A Prometheus exporter for WireGuard, written in Rust. This tool exports the wg show all dump results in a format that Prometheus can understand. The exporter is very light on your server resources, both in terms of memory and CPU usage.
Starting from release 2.0.1 this exporter supports IPv6 addressess too (thanks to Maximilian Bosch's PR #5).
rustc 1.35.0-nightly (8159f389f 2019-04-06)).wg CLI in the path. The tool will call wg show all dump and of course will fail if the wg executable is not found. If you want I can add the option of specifying the wg path in the command line, just open an issue for it.To compile the latest master version:
bash
git clone https://github.com/MindFlavor/prometheus_wireguard_exporter.git
cd prometheus_wireguard_exporter
cargo install --path .
If you want the latest release you can simply use:
bash
cargo install prometheus_wireguard_exporter
Start the binary with -h to get the complete syntax. The parameters are:
| Parameter | Mandatory | Valid values | Default | Description |
| -- | -- | -- | -- | -- |
| -v | no | -p | no | any valid port number | 9586 | Specify the service port. This is the port your Prometheus instance should point to.
| -n | no | path to the wireguard configuration file | | This flag adds the friendly_name attribute to the exported entries. See Friendly names for more details.
Once started, the tool will listen on the specified port (or the default one, 9586, if not specified) and return a Prometheus valid response at the url /metrics. So to check if the tool is working properly simply browse the http://localhost:9586/metrics (or whichever port you choose).
Starting from version 1.2 you can instruct the exporter to append a friendly name to the exported entries. This can make the output more understandable than using the public keys. For example this is the standard output:
```
wireguardsentbytestotal{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32"} 111612260 wireguardsentbytestotal{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32"} 0 wireguardsentbytestotal{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32"} 29704 wireguardsentbytestotal{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32"} 0 wireguardsentbytestotal{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32"} 333612100 wireguardsentbytestotal{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32"} 37732 wireguardsentbytestotal{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32"} 28678984
wireguardreceivedbytestotal{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32"} 814015520 wireguardreceivedbytestotal{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32"} 0 wireguardreceivedbytestotal{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32"} 69936 wireguardreceivedbytestotal{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32"} 0 wireguardreceivedbytestotal{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32"} 1022815448 wireguardreceivedbytestotal{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32"} 62908 wireguardreceivedbytestotal{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32"} 1261474420
wireguardlatesthandshakeseconds{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32"} 1559314162 wireguardlatesthandshakeseconds{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32"} 0 wireguardlatesthandshakeseconds{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32"} 1559313782 wireguardlatesthandshakeseconds{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32"} 0 wireguardlatesthandshakeseconds{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32"} 1559210171 wireguardlatesthandshakeseconds{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32"} 1558851920 wireguardlatesthandshakeseconds{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32"} 1559313713 ```
And this is the one augmented with friendly names:
```
wireguardsentbytestotal{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32", friendlyname="OnePlus 6T"} 111612260 wireguardsentbytestotal{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32", friendlyname="varch.local (laptop)"} 0 wireguardsentbytestotal{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32", friendlyname="cantarch"} 29704 wireguardsentbytestotal{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32", friendlyname="frcognoarch"} 0 wireguardsentbytestotal{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32", friendlyname="frcognowin10"} 333612100 wireguardsentbytestotal{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32", friendlyname="OnePlus 5T"} 37732 wireguardsentbytestotal{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32", friendly_name="folioarch"} 28678984
wireguardreceivedbytestotal{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32", friendlyname="OnePlus 6T"} 814015520 wireguardreceivedbytestotal{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32", friendlyname="varch.local (laptop)"} 0 wireguardreceivedbytestotal{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32", friendlyname="cantarch"} 69936 wireguardreceivedbytestotal{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32", friendlyname="frcognoarch"} 0 wireguardreceivedbytestotal{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32", friendlyname="frcognowin10"} 1022815448 wireguardreceivedbytestotal{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32", friendlyname="OnePlus 5T"} 62908 wireguardreceivedbytestotal{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32", friendly_name="folioarch"} 1261474420
wireguardlatesthandshakeseconds{inteface="wg0", publickey="2S7mA0vEMethCNQrJpJKE81/JmhgtB+tHHLYQhgM6kk=", localip="10.70.0.2", localsubnet="32", friendlyname="OnePlus 6T"} 1559314162 wireguardlatesthandshakeseconds{inteface="wg0", publickey="qnoxQoQI8KKMupLnSSureORV0wMmH7JryZNsmGVISzU=", localip="10.70.0.3", localsubnet="32", friendlyname="varch.local (laptop)"} 0 wireguardlatesthandshakeseconds{inteface="wg0", publickey="L2UoJZN7RmEKsMmqaJgKG0m1S2Zs2wd2ptAf+kb3008=", localip="10.70.0.4", localsubnet="32", friendlyname="cantarch"} 1559313782 wireguardlatesthandshakeseconds{inteface="wg0", publickey="MdVOIPKt9K2MPj/sO2NlWQbOnFJ6L/qX80mmhQwsUlA=", localip="10.70.0.50", localsubnet="32", friendlyname="frcognoarch"} 0 wireguardlatesthandshakeseconds{inteface="wg0", publickey="lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc=", localip="10.70.0.40", localsubnet="32", friendlyname="frcognowin10"} 1559210171 wireguardlatesthandshakeseconds{inteface="wg0", publickey="928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk=", localip="10.70.0.80", localsubnet="32", friendlyname="OnePlus 5T"} 1558851920 wireguardlatesthandshakeseconds{inteface="wg0", publickey="wTjv6hS6fKfNK+SzOLo7O6BQjEb6AD1TN9GjwZ08IwA=", localip="10.70.0.5", localsubnet="32", friendly_name="folioarch"} 1559313713 ```
In order for this to work, you need to add comments to your wireguard configuration file (below the [Peer] definition). The comment will be interpreted as friendly_name and added to the entry exported to Prometheus. Note that this is not a standard but, since it's a comment, will not interfere with WireGuard in any way. For example this is how you edit your WireGuard configuration file:
``` [Peer] PublicKey = lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc= AllowedIPs = 10.70.0.40/32
[Peer] PublicKey = 928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk= AllowedIPs = 10.70.0.80/32 ```
``` [Peer]
PublicKey = lqYcojJMsIZXMUw1heAFbQHBoKjCEaeo7M1WXDh/KWc= AllowedIPs = 10.70.0.40/32
[Peer]
PublicKey = 928vO9Lf4+Mo84cWu4k1oRyzf0AR7FTGoPKHGoTMSHk= AllowedIPs = 10.70.0.80/32 ```
As you can see, all you need to do is to add the friendly name as comment (and enable the flag since this feature is opt-in).
Now add the exporter to the Prometheus exporters as usual. I recommend to start it as a service. It's necessary to run it as root (if there is a non-root way to call wg show all dump please let me know). My systemd service file is like this one:
``` [Unit] Description=Prometheus WireGuard Exporter Wants=network-online.target After=network-online.target
[Service] User=root Group=root Type=simple ExecStart=/usr/local/bin/prometheuswireguardexporter -n /etc/wireguard/wg0.conf
[Install] WantedBy=multi-user.target ```