A Prometheus exporter for WireGuard

Overview

wireguard_exporter

Rust Version crates.io Dependency Status

An asynchronous Prometheus exporter for wireguard

wireguard_exporter runs wg show [..] and scrapes the output to build Prometheus metrics. Because wg requires root privileges, this tool must be run as root (or via sudo) or with the following capabilities in both the ambient and bounding set:

  • CAP_DAC_READ_SEARCH
  • CAP_NET_ADMIN
  • CAP_NET_RAW

Metrics Provided

  • Total number of bytes transferred in/out per peer
  • Total number of bytes transferred in/out per interface
  • Time since last handshake per peer
  • Scrape duration in milliseconds
  • Scrape success

Installation

wireguard_exporter is a single binary that must be placed somewhere in your $PATH. One can either download 64-bit Linux binaries from the Release Page or one can also compile from source.

Compile from Source

Ensure you have a Rust toolchain installed. Some of the dependencies also require gcc to be installed.

$ git clone https://github.com/kbknapp/wireguard_exporter
$ cd wireguard_exporter
$ cargo build --release
$ sudo cp target/release/wireguard_exporter /usr/local/bin/

Usage

Command Line Interface

USAGE:
    wireguard_exporter [OPTIONS]

OPTIONS:
    -a, --alias <ALIAS>...           Add an alias for a given public key in the form of
                                     'pubkey:alias' (separate multiple with commas)
        --collect-interval <SECS>    How often metrics are gathered [default: 5]
    -h, --help                       Print help information
    -l, --listen-address <ADDR>      The listen address scraping metrics [default: 0.0.0.0]
    -p, --listen-port <PORT>         The listen port for scraping metrics [default: 9586]
    -q, --quiet                      Supress output at a level or lower. -q: INFO, -qq: WARN, -qqq:
                                     ERROR (i.e. everything)
    -v, --verbose                    Show verbose output at a level or higher. -v:  DEBUG, -vv:
                                     TRACE
    -V, --version                    Print version information

To run with the default options, and the binary is installed somewhere in your $PATH:

$ sudo wireguard_exporter

Prometheus Configuration

You can add the following scrape configs to Prometheus:

scrape_configs:
  - job_name: 'wireguard'
    static_configs:
    - targets:
      - 'localhost:9586'
      - 'other_host:9586'

    relabel_configs:
    - source_labels: [ '__address__' ]
      regex: '(.*):\d+'
      target_label: instance

