WireGuard Usage Monitoring

One of the most important reasons to use a WireGuard monitoring and management tool like Pro Custodibus is so you can monitor server usage within your WireGuard VPN (Virtual Private Network). You don’t want to lose visibility into your network just because you’re using WireGuard to secure it. Here are four key questions about the usage of your servers that Pro Custodibus will help you answer:

Who accessed this server over WireGuard?

Pro Custodibus keeps track of the usage stats for all your monitored hosts. To see who has accessed a particular server, log into the Pro Custodibus web UI (User Interface), and navigate to the host page for the server:

WireGuard Usage for a Host
Figure 1. Example Pro Custodibus Host Page

The first thing you’ll see on this page is a timeline of the overall usage of the host (the Endpoints Connected to Host Interfaces panel), showing how many different endpoints were actively accessing this host over the last few hours. But if you scroll down, you’ll see the full list of endpoints that have ever connected to the host (the Endpoints panel).

This list of endpoints shows you the friendly name of each WireGuard peer that has accessed the host, like Bob’s Workstation or Alice’s Phone, as well as the name of the WireGuard interface on the host (like wg0) to which each endpoint connected. It also shows the total usage of the host by the peer in terms of bytes sent and received, as well as the timestamp and IP address from the last time the peer connected.

Pro Custodibus can also notify you when a WireGuard peer accesses one of your monitored hosts for the first time. For example, this alert was generated the first time the peer for Juan’s Workstation was used to access the Document Store host:

WireGuard Usage Alert for a Host
Figure 2. Example Pro Custodibus “First Use” Alert

When was this server last accessed via WireGuard?

From the Pro Custodibus host page, if you click on a specific WireGuard interface (like wg0), you’ll navigate to a page with the details and usage history for that interface:

WireGuard Usage for an Interface
Figure 3. Example Pro Custodibus Interface Page

The first thing you’ll see on this page is a timeline of the usage of the interface by each WireGuard peer (the Bytes Sent and Received by Interface Endpoints panel), showing how much data each endpoint transferred over the last few hours. This gives you a quick visualization of who has connected recently to the host, as well as how actively they were using it.

The listing below this timeline (the Endpoints panel) shows the exact date of the last connection from each peer in the Last Handshake column (WireGuard peers exchange a handshake at the beginning of each connection, and every two minutes during use).

How much data was transferred from this server over WireGuard?

To see the full history of a specific remote peer’s usage of a monitored host, first navigate to the host’s page (or an interface page of the host), as shown above. Then click on the endpoint with the peer’s name (like Bob’s Workstation or Alice’s Phone). This will show you the full log of activity between the remote peer and the host:

WireGuard Usage for an Endpoint
Figure 4. Example Pro Custodibus Endpoint Page

The screenshot above shows the full activity between the Document Store host and a specific WireGuard endpoint connected to it, Alice’s Phone. The top panel on the page shows a timeline of the data sent and received between the host and the endpoint (from the perspective of the host, which is monitored by Pro Custodibus; not the endpoint, which doesn’t need to be monitored by Pro Custodibus to gather this data, and in this case is not). This provides a convenient visualization of how much data has been transferred recently between the two peers.

You can use the date-range picker above the timeline panel to select a different date range over which to view this timeline; for example, this screenshot shows the data transferred between the two peers over the past 90 days:

Long-Term WireGuard Usage for an Endpoint
Figure 5. Endpoint Page for the Past 90 Days

You can also use the activity log below the timeline (in the Activity panel) to view the exact amount of data sent and received between each handshake of the two peers. Each entry in this list represents a snapshot of time during which the two peers were actively communicating. The Public Address column shows the IP address and WireGuard port of the remote endpoint at the time each handshake occurred, with the handshake timestamp listed in the Handshake column.

The Sent column shows the bytes sent from the monitored host (in this case, the Document Store) to the remote endpoint (Alice’s Phone) between this snapshot and the last; whereas the Tx Cum column shows the total bytes sent from the host to the endpoint up to that point in time. Similarly, the Received column shows the bytes received by the monitored host from the remote endpoint since the last snapshot; and the Rx Cum column shows the total bytes received by the host from the endpoint up to that point in time.
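The relationship between the per-snapshot columns (Sent, Received) and the cumulative columns (Tx Cum, Rx Cum) can be reproduced from successive outputs of `wg show wg0 dump` on the host. The following is an added example, not Pro Custodibus code: the snapshots, keys, and addresses are constructed, and treating a counter that goes backwards as an interface restart is an assumption of this example.

```python
# Constructed sample: three successive `wg show wg0 dump` outputs (keys/addresses made up).
PEER = "PEER_PUBLIC_KEY_PLACEHOLDER="
IFACE = "IFACE_PRIVATE_KEY\tIFACE_PUBLIC_KEY\t51820\toff\n"
SNAPSHOTS = [
    IFACE + f"{PEER}\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1700000000\t1000\t5000\toff\n",
    IFACE + f"{PEER}\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t1700000120\t1500\t9000\toff\n",
    # Interface restarted (kernel counters back near zero) and the peer roamed.
    IFACE + f"{PEER}\t(none)\t203.0.113.9:40000\t10.0.0.2/32\t1700000500\t200\t300\toff\n",
]

def parse_dump(text):
    """Map peer public key -> (endpoint, latest_handshake, rx_bytes, tx_bytes)."""
    peers = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) == 8:  # peer line; the interface line has only 4 fields
            peers[f[0]] = (f[2], int(f[4]), int(f[5]), int(f[6]))
    return peers

def activity_rows(snapshots, peer):
    """Build per-snapshot rows with deltas and running totals for one peer."""
    rows, prev, rx_cum, tx_cum = [], None, 0, 0
    for text in snapshots:
        cur = parse_dump(text).get(peer)
        if cur is None or cur[1] == 0:  # peer absent, or no handshake yet
            continue
        endpoint, handshake, rx, tx = cur
        if prev and rx >= prev[2] and tx >= prev[3]:
            received, sent = rx - prev[2], tx - prev[3]
        else:  # first snapshot, or counters went backwards (assumed reset)
            received, sent = rx, tx
        if prev and handshake == prev[1] and not (received or sent):
            continue  # nothing happened since the last snapshot
        rx_cum, tx_cum = rx_cum + received, tx_cum + sent
        rows.append({"handshake": handshake, "public_address": endpoint,
                     "sent": sent, "tx_cum": tx_cum,
                     "received": received, "rx_cum": rx_cum,
                     "address_changed": bool(prev) and endpoint != prev[0]})
        prev = cur
    return rows

if __name__ == "__main__":
    for row in activity_rows(SNAPSHOTS, PEER):
        print(row)
```

Because the running totals are summed from deltas, they keep growing across an interface restart even though the kernel's own counters start over.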

Where was this server accessed from through WireGuard?

The Pro Custodibus endpoint page we navigated to above, representing the connection between a monitored host and a remote WireGuard endpoint, shows the full history of IP addresses used by the remote side of the connection. The Changes panel at the bottom of the page lists all changes that occurred to this connection; in particular, it includes an entry every time the IP address used by the remote endpoint changed. If you hover your mouse pointer over an IP address in this list, you’ll see what entity owns the IP address, and geographically where it’s located:

IP Address Detail of a WireGuard Endpoint
Figure 6. Endpoint IP Address Changes

In the example above, you’ll see that the latest IP address used by the remote endpoint (Alice’s Phone) to access the monitored host (the Document Store) was 157.130.186.54, a US address owned by Verizon Business Internet. You can click on this IP address to see the full history of usage from the IP address, including the monitored hosts it was used to access, and the remote peers that used it:

WireGuard Usage by an IP Address
Figure 7. IP Address Page

Furthermore, Pro Custodibus will alert you when a new IP address is used to access one of your monitored hosts, if that IP address belongs to a block of IP addresses or a geographic region that Pro Custodibus hasn’t observed accessing any of your hosts before. For example, this alert was generated the first time someone tried to connect from an IP address located in the US state of Colorado:

WireGuard Usage Alert for an IP Address
Figure 8. IP Address Alert

See the How to Monitor for WireGuard Key Compromise article for more details about alerts like this.

Video

This video shows off the Pro Custodibus pages we walked through in this article: