First handshake successful, all others not

[FIrEwaFfFLe]

First handshake succeeds, all others fail

Summary
I’m running Ubuntu 24.04 on a VPS at Cherry Servers (Stockholm) and using [angristan/wireguard-install](https://github.com/angristan/wireguard-install). No matter which way I install (manual or via script), WireGuard behaves the same:

• The first handshake between client and server completes successfully (both sides see it).
• Subsequent handshakes travel from client → server (visible in tcpdump -i eth0 udp port <WG-PORT>), but the server’s responses are never delivered back to the client.
• ICMP (“ping”) from client to the WireGuard interface IP never arrives at the server’s wg0 interface (tcpdump -i wg0 icmp shows nothing).

---

Environment

• OS: Ubuntu 24.04.2 LTS, kernel 6.8.0-62-generic

• Host: Cherry Servers Cloud VPS (Stockholm, shared-vCPU)

• WireGuard port: script default was 63627/UDP

• WG network: 10.66.66.0/24 (server 10.66.66.1, client 10.66.66.2)

• Firewall: UFW disabled; no other OS-level firewalls

• IP forwarding: net.ipv4.ip_forward = 1

• rp_filter: all interfaces set to 0

• iptables-save:

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT   -p udp --dport 63627 -j ACCEPT
  -A FORWARD -i wg0               -j ACCEPT
  -A FORWARD -i eth0 -o wg0       -j ACCEPT
  COMMIT
  
  *nat
  :PREROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -s 10.66.66.0/24 -o eth0 -j MASQUERADE
  COMMIT

• wg-quick@wg0.service shows Active: active (exited) with the correct PostUp/PostDown steps.

---

Reproduction Steps (how it was for me)

1. Install WireGuard (either manually or via the angristan script).

2. Use defaults (public IP, eth0, wg0, 10.66.66.1/32 for server, random port).

3. Generate one client (10.66.66.2).

4. Import the client config on any device (macOS, Windows, Android).

5. Activate the tunnel:

   # Client
   wg-quick up client.conf
   ping 10.66.66.1    # fails, never reaches wg0
   
   # Server
   tcpdump -ni eth0 udp port 63627 
   tcpdump -ni wg0 icmp

6. Observe in eth0 capture: first handshake in both directions, then further client-to-server handshakes but no server-to-client replies.

7. Observe in wg show on server: only initial handshake, no transfer counter increment for ICMP.

---

Expected

• Every handshake attempt should be replied to by the server.
• ICMP pings to the WG interface IP (10.66.66.1) should arrive on wg0 and be forwarded/NAT’d to the client.

---

What’s been tried

• Disabling UFW entirely
• Verifying net.ipv4.ip_forward=1 and rp_filter=0 on all interfaces
• Explicit iptables -I INPUT -p udp --dport 63627 -j ACCEPT
• Reboot after kernel update
• Testing with several clients (Windows, macOS, Android)
• Manually comparing with other VPS providers (no issues elsewhere)

---

Any pointers on why the server sees the client’s repeated handshake packets on eth0 but never processes or replies to them on wg0? Or how to debug further? Thanks in advance!

[ivturbin]

Switching the client to Amnesia and enabling traffic obfuscation solved the issue, without requiring any changes to the angristan's WireGuard server configuration.

[longweihk]

yes few hours works after ot works