How to Monitor for WireGuard Key Compromise
If want to know when one of your WireGuard private keys have been compromised, you need a good WireGuard monitoring solution. Pro Custodibus is a great choice, but have a look at your other WireGuard monitoring options if you like. This article will assume you’re already up and running with Pro Custodibus as your solution.
So, how do you find out if any of your keys have been compromised?
Identify Unusual Activity
The first thing you’d probably want to know is if you have any unusual activity with any of your WireGuard hosts. The Pro Custodibus dashboard is perfect for this — it makes it easy to spot suspicious behavior:
The Endpoints Connected to Host chart displays how many remote endpoints are actively connected to each WireGuard host you’re monitoring. This chart will show you if you have more users connected to a host than usual. You can click on a host if you want to see more details about who’s been connecting to it.
The Bytes Sent and Received by Peer chart displays how how much data is being transferred to and from the hosts you’re monitoring, by WireGuard identity (since a WireGuard peer is identified by its public key, peer, identity, and key are all synonyms from a WireGuard monitoring perspective). This chart will show you if a particular user is using your WireGuard network more heavily than usual. You can click on a peer if you want to see more detail about its activity.
The IP Addresses Used by Peer chart displays how many different IP addresses each WireGuard identity is using to access your monitored hosts. This chart will show you if more than one user appears to be using the same identity at the same time. You can click on a peer if you want to see more details about which IP addresses are involved.
The Endpoint IP Address Changes table displays the recent changes to the IP address each WireGuard identity has been using to access each monitored host. This table will show you if a particular user has recently changed the IP address from which she is accessing a particular host.
Identify Suspicious IP Addresses
If you see some unusual activity, you’re going to want to know more about where that activity came from. In Pro Custodibus, you can click on an IP address to see more detail about it, and what activity has originated from it:
The Network panel displays information about what network the IP address belongs to. The Location panel displays the likely geographic location of hosts using the IP address. If these panels show an unexpected network or location (like a network operated by a Chinese telecom, or a location in Russia), the private keys of the peers using this address may be compromised.
The Peers Used table displays each peer that has used this IP address, and the last time the peer used the address. The Peers Used chart above it displays a timeline of when each peer that used this address was active from the address (and detailing specifically the number of monitored hosts the peer connected to from this address — in other words, the number of WireGuard endpoints used with the peer).
The activity from IP address 184.108.40.206 above seems pretty normal for this example, US-based company; but the activity from 220.127.116.11 seems highly suspicious:
Automated Alerts for Suspicious IP Addresses
Pro Custodibus will automatically alert you whenever a suspicious IP address connects to one of your monitored hosts. Specifically, Pro Custodibus will alert you if one of your monitored hosts is connected to from an IP address where:
- The IP address is located in a country that has never connected to your hosts before; or
- The IP address is located in a region of a country that has never connected to your hosts before; or
- The IP address is part of a larger network (an Autonomous System, or AS) that has never connected to your hosts before
These are pretty good indicators that the private key used to connect to the host may have been compromised. Pro Custodibus will send you an alert when this happens; you can also view your alerts on the Alerts page in Pro Custodibus:
And if you want even more assurance that you’ll know if anyone ever tries to connect to your monitored hosts from an unexpected IP address, you can configure Pro Custodibus with a safelist of good IP addresses or blocks. If an IP address not in that list ever connects to one of your hosts, Pro Custodibus will alert you immediately:
Identify Other Suspicious Usage
Another indicator that a WireGuard key may be compromised is when the same key is used to connect to the same host at the same time from two different IP addresses. This will show up in Pro Custodibus’ activity history as the IP address for the same WireGuard endpoint flipping back and forth between two IPs multiple times over the course of several minutes or more:
Pro Custodibus will automatically alert you when this happens:
Automated Alerts for Suspicious Usage
And another suspicious usage pattern is when a WireGuard key that hasn’t been used for a while (or ever) suddenly is used. Pro Custodibus will automatically alert you the first time a WireGuard key that hasn’t been used before (or hasn’t been used in the past 45 days) is used:
Pro Custodibus will also automatically alert you the first time WireGuard key is used to access a monitored host, if that key has never been used to access that host before (or at least hasn’t in the past 45 days):
When this happens unexpectedly, it can be another indication that the private key used to connect to the host has been compromised.
Here’s a video that covers the same content as this article: