Excessive network activity with WireGuard

[Chubru]

Operating system

linux

System version

ubuntu 24.10

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

Version

v1.12.23

Description

The WireGuard server implementation inside sing-box generates empty packets even when no actual traffic is being transmitted.

Under the same conditions, the official WireGuard server does not produce this background traffic.

This is especially problematic for mobile devices, because it prevents the network from entering an idle state and leads to increased battery drain.

I suspect this behavior may be caused by an overly short TCP keepalive interval in sing-box for TCP connections running inside the WireGuard tunnel.

Reproduction

1)Start sing-box with the minimal WireGuard server configuration
sing-box config

{
  "endpoints": [
    {
      "address": [
        "10.67.0.1/24"
      ],
      "listen_port": 51820,
      "peers": [
        {
          "allowed_ips": [
            "10.67.0.2/32"
          ],
          "public_key": "="
        }
      ],
      "private_key": "=",
      "tag": "wg-ep",
      "type": "wireguard"
    }
  ],
  "log": {
    "level": "trace",
    "timestamp": true
  },
  "outbounds": [
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "block",
      "type": "block"
    }
  ],
  "route": {
    "final": "direct",
    "rules": [
      {
        "action": "route",
        "outbound": "direct",
        "source_ip_cidr": [
          "10.67.0.0/24"
        ],
        "udp_timeout": "1200s"
      }
    ]
  }
}

2. Import the client configuration into the Android WireGuard app.

3. Connect the phone to the VPN.

4. Put the phone into sleep / standby mode.

5. Wait for 2-3 minutes.

6. Capture traffic between phone and sing box.

Even while the phone is idle, the server continues to send packets to the client approximately every 2-3 seconds.

These packets are not WireGuard keepalive packets. Based on additional logging, they correspond to empty TCP ACK traffic for long-lived TCP sessions inside the tunnel.

