How to Enable Debug Logging for WireGuard VPN Authentication Monitoring


Unlike OpenVPN, which provides verbose connection logs by default, WireGuard operates silently by design. The kernel module doesn't output connection attempts or authentication failures to standard logs. This makes monitoring more challenging, but not impossible.

For Debian/Ubuntu systems, you can increase logging verbosity by modifying the WireGuard service:

sudo systemctl edit wg-quick@wg0.service

Add these override parameters:

[Service]
Environment=WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun
Environment=WG_LOG_LEVEL=info
ExecStart=
ExecStart=/usr/bin/wg-quick up %i

Use these commands to observe active connections:

# Show current connections
sudo wg show all

# Monitor interface traffic
sudo ifconfig wg0

# Follow system logs
sudo journalctl -u wg-quick@wg0.service -f

Create a custom Fail2Ban filter for WireGuard in /etc/fail2ban/filter.d/wireguard.conf:

[Definition]
# <HOST> is mandatory: it is the group Fail2Ban extracts the address to ban from
failregex = .*Invalid handshake (?:initiation|attempt) from <HOST>
ignoreregex =

Then add the jail configuration:

[wireguard]
enabled = true
port = 51820
filter = wireguard
logpath = /var/log/syslog
maxretry = 3
bantime = 86400

For detailed connection logging, consider using Mozilla's BoringTun userspace implementation:

sudo apt install boringtun
WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun WG_LOG_LEVEL=info wg-quick up wg0

Example log output:

2023-01-15T12:34:56.789Z INFO: Handshake received from 192.168.1.100:51820
2023-01-15T12:35:01.234Z WARN: Invalid handshake attempt from 203.0.113.45:12345
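To check a filter like the one above before handing it to Fail2Ban, here is a small added Python script (not part of the original page) that applies a failregex carrying a <HOST> tag to constructed BoringTun-style log lines and reports which sources exceed maxretry within findtime, the way the jail would; the <HOST> expansion is an approximation of Fail2Ban's.

```python
"""Check a Fail2Ban-style failregex against WireGuard log lines offline.
Added example (not from the original page); the log lines are constructed to
follow the BoringTun format shown above and <HOST> is expanded Fail2Ban-style."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximation of Fail2Ban's <HOST> tag: IPv4, IPv6 or hostname (constructed).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*|[\w.-]+)"

SAMPLE_LOG = """\
2023-01-15T12:34:56.789Z INFO: Handshake received from 192.168.1.100:51820
2023-01-15T12:35:01.234Z WARN: Invalid handshake attempt from 203.0.113.45:12345
2023-01-15T12:35:03.001Z WARN: Invalid handshake attempt from 203.0.113.45:12346
2023-01-15T12:35:04.500Z WARN: Invalid handshake attempt from 203.0.113.45:12347
2023-01-15T12:36:10.000Z WARN: Invalid handshake attempt from 198.51.100.7:40000
""".splitlines()

FAILREGEX = r"WARN: Invalid handshake attempt from <HOST>:\d+"

def compile_failregex(failregex):
    """Turn a filter.d failregex into a Python pattern; <HOST> is mandatory."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag; Fail2Ban cannot ban without it")
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_timestamp(line):
    """BoringTun lines start with an ISO 8601 UTC timestamp."""
    return datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%S.%fZ")

def offenders(lines, failregex, maxretry=3, findtime=600):
    """Return hosts with at least maxretry matches inside any findtime window."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")].append(parse_timestamp(line))
    banned = set()
    for host, times in hits.items():
        times.sort()
        # Sliding window: the maxretry-th hit must fall within findtime of the first
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned
```

Running offenders(SAMPLE_LOG, FAILREGEX) on the sample returns only 203.0.113.45, since 198.51.100.7 never reaches maxretry.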

WireGuard's minimalistic design intentionally keeps logging to a minimum for performance reasons. Unlike OpenVPN, which generates detailed connection logs by default, WireGuard requires explicit configuration for debug output. The standard journalctl -u wg-quick@wg0.service only shows basic interface management events.

For detailed packet-level monitoring including authentication attempts, you'll need to enable WireGuard's kernel module debug logging:

# Enable dynamic debug for the WireGuard module at load time (modprobe.d files
# take "options" lines; dyndbg is the kernel's dynamic-debug module parameter)
echo "options wireguard dyndbg=+p" | sudo tee /etc/modprobe.d/wireguard-debug.conf

# Reload the module (bring wg interfaces down first, or the unload fails with "in use")
sudo modprobe -r wireguard
sudo modprobe wireguard

# Verify debug is enabled
sudo dmesg | grep wireguard

To make these changes persistent across reboots, create a systemd drop-in file:

sudo mkdir -p /etc/systemd/system/wg-quick@wg0.service.d/
sudo tee /etc/systemd/system/wg-quick@wg0.service.d/debug.conf <<EOF
[Service]
Environment=WG_VERBOSE=1
EOF

sudo systemctl daemon-reload
sudo systemctl restart wg-quick@wg0.service

With debug enabled, you can now monitor authentication attempts using:

# Real-time monitoring
sudo journalctl -u wg-quick@wg0.service -f -o cat | grep -i "handshake"

# Or view kernel logs
sudo dmesg -wH | grep -E "wireguard|wg0"

A typical failed authentication attempt will appear like this in logs:

[  123.456789] wireguard: wg0: Handshake for peer XYZ123 failed (invalid preshared key)
[  124.567890] wireguard: wg0: Packet has unallowed src IP (spoofed attempt)

Create a custom Fail2Ban filter for WireGuard:

# /etc/fail2ban/filter.d/wireguard.conf
[Definition]
failregex = wireguard: .* Handshake for peer .* failed
            wireguard: .* Packet has unallowed src IP

Then add a jail configuration:

# /etc/fail2ban/jail.d/wireguard.local
[wireguard]
enabled = true
filter = wireguard
logpath = /var/log/kern.log
maxretry = 3
bantime = 3600

For even more detailed debugging, you can run WireGuard in userspace with full logging:

# wireguard-go reads LOG_LEVEL (verbose, error or silent); -f keeps it in the foreground so the log stays on the terminal
sudo LOG_LEVEL=verbose wireguard-go -f wg0

This provides complete cryptographic operation logs, useful for troubleshooting complex issues.