Overview
WireGuard is a modern, high-performance VPN protocol known for its simplicity and speed. Monitoring WireGuard ensures your tunnels remain active, peers stay connected, and traffic flows securely.
Prerequisites
- A Linux server running WireGuard
- Xitogent agent installed on the server
- An active Xitoring account
Step 1 — Install Xitogent
Install the Xitoring agent:
curl -s https://xitoring.com/install.sh | sudo bash -s -- --key=YOUR_API_KEY
Step 2 — Enable the WireGuard Integration
Run the integration command and select WireGuard:
sudo xitogent integrate
Select WireGuard from the available integrations. Xitogent will detect your WireGuard interfaces and start collecting metrics.
Key Metrics to Monitor
| Metric | Description |
|---|---|
| Peer Count | Number of active WireGuard peers |
| Latest Handshake | Time since last successful handshake per peer |
| Transfer (Rx/Tx) | Bytes received and transmitted per peer |
| Interface Status | Whether WireGuard interfaces are up |
| Endpoint Reachability | Connectivity status of peer endpoints |
Step 3 — Configure Triggers
Set up alerts for critical WireGuard events:
- Stale Handshakes — Alert when a peer's last handshake exceeds a threshold (e.g., > 5 minutes), indicating a broken tunnel
- Transfer Rate Drop — Detect when a peer stops sending or receiving traffic
- Interface Down — Immediate alert if a WireGuard interface goes offline
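The stale-handshake and zero-transfer conditions above can be cross-checked by hand against `wg show all dump`. This is an added example, not Xitogent's own code; the function name, the threshold constant and the sample dump (placeholder keys, documentation IPs) are assumptions constructed for illustration.

```python
import subprocess
import sys
import time

STALE_AFTER = 300  # seconds: the "> 5 minutes" example threshold from the trigger list

# Constructed sample of `wg show all dump` output (tab-separated, placeholder keys).
# The first line is the interface line; on a real host it carries the private key,
# so raw dump output should never be written to logs or tickets.
SAMPLE_DUMP = "\n".join([
    "wg0\tPRIVATE_KEY_PLACEHOLDER\tSERVER_PUBKEY\t51820\toff",
    "wg0\tPEER_A\t(none)\t198.51.100.10:51820\t10.0.0.2/32\t1700000900\t4096\t8192\t25",
    "wg0\tPEER_B\t(none)\t198.51.100.11:51820\t10.0.0.3/32\t1700000000\t1024\t2048\toff",
    "wg0\tPEER_C\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])


def check_peers(dump, now, stale_after=STALE_AFTER):
    """Return (interface, peer, problem) tuples for peers that should raise an alert."""
    findings = []
    for line in dump.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:  # with `all`: interface lines have 5 fields, peer lines 9
            continue
        iface, peer, _psk, _endpoint, _ips, handshake, rx, tx, _keepalive = fields
        age = now - int(handshake)
        if int(handshake) == 0:  # 0 means the peer has never completed a handshake
            findings.append((iface, peer, "no handshake yet"))
        elif age > stale_after:
            findings.append((iface, peer, f"stale handshake ({age}s)"))
        if int(rx) == 0 and int(tx) == 0:
            findings.append((iface, peer, "zero transfer"))
    return findings


if __name__ == "__main__":
    # Needs root, like `wg show`; a failure to run the command is itself worth alerting on.
    out = subprocess.run(["wg", "show", "all", "dump"],
                         capture_output=True, text=True, check=True).stdout
    problems = check_peers(out, int(time.time()))
    for iface, peer, problem in problems:
        print(f"{iface} {peer}: {problem}")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any peer is flagged, so it can be run from cron or another scheduler as an independent check.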
Monitoring Strategy
WireGuard's simplicity means monitoring requires a layered approach:
- Xitogent Integration — Monitors WireGuard process and peer-level metrics directly
- Uptime Checks — Create ICMP ping checks to internal IPs reachable only through the tunnel to verify end-to-end connectivity
- Server Monitoring — Track CPU, memory, and network I/O on the WireGuard host
Best Practices
- Monitor handshake freshness — WireGuard peers must handshake at least every 2 minutes to maintain connectivity
- Track per-peer transfer rates — Identify which tunnels are active versus stale
- Use internal ping checks — The best way to confirm a tunnel is truly functional is to ping a resource behind it
- Combine with Netstat — Enable Netstat integration for full visibility into network connections and listening ports
Troubleshooting
- No handshake data: Ensure `wg show` returns interface data when run as root
- Peer shows 0 transfer: The peer may not have initiated traffic; check endpoint configuration
- Interface missing: Verify WireGuard is running with `systemctl status wg-quick@wg0`