Wireguard - SNMP interface monitoring

Hello Forum,
Is it possible to monitor a WireGuard interface state, since it’s always running?
It would be cool to monitor the interface state with an SNMP server like Zabbix, pointing to the oper-status OID.

Any idea?
Thanks!

As far as I know, WireGuard is a stateless interface.
There is nothing you can consult to know in a binary way whether it is working or not.

Interested in knowing others' opinions on this…

You can use netwatch to monitor a remote IP. See my script for netwatch here:
http://forum.mikrotik.com/t/script-info-connection-wireguard/154094/15

SNMP would be complicated to work with for this, but Syslog/Telegram/Email ++ should work fine.

I am also looking to monitor internet connections (dual WAN) with Zabbix (SNMP).

For now I think the only way is to use SNMPv3 and a custom OID
https://wiki.mikrotik.com/wiki/Manual:SNMP#Runing_scripts_with_GET

I’m working on it… I will post the scripts here…

Using Netwatch and routing rules to disable using the WG connection when it’s down. After 5 minutes the WG connection is restarted, and when it works the connection-marking is activated again.
When you have multiple connections, creating a catch-all connection allows you to disable connections, and the catch-all will then take care of the traffic that would otherwise get lost.
If you have three WG connections then the PCC will be both-addresses-ports [3/0] and [3/2], and the catch-all will not have any PCC in its line. It will connection-mark all traffic that is not yet marked by the two lines above.

Netwatch:

/tool/netwatch
add comment=NordLynx-1 disabled=yes down-script="# Disable WG when the IP is unreachable\r\
    \n\r\
    \n# no disabling an already disabled interface\r\
    \n:if (![/interface/wireguard  get [find name=\"NordLynx-1\"] disabled]) do={\r\
    \n\r\
    \n/ip/firewall/mangle set disabled=yes [find new-connection-mark=\"NordLynx-1\"]\r\
    \n/interface/wireguard set disable=yes [find name=\"NordLynx-1\"]\r\
    \n:log warning \"Waiting 5 minutes before trying again: NordLynx-1\"\r\
    \n\r\
    \n:delay 5m\r\
    \n/interface/wireguard set disable=no [find name=\"NordLynx-1\"]\r\
    \n}" host=198.18.0.1 interval=15s timeout=5s up-script="# Disable PrivadoAMS when the DNS server is reachable\r\
    \n\r\
    \n/ip/firewall/mangle set disabled=no [find new-connection-mark=\"NordLynx-1\"]"

Routing rule: /ip/route/rule or /routing/rule depending on your version of RouterOS.

add action=lookup-only-in-table comment="Netwatch ping" disabled=no dst-address=198.18.0.1/32 table=wg-1

The address 198.18.0.1 is an IP that is pingable with NordLynx (NordVPN) and sits in their network. For each NordLynx WG profile you can use another IP: 198.18.0.2, 198.18.0.3, etc. For each one you also have to create a routing rule and an adapted Netwatch entry with the dedicated IP address (198.18.0.x).

Have fun!

Update: this constant pinging will keep the connections open 24-7, and having a catch-all in place allows you to disable the specific other Netwatch line(s) and other WG connections so that only one WG connection is active during a period. For example at night, when there is no or less need for several WG connections.
To enable them again, you first have to start the earlier deactivated WG connection and then the earlier deactivated Netwatch line. If the WG is working then, Netwatch will also activate the connection-mark line for that connection. That line also has to be deactivated when the others got deactivated. The catch-all will take care of the traffic while the other WG connection sleeps.

Update 2: Changed the down script in Netwatch so that it won’t disable a connection that is already disabled. This is because after 5 minutes a restart is done, and you only need one restart and not many.

Hello again, I used this thread to dust off my old notes ...

I hope I found a solution to monitor netwatch with Zabbix (of course you adapt it for your needs).

Zabbix can monitor MikroTik only via SNMP, and to use a custom OID it is necessary to enable write access.

So I set up MikroTik with SNMPv3 with security private (and of course set up Zabbix to use SNMPv3).

On MikroTik I created a script with
:put ([:pick [/tool netwatch print as-value where comment="WAN1"] 0]->"status")

It then returns only up or down.

On Zabbix I already monitor some devices, so I added an item:
Name: snmp_netwatch_wan1
Type: SNMP agent
Key: netwatch.wan1
Host interface: mikrotik-ip-or-hostname:161
SNMP OID: .1.3.6.1.4.1.14988.1.1.18.1.1.2.4 (the last number is 4 because my script is number 4)
Type of information: Text
Update interval: 1m
Storage period: 30d
Enabled: checked
Add / Update

I don't know about WireGuard, but I think it is simple to convert netwatch to WireGuard ...
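
One way to do the conversion the last post suggests, as an added example that is not part of the original thread: a RouterOS v7 script that prints up or down for a WireGuard interface from the age of its peers' last handshake, so it can be read through the same script OID. The 3-minute threshold and a persistent-keepalive on the peer (so handshakes keep being renewed while the tunnel is idle) are assumptions; NordLynx-1 is the interface name used earlier in the thread.

```routeros
# Added example (RouterOS v7 syntax), not from the original posts.
# Prints "up" when at least one enabled peer of the interface completed a
# handshake recently, otherwise "down". Read it via the SNMP script OID
# in the same way as the netwatch script above.

:local ifName "NordLynx-1"
# Assumption: a handshake older than 3 minutes means no usable session.
:local maxAge 00:03:00
:local state "down"

# An administratively disabled interface is always reported as down.
:if (![/interface/wireguard get [find name=$ifName] disabled]) do={
    :foreach p in=[/interface/wireguard/peers find interface=$ifName] do={
        :if (![/interface/wireguard/peers get $p disabled]) do={
            :local hs [/interface/wireguard/peers get $p last-handshake]
            # last-handshake is empty until the first handshake completes.
            :if ([:len [:tostr $hs]] > 0) do={
                :if ($hs < $maxAge) do={ :set state "up" }
            }
        }
    }
}

:put $state
```

Without a keepalive an idle but healthy tunnel also shows an old handshake, so this check would report it as down.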