WireGuard Monitoring
Real-time uptime monitoring for WireGuard servers with real protocol handshakes — not just port pings. Sub-second alerts across email, Slack, Telegram, Discord, and webhooks. Free for 5 monitors.
What makes WireGuard monitoring different
WireGuard is a kernel-level VPN protocol that uses Curve25519 key exchange and ChaCha20-Poly1305 encryption. Unlike TLS-based VPNs, WireGuard has no persistent session — every packet is authenticated independently using a rotating nonce and the peer's public key. This makes WireGuard fast, but it also means a standard HTTP or TCP port check tells you almost nothing useful.
A WireGuard server on UDP/51820 will respond to port probes even when:
- The server's private key has been replaced but peers haven't been updated
- The preshared key has expired
- AllowedIPs routing has been misconfigured
- The underlying interface is up but the peer is effectively unreachable
- The server is rate-limiting handshake attempts due to DDoS protection
TunnelHQ performs a real WireGuard handshake using your config's PrivateKey, Endpoint, and peer PublicKey. Only a successful handshake counts as "up".
How TunnelHQ monitors WireGuard
1. Upload your config
Paste your WireGuard config or upload the .conf file. TunnelHQ auto-detects the protocol and parses:
[Interface]
PrivateKey = yAnz5TF+...
Address = 10.0.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = xTIBA5rb...
Endpoint = 203.0.113.1:51820
AllowedIPs = 0.0.0.0/0
2. Scheduled checks from distributed nodes
TunnelHQ runs the handshake check from regional check nodes across US, EU, APAC, and SA. If the handshake fails from one region but succeeds from others, you know it's a regional issue (routing, BGP hijack, local DDoS).
3. Sub-second alerts
On state change (up → down or down → up), TunnelHQ dispatches alerts within 1 second to every configured channel:
- Email — always included, even on the Free plan
- Slack — with interactive message blocks and incident threading
- Telegram — via bot or channel
- Discord — with embed formatting
- Webhook — raw HTTP POST with JSON payload for custom integrations
4. REST API for automation
Trigger a WireGuard check programmatically and pipe results into your own dashboards or on-call systems:
curl -X POST https://tunnelhq.com/api/v1/check/public \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "wireguard",
    "config": "[Interface]\nPrivateKey=...\n..."
  }'
The response returns handshake latency, the server's public key echoed back, and any error detail if the check failed.
Pricing for WireGuard monitoring
All plans include WireGuard monitoring. No credit card required to start.
| Plan | WG Monitors | Interval | Price |
|---|---|---|---|
| Free | 5 | 10 min | $0 |
| Starter | 20 | 5 min | $12/mo or $84/yr |
| Pro | 100 | 2 min | $39/mo or $276/yr |
| Business | 500 | 1 min | $99/mo or $756/yr |
FAQ
What does TunnelHQ check on a WireGuard server?
A full WireGuard handshake using your PrivateKey, Endpoint, and the peer's PublicKey. A responding UDP port is not enough — if the handshake fails (bad key, expired preshared key, firewall misconfig), TunnelHQ flags it and alerts.
How often can TunnelHQ check a WireGuard server?
As fast as every 1 minute on the Business plan. Pro runs every 2 minutes, Starter every 5 minutes, Free every 10 minutes.
Does TunnelHQ need my WireGuard private key?
Yes, to perform a real handshake. Configs are encrypted with AES-256-GCM at rest and never shared. For best operational hygiene, generate a dedicated monitoring peer key separate from your production client keys.
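A dedicated monitoring key limits exposure only if the server-side [Peer] entry for that key is tightly scoped, because WireGuard accepts from a peer only traffic whose source address falls inside that peer's AllowedIPs. The lint below is an added example, not TunnelHQ's code: it checks that the monitoring key appears exactly once in a server config, with a single-host AllowedIPs that overlaps no other peer. The function names, the filler-byte keys and the 10.0.0.250 address are assumptions made for illustration.

```python
import base64
import ipaddress

def parse_peers(conf_text):
    """Return one dict per [Peer] section of a wg-quick style config."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = {} if line.lower() == "[peer]" else None
            if section is not None:
                peers.append(section)
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            section[key.strip().lower()] = value.strip()
    return peers

def networks(peer):
    """AllowedIPs of one peer as ipaddress network objects."""
    items = [a.strip() for a in peer.get("allowedips", "").split(",")]
    return [ipaddress.ip_network(a, strict=False) for a in items if a]

def audit_monitor_peer(server_conf, monitor_pubkey):
    """Return findings; an empty list means the entry is tightly scoped."""
    peers = parse_peers(server_conf)
    mine = [p for p in peers if p.get("publickey") == monitor_pubkey]
    if len(mine) != 1:
        return [f"expected one [Peer] for the monitoring key, found {len(mine)}"]
    findings, nets = [], networks(mine[0])
    if len(nets) != 1 or nets[0].num_addresses != 1:
        findings.append("AllowedIPs should be one host address (/32 or /128)")
    for other in peers:
        if other is not mine[0] and any(n.version == o.version and n.overlaps(o)
                                        for n in nets for o in networks(other)):
            findings.append("AllowedIPs overlaps peer " + other.get("publickey", "?"))
    return findings

# Constructed sample: filler-byte keys and an assumed 10.0.0.250 monitoring address.
MONITOR_KEY = base64.b64encode(b"\x01" * 32).decode()
CLIENT_KEY = base64.b64encode(b"\x02" * 32).decode()
SAMPLE_SERVER_CONF = f"""
[Interface]  # server settings omitted
[Peer]  # production client
PublicKey = {CLIENT_KEY}
AllowedIPs = 10.0.0.2/32
[Peer]  # dedicated monitoring peer
PublicKey = {MONITOR_KEY}
AllowedIPs = 10.0.0.250/32
"""
```

Calling `audit_monitor_peer(SAMPLE_SERVER_CONF, MONITOR_KEY)` returns an empty list; widening the monitoring peer's AllowedIPs to 0.0.0.0/0 produces both a scope finding and an overlap finding.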
Can I monitor WireGuard servers that aren't exposed to the internet?
If a server is only reachable inside your VPC or corporate network, TunnelHQ's public check nodes can't reach it. We're working on a self-hosted check agent for this use case — contact [email protected] if it's a priority.
Does this work with AmneziaWG?
Yes. AmneziaWG is a WireGuard variant with traffic obfuscation. TunnelHQ has separate AmneziaWG protocol support — just paste the AmneziaWG config and it'll auto-detect.