+0300 2026-03-31 11:41:30 DEBUG endpoint/wireguard[wg-ep]: peer(EJSZ…gz1E) - received handshake initiation
+0300 2026-03-31 11:41:30 DEBUG endpoint/wireguard[wg-ep]: peer(EJSZ…gz1E) - sending handshake response
+0300 2026-03-31 11:41:30 DEBUG endpoint/wireguard[wg-ep]: peer(EJSZ…gz1E) - receiving keepalive packet
+0300 2026-03-31 11:41:34 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:41:34 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:41:35 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:41:35 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:41:35 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 173.194.73.95:443 -> 10.67.0.2:42768 len=52 payload=0 flags=ACK seq=3774799786 ack=1424350760 win=2048
+0300 2026-03-31 11:41:36 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:42768 -> 173.194.73.95:443 len=52 payload=0 flags=ACK seq=1424350760 ack=3774799787 win=161
+0300 2026-03-31 11:41:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 211.249.222.161:443 -> 10.67.0.2:40536 len=52 payload=0 flags=ACK seq=192063958 ack=1308101612 win=2048
+0300 2026-03-31 11:41:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 203.133.187.83:995 -> 10.67.0.2:43226 len=52 payload=0 flags=ACK seq=1105610834 ack=1670192017 win=2048
+0300 2026-03-31 11:41:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:40536 -> 211.249.222.161:443 len=52 payload=0 flags=ACK seq=1308101612 ack=192063959 win=152
+0300 2026-03-31 11:41:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:43226 -> 203.133.187.83:995 len=52 payload=0 flags=ACK seq=1670192017 ack=1105610835 win=133
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 173.194.73.95:443 -> 10.67.0.2:42768 len=125 payload=73 flags=ACK,PSH seq=3774799787 ack=1424350760 win=2048
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:42768 -> 173.194.73.95:443 len=52 payload=0 flags=ACK,FIN seq=1424350760 ack=3774799860 win=161
+0300 2026-03-31 11:41:49 DEBUG connection: connection upload finished
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 173.194.73.95:443 -> 10.67.0.2:42768 len=52 payload=0 flags=ACK seq=3774799860 ack=1424350761 win=2047
+0300 2026-03-31 11:41:49 DEBUG connection: connection download finished
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 173.194.73.95:443 -> 10.67.0.2:42768 len=52 payload=0 flags=ACK,FIN seq=3774799860 ack=1424350761 win=2048
+0300 2026-03-31 11:41:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:42768 -> 173.194.73.95:443 len=52 payload=0 flags=ACK seq=1424350761 ack=3774799861 win=161
+0300 2026-03-31 11:41:50 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:41:50 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:42:00 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 211.249.222.161:443 -> 10.67.0.2:40536 len=52 payload=0 flags=ACK seq=192063958 ack=1308101612 win=2048
+0300 2026-03-31 11:42:00 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 203.133.187.83:995 -> 10.67.0.2:43226 len=52 payload=0 flags=ACK seq=1105610834 ack=1670192017 win=2048
+0300 2026-03-31 11:42:00 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:40536 -> 211.249.222.161:443 len=52 payload=0 flags=ACK seq=1308101612 ack=192063959 win=152
+0300 2026-03-31 11:42:00 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:43226 -> 203.133.187.83:995 len=52 payload=0 flags=ACK seq=1670192017 ack=1105610835 win=133
+0300 2026-03-31 11:42:04 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:42:04 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:42:05 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:42:05 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:42:15 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 211.249.222.161:443 -> 10.67.0.2:40536 len=52 payload=0 flags=ACK seq=192063958 ack=1308101612 win=2048
+0300 2026-03-31 11:42:15 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 203.133.187.83:995 -> 10.67.0.2:43226 len=52 payload=0 flags=ACK seq=1105610834 ack=1670192017 win=2048
+0300 2026-03-31 11:42:15 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:40536 -> 211.249.222.161:443 len=52 payload=0 flags=ACK seq=1308101612 ack=192063959 win=152
+0300 2026-03-31 11:42:15 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:43226 -> 203.133.187.83:995 len=52 payload=0 flags=ACK seq=1670192017 ack=1105610835 win=133
+0300 2026-03-31 11:42:19 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:42:19 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:42:20 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:42:20 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:42:30 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 211.249.222.161:443 -> 10.67.0.2:40536 len=52 payload=0 flags=ACK seq=192063958 ack=1308101612 win=2048
+0300 2026-03-31 11:42:30 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 203.133.187.83:995 -> 10.67.0.2:43226 len=52 payload=0 flags=ACK seq=1105610834 ack=1670192017 win=2048
+0300 2026-03-31 11:42:30 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:40536 -> 211.249.222.161:443 len=52 payload=0 flags=ACK seq=1308101612 ack=192063959 win=152
+0300 2026-03-31 11:42:30 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:43226 -> 203.133.187.83:995 len=52 payload=0 flags=ACK seq=1670192017 ack=1105610835 win=133
+0300 2026-03-31 11:42:34 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:42:34 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:42:35 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:42:35 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:42:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 211.249.222.161:443 -> 10.67.0.2:40536 len=52 payload=0 flags=ACK seq=192063958 ack=1308101612 win=2048
+0300 2026-03-31 11:42:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 203.133.187.83:995 -> 10.67.0.2:43226 len=52 payload=0 flags=ACK seq=1105610834 ack=1670192017 win=2048
+0300 2026-03-31 11:42:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:40536 -> 211.249.222.161:443 len=52 payload=0 flags=ACK seq=1308101612 ack=192063959 win=152
+0300 2026-03-31 11:42:45 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:43226 -> 203.133.187.83:995 len=52 payload=0 flags=ACK seq=1670192017 ack=1105610835 win=133
+0300 2026-03-31 11:42:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38522 len=52 payload=0 flags=ACK seq=2243340324 ack=2685996765 win=2048
+0300 2026-03-31 11:42:49 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38522 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=2685996765 ack=2243340325 win=157
+0300 2026-03-31 11:42:50 INFO endpoint/wireguard[wg-ep]: [wireguard packet device->wg] ipv4 tcp 64.233.162.188:5228 -> 10.67.0.2:38528 len=52 payload=0 flags=ACK seq=1120321292 ack=32595047 win=2048
+0300 2026-03-31 11:42:50 INFO endpoint/wireguard[wg-ep]: [wireguard packet wg->device] ipv4 tcp 10.67.0.2:38528 -> 64.233.162.188:5228 len=52 payload=0 flags=ACK seq=32595047 ack=1120321293 win=133
+0300 2026-03-31 11:43:00 DEBUG endpoint/wireguard[wg-ep]: peer(EJSZ…gz1E) - sending keepalive packet

Logs

Supporter

• I am a sponsor

Integrity requirements

• I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
• I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
• I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.