Alert thresholds depend on the nature of your applications. Some queries may have arbitrary tolerance thresholds. Building an efficient monitoring platform takes time. 😉

WireGuard Prometheus Alert Rules

3 Prometheus alerting rules for WireGuard, using metrics exported by MindFlavor/prometheus_wireguard_exporter. These rules cover critical and warning conditions. Copy and paste the YAML into your Prometheus configuration.

wget https://raw.githubusercontent.com/samber/awesome-prometheus-alerts/refs/heads/master/dist/rules/wireguard/mindflavor-prometheus-wireguard-exporter.yml

9.12.1. WireGuard peer handshake too old

WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has not had a handshake for over 5 minutes. The tunnel may be down.

  # The threshold of 300 seconds (5 minutes) is a rough default. WireGuard peers that are idle but reachable
  # typically re-handshake every 2 minutes. Adjust based on your keepalive interval.
  # The `> 0` guard excludes peers that have never completed a handshake (covered by a separate rule).
- alert: WireGuardPeerHandshakeTooOld
  expr: time() - wireguard_latest_handshake_seconds > 300 and wireguard_latest_handshake_seconds > 0
  for: 2m
  labels:
    severity: warning
  annotations:
    summary: WireGuard peer handshake too old (instance {{ $labels.instance }})
    description: "WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has not had a handshake for over 5 minutes. The tunnel may be down.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

9.12.2. WireGuard peer handshake never established

WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has never completed a handshake. Check peer configuration and network connectivity.

  # This alert will fire for all offline mobile/laptop peers. Consider filtering by expected-online peers.
- alert: WireGuardPeerHandshakeNeverEstablished
  expr: wireguard_latest_handshake_seconds == 0
  for: 5m
  labels:
    severity: critical
  annotations:
    summary: WireGuard peer handshake never established (instance {{ $labels.instance }})
    description: "WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has never completed a handshake. Check peer configuration and network connectivity.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

9.12.3. WireGuard no traffic on peer

WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has had no traffic for 15 minutes despite an active handshake.

  # This alert fires when a peer has a recent handshake but zero traffic flow.
  # May indicate routing issues or a misconfigured allowed-ips.
  # Only useful if you expect continuous traffic on all peers.
- alert: WireGuardNoTrafficOnPeer
  expr: (rate(wireguard_sent_bytes_total[15m]) + rate(wireguard_received_bytes_total[15m])) == 0 and wireguard_latest_handshake_seconds > 0 and (time() - wireguard_latest_handshake_seconds) < 300
  for: 15m
  labels:
    severity: warning
  annotations:
    summary: WireGuard no traffic on peer (instance {{ $labels.instance }})
    description: "WireGuard peer {{ $labels.public_key }} on interface {{ $labels.interface }} has had no traffic for 15 minutes despite an active handshake.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
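
An offline check for the two handshake rules (9.12.1 and 9.12.2), added here as an example and not part of the rule set or the exporter's code: it classifies each peer in a saved /metrics scrape with the same `== 0` and `> 300` conditions, plus an optional allowlist for the "expected-online peers" filtering suggested in the rule comments. The `expected_online` parameter, the state names and the sample scrape are assumptions made for this example, and the rules' `for:` durations are not modelled.

```python
import re
import time

# Sample lines of the metric that rules 9.12.1 and 9.12.2 evaluate.
SAMPLE_RE = re.compile(r'^wireguard_latest_handshake_seconds\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')
STALE_AFTER = 300  # seconds, same threshold as WireGuardPeerHandshakeTooOld


def classify_peers(metrics_text, now=None, expected_online=None):
    """Return {(interface, public_key): state} for each peer in a scrape.

    States: "never" (matches rule 9.12.2), "stale" (matches rule 9.12.1),
    "ok", or "ignored" for peers outside the expected_online set.
    """
    now = time.time() if now is None else now
    result = {}
    for line in metrics_text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if not m:
            continue  # comment lines, other metrics, blank lines
        labels = dict(LABEL_RE.findall(m.group("labels")))
        key = (labels.get("interface", ""), labels.get("public_key", ""))
        handshake = float(m.group("value"))
        if expected_online is not None and key[1] not in expected_online:
            state = "ignored"   # e.g. roaming laptops that are often offline
        elif handshake == 0:
            state = "never"     # the `> 0` guard keeps these out of "stale"
        elif now - handshake > STALE_AFTER:
            state = "stale"
        else:
            state = "ok"
        result[key] = state
    return result


# Constructed sample scrape (placeholder keys, not real peers).
SAMPLE_SCRAPE = """\
# TYPE wireguard_latest_handshake_seconds gauge
wireguard_latest_handshake_seconds{interface="wg0",public_key="AAAA-gateway="} 1700000950
wireguard_latest_handshake_seconds{interface="wg0",public_key="BBBB-branch="} 1700000100
wireguard_latest_handshake_seconds{interface="wg0",public_key="CCCC-laptop="} 0
wireguard_sent_bytes_total{interface="wg0",public_key="AAAA-gateway="} 4096
"""

if __name__ == "__main__":
    servers = {"AAAA-gateway=", "BBBB-branch="}
    for peer, state in classify_peers(SAMPLE_SCRAPE, now=1700001000, expected_online=servers).items():
        print(peer, state)
```

Running it against a real scrape before enabling the rules shows how many peers each alert would match at the current thresholds.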