icinga2-checks/check_wireguard.sh

#!/bin/bash

function display_help {
  echo "Usage: $0 [options]"
  echo
  echo "Options:"
  echo "-i, Wireguard interface name. Identical to what you would put in wg-quick."
  echo "-s, How long to wait for a handshake in seconds, after which the script will fail. (default: $HANDSHAKE_SEC_DEFAULT)"
  echo "-w, Handshake time warning level in seconds. (default: $WARNING_LEVEL_DEFAULT)"
  echo "-c, Handshake time critical level in seconds. (default: $CRITICAL_LEVEL_DEFAULT)"
  echo "-h, Display this help menu"
  echo
}

while getopts ":i:s:w:c:h" opt; do
  case ${opt} in
  i)
    WG_INTERFACE=$OPTARG
    ;;
  s)
    HANDSHAKE_SEC=$OPTARG
    ;;
  w)
    WARNING_LEVEL=$OPTARG
    ;;
  c)
    CRITICAL_LEVEL=$OPTARG
    ;;
  h)
    display_help
    exit 0
    ;;
  \?)
    echo "Invalid option: -$OPTARG" 1>&2
    display_help
    exit 1
    ;;
  :)
    echo "Option -$OPTARG requires an argument." 1>&2
    display_help
    exit 1
    ;;
  esac
done

# Set default values
HANDSHAKE_SEC=${HANDSHAKE_SEC:-20}
WARNING_LEVEL=${WARNING_LEVEL:-5}
CRITICAL_LEVEL=${CRITICAL_LEVEL:-10}

# Check if WG_INTERFACE is set
if [ -z "$WG_INTERFACE" ]; then
  echo "Error: -i (interface) option is required" 1>&2
  display_help
  exit 1
fi

if ! command -v wg-quick &>/dev/null; then
  echo "UNKNOWN - wg-quick could not be found"
  exit 3
fi

function cleanup {
  wg-quick down "$WG_INTERFACE" >/dev/null 2>&1
}
trap cleanup EXIT

# Try to establish a connection
WG_UP_OUTPUT=$(wg-quick up "$WG_INTERFACE" 2>&1)

# Check if the connection was successful
WG_STATUS=$(wg show)

if [ -z "$WG_STATUS" ]; then
  wg-quick down "$WG_INTERFACE" >/dev/null 2>&1 # be extra careful
  echo "CRITICAL - Unable to establish a connection to the Wireguard server. Output from wg-quick up:"
  echo "$WG_UP_OUTPUT"
  exit 2
fi

# Start the timer
START_TIME=$(date +%s%N)

# Wait for handshake
for i in $(seq 1 $(expr $HANDSHAKE_SEC \* 100)); do
  HANDSHAKE_TIME=$(wg show $WG_INTERFACE latest-handshakes | awk '{print $2}')
  CURRENT_TIME=$(date +%s)
  if [ $(expr $CURRENT_TIME - $HANDSHAKE_TIME) -le $HANDSHAKE_SEC ]; then
    break
  fi
  if [ $i -eq $(expr $HANDSHAKE_SEC \* 100) ]; then
    echo "CRITICAL - No handshakes within the $HANDSHAKE_SEC seconds"
    wg-quick down $WG_INTERFACE >/dev/null 2>&1
    exit 2
  fi
  sleep 0.01
done

END_TIME=$(date +%s%N)
ELAPSED_TIME=$(expr $END_TIME - $START_TIME)
ELAPSED_TIME=$(echo "scale=2; $ELAPSED_TIME/1000000000" | bc)
ELAPSED_TIME=$(printf "%0.2f" $ELAPSED_TIME)

# Count peers
PEER_COUNT=$(wg show "$WG_INTERFACE" peers | wc -l)

# Check if elapsed time exceeds warning or critical levels
if (($(echo "$ELAPSED_TIME > $CRITICAL_LEVEL" | bc -l))); then
  echo "CRITICAL - Connection time $ELAPSED_TIME seconds exceeds critical level of $CRITICAL_LEVEL seconds | time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"
  exit 2
elif (($(echo "$ELAPSED_TIME > $WARNING_LEVEL" | bc -l))); then
  echo "WARNING - Connection time $ELAPSED_TIME seconds exceeds warning level of $WARNING_LEVEL seconds | time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"
  exit 1
fi

# Close connection
wg-quick down "$WG_INTERFACE" >/dev/null 2>&1

# Output metrics
echo "OK - connection to the Wireguard server was established | time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"
exit 0
add check_wireguard 2023-11-08 18:39:49 -07:00			`#!/bin/bash`

			`function display_help {`
			`echo "Usage: $0 [options]"`
			`echo`
			`echo "Options:"`
			`echo "-i, Wireguard interface name. Identical to what you would put in wg-quick."`
			`echo "-s, How long to wait for a handshake in seconds, after which the script will fail. (default: $HANDSHAKE_SEC_DEFAULT)"`
			`echo "-w, Handshake time warning level in seconds. (default: $WARNING_LEVEL_DEFAULT)"`
			`echo "-c, Handshake time critical level in seconds. (default: $CRITICAL_LEVEL_DEFAULT)"`
			`echo "-h, Display this help menu"`
			`echo`
			`}`

