wireguard_exporter
Command wireguard_exporter
implements a Prometheus exporter for WireGuard
devices. MIT Licensed.
Usage
Use the -h
flag to see full usage:
$ wireguard_exporter -h
Usage of wireguard_exporter:
-metrics.addr string
address for WireGuard exporter (default ":9586")
-metrics.path string
URL path for surfacing collected metrics (default "/metrics")
-wireguard.peer-file string
optional: path to TOML friendly peer names mapping file; takes priority over -wireguard.peer-names
-wireguard.peer-names string
optional: comma-separated list of colon-separated public keys and friendly peer names, such as: "keyA:foo,keyB:bar"
For simple deployments, specifying peer name mappings on the command line may be sufficient:
$ wireguard_exporter -wireguard.peer-names VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8=:foo
For larger deployments, you can also specify a TOML file of friendly peer name mappings, which will supersede any command line flag mappings.
[[peer]]
public_key = "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="
name = "foo"
[[peer]]
public_key = "UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="
name = "bar"
$ wireguard_exporter -wireguard.peer-file /etc/wireguard/peers.toml
Example
This exporter exposes metrics about each configured WireGuard device and its peers, using any device implementation supported by wgctrl-go.
$ curl -s http://localhost:9586/metrics | grep wireguard
# HELP wireguard_device_info Metadata about a device.
# TYPE wireguard_device_info gauge
wireguard_device_info{device="wg0",public_key="QwAmAD1v4wMIX/0gKJbr9hv1o3YX0YTk7Mdj0L4dylI="} 1
# HELP wireguard_peer_allowed_ips_info Metadata about each of a peer's allowed IP subnets for a given device.
# TYPE wireguard_peer_allowed_ips_info gauge
wireguard_peer_allowed_ips_info{allowed_ips="192.168.20.0/24",device="wg0",family="IPv4",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 1
wireguard_peer_allowed_ips_info{allowed_ips="fd9e:1a04:f01d:20::/64",device="wg0",family="IPv6",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 1
# HELP wireguard_peer_info Metadata about a peer. The public_key label on peer metrics refers to the peer's public key; not the device's public key.
# TYPE wireguard_peer_info gauge
wireguard_peer_info{device="wg0",endpoint="",name="foo",public_key="VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="} 1
wireguard_peer_info{device="wg0",endpoint="[fd9e:1a04:f01d:20:e5c2:7b69:90d8:ca45]:49203",name="bar",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 1
# HELP wireguard_peer_last_handshake_seconds UNIX timestamp for the last handshake with a given peer.
# TYPE wireguard_peer_last_handshake_seconds gauge
wireguard_peer_last_handshake_seconds{device="wg0",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 1.588274629e+09
wireguard_peer_last_handshake_seconds{device="wg0",public_key="VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="} 0
# HELP wireguard_peer_receive_bytes_total Number of bytes received from a given peer.
# TYPE wireguard_peer_receive_bytes_total counter
wireguard_peer_receive_bytes_total{device="wg0",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 76728
wireguard_peer_receive_bytes_total{device="wg0",public_key="VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="} 0
# HELP wireguard_peer_transmit_bytes_total Number of bytes transmitted to a given peer.
# TYPE wireguard_peer_transmit_bytes_total counter
wireguard_peer_transmit_bytes_total{device="wg0",public_key="UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="} 76200
wireguard_peer_transmit_bytes_total{device="wg0",public_key="VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="} 0
Sample queries
Get the receive and transmit rates and last handshake of individual peers, and enable querying on both the WireGuard device name and the peer's friendly name:
irate(wireguard_peer_receive_bytes_total[5m]) * on (public_key, device) group_left(name) wireguard_peer_info * on (instance) group_left(device) wireguard_device_info
irate(wireguard_peer_transmit_bytes_total[5m]) * on (public_key, device) group_left(name) wireguard_peer_info * on (instance) group_left(device) wireguard_device_info
time()-(wireguard_peer_last_handshake_seconds * on (public_key, device) group_left(name) wireguard_peer_info * on (instance) group_left(device) wireguard_device_info)
Grafana Dashboard
You can view your data using this Grafana Dashboard using Prometheus as source.
Build Binary
cd cmd/wireguard_exporter/
go build .
mv wireguard_exporter /usr/local/bin/
Add service file for systemd
[Unit]
Description=Prometheus WireGuard Exporter
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/wireguard_exporter
[Install]
WantedBy=multi-user.target
Load new service and enable autostart:
systemctl daemon-reload
systemctl enable wireguard-exporter.service
Add scraping config to prometheus
In /etc/prometheus/prometheus.yml
add following config to the section scrape_configs:
:
- job_name: wireguard
static_configs:
- targets: ['localhost:9586']