Icinga2 health check of wireguard peers, using output of wg(8).
FreeBSD port here
check_wg [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
handshake check oldest latest handshake
help Help about any command
transfer Outputs transfer stats
-h, --help help for check_wg
Use "check_wg [command] --help" for more information about a command.
$ check_wg handshake -h
It executes given wg(8) command and reads its output or stdin, if no
command was given at all.
It analizes latest handshake of every peer and outputs warning or critical
status if any of them is greater of given threshold.
check_wg handshake [-w 5m] [-c 15m] [wg show wg0 dump] [flags]
-c, --crit duration critical threshold (default 15m0s)
-h, --help help for handshake
-w, --warn duration warning threshold (default 5m0s)
$ check_wg handshake wg show wg0 dump
OK: latest handshake: 1m10s ago
peer: (hostname)
endpoint: (hostname) | 'latest handshake'=70s;300;900;;
$ check_wg handshake wg show wg0 dump
CRITICAL: latest handshake is outside of CRITICAL threshold
peer: (hostname)
endpoint: (hostname)
latest handshake: 188016s ago
threshold: 180000s | 'latest handshake'=188016s;300;180000;;
$ check_wg handshake wg show wg0 dump
WARNING: latest handshake: never
peer: (hostname)
$ check_wg transfer -h
Outputs transfer stats
check_wg transfer [flags] PEER [wg show wg0 dump]
-h, --help help for transfer
$ check_wg transfer wg show wg0 dump
OK: peer= | 'rx'=5417417193b 'tx'=83425243432b
Icinga2 configuration examples
object CheckCommand "check_wg_handshake" {
command = [ PluginDir + "/check_wg" ]
arguments = {
"--handshake" = {
value = "handshake"
order = -1
skip_key = true
"-w" = {
value = "$wg_handshake_warn$"
"-c" = {
value = "$wg_handshake_crit$"
"--" = {
value = "--"
order = 1
skip_key = true
"--wg-bin" = {
value = "/usr/bin/wg"
order = 2
skip_key = true
"--show" = {
value = "show"
order = 3
skip_key = true
"--ifname" = {
value = "$wg_ifname$"
order = 4
skip_key = true
"--dump" = {
value = "dump"
order = 5
skip_key = true
vars.wg_ifname = "wg0"
vars.wg_handshake_warn = "30m"
vars.wg_handshake_crit = "1h"
object CheckCommand "check_wg_transfer" {
command = [ PluginDir + "/check_wg" ]
arguments = {
"--transfer" = {
value = "transfer"
order = -1
skip_key = true
"--peer" = {
value = "$wg_peer$"
required = true
skip_key = true
"--" = {
value = "--"
order = 1
skip_key = true
"--wg-bin" = {
value = "/usr/bin/wg"
order = 2
skip_key = true
"--show" = {
value = "show"
order = 3
skip_key = true
"--ifname" = {
value = "$wg_ifname$"
order = 4
required = true
skip_key = true
"--dump" = {
value = "dump"
order = 5
skip_key = true
vars.wg_ifname = "wg0"
apply Service "wg_handshake_" for (ifname in host.vars.wg_ifaces) {
import "generic-service"
check_command = "check_wg_handshake"
command_endpoint = host.vars.agent_endpoint
vars.wg_iface = ifname
assign where host.vars.wg_ifaces
apply Service "wg_transfer_" for (name => cfg in host.vars.wg_peers) {
import "generic-service"
check_command = "check_wg_transfer"
command_endpoint = host.vars.agent_endpoint
vars.wg_iface = cfg.ifname
vars.wg_peer = cfg.peer
assign where host.vars.wg_peers
object Host "server" {
vars.wg_ifaces = [ "wg0" ]
vars.wg_peers["peer1"] = {
ifname = "wg0"
peer = ""
vars.wg_peers["peer2"] = {
ifname = "wg0"
peer = ""