Troubleshooting
Diagnose and resolve common Baseguard issues
Quick Diagnostics
# Check connection and nodes
baseguard status
# Verify daemon is running
sudo systemctl status baseguard # Linux
sudo launchctl list | grep baseguard # macOS
# Test connectivity to another node
ping 100.64.0.5
nc -zv 100.64.0.5 22Installation & Daemon Issues
Daemon not running
Start the daemon manually:
| Platform | Start Command | Logs |
|---|---|---|
| Linux | sudo systemctl start baseguard | sudo journalctl -u baseguard -f |
| macOS | sudo launchctl bootstrap system /Library/LaunchDaemons/net.baseguard.daemon.plist | |
| Windows | Start-Service baseguard | %PROGRAMDATA%\baseguard |
TUN device not available (Linux)
Minimal or container environments may need the TUN kernel module enabled:
sudo modprobe tunConnection & Network Issues
Can't connect at all
- Ensure daemon is running (see above)
- Verify HTTPS (443) outbound is allowed — required for control plane
- Verify DNS resolves the control plane hostname
- Check firewall allows outbound UDP on port 42273 — required for WireGuard
Can't see other nodes
- Confirm other devices are connected (
baseguard statuson those devices) - Check ACL rules allow traffic between them
- Verify you're in the same organization
All connections using relay
Relay means P2P failed. Common causes:
| Cause | Solution |
|---|---|
| Firewall blocking UDP | Open outbound UDP, ideally port 42273 |
| Symmetric NAT | Relay is expected — traffic is still E2E encrypted |
| Strict corporate firewall | Relay is expected |
# Open UDP port (Linux)
sudo ufw allow 42273/udp
# Force reconnection to retry P2P
baseguard disconnect && baseguard connectDNS Issues
DNS resolution fails
- Ensure DNS is enabled in Settings > DNS
- Verify Baseguard is connected
- Try using the overlay IP directly to isolate DNS from connectivity issues
External DNS broken after enabling Baseguard DNS
- Check for conflicts with system DNS configuration
- Try disabling Baseguard DNS in Settings > DNS
Authentication & Login Issues
Authorization URL doesn't open
Copy the URL manually and paste it into your browser.
Authorization times out
- Check your internet connection
- Ensure you're logged into the console
- Try again with
baseguard login
Auth key rejected
- Verify the key is copied correctly (no trailing spaces)
- Check key hasn't expired or been revoked
- Ensure key hasn't reached its usage limit (single-use keys)
- Create a new auth key if needed
Device rejected
- Check if node approval is enabled — your device may be waiting for admin approval
- Verify user has organization membership
Credential problems
baseguard logout
baseguard loginOrganization Issues
"Organization not found" or not listed
# List your organizations
baseguard organizations
# Use the correct ID
baseguard connect --org-id <correct-id>If no organizations appear, re-login with baseguard login to refresh. If still empty, contact your organization admin for access.
Access Control Issues
Traffic blocked unexpectedly
- Verify source and destination nodes have the expected tags
- Check ACL rules cover the protocol and port
- Test from the source node:
nc -zv <overlay-ip> <port> # TCP
ping <overlay-ip> # ICMPTraffic allowed unexpectedly
- Look for rules with empty tags (matches all nodes)
- Review all ACLs — any matching rule permits traffic, regardless of order
Tags not applied from auth key
- Verify tags are configured on the auth key
- Check the tags exist in the organization
API Issues
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Invalid or expired API key | Verify key, check Bearer prefix |
| 403 Forbidden | Wrong organization | Check x-bg-organization-id header |
| 404 Not Found | Wrong endpoint or resource | Verify URL and resource ID |
See API Reference for authentication details.
Getting Help
If you can't resolve an issue, contact support.
See Also
- FAQ — Frequently asked questions
- CLI Reference — Command-line interface