WireGuard Network Map

Understanding who has been granted access to what on your network can be difficult. The Network Map feature in Pro Custodibus makes it easy to visualize how all the peers in your WireGuard virtual private network (VPN) are connected — as well as see how those connections are being actively used.

In the screenshot below, you can see a host on a WireGuard network, connected to several remote endpoints:

Network Map of a WireGuard Interface

In the screenshot, we’re looking at the connections to the “wg0” interface of the “Document Store” host on this WireGuard network, with a tooltip showing the endpoint of that interface connected to the “Alice’s Laptop” peer.

Here’s a key to the different types of resources shown:

Host Icon Host

one of your monitored hosts

Interface Icon Interface

one of the WireGuard interfaces on a host (a single host can have multiple interfaces)

Endpoint Icon Endpoint

the remote side of a WireGuard connection, from the point of view of a monitored host

Peer Icon Peer

the WireGuard identity used by one or more interfaces or endpoints

The thickness of the line connecting each interface and endpoint indicates how much the connection has been used (connections that have transferred more data are thicker), and its darkness shows how recently it has been used (connections that have been used more recently are darker). Disabled connections are rendered with a dotted line.

You can mouse over each resource to view a tooltip with the name and other details about the resource. You can also click on a resource to bring up its details in the info panel on the left side of the page. Also, any connections that haven’t been loaded yet will be loaded once you click on a resource.

You can click on the Load All icon in the top right of the Network Map panel to load all the peers that are connected by further degrees of separation to the selected resource, and fill in the connections between them.

In this screenshot, we’ve clicked on the endpoint representing the connection from the “Field Service” host to the “Alice’s Laptop” peer, and used the Load All icon to load the rest of the WireGuard connections in the network:

Network Map of a WireGuard Endpoint

You can click on the Close icon in the top right of the Network Map panel to close it and view more information about the selected resource (like its activity log, or other charts and details about the resource). To open up the Network Map again, click the Network Map icon in the top right of the resource’s info panel:

Other Endpoint Details

The great thing about a network map like this is that it allows you to navigate from resource to resource, see how resources are connected, and check how actively they’re being used. If one WireGuard peer has access to another peer it shouldn’t have, you can immediately identify it and correct it.