Monitoring & Alerting for WireGuard VPN
Introduction
WireGuard is a fast, modern, and secure VPN tunnel software by Jason A. Donenfeld. It aims to be faster, simpler, leaner, and more useful than IPsec or considerably more performant than OpenVPN.
Wireguard is “work of art” — Linus Torvalds
When you have a WireGuard VPN tunnel powering critical services, it’s important to monitor the VPN tunnel's health and set up an alert.
In this article, we’ll set up the Prometheus WireGuard exporter, Grafana Dashboard, and Alerts Manager.
WireGuard Prometheus Exporter
Firstly, we’ll install the WireGuard Prometheus exporter on the WireGuard instance. Essentially, the exporter exposes the output of wg show all dump in a format Prometheus understands.
The exporter is written in Rust and is very light on server resources, both in terms of memory and CPU usage.
For the moment, there are no pre-built binaries for the exporter. Thus, we’ll have to build it. Since it’s written in Rust, it’s fairly straightforward.
NOTE: yum is used here; you can use any package manager.
1. Build and install wireguard prometheus exporter
$ yum install cargo # RedHat-based
$ cargo install prometheus_wireguard_exporter
$ install -m755 /root/.cargo/bin/prometheus_wireguard_exporter /usr/local/bin/
$ yum remove cargo
2. Install systemd service for the exporter
NOTE: If you’re using a custom WireGuard configuration, specify that in place of /etc/wireguard/wg0.conf
$ cat <<EOF > /etc/systemd/system/prometheus-wireguard-exporter.service
[Unit]
Description=Prometheus WireGuard Exporter
Wants=network-online.target
After=network-online.target
[Service]
User=root
Group=root
Type=simple
ExecStart=/usr/local/bin/prometheus_wireguard_exporter -n /etc/wireguard/wg0.conf
[Install]
WantedBy=multi-user.target
EOF
And enable the exporter service by running the following command:
$ systemctl enable --now prometheus-wireguard-exporter.service
3. Verify exporter service is running
$ curl localhost:9586/metrics
Configure Prometheus
Next, we’ll configure Prometheus to scrape the Wireguard exporter metrics.
Add the following scrape config job to /etc/prometheus/prometheus.yaml
  - job_name: wireguard-exporter
    static_configs:
      - labels:
          instance: my-wireguard-tunnel
        targets:
          - IP_OF_EXPORTER:9586
And reload the Prometheus service:
$ systemctl reload prometheus
Wireguard Grafana Dashboard
1. Log in to your Grafana UI
2. Download the following JSON file and import the dashboard as a JSON file
3. Finally, hit Import.
Now, duplicate the “Last Handshake” panel and customize it so we can create alerts on it.
1. Create a duplicate panel of “Last Handshake”
2. Edit the duplicate panel
3. Modify the metrics to the following:
time() - wireguard_latest_handshake_seconds
4. Set the Legend to {{instance}}
5. Turn off the Instant metrics.
6. Choose the Graph Visualization from the Panel tab
7. From the Field tab, change Unit from “From Now” to short
8. Finally, click Save
Alert Manager
Now, let’s create alerts if the WireGuard connection is lost.
1. Edit the panel
2. Click on the Alerts tab and click “Create Alert”
3. Set the condition as WHEN avg() OF query(A, 1m, now) IS ABOVE 180
NOTICE: An alert threshold bar should appear in the dashboard.
4. Create a PagerDuty alert or Slack alert
5. Finally, click “Save”
NOTE: Normally WireGuard sends a health check every 2 minutes, so it’s safe to keep 3 minutes, i.e., 180 seconds, as the alerting threshold.
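As an added illustration (not part of the original article or of the exporter project), the following Python script reproduces what the exporter and the Grafana alert do together: it parses wg show all dump output, computes time() - latest_handshake per peer, and flags peers over the 180-second threshold, treating a peer that has never completed a handshake as its own case. The dump field layout follows wg(8); the sample dump, its keys, endpoints and timestamps are constructed placeholders.

```python
from dataclasses import dataclass

ALERT_THRESHOLD_SECONDS = 180  # 3 minutes, the threshold used in the Grafana alert above

@dataclass
class Peer:
    interface: str
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # UNIX epoch seconds; 0 means no handshake has ever completed

def parse_wg_dump(dump: str) -> list:
    """Parse `wg show all dump` text (tab-separated, per wg(8)) into Peer records.
    Each interface gives one 5-field line (name, private key, public key, port, fwmark),
    then one 9-field line per peer (name, public key, preshared key, endpoint,
    allowed IPs, latest handshake, rx bytes, tx bytes, persistent keepalive).
    """
    peers = []
    for line in dump.splitlines():
        f = line.split("\t")
        if len(f) != 9:
            continue  # interface header line (or blank): nothing to alert on
        peers.append(Peer(f[0], f[1], f[3], f[4], int(f[5])))
    return peers

def stale_peers(peers: list, now: int, threshold: int = ALERT_THRESHOLD_SECONDS) -> dict:
    """Return {public_key: age_seconds} for peers whose handshake age breaches the threshold.
    Mirrors `time() - wireguard_latest_handshake_seconds > 180`; a peer that has never
    handshaked is reported with age None rather than a misleading multi-decade age.
    """
    stale = {}
    for p in peers:
        if p.latest_handshake == 0:
            stale[p.public_key] = None
        elif now - p.latest_handshake > threshold:
            stale[p.public_key] = now - p.latest_handshake
    return stale

# Constructed sample dump; keys, endpoints and timestamps are placeholders.
SAMPLE_DUMP = "\n".join([
    "wg0\tPRIVATE_KEY_PLACEHOLDER\tSERVER_PUBKEY\t51820\toff",
    "wg0\tPEER_A\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t4096\t8192\t25",
    "wg0\tPEER_B\t(none)\t203.0.113.11:51820\t10.0.0.3/32\t1699999700\t0\t0\t25",
    "wg0\tPEER_C\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

if __name__ == "__main__":  # example run: PEER_B is 400 s stale, PEER_C never handshaked
    print(stale_peers(parse_wg_dump(SAMPLE_DUMP), now=1700000100))
```

On a real host the dump contains the interface's private key, which is one reason the exporter runs as root and its output should not be logged or exposed beyond the scrape endpoint.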
Conclusion
Alongside monitoring the WireGuard tunnel itself, it’s important to monitor the instances that run the tunnel as well, which is not covered in this article.
I hope you found this article helpful — Stay safe👋