New article: 02.2025
notemptyThis article refers to a Beta version
Introduction
Unfortunately, the WireGuard protocol itself does not offer any logging options. However, it is still possible to track which IP addresses have connected or attempted to connect via WireGuard on the UTM. This can be achieved using a packet filter rule. The implicit rules for WireGuard are deactivated and a packet filter rule is created instead, which can then be logged.
In addition, the WireGuard widget can be used to monitor when clients last successfully logged in using the "Last Handshake" column. However, this column is only visible if the widget is at least 2 columns wide.
Replace implicit rules with packet filter rules
Disable implicit rules
UTMuser@firewall.name.fqdnVPN 
WireGuard Disable implicit rules
Create packet filter rule
| Then, under button , a new rule is created that not only enables the VPN connection itself, but also logs the connections. | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallPacket filter  Create packet filter rule UTMuser@firewall.name.fqdnFirewallServices  Create new service
|
|---|---|---|---|
| Source: |  internet |
Select Internet as the source | |
| Destination: |  external-interface |
Select external-interface as the destination | |
| Service: | Add service | A new service must be created that opens the listening port of the WireGuard connection (usually 51820) with UDP. | |
| Name: WireGuard |
Name of the new service | ||
| Protocol: udp |
Select UDP as protocol | ||
| Protocol type: |
Must be left blank | ||
| Destination port type: |
Select single port | ||
| Destination port: 51820 |
The listening port of the WireGuard connection May differ from 51820! | ||
| Source port type: |
|||
| Create service and close dialog | |||
 WireGuard |
Select the new service | ||
| LOG | |||
| Logging: | LONG - log everything | Have everything logged | |
| Log Alias: | WG-Log | Set log alias to better identify log entries | |
Read log
