
Security: WireGuard VPN Peer Management

WireGuard is a modern, high-performance VPN protocol built directly into the Linux kernel (mainlined in 5.6).

Module metadata


Source reference

content/modules/security-wireguard-vpn.md

Last updated

18 March 2026

Category

Administration

Content checksum

31789551a097a93e

Tags

management, blockchain, geospatial

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

WireGuard is a modern, high-performance VPN protocol built directly into the Linux kernel (mainlined in 5.6). Its design philosophy is radical simplicity: a codebase of roughly 4,000 lines against OpenVPN's 100,000+, a single fixed cryptographic suite (the Noise protocol framework with Curve25519, ChaCha20-Poly1305 and BLAKE2s) with no cipher negotiation, and configuration expressed entirely as peer key pairs and allowed-IP routing tables. Argus integrates WireGuard to synchronise peer configuration and connection status into the operational picture, giving security operators visibility over which VPN endpoints are active, when each last completed a handshake, and which tunnels are carrying traffic across distributed deployments.

Key Features

Peer Inventory Synchronisation

Sync the full peer table from a WireGuard interface via fetchWireguardPeers. Each peer record captures the public key (WireGuard's identity primitive), endpoint address and port, configured allowed-IP prefixes, latest handshake timestamp, and cumulative transfer bytes (sent/received). The sync writes to PostgreSQL under organisation and clearance-level scoping.

Handshake Staleness Alerting

WireGuard peers that have not completed a handshake within the configured staleness window are flagged. The latest handshake timestamp surfaces directly in peer records, so operators can identify remote sites that have dropped off the VPN mesh (equipment failure, WAN outage, or a potential security incident) without shelling into gateway hosts. One caveat when choosing the window: WireGuard only handshakes when there is traffic to send, and re-keys roughly every two minutes while traffic flows, so an idle peer without PersistentKeepalive will legitimately show an old handshake. For peers with PersistentKeepalive configured, a handshake older than a few minutes does indicate a down tunnel; for peers without it, staleness alone cannot distinguish an outage from an idle link.

Per-Peer Traffic Metrics

Cumulative transfer byte counts per peer are captured on each sync cycle. Deltas between consecutive sync cycles give per-peer throughput estimates that support anomaly detection: a peer that historically transfers 50 MB/day suddenly transferring 50 GB is a detectable signal worth investigating. Because the kernel counters are cumulative and restart from zero when a peer is removed and re-added or the interface is recreated, a counter that decreases between cycles should be treated as a reset, not as negative throughput.

Peer Configuration Export

Export the current WireGuard peer configuration as wg-format output for backup, auditing, or deployment to new gateway nodes. All public keys, allowed-IP prefixes and endpoint configurations are captured in Argus, making it the authoritative record of WireGuard mesh topology. The export therefore contains public material only: interface private keys and any preshared keys are not part of the synced records and must be provisioned to a new gateway separately.
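The staleness, traffic-delta and export behaviour described in the three sections above can be exercised end to end against the output of `wg show all dump`, the machine-readable form of `wg show` documented in wg(8). The following Python is an added example written for this page, not Argus code: it assumes a sync that reads that dump format, uses constructed snapshots with placeholder keys (the private-key column, which the real command prints, is replaced by a marker), and applies the protocol's 180 s session-reject timer (REJECT_AFTER_TIME in the WireGuard specification) when deciding whether a keepalive peer's old handshake means the tunnel is down.

```python
"""Parse `wg show all dump`, classify handshake staleness, diff transfer counters between
sync cycles, and emit wg-format [Peer] stanzas. Added example, not Argus code; samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REJECT_AFTER_TIME = 180  # WireGuard discards a session older than this (seconds)

@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]   # None when wg prints "(none)"
    allowed_ips: List[str]
    latest_handshake: int     # Unix seconds; 0 means no handshake ever
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]  # PersistentKeepalive seconds; None when "off"

def parse_wg_dump(dump: str) -> Dict[str, List[Peer]]:
    """Interface lines: iface, private-key, public-key, listen-port, fwmark (5 fields). Peer lines:
    iface, public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive (9)."""
    peers: Dict[str, List[Peer]] = {}
    for line in filter(str.strip, dump.splitlines()):
        f = line.split("\t")
        if len(f) == 5:
            peers.setdefault(f[0], [])   # interface record; its private key is not retained
            continue
        if len(f) != 9:
            raise ValueError(f"unexpected wg dump record: {line!r}")
        iface, pub, _psk, endpoint, allowed, hs, rx, tx, ka = f   # _psk deliberately dropped
        peers.setdefault(iface, []).append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=[a for a in allowed.split(",") if a and a != "(none)"],
            latest_handshake=int(hs), rx_bytes=int(rx), tx_bytes=int(tx),
            keepalive=None if ka == "off" else int(ka)))
    return peers

def classify_handshake(peer: Peer, now: int, window: int) -> str:
    """Keepalive traffic forces re-handshakes, so with PersistentKeepalive an old handshake is a
    real outage. Without it WireGuard is silent when idle: past the operator's window the tunnel
    is only 'stale-or-idle', not provably down."""
    if peer.latest_handshake == 0:
        return "never"
    age = now - peer.latest_handshake
    if peer.keepalive is not None:
        return "stale" if age > REJECT_AFTER_TIME + peer.keepalive else "fresh"
    return "stale-or-idle" if age > window else "fresh"

def transfer_deltas(prev: List[Peer], curr: List[Peer]) -> Dict[str, Optional[Tuple[int, int]]]:
    """(rx, tx) bytes per public key between snapshots. Kernel counters restart at zero when a peer
    is re-added or the interface recreated, so a decrease is reported as None (reset), not negative."""
    before = {p.public_key: p for p in prev}
    deltas: Dict[str, Optional[Tuple[int, int]]] = {}
    for p in curr:
        if p.public_key in before:
            d = (p.rx_bytes - before[p.public_key].rx_bytes, p.tx_bytes - before[p.public_key].tx_bytes)
            deltas[p.public_key] = None if min(d) < 0 else d
    return deltas

def volume_anomalies(deltas, baseline: Dict[str, int], factor: int = 10) -> List[str]:
    """Peers whose rx+tx exceeds `factor` times their baseline bytes per cycle; resets are skipped."""
    return [pk for pk, d in deltas.items()
            if d is not None and pk in baseline and sum(d) > factor * baseline[pk]]

def export_peer_stanzas(peers: List[Peer]) -> str:
    """wg(8)/wg-quick [Peer] stanzas. Public material only: PresharedKey is deliberately absent."""
    out: List[str] = []
    for p in peers:
        out += ["[Peer]", f"PublicKey = {p.public_key}", f"AllowedIPs = {', '.join(p.allowed_ips)}"]
        if p.endpoint:
            out.append(f"Endpoint = {p.endpoint}")
        if p.keepalive:
            out.append(f"PersistentKeepalive = {p.keepalive}")
        out.append("")
    return "\n".join(out)

# Constructed sample: two snapshots of one gateway, one sync cycle apart. Keys are placeholders,
# addresses are RFC 5737 ranges, and the private-key column the real command prints is a marker.
# Between T0 and T1: A moved ~50 GiB, B was removed and re-added (counters reset), C still never
# handshook, D has keepalive configured but its handshake has not advanced.
NOW = 1_700_000_000  # capture time of SNAPSHOT_T1
SNAPSHOT_T0 = "\n".join([
    "wg0\tPRIVATE_KEY_OMITTED\tHUB_PUBKEY=\t51820\toff",
    f"wg0\tPEER_A_PUBKEY=\t(none)\t203.0.113.10:51820\t10.10.1.0/24\t{NOW - 3700}\t1048576\t2097152\t25",
    f"wg0\tPEER_B_PUBKEY=\t(none)\t203.0.113.20:51820\t10.10.2.0/24,172.16.2.1/32\t{NOW - 5200}\t734003200\t52428800\toff",
    "wg0\tPEER_C_PUBKEY=\t(none)\t(none)\t10.10.3.0/24\t0\t0\t0\toff",
    f"wg0\tPEER_D_PUBKEY=\t(none)\t198.51.100.5:51820\t10.10.4.0/24\t{NOW - 4100}\t4096\t8192\t25",
])
SNAPSHOT_T1 = "\n".join([
    "wg0\tPRIVATE_KEY_OMITTED\tHUB_PUBKEY=\t51820\toff",
    f"wg0\tPEER_A_PUBKEY=\t(none)\t203.0.113.10:51820\t10.10.1.0/24\t{NOW - 100}\t{1048576 + 50 * 2**30}\t2101248\t25",
    f"wg0\tPEER_B_PUBKEY=\t(none)\t203.0.113.20:51820\t10.10.2.0/24,172.16.2.1/32\t{NOW - 1600}\t4096\t8192\toff",
    "wg0\tPEER_C_PUBKEY=\t(none)\t(none)\t10.10.3.0/24\t0\t0\t0\toff",
    f"wg0\tPEER_D_PUBKEY=\t(none)\t198.51.100.5:51820\t10.10.4.0/24\t{NOW - 4100}\t4096\t8192\t25",
])

if __name__ == "__main__":  # one sync cycle against the constructed snapshots
    prev, curr = parse_wg_dump(SNAPSHOT_T0)["wg0"], parse_wg_dump(SNAPSHOT_T1)["wg0"]
    print({p.public_key: classify_handshake(p, NOW, 900) for p in curr}, transfer_deltas(prev, curr), export_peer_stanzas(curr), sep="\n")
```

With a 900 s window the run classifies A as fresh, B as stale-or-idle (no keepalive, so an outage and an idle link look identical), C as never handshaken and D as stale (keepalive is on, so a handshake older than 205 s cannot be explained by idleness). B's decreasing counters come back as a reset rather than a 700 MB negative delta, and A's 50 GiB jump is the only peer exceeding ten times a 50 MiB-per-cycle baseline. The exported stanzas carry no PresharedKey line, which is the point the export section makes: a new gateway needs secrets from somewhere other than this record.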

Interface and Endpoint Metadata

Interfaces are tracked with their listen port and public key. Multiple WireGuard interfaces across multiple gateway hosts can be tracked simultaneously, covering hub-and-spoke and full-mesh topologies.

Use Cases

  • Remote Site Connectivity Monitoring: A deployed tactical network uses WireGuard to connect a dozen forward operating bases back to a central operations centre. Argus WireGuard sync gives the NOC team a live view of which FOB VPN tunnels are up, when each last connected, and which have gone silent.
  • Zero-Trust Micro-Segmentation Audit: In a zero-trust architecture, every service-to-service connection runs over a WireGuard tunnel. Argus peer sync provides an audit log showing which service peers were active over each shift, supporting post-incident reconstruction.
  • Key Rotation Verification: After a WireGuard key rotation (scheduled or in response to a suspected compromise), Argus peer sync confirms that every peer presents a public key matching the rotation manifest; any peer still presenting a pre-rotation key is immediately visible. WireGuard has no certificates: a peer's identity is its static Curve25519 public key, so rotating it means distributing the new public key to every peer that must talk to it.
  • Hybrid Cloud Gateway Monitoring: WireGuard gateways bridging on-premises security infrastructure to cloud-hosted Argus components are monitored via peer sync -- Argus can alert if its own connectivity to a key sensor gateway drops.

Integration

Available via GraphQL: wireguardPeers, wireguardInterfaces, wireguardStats (queries); syncWireguardPeers, fetchWireguardPeerDetail (mutations). All operations require authentication and organisation scoping.

Works alongside the Identity modules (SCIM, Keycloak, SAML) for user-to-peer mapping, and Network Monitoring for overlay correlation between VPN peer status and underlying network path health.

Last Reviewed: 2026-03-18