Wireguard: how to log network activity?

How to enable network activity logging in wireguard?

I searched for ways to view the logs on the server but don't see anything under /var/log.

As it's running as a systemd service I can see some minimal info with

sudo systemctl status wg-quick@wg0 

but this provides very little info.

Also tried:

journalctl -u wg-quick@wg0 

but this does not show much more than the previous command.

Ideally I would like to be able to see peer connections and (optionally) the requests that are being made.

So far the only helpful diagnostic command I've found is sudo wg show wg0 (or just sudo wg) but I wish there was a way to increase the verbosity level and have it display in real time.

Update:

It is possible to get some sense of what connections are initiated by using third-party network tools such as tcpdump | grep 10.66.66 (given that the tunnel is set up on 10.66.66.x) and nethogs, but that still does not answer the question of how to do it directly via WireGuard.

ccpizza asked Apr 08 '20 20:04


1 Answer

If all you need is peer "connection", I wrote this: https://github.com/nikaro/wirelogd

Wirelogd is a logging daemon for WireGuard. Since WireGuard itself does not log the state of its peers (and since it is UDP based, so there is no concept of "connection state"), Wirelogd relies on the latest handshake to determine if a peer is active or inactive. While there is traffic, the handshake should be renewed every 2 minutes. If there is no traffic, the handshake is not renewed. Based on this behavior we assume that if there is no new handshake after a while (default Wirelogd timeout value is 5 minutes), the client is probably inactive.

Nicolas Karolak answered Sep 30 '22 17:09
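A minimal version of the handshake-timeout approach the answer describes, added here as an illustration (this is not Wirelogd's own code): it parses the output of `wg show wg0 dump`, treats a peer as active while its latest handshake is younger than the timeout, and reports only state transitions. The sample dump, peer keys, endpoints and counters are constructed placeholders; only the 10.66.66.x tunnel subnet comes from the question.

```python
import subprocess
import time

TIMEOUT = 300  # seconds; mirrors Wirelogd's default 5-minute inactivity timeout
NOW = 1_700_000_000  # fixed "current time" so the constructed sample below is reproducible

# Constructed sample of `wg show wg0 dump` (tab-separated). Line 1 is the interface itself;
# each peer line is: pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
# Keys, endpoints and counters are placeholders, not real values.
SAMPLE_DUMP = "\n".join([
    "(hidden)\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff",
    f"PEER_A_PUBKEY\t(none)\t203.0.113.10:41641\t10.66.66.2/32\t{NOW - 30}\t1234\t5678\toff",
    f"PEER_B_PUBKEY\t(none)\t198.51.100.7:51820\t10.66.66.3/32\t{NOW - 900}\t999\t111\t25",
    "PEER_C_PUBKEY\t(none)\t(none)\t10.66.66.4/32\t0\t0\t0\toff",
])

def parse_wg_dump(dump):
    """Map each peer public key to its latest-handshake time (epoch seconds; 0 = never)."""
    peers = {}
    for line in dump.strip().splitlines()[1:]:  # skip the interface line
        fields = line.split("\t")
        if len(fields) >= 5:
            peers[fields[0]] = int(fields[4])
    return peers

def classify_peers(handshakes, now, timeout=TIMEOUT):
    """A peer is 'active' if it completed a handshake less than `timeout` seconds ago.
    WireGuard renews the handshake roughly every 2 minutes while traffic flows, so a
    handshake older than the timeout (or none at all, ts == 0) means the peer is idle."""
    return {pk: "active" if ts and now - ts < timeout else "inactive"
            for pk, ts in handshakes.items()}

def state_changes(previous, current):
    """Only transitions are worth logging; return (pubkey, new_state) for peers that changed."""
    return [(pk, st) for pk, st in current.items() if previous.get(pk) != st]

def read_live_dump(interface="wg0"):
    """Read the real dump from the kernel (needs root, like `wg show`)."""
    return subprocess.run(["wg", "show", interface, "dump"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Poll loop for a real server; replace read_live_dump() with SAMPLE_DUMP to dry-run.
    previous = {}
    while True:
        current = classify_peers(parse_wg_dump(read_live_dump()), int(time.time()))
        for pk, state in state_changes(previous, current):
            print(f"{time.strftime('%F %T')} peer {pk[:8]}... is now {state}")
        previous = current
        time.sleep(30)
```

Because the handshake timestamp only tells you that a peer exchanged keys recently, this reports presence, not the individual requests the question also asks about; those still need a packet-level tool on the tunnel interface.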