			`while getopts ":i:s:w:c:h" opt; do`
			`case ${opt} in`
			`i)`
			`WG_INTERFACE=$OPTARG`
			`;;`
			`s)`
			`HANDSHAKE_SEC=$OPTARG`
			`;;`
			`w)`
			`WARNING_LEVEL=$OPTARG`
			`;;`
			`c)`
			`CRITICAL_LEVEL=$OPTARG`
			`;;`
			`h)`
			`display_help`
			`exit 0`
			`;;`
			`\?)`
			`echo "Invalid option: -$OPTARG" 1>&2`
			`display_help`
			`exit 1`
			`;;`
			`:)`
			`echo "Option -$OPTARG requires an argument." 1>&2`
			`display_help`
			`exit 1`
			`;;`
			`esac`
			`done`

			`# Set default values`
			`HANDSHAKE_SEC=${HANDSHAKE_SEC:-20}`
			`WARNING_LEVEL=${WARNING_LEVEL:-5}`
			`CRITICAL_LEVEL=${CRITICAL_LEVEL:-10}`

			`# Check if WG_INTERFACE is set`
			`if [ -z "$WG_INTERFACE" ]; then`
			`echo "Error: -i (interface) option is required" 1>&2`
			`display_help`
			`exit 1`
			`fi`

			`if ! command -v wg-quick &>/dev/null; then`
			`echo "UNKNOWN - wg-quick could not be found"`
			`exit 3`
			`fi`

			`function cleanup {`
modify check_wireguard, add initial check_openwrt_bssid 2023-11-12 10:27:23 -07:00			`wg-quick down "$WG_INTERFACE" >/dev/null 2>&1`
add check_wireguard 2023-11-08 18:39:49 -07:00			`}`
			`trap cleanup EXIT`

			`# Try to establish a connection`
modify check_wireguard, add initial check_openwrt_bssid 2023-11-12 10:27:23 -07:00			`WG_UP_OUTPUT=$(wg-quick up "$WG_INTERFACE" 2>&1)`
add check_wireguard 2023-11-08 18:39:49 -07:00
			`# Check if the connection was successful`
			`WG_STATUS=$(wg show)`

			`if [ -z "$WG_STATUS" ]; then`
modify check_wireguard, add initial check_openwrt_bssid 2023-11-12 10:27:23 -07:00			`wg-quick down "$WG_INTERFACE" >/dev/null 2>&1 # be extra careful`
add check_wireguard 2023-11-08 18:39:49 -07:00			`echo "CRITICAL - Unable to establish a connection to the Wireguard server. Output from wg-quick up:"`
			`echo "$WG_UP_OUTPUT"`
			`exit 2`
			`fi`

			`# Start the timer`
			`START_TIME=$(date +%s%N)`

			`# Wait for handshake`
			`for i in $(seq 1 $(expr $HANDSHAKE_SEC \* 100)); do`
			`HANDSHAKE_TIME=$(wg show $WG_INTERFACE latest-handshakes \| awk '{print $2}')`
			`CURRENT_TIME=$(date +%s)`
			`if [ $(expr $CURRENT_TIME - $HANDSHAKE_TIME) -le $HANDSHAKE_SEC ]; then`
			`break`
			`fi`
			`if [ $i -eq $(expr $HANDSHAKE_SEC \* 100) ]; then`
			`echo "CRITICAL - No handshakes within the $HANDSHAKE_SEC seconds"`
			`wg-quick down $WG_INTERFACE >/dev/null 2>&1`
			`exit 2`
			`fi`
			`sleep 0.01`
			`done`

			`END_TIME=$(date +%s%N)`
			`ELAPSED_TIME=$(expr $END_TIME - $START_TIME)`
			`ELAPSED_TIME=$(echo "scale=2; $ELAPSED_TIME/1000000000" \| bc)`
			`ELAPSED_TIME=$(printf "%0.2f" $ELAPSED_TIME)`

			`# Count peers`
modify check_wireguard, add initial check_openwrt_bssid 2023-11-12 10:27:23 -07:00			`PEER_COUNT=$(wg show "$WG_INTERFACE" peers \| wc -l)`
add check_wireguard 2023-11-08 18:39:49 -07:00
			`# Check if elapsed time exceeds warning or critical levels`
			`if (($(echo "$ELAPSED_TIME > $CRITICAL_LEVEL" \| bc -l))); then`
			`echo "CRITICAL - Connection time $ELAPSED_TIME seconds exceeds critical level of $CRITICAL_LEVEL seconds \| time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"`
			`exit 2`
			`elif (($(echo "$ELAPSED_TIME > $WARNING_LEVEL" \| bc -l))); then`
			`echo "WARNING - Connection time $ELAPSED_TIME seconds exceeds warning level of $WARNING_LEVEL seconds \| time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"`
			`exit 1`
			`fi`

			`# Close connection`
modify check_wireguard, add initial check_openwrt_bssid 2023-11-12 10:27:23 -07:00			`wg-quick down "$WG_INTERFACE" >/dev/null 2>&1`
add check_wireguard 2023-11-08 18:39:49 -07:00
			`# Output metrics`
			`echo "OK - connection to the Wireguard server was established \| time=${ELAPSED_TIME}s;${WARNING_LEVEL};${CRITICAL_LEVEL};0;${CRITICAL_LEVEL} peers=${PEER_COUNT};;0;"`
			`exit 0`