How to Monitor for WireGuard Key Compromise

If you want to know when one of your WireGuard private keys has been compromised, you need a good WireGuard monitoring solution. Pro Custodibus is a great choice, but have a look at your other WireGuard monitoring options if you like. This article will assume you’re already up and running with Pro Custodibus as your solution.

So, how do you find out if any of your keys have been compromised?

Identify Unusual Activity

The first thing you’d probably want to know is if you have any unusual activity with any of your WireGuard hosts. The Pro Custodibus dashboard is perfect for this — it makes it easy to spot suspicious behavior:

Pro Custodibus Dashboard

The Endpoints Connected to Host chart displays how many remote endpoints are actively connected to each WireGuard host you’re monitoring. This chart will show you if you have more users connected to a host than usual. You can click on a host if you want to see more details about who’s been connecting to it.

The Bytes Sent and Received by Peer chart displays how much data is being transferred to and from the hosts you’re monitoring, by WireGuard identity (since a WireGuard peer is identified by its public key, peer, identity, and key are all synonyms from a WireGuard monitoring perspective). This chart will show you if a particular user is using your WireGuard network more heavily than usual. You can click on a peer if you want to see more detail about its activity.

The IP Addresses Used by Peer chart displays how many different IP addresses each WireGuard identity is using to access your monitored hosts. This chart will show you if more than one user appears to be using the same identity at the same time. You can click on a peer if you want to see more details about which IP addresses are involved.

The Endpoint IP Address Changes table displays the recent changes to the IP address each WireGuard identity has been using to access each monitored host. This table will show you if a particular user has recently changed the IP address from which she is accessing a particular host.

Identify Suspicious IP Addresses

If you see some unusual activity, you’re going to want to know more about where that activity came from. In Pro Custodibus, you can click on an IP address to see more detail about it, and what activity has originated from it:

Pro Custodibus IP Detail for IP in Colorado

The Network panel displays information about what network the IP address belongs to. The Location panel displays the likely geographic location of hosts using the IP address. If these panels show an unexpected network or location (like a network operated by a Chinese telecom, or a location in Russia), the private keys of the peers using this address may be compromised.

The Peers Used table displays each peer that has used this IP address, and the last time the peer used the address. The Peers Used chart above it displays a timeline of when each peer that used this address was active from the address (and detailing specifically the number of monitored hosts the peer connected to from this address — in other words, the number of WireGuard endpoints used with the peer).

The activity from IP address 157.130.186.54 above seems pretty normal for this example US-based company; but the activity from 31.28.5.212 seems highly suspicious:

Pro Custodibus IP Detail for IP in Russia

Automated Alerts for Suspicious IP Addresses

Pro Custodibus will automatically alert you whenever a suspicious IP address connects to one of your monitored hosts. Specifically, Pro Custodibus will alert you if one of your monitored hosts is connected to from an IP address where:

  1. The IP address is located in a country that has never connected to your hosts before; or
  2. The IP address is located in a region of a country that has never connected to your hosts before; or
  3. The IP address is part of a larger network (an Autonomous System, or AS) that has never connected to your hosts before

These are pretty good indicators that the private key used to connect to the host may have been compromised. Pro Custodibus will send you an alert when this happens; you can also view your alerts on the Alerts page in Pro Custodibus:

Pro Custodibus Alert for First Access From Country

And if you want even more assurance that you’ll know if anyone ever tries to connect to your monitored hosts from an unexpected IP address, you can configure Pro Custodibus with a safelist of good IP addresses or blocks. If an IP address not in that list ever connects to one of your hosts, Pro Custodibus will alert you immediately:

Pro Custodibus Alert for Suspicious IP
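
The safelist check described above can be reproduced by hand against the output of `wg show <interface> dump`. The following is an added example, not Pro Custodibus code: the safelist blocks, peer names, and dump lines are constructed, and only peers that have completed a handshake are checked.

```python
import ipaddress

# Constructed safelist using documentation ranges; substitute your own blocks.
SAFELIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed sample of `wg show wg0 dump`: an interface line, then one
# tab-separated line per peer (public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake, transfer-rx, transfer-tx, keepalive).
# The real interface line contains the host's private key; treat it as secret.
SAMPLE_DUMP = "\n".join([
    "HOST_PRIVKEY\tHOST_PUBKEY\t51820\toff",
    "PEER_A\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1700000000\t10\t20\toff",
    "PEER_B\t(none)\t203.0.113.9:40000\t10.0.0.3/32\t1700000100\t10\t20\toff",
    "PEER_C\t(none)\t[2001:db8:10::5]:51820\t10.0.0.4/32\t1700000200\t10\t20\toff",
    "PEER_D\t(none)\t(none)\t10.0.0.5/32\t0\t0\t0\toff",
    "PEER_E\t(none)\t203.0.113.50:51820\t10.0.0.6/32\t0\t0\t0\t25",
])

def endpoint_ip(endpoint):
    """Return the IP of a wg endpoint ('1.2.3.4:51820' or '[v6]:51820'), else None."""
    if endpoint == "(none)":
        return None
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def unlisted_endpoints(dump_text, safelist=SAFELIST):
    """List (public_key, ip) for peers that completed a handshake from an
    address outside every safelisted block."""
    hits = []
    for line in dump_text.splitlines()[1:]:      # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            continue
        pubkey, endpoint, handshake = fields[0], fields[2], int(fields[4])
        ip = endpoint_ip(endpoint)
        # A latest-handshake of 0 means the peer has never connected.
        if ip is None or handshake == 0:
            continue
        if not any(ip in net for net in safelist):
            hits.append((pubkey, str(ip)))
    return hits
```

PEER_E has a statically configured endpoint outside the safelist but has never completed a handshake, so it is not reported.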

Identify Other Suspicious Usage

Another indicator that a WireGuard key may be compromised is when the same key is used to connect to the same host at the same time from two different IP addresses. This will show up in Pro Custodibus’ activity history as the IP address for the same WireGuard endpoint flipping back and forth between two IPs multiple times over the course of several minutes or more:

Pro Custodibus Endpoint Activity History

Pro Custodibus will automatically alert you when this happens:

Pro Custodibus Alert for IP Changes Back and Forth
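
The back-and-forth pattern can be told apart from ordinary roaming by counting alternations between the same two addresses inside a short window. This is an added example, not Pro Custodibus's detection logic: the samples are constructed, and the thresholds (three flips within 15 minutes) are assumptions to tune for your own network.

```python
from collections import defaultdict

# Constructed samples for one monitored host: (unix_time, peer_public_key, endpoint_ip)
SAMPLES = [
    # PEER_X alternates between two addresses every minute: two clients, one key
    (0, "PEER_X", "198.51.100.7"), (60, "PEER_X", "203.0.113.9"),
    (120, "PEER_X", "198.51.100.7"), (180, "PEER_X", "203.0.113.9"),
    (240, "PEER_X", "198.51.100.7"),
    # PEER_Y roams once (e.g. Wi-Fi to mobile) and stays there
    (0, "PEER_Y", "198.51.100.20"), (300, "PEER_Y", "198.51.100.99"),
    (600, "PEER_Y", "198.51.100.99"),
    # PEER_Z alternates, but hours apart, which is outside the window
    (0, "PEER_Z", "198.51.100.30"), (3600, "PEER_Z", "203.0.113.40"),
    (7200, "PEER_Z", "198.51.100.30"), (10800, "PEER_Z", "203.0.113.40"),
]

def flapping_peers(samples, min_flips=3, window=900):
    """Return {pubkey: (ip_a, ip_b)} for peers whose endpoint IP switched
    between the same two addresses at least min_flips times in `window` seconds."""
    changes = defaultdict(list)          # pubkey -> [(time, old_ip, new_ip)]
    last_ip = {}
    for ts, key, ip in sorted(samples):
        prev = last_ip.get(key)
        if prev is not None and prev != ip:
            changes[key].append((ts, prev, ip))
        last_ip[key] = ip

    flagged = {}
    for key, evs in changes.items():
        for i, (start, old, new) in enumerate(evs):
            pair = frozenset((old, new))
            run = 1                      # consecutive flips within the same pair
            for ts, o, n in evs[i + 1:]:
                if ts - start > window or frozenset((o, n)) != pair:
                    break
                run += 1
            if run >= min_flips:
                flagged[key] = tuple(sorted(pair))
                break
    return flagged
```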

Automated Alerts for Suspicious Usage

And another suspicious usage pattern is when a WireGuard key that hasn’t been used for a while (or ever) suddenly is used. Pro Custodibus will automatically alert you the first time a WireGuard key that hasn’t been used before (or hasn’t been used in the past 45 days) is used:

Pro Custodibus Alert for First Use of Private Key

Pro Custodibus will also automatically alert you the first time a WireGuard key is used to access a monitored host, if that key has never been used to access that host before (or at least hasn’t in the past 45 days):

Pro Custodibus Alert for First Use of Key for Connection

When this happens unexpectedly, it can be another indication that the private key used to connect to the host has been compromised.
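
Both first-use rules come down to tracking when each key, and each key-and-host pair, was last seen. The sketch below is an added example, not Pro Custodibus code: the event tuples, host names, and alert labels are constructed, and the 45-day window is the one cited above.

```python
DAY = 24 * 3600
DORMANT_SECS = 45 * DAY   # the 45-day window cited in the article

# Constructed handshake observations: (unix_time, monitored_host, peer_public_key)
EVENTS = [
    (0 * DAY, "vpn1", "KEY_A"),    # KEY_A never seen before
    (1 * DAY, "vpn1", "KEY_A"),    # routine use, no alert
    (2 * DAY, "db1", "KEY_A"),     # known key, but new to host db1
    (50 * DAY, "vpn1", "KEY_A"),   # KEY_A silent for 48 days, then used again
    (60 * DAY, "vpn1", "KEY_B"),   # KEY_B never seen before
]

def first_use_alerts(events, dormant=DORMANT_SECS):
    """Return [(time, kind, host, pubkey)] where kind is 'first-use-of-key'
    (key unseen anywhere within `dormant` seconds) or 'first-use-of-key-on-host'
    (key active elsewhere, but unseen on this host within `dormant` seconds)."""
    last_key = {}    # pubkey -> last time seen on any host
    last_pair = {}   # (host, pubkey) -> last time seen on that host
    alerts = []
    for ts, host, key in sorted(events):
        key_prev = last_key.get(key)
        pair_prev = last_pair.get((host, key))
        if key_prev is None or ts - key_prev > dormant:
            alerts.append((ts, "first-use-of-key", host, key))
        elif pair_prev is None or ts - pair_prev > dormant:
            alerts.append((ts, "first-use-of-key-on-host", host, key))
        # Record the sighting after classifying it, so it never masks itself.
        last_key[key] = ts
        last_pair[(host, key)] = ts
    return alerts
```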
