VPN not working — step-by-step diagnostics

12.03.2026

Summary

If your VPN connection stopped working or won't establish: check the service status, port availability, routes, and logs. Below is a universal diagnostic procedure for WireGuard and OpenVPN.

Applies to:
✔ VPS
✔ Dedicated servers
✔ WireGuard, OpenVPN

Step 1: check VPN service status

WireGuard

systemctl status wg-quick@wg0

If the service is not running:

systemctl start wg-quick@wg0

OpenVPN

systemctl status openvpn@server

If the service is not running:

systemctl start openvpn@server

Step 2: check if the port is listening

Make sure the VPN server is listening on the correct port. For WireGuard (UDP 51820 in this example):

ss -ulnp | grep 51820

For OpenVPN (default UDP 1194):

ss -ulnp | grep 1194

If the port is not shown, the service is not running or uses a different port. Check the configuration.

Step 3: check the firewall

The VPN port must be open in the firewall:

iptables -L -n | grep 51820

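If no rule exists, add one. The -A flag appends to the end of the chain, so the rule has no effect if an earlier DROP or REJECT rule already matches the traffic: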

iptables -A INPUT -p udp --dport 51820 -j ACCEPT

For UFW:

ufw allow 51820/udp

Step 4: check routes on the server

Make sure IP forwarding is enabled:

sysctl net.ipv4.ip_forward

Expected result: net.ipv4.ip_forward = 1

If the value is 0, enable it:

sysctl -w net.ipv4.ip_forward=1

To persist after reboot, add to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Step 5: check NAT (masquerade)

Without NAT, VPN clients won't have internet access:

iptables -t nat -L POSTROUTING -v

There should be a MASQUERADE rule for the VPN subnet. If missing:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Replace 10.0.0.0/24 with your VPN subnet and eth0 with your main network interface.

Step 6: check the logs

WireGuard

dmesg | grep wireguard

For more detailed logging:

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

OpenVPN

tail -50 /var/log/openvpn/openvpn.log

Or via journalctl:

journalctl -u openvpn@server --no-pager -n 50

Step 7: check the connection from the client side

Make sure the client uses the correct server IP address and port.

Check port availability from the client machine:

nc -zvu SERVER_IP 51820

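If the port is unreachable, the issue is at the network or firewall level. Because UDP is connectionless, a "succeeded" result only means that no ICMP port-unreachable reply came back; it does not prove that the VPN service answered.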

WireGuard: no handshake

Check peer status:

wg show

If the latest handshake field is empty, the client cannot reach the server. Check:

  • Server public key in the client config is correct
  • Endpoint (IP:port) is correct
  • UDP port is reachable
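
The handshake check above, automated as an added example (not part of the original article): a shell function that reads `wg show <iface> dump` output and marks each peer as never, stale or ok, which goes slightly beyond the empty-handshake case in the text. The function names, the 180-second threshold and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify WireGuard peers by handshake age.
# Input (stdin): output of `wg show <iface> dump`, tab-separated:
#   line 1: private-key public-key listen-port fwmark        (interface)
#   others: public-key preshared-key endpoint allowed-ips
#           latest-handshake transfer-rx transfer-tx persistent-keepalive
# Output: STATE<tab>public-key<tab>endpoint<tab>age-in-seconds, one per peer
#   never = no handshake completed yet (latest-handshake is 0)
#   stale = last handshake older than max_age seconds
#   ok    = handshake seen within max_age seconds
# $1 = current Unix time; $2 = max_age, default 180 (assumed threshold).
wg_peer_health() {
    awk -F '\t' -v now="$1" -v max_age="${2:-180}" '
        NF != 8 { next }   # skip the interface line (it holds the private key)
        {
            hs = $5 + 0
            if (hs == 0)                 { state = "never"; age = "-" }
            else if (now - hs > max_age) { state = "stale"; age = now - hs }
            else                         { state = "ok";    age = now - hs }
            printf "%s\t%s\t%s\t%s\n", state, $1, $3, age
        }'
}

# Constructed sample dump: placeholder keys, documentation-range addresses.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' 'PRIVKEY_PLACEHOLDER' 'SERVER_PUB' '51820' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_A_PUB' '(none)' '203.0.113.10:40000' '10.0.0.2/32' '1700000000' '9216' '7340' 'off' \
        'PEER_B_PUB' '(none)' '203.0.113.11:40001' '10.0.0.3/32' '1699999000' '512' '1024' 'off' \
        'PEER_C_PUB' '(none)' '(none)' '10.0.0.4/32' '0' '0' '0' 'off'
}

# Stand-alone run on the sample with a fixed clock (1700000060):
sample_dump | wg_peer_health 1700000060
# On a live server (as root): wg show wg0 dump | wg_peer_health "$(date +%s)"
```

A stale result on an idle peer is normal, since WireGuard only performs a handshake when there is traffic to send. A never result with endpoint (none) means the server has not yet received a valid packet from that peer.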

Verification

After fixing the issue, verify the connection:

ping -c 4 10.0.0.1

Where 10.0.0.1 is the VPN server's tunnel address.

Check that traffic goes through the VPN:

curl ifconfig.me

The IP address should match the VPN server.

If VPN still doesn't work after all checks, open a support ticket. Include:
- VPN type (WireGuard/OpenVPN)
- output of systemctl status
- output of ss -ulnp
- last 50 lines of logs