16

I've successfully set up a WireGuard VPN on my Debian 10 server. It was incredibly straightforward compared to the setup of OpenVPN, and it's working fine.

However, I can't see any logs beyond those from `journalctl -u wg-quick@wg0.service`. I'd like to know, for example, when there are failed authentication attempts. Is there a way to monitor that? For example, with OpenVPN I could use fail2ban based on auth attempts.

artfulrobot

2 Answers

24

Assuming you are running a 5.6 kernel which supports dynamic debugging, you can enable debug logs by executing:

# modprobe wireguard 
# echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

The logs can then be consumed via dmesg or journalctl. With dmesg, just use the following command:

$ dmesg -wH

(-H, --human enables user-friendly features like colors, relative time)

(-w, --follow)

Also on systems with systemd you can use:

$ journalctl -kf
Andrew Schulman
Henrik Pingel
  • Alas I'm on Debian buster 4.19 kernel. Thanks though. – artfulrobot Jun 07 '20 at 13:50
  • @artfulrobot The newer kernel version could be installed easily via the buster-backports channel if you don't mind a reboot. – Arnie97 Aug 06 '20 at 07:04
  • How do you reverse the `+p` thing once I'm done? I'm trying to debug a WireGuard client issue, how do I point `journalctl` to consume the appropriate log? – Oxwivi Mar 08 '21 at 07:53
  • For CONFIG_DYNAMIC_DEBUG kernels, any settings given at boot-time (or enabled by -DDEBUG flag during compilation) can be disabled later via the sysfs interface if the debug messages are no longer needed: `echo "module module_name -p" > <debugfs>/dynamic_debug/control`. You can read the docs [here](https://www.kernel.org/doc/html/v4.11/admin-guide/dynamic-debug-howto.html) – Henrik Pingel Mar 08 '21 at 10:01
  • Worth mentioning that in minimal setups or containers you may need to enable the `debugfs` via `sudo mount -t debugfs none /sys/kernel/debug/` – Treviño Dec 03 '21 at 13:27
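
A fail2ban-style check over the debug output this answer enables, as an added example that is not part of the original answer or of WireGuard itself: it counts rejected handshakes per source address. The function names, the default threshold and the sample lines are assumptions; the sample lines are constructed, modelled on the module's debug messages.

```shell
#!/bin/sh
# Added example (not from the original answer): count rejected WireGuard
# handshakes per source address in kernel debug output.

# Constructed sample lines in dmesg layout (addresses are documentation ranges).
sample_wg_debug_log() {
    cat <<'EOF'
[  101.000001] wireguard: wg0: Invalid handshake initiation from 203.0.113.7:51820
[  101.500000] wireguard: wg0: Invalid handshake initiation from 203.0.113.7:40112
[  102.000000] wireguard: wg0: Invalid MAC of handshake, dropping packet from 203.0.113.7:40112
[  103.000000] wireguard: wg0: Receiving handshake initiation from peer 1 (198.51.100.4:51820)
[  104.000000] wireguard: wg0: Invalid handshake initiation from [2001:db8::5]:40000/0%0
[  105.000000] wireguard: wg0: Invalid handshake response from 198.51.100.9:51820
[  106.000000] wireguard: wg0: Keypair 3 created for peer 1
EOF
}

# Reads kernel log lines on stdin and prints "<count> <source>" for every
# source with at least $1 rejected handshakes (default 3), busiest first.
# The module rate-limits these messages, so counts are a lower bound.
wg_failed_handshakes() {
    threshold="${1:-3}"   # assumed default, tune to your environment
    awk -v min="$threshold" '
        /wireguard: / && /Invalid (handshake (initiation|response)|MAC of handshake)/ {
            src = $NF                          # "addr:port" or "[v6addr]:port/flow%scope"
            if (src ~ /^\[/) {                 # IPv6: keep what is inside the brackets
                sub(/^\[/, "", src)
                sub(/\].*$/, "", src)
            } else {
                sub(/:[0-9]+$/, "", src)       # IPv4: drop the per-attempt source port
            }
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= min)
                    printf "%d %s\n", count[s], s
        }
    ' | sort -k1,1nr -k2,2
}

# Live use on the server from the answer:  journalctl -k -o cat | wg_failed_handshakes 5
```

Successful handshakes ("Receiving handshake initiation from peer ...") are deliberately not counted, so a roaming legitimate peer does not show up in the output.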
0

My version of logging users: a script in crontab every 3 minutes. If inactivity is less than 180 seconds, nothing doing, else appending to a log file.

wg show all dump | grep -F '10.0' | awk '{ if (systime() - $6 < 180) print strftime("%m-%d-%Y %H:%M:%S", systime()), $5, $4, (systime() - $6) "sec" }' >> /var/log/wg.log

Note: Searching for 10.0 in the output, because that is what IP addresses in my private network start with.

Geert Smelt