Example Metrics

# HELP wireguard_bytes_total Total number of bytes per direction per interface
# TYPE wireguard_bytes_total counter
wireguard_bytes_total{direction="rx",interface="custom"} 19576636452
wireguard_bytes_total{direction="rx",interface="wg0"} 1091996152
wireguard_bytes_total{direction="tx",interface="custom"} 3919310388
wireguard_bytes_total{direction="tx",interface="wg0"} 2393043528
# HELP wireguard_duration_since_latest_handshake During since latest handshake for a peer
# TYPE wireguard_duration_since_latest_handshake gauge
wireguard_duration_since_latest_handshake{interface="custom",peer="q2JWEKWfLPU5UjG2Sq31xx2GsSjdhKNtdT/X/tFVyjs=",alias="kevin"} 51405
wireguard_duration_since_latest_handshake{interface="custom",peer="2ELWFmGnqhtRpu4r2PUKc0cw+ELtuMPLd6l0KsoCUBQ=",alias="jane"} 88405
wireguard_duration_since_latest_handshake{interface="custom",peer="duVVziZbyIiIPoRprisE69K0By198Cn8dPwY5bFecEk=",alias="robert"} 116405
wireguard_duration_since_latest_handshake{interface="custom",peer="nwj+Zw49AbYrzUAPzeRf8hhll/1dz8SjoOYZuB+JdT4="} 15296341405
wireguard_duration_since_latest_handshake{interface="custom",peer="QF01u5CZhH9+CWcVY9pbsuTu3QsTcSqFvni3VfOiL2s="} 34405
wireguard_duration_since_latest_handshake{interface="custom",peer="N5UQp3XbysLBAavUm1Cpv7xxjk99LwJD99z5//PsyCc="} 95405
wireguard_duration_since_latest_handshake{interface="custom",peer="QlgHHfYP3aMlRG7d6/Zp9IhUOLrpT5G2GIdODODaUHQ="} 10690033405
wireguard_duration_since_latest_handshake{interface="custom",peer="FtUeMGdNxgkVN0G9lpvOc5jtAQQ1m9DpvZPDCUdKBx0="} 96405
wireguard_duration_since_latest_handshake{interface="wg0",peer="bRQZOyOZUvHMhBvCWq2sXO0VsRu6Aq5LCACi/R3AJk8="} 42405
# HELP wireguard_interfaces_total Total number of interfaces
# TYPE wireguard_interfaces_total gauge
wireguard_interfaces_total 2
# HELP wireguard_peer_bytes_total Total number of bytes per direction for a peer
# TYPE wireguard_peer_bytes_total counter
wireguard_peer_bytes_total{direction="rx",interface="custom",peer=q2JWEKWfLPU5UjG2Sq31xx2GsSjdhKNtdT/X/tFVyjs="",alias="kevin"} 0
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="2ELWFmGnqhtRpu4r2PUKc0cw+ELtuMPLd6l0KsoCUBQ=",alias="jane"} 1240506784
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="duVVziZbyIiIPoRprisE69K0By198Cn8dPwY5bFecEk=",alias="robert"} 1312403276
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="nwj+Zw49AbYrzUAPzeRf8hhll/1dz8SjoOYZuB+JdT4="} 11962543712
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="QF01u5CZhH9+CWcVY9pbsuTu3QsTcSqFvni3VfOiL2s="} 0
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="N5UQp3XbysLBAavUm1Cpv7xxjk99LwJD99z5//PsyCc="} 0
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="QlgHHfYP3aMlRG7d6/Zp9IhUOLrpT5G2GIdODODaUHQ="} 353261276
wireguard_peer_bytes_total{direction="rx",interface="custom",peer="FtUeMGdNxgkVN0G9lpvOc5jtAQQ1m9DpvZPDCUdKBx0="} 2150081456
wireguard_peer_bytes_total{direction="rx",interface="wg0",peer=""} 1091996152
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="q2JWEKWfLPU5UjG2Sq31xx2GsSjdhKNtdT/X/tFVyjs=",alias="kevin"} 0
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="2ELWFmGnqhtRpu4r2PUKc0cw+ELtuMPLd6l0KsoCUBQ=",alias="jane"} 708900060
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="duVVziZbyIiIPoRprisE69K0By198Cn8dPwY5bFecEk=",alias="robert"} 714718444
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="nwj+Zw49AbYrzUAPzeRf8hhll/1dz8SjoOYZuB+JdT4="} 1171658320
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="QF01u5CZhH9+CWcVY9pbsuTu3QsTcSqFvni3VfOiL2s="} 0
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="N5UQp3XbysLBAavUm1Cpv7xxjk99LwJD99z5//PsyCc="} 0
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="QlgHHfYP3aMlRG7d6/Zp9IhUOLrpT5G2GIdODODaUHQ="} 88648
wireguard_peer_bytes_total{direction="tx",interface="custom",peer="FtUeMGdNxgkVN0G9lpvOc5jtAQQ1m9DpvZPDCUdKBx0="} 480852300
wireguard_peer_bytes_total{direction="tx",interface="wg0",peer="bRQZOyOZUvHMhBvCWq2sXO0VsRu6Aq5LCACi/R3AJk8="} 2393043528
# HELP wireguard_peers_total Total number of peers per interfaces
# TYPE wireguard_peers_total gauge
wireguard_peers_total{interface="custom"} 7
wireguard_peers_total{interface="wg0"} 1
# HELP wireguard_scrape_duration_milliseconds Duration in milliseconds of the scrape
# TYPE wireguard_scrape_duration_milliseconds gauge
wireguard_scrape_duration_milliseconds 1
# HELP wireguard_scrape_success If the scrape was a success
# TYPE wireguard_scrape_success gauge
wireguard_scrape_success 1

License

This crate is licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

You might also like...
WireGuard gateway with SNI for portable connectivity.

Gateway This is a daemon that controls gateway servers. Gateway servers are servers that fulfil three major purposes: facilitating connectivity betwee

Rosenpass is a formally verified, post-quantum secure VPN that uses WireGuard to transport the actual data.

