How to use Prometheus to monitor WireGuard

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use Prometheus to monitor WireGuard. Many people run into questions about this in day-to-day operation, so the editor consulted various materials and put together a simple, practical procedure. Hopefully it answers those questions. Follow along below.

Cloud native is a belief and a new technological model, and it is not limited to the small patch of ground you already have in mind. The bolder you are, the more the land yields: as long as you dare to imagine it, anything can be born in the cloud. As a cloud native fanatic, let me show you my fanaticism:

All my services (including the blog, image acceleration and the comment service) are deployed in a K3s cluster in the cloud. Local and home devices are connected to the cloud cluster's Pod network through WireGuard, the home gateway DNS uses CoreDNS to split domestic and foreign name resolution, the gateway uses Envoy to proxy various home services, and so on.

All devices and services at home, including those on the cloud, are monitored by kube-prometheus. I won't go into details. I'll take a few pictures to show you:

Now only WireGuard is left unmonitored, so let's look at how to monitor it with Prometheus.

If you are still new to WireGuard when reading this article, be sure to read the following articles in order:

WireGuard tutorial: how WireGuard works

WireGuard Quick installation tutorial

WireGuard configuration tutorial: using wg-gen-web to manage WireGuard configuration

WireGuard fully connected mode (full mesh) configuration guide

If you encounter something you don't understand, you can refer to the notes in this article:

WireGuard tutorial: detailed explanation of the Construction, use and configuration of WireGuard

The rest of these articles are optional, so if you are interested, just read:

Why don't I advocate WireGuard?

Why not "Why not WireGuard?"

WireGuard tutorial: NAT-to-NAT traversal with DNS-SD

WireGuard itself does not expose any metrics; they have to be exposed through a third-party exporter. There are currently two exporters, and neither of them is perfect, so I'll just use both.

1. Building the images

Neither of these exporters provides a Docker image, so I have to build them myself. The Dockerfile for the Rust exporter is as follows:

# Build stage: compile the exporter from source
FROM rust as builder
LABEL description="Docker container for building prometheus exporter for wireguard."
LABEL maintainer="Ryan Yang"
WORKDIR /usr/src/
RUN git clone https://github.com/MindFlavor/prometheus_wireguard_exporter.git; \
    cd prometheus_wireguard_exporter; \
    cargo install --path .
# Runtime stage: the wireguard package is installed from buster-backports
FROM debian:buster-slim
RUN sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"; \
    apt update; \
    apt install -y wireguard; \
    rm -rf /var/lib/apt/lists/*
COPY --from=builder /usr/local/cargo/bin/prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter
CMD ["prometheus_wireguard_exporter"]

The Dockerfile of Go version of exporter is as follows:

FROM golang AS build
LABEL description="Docker container for building prometheus exporter for wireguard."
LABEL maintainer="Ryan Yang"
WORKDIR /src
RUN git clone https://github.com/mdlayher/wireguard_exporter; \
    cd wireguard_exporter/cmd/wireguard_exporter/; \
    go build .
FROM busybox:glibc
COPY --from=build /src/wireguard_exporter/cmd/wireguard_exporter/wireguard_exporter .
CMD ["./wireguard_exporter"]

I won't dwell on the construction of the image, you can take a look at my GitHub repository.

2. prometheus_wireguard_exporter deployment

prometheus_wireguard_exporter uses wg's configuration file directly to get metrics, so no separate configuration file has to be prepared; you only need to map the /etc/wireguard directory into the container. If your wg network is hub-and-spoke, it is recommended that you monitor only the wg gateway. If it is a full mesh, you can also monitor just one of the nodes used to generate the configuration. Of course, you can also monitor all nodes.

Here I monitor only one of the nodes used to generate the configuration. The deployment manifest is as follows:

# wireguard_exporter.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-exporter
  labels:
    app: wireguard-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard-exporter
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: wireguard-exporter
    spec:
      # Pin the Pod to the node whose wg interface is monitored
      nodeSelector:
        kubernetes.io/hostname: blog-k3s03
      tolerations:
      - key: node-role.kubernetes.io/ingress
        operator: Exists
        effect: NoSchedule
      # Host network, so the container sees the node's wg interface
      hostNetwork: true
      containers:
      - name: wireguard-exporter
        image: yangchuansheng/wireguard_exporter
        command: ["/usr/local/bin/prometheus_wireguard_exporter"]
        args: ["-n", "/etc/wireguard/wg0.conf", "-r"]
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
        ports:
        - containerPort: 9586
          protocol: TCP
          name: http-metrics
        volumeMounts:
        - mountPath: /etc/localtime
          name: localtime
        # /etc/wireguard holds wg0.conf, which includes the interface private key
        - mountPath: /etc/wireguard
          name: config
      volumes:
      - name: localtime
        hostPath:
          path: /etc/localtime
      - name: config
        hostPath:
          path: /etc/wireguard
---
apiVersion: v1
kind: Service
metadata:
  name: wireguard-exporter
  labels:
    app: wireguard-exporter
spec:
  sessionAffinity: ClientIP
  selector:
    app: wireguard-exporter
  ports:
  - protocol: TCP
    name: http-metrics
    port: 9586
    targetPort: 9586

Deploy prometheus_wireguard_exporter using the deployment manifest:

$ kubectl apply -f wireguard_exporter.yaml

Check whether the deployment was successful:

$ kubectl get pod -l app=wireguard-exporter
NAME                                  READY   STATUS    RESTARTS   AGE
wireguard-exporter-78d44b8bd9-ppm9t   1/1     Running   0          41s

3. wireguard_exporter deployment

wireguard_exporter needs a separately prepared configuration file, in the following format:

# /etc/wireguard/wg0.toml
[[Peer]]
public_key = "cGsHfwmPEiLJj6Fv3GU5xFvdyQByn50PC5keVGJEe0w="
name = "RouterOS"
[[Peer]]
public_key = "izv5L8Kn48+SVwE3D498mdi7YfSrn6aKDNIRxIAHDkU="
name = "macOS"
[[Peer]]
public_key = "EOM0eLVxsj9jGKWamuIn65T3Wmqw36uLOg2ss7yJ2gw="
name = "blog-k3s02"
[[Peer]]
public_key = "1RxEokE41ypnIMsbE5OVHFVx199V71MOYzpzQ8bbbFY="
name = "blog-k3s01"
[[Peer]]
public_key = "b3JiuvdOUV7cFpXyJzb2Ea4V4AoyugICGZ18="
name = "Openwrt"
[[Peer]]
public_key = "FIbzqNv10cdCDO/Ka2GIN9rpxNVV2tO2f00R71EHeSg="
name = "Oneplus"

You need to convert the contents of wg0.conf to the above format, save the result as wg0.toml, and then map it into the container. The deployment manifest is as follows:

# wireguard_exporter_go.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-exporter-go
  labels:
    app: wireguard-exporter-go
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard-exporter-go
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: wireguard-exporter-go
    spec:
      nodeSelector:
        kubernetes.io/hostname: blog-k3s03
      tolerations:
      - key: node-role.kubernetes.io/ingress
        operator: Exists
        effect: NoSchedule
      hostNetwork: true
      containers:
      - name: wireguard-exporter-go
        image: docker.io/yangchuansheng/wireguard_exporter:golang
        command: ["/wireguard_exporter"]
        # Peer names come from wg0.toml; metrics are served on port 9587
        args: ["-wireguard.peer-file", "/etc/wireguard/wg0.toml", "-metrics.addr", ":9587"]
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
        ports:
        - containerPort: 9587
          protocol: TCP
          name: http-metrics
        volumeMounts:
        - mountPath: /etc/localtime
          name: localtime
        - mountPath: /etc/wireguard
          name: config
      volumes:
      - name: localtime
        hostPath:
          path: /etc/localtime
      - name: config
        hostPath:
          path: /etc/wireguard
---
apiVersion: v1
kind: Service
metadata:
  name: wireguard-exporter-go
  labels:
    app: wireguard-exporter-go
spec:
  sessionAffinity: ClientIP
  selector:
    app: wireguard-exporter-go
  ports:
  - protocol: TCP
    name: http-metrics
    port: 9587
    targetPort: 9587
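The wg0.conf to wg0.toml conversion described above can be scripted. The following is an added example, not code from the original article or from either exporter project: it copies only each peer's public key and name into the [[Peer]] format shown earlier, so the private and preshared keys in wg0.conf never reach the generated file, and it rejects any key that is not 32 bytes of base64. It assumes peer names are kept in wg0.conf as "# friendly_name = ..." comments inside each [Peer] section; the sample configuration and its keys are constructed.

```python
import base64
import json

def valid_key(value):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def conf_to_peer_toml(conf_text):
    """Build wg0.toml text from wg0.conf, copying only public keys and names."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("[peer]"):
            current = {}
            peers.append(current)
        elif line.startswith("["):  # [Interface] holds the private key: skip it
            current = None
        elif current is not None and "=" in line:
            is_comment = line.startswith("#")
            key, value = (p.strip() for p in line.lstrip("# ").split("=", 1))
            if is_comment and key == "friendly_name":  # assumed naming convention
                current["name"] = value
            elif not is_comment and key.lower() == "publickey":
                current["public_key"] = value
    blocks = []
    for peer in peers:
        pub = peer.get("public_key", "")
        if not valid_key(pub):
            raise ValueError(f"missing or malformed PublicKey: {pub!r}")
        # json.dumps escapes quotes and backslashes, keeping the TOML string intact
        name = json.dumps(peer.get("name", pub[:8]), ensure_ascii=False)
        blocks.append(f'[[Peer]]\npublic_key = "{pub}"\nname = {name}\n')
    return "\n".join(blocks)

# Constructed placeholder keys and sample wg0.conf, not real peers.
KEY_A, KEY_B, SECRET = (base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2, 3))
SAMPLE_CONF = f"""[Interface]
PrivateKey = {SECRET}
[Peer]
# friendly_name = RouterOS
PublicKey = {KEY_A}
PresharedKey = {SECRET}
[Peer]
PublicKey = {KEY_B}
"""

if __name__ == "__main__":
    print(conf_to_peer_toml(SAMPLE_CONF))
```

A peer without a friendly_name comment is named after the first eight characters of its public key, which is a choice made for this example.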

Deploy wireguard_exporter using the deployment manifest:

$ kubectl apply -f wireguard_exporter_go.yaml

Check whether the deployment was successful:

$ kubectl get pod -l app=wireguard-exporter-go
NAME                                     READY   STATUS    RESTARTS   AGE
wireguard-exporter-go-7f5c88fc68-h55x5   1/1     Running   0          52s

4. Adding the exporters to Prometheus monitoring

The deployment of kube-prometheus is skipped here; beginners should refer to its documentation. I will only cover the key steps. For kube-prometheus to collect the WireGuard metrics, you need to create the corresponding ServiceMonitor resources. The resource manifest is as follows:

# prometheus-serviceMonitorWireguard.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: wireguard-exporter
  name: wireguard-exporter
  namespace: monitoring
spec:
  endpoints:
  - interval: 15s
    port: http-metrics
  # The exporter Services live in the default namespace
  namespaceSelector:
    matchNames:
    - default
  selector:
    matchLabels:
      app: wireguard-exporter
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: wireguard-exporter-go
  name: wireguard-exporter-go
  namespace: monitoring
spec:
  endpoints:
  - interval: 15s
    port: http-metrics
  namespaceSelector:
    matchNames:
    - default
  selector:
    matchLabels:
      app: wireguard-exporter-go

Create a ServiceMonitor using the resource manifest:

$ kubectl apply -f prometheus-serviceMonitorWireguard.yaml

Check in Prometheus whether the corresponding targets are being scraped successfully:

Finally, add the dashboard to Grafana; the monitoring dashboards for the different wg interfaces are switched through the environment variables.

I won't go into the syntax details of the dashboard. If you are interested, import my dashboard first, and then ask me about anything you don't understand. Dashboard JSON file link:

https://cdn.jsdelivr.net/gh/yangchuansheng/docker-image@master/wireguard_exporter/dashboard.json

That concludes this look at how to use Prometheus to monitor WireGuard. Hopefully it has answered your questions. Combining theory with practice is the best way to learn, so go and try it. For more on related topics, keep following the website.
