VPN
    Updated May 2026

    WireGuard Monitoring

    Monitor WireGuard peer handshake age (alert if > 3 min), per-peer transfer_rx/tx bytes, endpoint reachability, allowed-IP routes, and interface-level packets/errors in real time — via `wg show all dump`.

    Why monitor WireGuard?

    WireGuard is the modern in-kernel VPN — fast, simple, and silently stateless. There's no 'disconnect' event when a peer dies, so without monitoring, you only learn a tunnel is down when users report it. Tracking handshake age per peer is the canonical liveness signal: catch dead peers within the polling interval, before they become support tickets.

    • Auto-discovery of every `wg*` interface on the host
    • Per-peer handshake age tracking (the canonical liveness signal)
    • Per-peer transfer_rx_bytes / transfer_tx_bytes trending
    • Endpoint change detection (NAT remap, IP migration)
    • Allowed IPs route monitoring per peer
    • Persistent keepalive interval visibility per peer
    • Interface-level packet stats (`ip -s link`) for kernel-side issues
    • MTU and listen port visibility
    • Wire-compatible with data model
    • 1-minute metric collection intervals out of the box

    What is WireGuard monitoring?

    WireGuard monitoring, explained

    WireGuard monitoring catches dead peers (no recent handshake = silent disconnection), endpoint changes (a peer's public IP moved or a NAT mapping expired), per-peer bandwidth abuse, and interface-level packet errors before they manifest as "my VPN sometimes doesn't work" reports. Because WireGuard is stateless UDP — there's no "connect" or "disconnect" event like OpenVPN — handshake age is the canonical "is this peer alive" signal. For remote-access VPN servers, site-to-site tunnels, Kubernetes pod-to-pod encryption via Cilium, and mesh networks (Tailscale / NetBird), per-peer handshake-age visibility is what separates a 60-second alert on a dropped tunnel from finding peers offline for hours. Xitoring auto-discovers every wg* interface, reads wg show all dump, and routes alerts to Slack, PagerDuty, Telegram, or your existing on-call.

    Metrics

    What we monitor

    Active Peers

    Count of peers with handshake age < 3 minutes (live by WireGuard's standard liveness inference). Compare against total configured peers to spot offline peers.

    Latest Handshake (per peer)

    Unix epoch timestamp of the most recent successful handshake per peer. The single most important WireGuard metric — alert when `now - latest_handshake > 180s` (3 minutes).

    Handshake Age Distribution

    Buckets of peers by handshake age (< 30s, 30s-2min, 2-5min, 5-15min, > 15min). Drift toward higher buckets across the fleet = upstream connectivity issue.

    Transfer RX (per peer)

    `transfer_rx_bytes` per peer (received from peer). Tracks ingress bandwidth use — surfaces bandwidth abuse and asymmetric traffic patterns.

    Transfer TX (per peer)

    `transfer_tx_bytes` per peer (sent to peer). Pair with RX to compute transfer ratio — heavy outbound = peer downloading through tunnel.

    Endpoint per Peer

    Public address:port the peer is currently reachable at. Endpoint changes signal NAT remapping, mobile peer movement, or peer-side IP rotation.

    Allowed IPs

    List of subnets routed to each peer (used both for routing and access control). Unexpected changes flag config drift; missing entries explain mysterious connectivity gaps.

    Persistent Keepalive

    Keepalive interval per peer (default `0` = none; typical NAT-traversal value is `25` seconds). Peers behind NAT without keepalive will appear dead after NAT mapping expires.

    Interface RX / TX Bytes

    Total bytes on the `wg*` interface from `ip -s link`. Aggregate throughput across all peers — for capacity planning.

    Interface Packets / Errors / Dropped

    Kernel-side packet counters. RX errors / drops signal MTU misconfiguration (WireGuard adds 80 bytes overhead — typical MTU 1420 on 1500 link) or kernel buffer overflow.

    Listen Port

    UDP port the WireGuard interface is bound to (default 51820). Surfaced for inventory + change detection.

    Peer Count (total / configured)

    Number of peer entries in the interface config vs number currently alive. Gap = peers configured but never connecting (wrong key, wrong endpoint, firewall block).

    Triggers & Alerts

    Configurable alert triggers

    Set up custom triggers in your dashboard to get notified the moment WireGuard metrics cross your defined thresholds.

    • Handshake Stale (critical): fires when a peer's latest handshake is too old, indicating a silent disconnection.
    • Peer Down (critical): alerts when a configured, expected peer is unreachable.
    • Transfer Rate (warning): triggers on abnormal per-peer transfer patterns.

    Importance of WireGuard Monitoring

    WireGuard's simplicity hides silent failures. Stale handshakes and peer disconnections go unnoticed without monitoring.

    • Detect stale handshakes indicating lost connectivity
    • Monitor peer availability
    • Track transfer rates per peer
    • Ensure tunnel health

    Why Choose Xitoring

    Zero-config WireGuard monitoring.

    • One-command install
    • Global nodes
    • Unified dashboard
    • Multi-channel alerts

    Common WireGuard monitoring scenarios

    Where WireGuard typically runs today — and what could go wrong if no one's watching.

    Modern remote-access VPN for staff

    WireGuard quietly stops talking to a user when their connection dies — there's no error, just silence. We catch the dropped tunnel the moment it happens so IT can fix it before staff are stuck and start calling support.

    Encrypted traffic between Kubernetes servers

    Modern Kubernetes setups encrypt the traffic between servers so internal data stays private. If that encryption quietly stops working between two servers, sensitive data could be flowing unprotected. We catch the moment any link goes dark so the protection stays real.

    Private networks linking offices, users, and devices

    Modern private networks connect dozens or hundreds of users, offices, and devices into one secure mesh. When a single connection silently fails, only a slice of your network is affected — making it hard to spot. We surface the trouble immediately so the right link can be fixed before more users are affected.

    Before you start

    Prerequisites for WireGuard

    Make sure you've got these in place — most installs are a 60-second job once they are.

    • WireGuard kernel module loaded (built-in on Linux kernel 5.6+) — OR wireguard-go userspace implementation
    • wireguard-tools installed (wg, wg-quick available on PATH)
    • Root access — WireGuard interface details require it

    Setup Guide

    Get started in minutes

    1. Install Xitogent on your WireGuard host

    Install the lightweight Xitogent monitoring agent on the host running WireGuard.

    curl -s https://xitoring.com/install.sh | sudo bash -s -- --key=YOUR_API_KEY

    2. Bring up the WireGuard interface

    Activate the tunnel (e.g. `wg-quick up wg0`) and confirm `wg show` returns peer state. Xitogent runs as root, so it can read WireGuard runtime details directly — no extra group setup needed.

    sudo xitogent integrate

    3. Enable the WireGuard integration

    Use the Xitoring dashboard or CLI to enable the WireGuard integration. Xitogent auto-detects every `wg` interface on the host along with its peers.

    4. Configure alert thresholds (optional)

    Set custom thresholds for Handshake Stale, Peer Down, or Transfer Rate anomalies so dark tunnels show up in alerts before users complain.

    5. Verify it's working

    Run this command on the server to confirm Xitogent picked up the integration. Fresh metrics will start streaming to your dashboard within ~30 seconds.

    sudo xitogent status

    Frequently asked questions

    What is WireGuard monitoring?
    WireGuard monitoring is the continuous collection of per-peer VPN state from `wg show all dump` — handshake age (the liveness signal), transfer_rx/tx bytes, endpoint addresses, allowed IPs, persistent keepalive intervals, plus interface-level packet stats — combined with alerting on stale handshakes, missing peers, and abnormal transfer patterns. Because WireGuard is stateless UDP, handshake age is the only way to know a peer is alive.
    How do I monitor WireGuard handshake age?
    `wg show all dump` returns per-peer `latest_handshake` as a Unix epoch timestamp. Compare to `now`: if `now - latest_handshake > 180` seconds (3 minutes), the peer hasn't successfully re-keyed in over a re-key window and is presumed dead. WireGuard re-keys every 120 seconds by default — 180 seconds gives one missed re-key tolerance. Xitogent computes this per peer automatically and alerts on staleness.
    How do I detect WireGuard peer disconnections?
    WireGuard has no `disconnect` event (stateless UDP). The detection is: configured peer + no recent handshake = disconnected. Track each peer's `latest_handshake` over time — when it stops advancing, the peer is offline. For NAT-traversal scenarios where peers lose connectivity when their NAT mapping expires, configure `PersistentKeepalive = 25` to keep handshakes flowing.
    How do I check WireGuard transfer bytes per peer?
    `wg show all dump` includes `transfer_rx_bytes` and `transfer_tx_bytes` per peer (cumulative since the interface was brought up). Compute per-minute rate from sequential samples. Useful for bandwidth-abuse detection and asymmetric-traffic analysis. Xitogent surfaces both totals and rates per peer.
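    The collection logic described in the Metrics section and in the three answers above, as an added example that is not part of the original page and not Xitogent's code: it parses the tab-separated `wg show all dump` format, applies the 180-second staleness threshold, builds the handshake-age buckets, counts active versus configured peers, flags endpoint changes between two samples, and derives per-peer transfer rates from the cumulative counters. The two sample dumps, the peer keys and the addresses are constructed placeholders, not real peers.

```python
"""Parse `wg show all dump` and derive the signals described above: handshake age
with the 180 s staleness alert, active-vs-configured peer count, handshake-age
buckets, endpoint changes, and per-peer transfer rates from two samples."""
from typing import Dict, Optional, Tuple

STALE_AFTER = 180  # seconds: the 120 s default re-key window plus one missed re-key
# Handshake-age buckets from the metrics section: (exclusive upper bound, label)
AGE_BUCKETS = [(30, "<30s"), (120, "30s-2min"), (300, "2-5min"),
               (900, "5-15min"), (float("inf"), ">15min")]


def parse_wg_dump(text: str) -> Dict[str, dict]:
    """Parse the tab-separated `wg show all dump` format. With `all`, wg prefixes
    every line with the interface name: an interface line has 5 fields (name,
    private key, public key, listen port, fwmark) and a peer line 9 (name, public
    key, preshared key, endpoint, allowed IPs, latest handshake, rx bytes, tx
    bytes, persistent keepalive). Returns {iface: {"listen_port", "peers"}}
    with peers keyed by public key."""
    ifaces: Dict[str, dict] = {}
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) == 5:
            ifaces[f[0]] = {"listen_port": int(f[3]), "peers": {}}
        elif len(f) == 9:
            ifaces.setdefault(f[0], {"listen_port": 0, "peers": {}})["peers"][f[1]] = {
                "endpoint": None if f[3] == "(none)" else f[3],
                "allowed_ips": [] if f[4] == "(none)" else f[4].split(","),
                "latest_handshake": int(f[5]),   # Unix epoch; 0 = never handshaken
                "rx_bytes": int(f[6]),           # cumulative, received from the peer
                "tx_bytes": int(f[7]),           # cumulative, sent to the peer
                "keepalive": 0 if f[8] == "off" else int(f[8]),
            }
        elif line.strip():
            raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return ifaces


def handshake_age(peer: dict, now: int) -> Optional[int]:
    """Seconds since the last successful handshake; None if there never was one."""
    return None if peer["latest_handshake"] == 0 else now - peer["latest_handshake"]


def age_bucket(age: Optional[int]) -> str:
    if age is None:
        return "never"
    return next(label for bound, label in AGE_BUCKETS if age < bound)


def evaluate(ifaces: Dict[str, dict], now: int, stale_after: int = STALE_AFTER) -> Dict[str, dict]:
    """Per interface: active vs configured peers, the age histogram, and the
    alerts the Handshake Stale / Peer Down triggers would fire."""
    report = {}
    for name, iface in ifaces.items():
        buckets: Dict[str, int] = {}
        alerts, active = [], 0
        for key, p in iface["peers"].items():
            age = handshake_age(p, now)
            buckets[age_bucket(age)] = buckets.get(age_bucket(age), 0) + 1
            if age is None:          # configured but never connected: key, endpoint or firewall
                alerts.append((key, "peer_never_connected"))
            elif age > stale_after:  # silent disconnection: no re-key in > 180 s
                alerts.append((key, "handshake_stale"))
            else:
                active += 1
        report[name] = {"active": active, "configured": len(iface["peers"]),
                        "buckets": buckets, "alerts": alerts}
    return report


def transfer_rates(prev: dict, cur: dict, elapsed: float) -> Dict[str, Tuple[float, float]]:
    """(rx, tx) bytes/second per peer between two dumps of one interface. Counters
    restart at zero when the interface is re-created, so a negative delta counts as 0."""
    return {key: (max(p["rx_bytes"] - prev["peers"][key]["rx_bytes"], 0) / elapsed,
                  max(p["tx_bytes"] - prev["peers"][key]["tx_bytes"], 0) / elapsed)
            for key, p in cur["peers"].items() if key in prev["peers"]}


def endpoint_changes(prev: dict, cur: dict) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Peers whose endpoint moved between samples (NAT remap, mobile peer, IP rotation)."""
    return {key: (prev["peers"][key]["endpoint"], p["endpoint"])
            for key, p in cur["peers"].items()
            if key in prev["peers"] and prev["peers"][key]["endpoint"] != p["endpoint"]}


# Constructed sample dumps 60 s apart (keys and addresses are placeholders, not
# real peers). Peer A is healthy but its NAT mapping moved; peer B last
# handshaken 400 s before the first sample; peer C is configured but never connected.
T0 = 1_700_000_000
T1 = T0 + 60
DUMP_T0 = "\n".join("\t".join(r) for r in [
    ["wg0", "PRIVATE_KEY_REDACTED", "SERVER_PUBKEY", "51820", "off"],
    ["wg0", "PEER_A_PUBKEY", "(none)", "203.0.113.10:41820", "10.8.0.2/32", str(T0 - 20), "1000000", "5000000", "25"],
    ["wg0", "PEER_B_PUBKEY", "(none)", "198.51.100.7:51820", "10.8.0.3/32", str(T0 - 400), "200", "300", "off"],
    ["wg0", "PEER_C_PUBKEY", "(none)", "(none)", "10.8.0.4/32", "0", "0", "0", "off"],
])
DUMP_T1 = (DUMP_T0.replace("203.0.113.10:41820", "203.0.113.10:41999")
                  .replace(f"{T0 - 20}\t1000000\t5000000", f"{T1 - 10}\t7000000\t65000000"))

if __name__ == "__main__":
    # Live use: dump = subprocess.check_output(["wg", "show", "all", "dump"], text=True)
    prev, cur = parse_wg_dump(DUMP_T0), parse_wg_dump(DUMP_T1)
    print(evaluate(cur, T1))
    print(transfer_rates(prev["wg0"], cur["wg0"], T1 - T0))
    print(endpoint_changes(prev["wg0"], cur["wg0"]))
```

    Running it as root against a live host only requires swapping the constructed dump for the output of `wg show all dump` (the `subprocess` call in the comment). The transfer counters are cumulative since the interface came up, which is why the rate function takes two samples and treats a counter that went backwards as an interface restart rather than as negative traffic.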
    How do I monitor WireGuard with Prometheus / Grafana?
    MindFlavor's exporter is the canonical Prometheus exporter for WireGuard: it runs `wg show` and exposes per-peer metrics on `/metrics`. Pair it with prebuilt Grafana dashboards. Xitogent reads `wg show` directly without an exporter; pick whichever fits your stack.
    WireGuard vs OpenVPN monitoring — what's different?
    OpenVPN is stateful TCP-style — explicit connect/disconnect events, per-session bandwidth + duration, easy to track. WireGuard is stateless UDP — no "connect" event, no session concept; "is the peer alive" is inferred from handshake age. OpenVPN has rich per-user PKI + RADIUS for enterprise; WireGuard uses simpler PublicKey/PrivateKey pairs without RADIUS chains. Both are valid in 2026 — use the right integration for the right protocol.
    What MTU should I use with WireGuard?
    WireGuard adds 80 bytes of overhead to every packet. On a standard 1500-byte Ethernet link, set WireGuard MTU to 1420 (1500 - 80). On VXLAN, GRE, or another encapsulated link, subtract additional overhead. Wrong MTU causes large packets to fragment or be dropped — visible as RX errors on the interface and "sometimes my SSH freezes" reports.
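    The interface-level check from the Metrics section (interface bytes, packets, errors and drops) together with the MTU rule in this answer, as an added example that is not code from the original page or from Xitogent: it parses the counter block of `ip -s link show dev wg0`, reads the MTU from the first line, and reports an MTU above the underlay-minus-overhead value or any non-zero error or drop counter. The sample output is constructed; the 80-byte overhead figure and the 1420 value are the ones this page gives.

```python
"""Parse `ip -s link show dev <wg-iface>` and check the two interface-level signals
discussed above: RX/TX byte, packet, error and drop counters, and whether the
MTU matches the underlying link minus WireGuard's per-packet overhead."""
import re
from typing import Any, Dict, List

WG_OVERHEAD = 80  # bytes per packet, the figure this page uses (1500 - 80 = 1420)


def parse_ip_s_link(text: str) -> Dict[str, Any]:
    """Return {"mtu": int|None, "rx": {counter: int}, "tx": {counter: int}}.
    Counter names are taken from the "RX:"/"TX:" header lines, so the parser does
    not care whether iproute2 labels the fifth column "overrun" or "missed"."""
    stats: Dict[str, Any] = {"mtu": None, "rx": {}, "tx": {}}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines:
        m = re.search(r"\bmtu (\d+)\b", lines[0])   # "5: wg0: <...> mtu 1420 qdisc ..."
        stats["mtu"] = int(m.group(1)) if m else None
    for i, line in enumerate(lines):
        if line.startswith(("RX:", "TX:")):
            names = line[3:].split()                 # bytes packets errors dropped ...
            values = lines[i + 1].split()            # the numbers on the next line
            stats[line[:2].lower()] = {n: int(v) for n, v in zip(names, values)}
    return stats


def expected_mtu(link_mtu: int, extra_overhead: int = 0) -> int:
    """MTU the wg interface should use: underlay MTU minus WireGuard's overhead and
    any further encapsulation (VXLAN, GRE) beneath it."""
    return link_mtu - WG_OVERHEAD - extra_overhead


def interface_findings(stats: Dict[str, Any], link_mtu: int = 1500,
                       extra_overhead: int = 0) -> List[str]:
    """Conditions worth alerting on: an MTU above the safe value, and non-zero
    RX/TX errors or drops (the kernel-side symptoms of MTU trouble or buffer overflow)."""
    findings = []
    want = expected_mtu(link_mtu, extra_overhead)
    mtu = stats["mtu"]
    if mtu is not None and mtu > want:
        findings.append(f"mtu {mtu} exceeds {want} for a {link_mtu}-byte underlay")
    for direction in ("rx", "tx"):
        for counter in ("errors", "dropped"):
            value = stats[direction].get(counter, 0)
            if value:
                findings.append(f"{direction} {counter}={value}")
    return findings


# Constructed sample (not captured from a real host): the interface was brought
# up with the underlay MTU of 1500 instead of 1420, and RX drops have started.
SAMPLE = """\
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
    RX:  bytes packets errors dropped  missed   mcast
    83920143  61204      0     412       0       0
    TX:  bytes packets errors dropped carrier collsns
    41267090  39881      0       0       0       0
"""

if __name__ == "__main__":
    # Live use: text = subprocess.check_output(["ip", "-s", "link", "show", "dev", "wg0"], text=True)
    stats = parse_ip_s_link(SAMPLE)
    print(stats)
    print(interface_findings(stats))
```

    The column names are read from the `RX:` and `TX:` header lines rather than hard-coded, so the parser tolerates the `overrun` versus `missed` naming that differs between iproute2 versions. Pass `extra_overhead` for a VXLAN or GRE underlay, as the answer above describes, and the expected MTU drops accordingly.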
    Does this work with Tailscale, NetBird, or Cilium WireGuard?
    Yes — all of them use the same underlying `wg*` interface, so `wg show` works identically. For Tailscale, monitor both `tailscale status` (for the coordination plane: ACLs, MagicDNS, auth state) AND the underlying `wg0` interface (for the actual encrypted tunnels). Same for Headscale, NetBird, Netmaker. Cilium WireGuard mode exposes per-node peers — monitor across the cluster.
    Does Xitogent support userspace WireGuard?
    Yes. Both kernel WireGuard (Linux 5.6+ in-tree) and `wireguard-go` userspace are supported — both expose the same `wg show` interface. Userspace is slower (~15% throughput penalty) but works on platforms without the kernel module (older Linux kernels, BSD, macOS, Windows). For Windows, the WireGuard for Windows app uses a kernel-mode driver — Xitogent's Windows agent reads via the equivalent IOCTL surface.

    Start monitoring WireGuard today

    Set up in under 60 seconds. No credit card required. Full metrics from day one.
