Hello,
I’m having an issue connecting WireGuard from CachyOS (Arch-based) to a
Windows Server 2019 acting as WireGuard server.
Setup
- Client: CachyOS Linux (kernel 6.x), WireGuard via wg-quick
- Server: Windows Server 2019 with WireGuard for Windows
- Network: Client behind NAT (home router), server behind FortiGate 50E
- Server port: UDP 4444 with port forwarding configured
Problem
The handshake never completes. On the server log I see:
[TUN] [WG-TESLA] Invalid MAC of handshake, dropping packet from X.X.X.X:XXXXX
The tcpdump on CachyOS shows packets going OUT but never receiving a response:
wlan0 Out IP 192.168.0.231.41194 > X.X.X.X.4444: UDP, length 148
What works
- Windows 11 clients connect successfully from the same network and same public IP as CachyOS
- Android clients connect successfully
- The server receives the packets (confirmed via Windows WireGuard log)
What I already tried
- Regenerated keys multiple times (confirmed they match on both sides)
- Verified system time is synchronized (NTP active)
- Disabled UFW firewall on CachyOS
- Set rp_filter to 0
- Disabled NAT on FortiGate policy
- Disabled IPS and SSL Inspection on FortiGate
- Changed MTU to 1280
- Tested from different networks (home, mobile data)
- Reloaded wireguard kernel module
- Used NetworkManager instead of wg-quick
- Added fixed ListenPort
Config (CachyOS client)
[Interface]
# PrivateKey is required by wg-quick; value omitted in the post
PrivateKey = <client_private_key>
Address = 10.0.0.3/32
ListenPort = 41194
[Peer]
PublicKey = <server_public_key>
Endpoint = X.X.X.X:4444
AllowedIPs = 10.0.0.0/24, 192.168.2.0/24
PersistentKeepalive = 25
Kernel log
wireguard: wg-tesla: Handshake for peer 3 did not complete after 5 seconds, retrying
Any help would be appreciated. Thank you.
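As an added illustration (not part of the post above) of what the "Invalid MAC of handshake" line actually checks: the 148-byte packet tcpdump shows is a handshake initiation, and its mac1 field is a keyed BLAKE2s-128 over the first 116 bytes, keyed with BLAKE2s-256("mac1----" || responder static public key). The receiver recomputes mac1 with the public key of the interface the packet landed on, so a mismatch means the client's configured server PublicKey is not the key of the tunnel that received it. The Python below uses constructed keys and a random message body and assumes nothing about the poster's real setup.

```python
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"
BODY_LEN = 116        # type/reserved(4) + sender(4) + ephemeral(32) + static(48) + timestamp(28)
INITIATION_LEN = 148  # BODY_LEN + mac1(16) + mac2(16), the length seen in the tcpdump line


def mac1_key(responder_public_key: bytes) -> bytes:
    # HASH(LABEL_MAC1 || Spub_responder), HASH = BLAKE2s-256
    return hashlib.blake2s(LABEL_MAC1 + responder_public_key, digest_size=32).digest()


def compute_mac1(responder_public_key: bytes, body: bytes) -> bytes:
    # MAC(key, body) = keyed BLAKE2s-128 over everything before the mac1 field
    return hashlib.blake2s(body, digest_size=16, key=mac1_key(responder_public_key)).digest()


def build_initiation(configured_server_pubkey: bytes, sender_index: int = 1) -> bytes:
    # Constructed initiation: real type byte and sender index, random crypto fields.
    body = struct.pack("<B3xI", 1, sender_index) + os.urandom(BODY_LEN - 8)
    mac1 = compute_mac1(configured_server_pubkey, body)
    mac2 = bytes(16)  # zero unless the responder sent a cookie
    return body + mac1 + mac2


def mac1_valid(own_public_key: bytes, packet: bytes) -> bool:
    # Receiver side: recompute mac1 under its own static public key and compare.
    # A mismatch is what the Windows log reports as "Invalid MAC of handshake".
    if len(packet) != INITIATION_LEN:
        return False
    body, mac1 = packet[:BODY_LEN], packet[BODY_LEN:BODY_LEN + 16]
    return hmac.compare_digest(compute_mac1(own_public_key, body), mac1)


def demo(server_key: bytes, other_key: bytes) -> tuple:
    # Returns (accepted by the key the client configured, accepted by a different key)
    packet = build_initiation(server_key)
    return mac1_valid(server_key, packet), mac1_valid(other_key, packet)


if __name__ == "__main__":
    print(demo(os.urandom(32), os.urandom(32)))  # (True, False)
```

Checking that the PublicKey in the client config equals the output of `wg show` on the Windows tunnel named WG-TESLA (and not another tunnel on the same host) is the corresponding real-world test.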