Logging WireGuard tunnel setup using packet filter rules

New article: 02.2025

This article refers to a Beta version

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
VPN / WireGuard

Introduction

Unfortunately, the WireGuard protocol itself does not offer any logging options. However, it is still possible to track on the UTM which IP addresses have connected, or attempted to connect, via WireGuard. This is achieved with a packet filter rule: the implicit rules for WireGuard are disabled and an explicit packet filter rule, whose matches can be logged, is created instead.
In addition, the WireGuard widget can be used to monitor when clients last successfully logged in using the "Last Handshake" column. However, this column is only visible if the widget is at least 2 columns wide.


Replace implicit rules with packet filter rules

Disable implicit rules

(Screenshot: VPN / WireGuard, with the buttons Restart WireGuard and Disable implicit rules)

The implicit WireGuard rules can be disabled at the bottom of VPN / WireGuard using the Implicit Rule Status button.
The rules are disabled when the status indicator is gray.


Create packet filter rule

Then, under Firewall / Packet Filter, button Add Rule, a new rule is created that not only enables the VPN connection itself, but also logs the connections.

(Screenshot: Firewall / Packet filter, Add rule dialog)
(Screenshot: Firewall / Services, Create new service dialog)

Caption | Value | Description
--- | --- | ---
Source: | internet | Select Internet as the source
Destination: | external-interface | Select external-interface as the destination
Service: | Add service | A new service must be created that opens the listening port of the WireGuard connection (usually 51820) with UDP:
Name: | WireGuard | Name of the new service
Protocol: | udp | Select UDP as protocol
Protocol type: | | Must be left blank
Destination port type: | Single port | Select single port
Destination port: | 51820 | The listening port of the WireGuard connection. May differ from 51820!
Source port type: | All | 
 | Create service and close dialog | 
Service: | WireGuard | Select the new service
LOG section | | 
Logging: | LONG - log everything | Have everything logged
Log Alias: | WG-Log | Set log alias to better identify log entries

Read log

The log can now be opened with the Packet filter log button of the newly created rule under Firewall / Packet filter. It shows the IP addresses from which a connection attempt was made.
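As an added example (not from this article or from the UTM vendor), the following Python script summarises such packet filter log entries by source address. The UTM's real log line format is not documented on this page, so the line format parsed here is an assumption constructed for illustration; the only page-given element it relies on is the WG-Log alias configured above and the UDP listening port 51820.

```python
"""Summarise WireGuard connection attempts from packet filter log lines.

Added example. The log line format below is an ASSUMPTION constructed for
illustration and is not the UTM's actual format. It relies only on what the
article configures: a logged packet filter rule for UDP/51820 whose entries
carry the log alias WG-Log.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed layout): timestamp, alias, action,
# protocol, source ip:port -> destination ip:port. One non-WireGuard line is
# included to show that unrelated rules are ignored.
SAMPLE_LOG = """\
2025-02-10T08:01:12 WG-Log ACCEPT udp 203.0.113.5:41820 -> 198.51.100.10:51820
2025-02-10T08:01:13 WG-Log ACCEPT udp 203.0.113.5:41820 -> 198.51.100.10:51820
2025-02-10T08:02:45 WG-Log ACCEPT udp 192.0.2.77:60001 -> 198.51.100.10:51820
2025-02-10T08:03:01 OTHER-Rule ACCEPT tcp 192.0.2.77:60002 -> 198.51.100.10:443
2025-02-10T08:15:30 WG-Log ACCEPT udp 203.0.113.5:41821 -> 198.51.100.10:51820
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<alias>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


@dataclass
class Attempt:
    """One logged packet that matched the WireGuard packet filter rule."""
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_wg_attempts(log_text, alias="WG-Log"):
    """Return Attempt records for lines carrying the WireGuard log alias.

    Lines that do not match the assumed layout, or that belong to another
    rule (different alias), are skipped.
    """
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["alias"] != alias:
            continue
        attempts.append(
            Attempt(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        )
    return attempts


def summarise(attempts):
    """Group attempts by source IP: packet count, first and last timestamp.

    Returned dict is ordered with the most active source first. Timestamps are
    compared as strings, which is valid for the ISO-8601 form used here.
    """
    per_src = {}
    for a in attempts:
        entry = per_src.setdefault(a.src, {"count": 0, "first": a.ts, "last": a.ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], a.ts)
        entry["last"] = max(entry["last"], a.ts)
    return dict(sorted(per_src.items(), key=lambda kv: kv[1]["count"], reverse=True))


if __name__ == "__main__":
    for src, info in summarise(parse_wg_attempts(SAMPLE_LOG)).items():
        print(f"{src:16} packets={info['count']:3} first={info['first']} last={info['last']}")
```

Because the rule logs every matching packet (LONG - log everything), one client usually produces several entries per handshake, so grouping by source address gives a per-peer count with first and last seen times. A logged match only means that a UDP packet reached port 51820, not that the handshake succeeded; successful logins are shown in the WireGuard widget's Last Handshake column mentioned in the introduction.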