was still working (before upgrading) didn’t help. So I proceeded to reinstall WireGuard using pivpn https://github.com/angristan/wireguard-install and the wireguard-install script https://github.com/angristan/wireguard-install to no avail (install procedures are identical to the last time).
The WireGuard server is running in a Debian VM and has its listening port forwarded to the Internet. Clients include an Android phone and a laptop running Ubuntu 22.04 LTS. Both clients fail to establish a connection using the old and new profiles after server reinstallation.
systemctl status wg-quick@wg0
Quick test with nc shows listening UDP port can be reached from the Internet
server wg0 profile
#wg show
Android phone client profile
Using the pivpn script to install OpenVPN instead of WireGuard (same UDP port, same VM, same host), I now have access to my local system. But this is only temporary as Ovpn is very CPU taxing. Downloading a large file would overheat my hardware very fast, up to 80-90 Celsius! While with WG it’s only 70C max, so I would like to get my WireGuard back as fast as possible. It’s just an old laptop, not a dedicated server, but it gets the job done.
Just recently did this to me too. Check MTU. I had to set it to 1280 in the config file.
edit:
did this to me too = it worked and one day it decided it does not work. ICMP was fine (ping), but no TCP or UDP traffic (timeout).
This is the article I found when I tried to fix it: WireGuard MTU fixes - Kerem Erkan
Pardon me, but how is that relevant? Does WireGuard require a working visa or something ;/ ?
Unfortunately modifying MTU value doesn’t help.
To my understanding, when the WG server is behind NAT and has its listening port forwarded to the Internet, the server conf file needs to have PersistentKeepAlive set, else it will stop working after just a few minutes (this happened to me the last time I set up mine). But recently it doesn’t help anymore.
The article you mention 1280 for IPv6, but I’m using only IPv4 (my ISP doesn’t support IPv6).
wireguard has been blocked for example in Russia in recent weeks
How is that even possible? WireGuard is open source. If there’s some line of code to prevent the user from using it based on region, anyone should be able to remove it. Or a lazier method is to just switch the OS region to another country. Maybe you mean some VPN provider like NordVPN which is using the WireGuard protocol, and they refuse to provide service to Russians? Then it still has nothing to do with my WireGuard server residing in my own house, hosted by my own network.
Anyway, I’m nowhere near Russia, and have nothing to do with the ongoing war, so I don’t think that’s the root cause.
wireguard has an easy-to-track protocol for DPI systems https://en.wikipedia.org/wiki/Deep_packet_inspection. It is very easy to block it at the provider level
> Anyway, I’m nowhere near Russia, and have nothing to do with the ongoing war, so I don’t think that’s the root cause.
ok, but blocking in Russia looks exactly like this: an open port, but the handshake is not successful
WireGuard has a distinct packet format outside of the encrypted payload.
So you need to be certified to manage your own network, in your own house nowadays? Should I pay 2000 dollars to get a security team to look over my home router too?
I’m nowhere near your level of super haxor, go hack NASA or something and leave me be. I’m sure you are capable of that.
You said “blocked at provider level”. Do you mean blocked by the ISP? So if I understand you correctly, in this case the government of Russia is blocking its own people from using WireGuard? Or do you mean when a user from a European country is trying to connect to a WireGuard server within Russia, the European country’s ISP will block its users from handshaking?
In the latter scenario, a WG client from within Russia should be able to connect to a WG server also residing in Russia with no problem (assuming both clients and server are using a Russian domestic ISP)?
> Do you mean blocked by the ISP
yes
> the government of Russia is blocking its own people from using WireGuard
> a WG client from within Russia should be able to connect to a WG server also residing in Russia with no problem
both sentences are correct
If the Russian government is blocking WireGuard, then how can the clients and server within Russia connect to each other? Or do they only block outbound connections to another country (a Russian client trying to connect to a WG server in Germany, for example)?
Does OpenVPN suffer from this Russian censorship?
> they only block outbound connection to another country
yes
they block both protocols (wg, openvpn)
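
Added example, not part of the thread: the posts above describe WireGuard's fixed packet format outside the encrypted payload and a failure that looks like "an open port, but the handshake is not successful". This Python sketch classifies UDP payloads captured on the server's outer interface by the protocol's message headers and reports whether inbound handshake initiations were answered. The function names, the "in"/"out" direction labels and the sample payloads are assumptions constructed for illustration.

```python
import struct

# Fixed sizes of WireGuard's non-data messages, keyed by message type.
FIXED_LEN = {1: 148, 2: 92, 3: 64}  # initiation, response, cookie reply
NAMES = {1: "initiation", 2: "response", 3: "cookie_reply", 4: "transport"}


def classify(payload: bytes):
    """Return (name, sender_index, receiver_index) or None if not WireGuard-shaped."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None  # too short, or the three reserved bytes are not zero
    mtype = payload[0]
    if mtype in FIXED_LEN:
        if len(payload) != FIXED_LEN[mtype]:
            return None
    elif mtype != 4:  # type 4 = transport data, variable length (>= 32 bytes)
        return None
    first, second = struct.unpack_from("<II", payload, 4)  # little-endian indices
    if mtype == 1:
        return NAMES[1], first, None
    if mtype == 2:
        return NAMES[2], first, second
    return NAMES[mtype], None, first  # cookie reply / transport carry receiver only


def diagnose(packets):
    """packets: iterable of (direction, udp_payload), direction 'in' or 'out'
    as seen on the server's outer interface (enp0s3 in the thread)."""
    pending, answered = set(), 0
    for direction, payload in packets:
        msg = classify(payload)
        if msg is None:
            continue
        name, sender, receiver = msg
        if direction == "in" and name == "initiation":
            pending.add(sender)
        elif direction == "out" and name == "response" and receiver in pending:
            pending.discard(receiver)  # response echoes the initiator's index
            answered += 1
    if not pending and not answered:
        return "no initiation reached the server"
    if pending:
        return "initiation seen, no response sent"
    return "handshake answered"


def sample(mtype, length, *indices):
    """Constructed test payload: real header layout, zero-filled body."""
    head = bytes([mtype, 0, 0, 0]) + b"".join(struct.pack("<I", i) for i in indices)
    return head.ljust(length, b"\x00")
```

Initiations that arrive but get no response point at the server itself, since WireGuard stays silent when it cannot authenticate an initiation; no initiation at all points at the path in front of the VM (port forward, NAT, or filtering upstream).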