Rosenpass README This repository contains A description of the Rosenpass protocol The reference implementation of the protocol – the rosenpass tool A

User-space Wireguard gateway allowing sharing network connection from environment where usual routing rules are inaccessible.

wgslirpy A command line tool (and a Rust library) for accepting incoming connections within a Wireguard link and routing them to external network usin

A Prometheus Aggregation Gateway for FAAS applications

Gravel Gateway Gravel Gateway is a Prometheus Push Gateway for FAAS applications. In particular it allows aggregation to be controlled by the incoming

A Prometheus Aggregation Gateway for FAAS applications

Gravel Gateway Gravel Gateway is a Prometheus Push Gateway for FAAS applications. In particular it allows aggregation to be controlled by the incoming

Export statistics of Mosquitto MQTT broker (topic: $SYS) to Prometheus

Preface The Mosquitto MQTT broker provides a number of statistics on the special $SYS/# topic (see mosquitto(8)). Build requirements As a Rust program

Prometheus instrumentation service for the NGINX RTMP module.

nginx-rtmp-exporter Prometheus instrumentation service for the NGINX RTMP module. Usage nginx-rtmp-exporter [OPTIONS] --scrape-url SCRAPE_URL O

⏱ Cross-platform Prometheus style process metrics collector of metrics crate

⏱ metrics-process This crate provides Prometheus style process metrics collector of metrics crate for Linux, macOS, and Windows. Collector code is man

`prometheus` backend for `metrics` crate
`prometheus` backend for `metrics` crate

metrics + prometheus = ❤️ API Docs | Changelog prometheus backend for metrics crate. Motivation Rust has at least two ecosystems regarding metrics col

Comments
  • Adds peer aliases

    Adds peer aliases

    One can now alias peer public keys which can be unwieldy.

    Use --alias PUBKEY:ALIAS. Multiple invocations can be used, or you can use a comma separator.

    These aliases appear as optional labels in the Prometheus metrics.

    opened by kbknapp 0
Releases(nightly)
Owner
Kevin K.
I love to code, skydive, and do the things.
Kevin K.
An asynchronous Prometheus exporter for iptables

iptables_exporter An asynchronous Prometheus exporter for iptables iptables_exporter runs iptables-save --counter and scrapes the output to build Prom

Kevin K. 21 Dec 29, 2022
An asynchronous dumb exporter proxy for prometheus. This aggregates all the metrics and exposes as a single scrape endpoint.

A dumb light weight asynchronous exporter proxy This is a dumb lightweight asynchronous exporter proxy that will help to expose multiple application m

Dark streams 3 Dec 4, 2022
Druid Exporter plays a fundamental role as a receiver of metrics events coming from Druid clusters, adopting the HTTP format as a means of communication

Druid Exporter plays a fundamental role as a receiver of metrics events coming from Druid clusters, adopting the HTTP format as a means of communication. In addition to this capability, its primary function is to export these metrics to Prometheus, thus allowing the creation of meaningful graphs and visualizations.

Kiwfy 3 Sep 21, 2023
Druid Exporter plays a fundamental role as a receiver of metrics events coming from Druid clusters, adopting the HTTP format as a means of communication.

Druid Exporter plays a fundamental role as a receiver of metrics events coming from Druid clusters, adopting the HTTP format as a means of communication. In addition to this capability, its primary function is to export these metrics to Prometheus, thus allowing the creation of meaningful graphs and visualizations.

Not Empty Free Software Foundation 5 Oct 24, 2023
A private network system that uses WireGuard under the hood.

innernet A private network system that uses WireGuard under the hood. See the announcement blog post for a longer-winded explanation. innernet is simi

Tonari, Inc 4.1k Dec 29, 2022
A cross-platform, user-space WireGuard port-forwarder that requires no system network configurations.

Cross-platform, user-space WireGuard port-forwarder that requires no system network configurations.

Aram Peres 629 Jan 4, 2023
A WireGuard UWP VPN plugin.

WireGuard UWP A Universal Windows Platform (UWP) VPN Plug-in for WireGuard® written in Rust. Windows provides a plug-in based model for adding 3rd-par

Luqman Aden 92 Dec 13, 2022
WireGuard front for mitmproxy (WIP)

mitmguard work-in-progress WireGuard front for mitmproxy Architecture DONE multi-threaded / asynchronous WireGuard server using tokio: one worker thre

Fabio Valentini 23 Jan 5, 2023
WireGuard frontend for mitmproxy (WIP)

mitmproxy_wireguard Transparently proxy any device that can be configured as a WireGuard client! Work-In-Progress. Architecture DONE multi-threaded /

Fabio Valentini 20 Dec 29, 2022
Rust utility crate for parsing, encoding and generating x25519 keys used by WireGuard

WireGuard Keys This is a utility crate for parsing, encoding and generating x25519 keys that are used by WireGuard. It exports custom types that can b

Fractal Networks 3 Aug 9, 2022