I've successfully set up a WireGuard VPN on my Debian 10 server. It was incredibly straight forward compared to the setup of OpenVPN, and it's working fine.
However, I can't see any logs beyond those from journalctl -u wg-quick@wg0.service. I'd like to know, for example, when there are failed authentication attempts. Is there a way to monitor that? e.g. with openvpn I could use fail2ban based on auth attempts.
Assuming you are running a kernel which supports dynamic debugging, you can enable debug logs by executing:
# modprobe wireguard
# echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
The logs can than be consumed via dmesg or journalctl. With dmesg, just use following command:
$ dmesg -wH
(-H, --human enables user-friendly features like colors, relative time)
(-w, --follow)
Also on systems with systemd you can use:
$ journalctl -kf
My version of logging users, script in crontab every 3 minutes. If inactivity less then 180 seconds, nothing doing, else appending to a log file.
wg show all dump | grep 10.0 | awk 'BEGIN {}; {if (systime()-$6 <180 ) print strftime("%m-%d-%Y %H:%M:%S", systime()),$5, $4, (systime()-$6) "sec" } ; END {}' >> /var/log/wg.log
Note: Searching for 10.0 in the output, because that is what IP addresses in my private network start with.
To automatically activate wireguard's dynamic debug logging directly at boot, have the wireguard kernel module
# automatically modprobe wireguard during boot:
echo "wireguard" | sudo tee /etc/modules-load.d/wireguard.conf
automatically activate dynamic_debug for wireguard during boot:
echo "options wireguard dyndbg=+p" | sudo tee /etc/modprobe.d/wireguard.conf
(Reference: Debug Messages at Module Initialization Time from kernel.org documentation)
The wireguard-specific log entries can then be followed/monitored with any of the following commands:
sudo journalctl -x -f -g wireguard*
sudo dmesg -wH --color=always | grep -i wireguard
