Log WireGuard port

Got WireGuard working with some mobile clients, in just a few minutes!

Is there any way to log activity on the WireGuard port? Something like the Log checkbox under Firewall Rules.

I don’t understand what you want to log here. The port is automatically opened and there is no logging enabled.

WireGuard itself is very hard to exploit if you don’t have a valid key, so there is no need to put any additional protection on.

I get the security part.

Sometimes while traveling, outbound connections to certain ports are blocked. (Like VoIP, VPN, messaging in some countries.)

In that case, all you can hope for (at the time) is that your WireGuard client connects.

With logs, you have real time confirmation that IPFire is getting inbound connections to that port, or not.

You can actually check this kind of activity directly from the WireGuard menu in IPFire.

Each peer is listed with its connection status — so if a client has successfully connected, it’ll show as connected in the table. That gives you a real-time indication of whether the connection is active.

Also, if you hover over the little country flag icon, you’ll see the IP address and port number the client is using — useful for confirming what’s coming in.

Just a note: since WireGuard is stateless by design, you might want to be aware of the persistent keepalive setting. If it’s set to 0, the connection will only be made when the client actually sends traffic, so it won’t appear connected until then. But this setting is defaulted to 25 seconds.

Hope that helps.

Cheers,
A G


Thanks, I knew most of that - WireGuard menu.

Hovering over the country flag icon does help, now good to know.

There is a bit of a delay in the CONNECTED/DISCONNECTED being updated in the Status column. Does this have anything to do with the persistent keepalive setting?

Also, on the WireGuard mobile client - tapping on the interface provides connection details about IPFire and the Peer.

Yes – it’s all about the handshake timer.

  • IPFire decides a peer is “Connected” when the last WireGuard handshake is ≤ 120 seconds old.

  • Persistent KeepAlive 25s (the default) makes the client send a dummy packet every 25s, so a new handshake happens well inside that 120-second window. The row stays green the whole time.

  • If you set KeepAlive to 0, the client only speaks when it has real traffic. While you’re idle the handshake ages past 120 s, so IPFire flips the status to “Disconnected”. First packet you send brings it straight back to “Connected”.

There’s also a small WUI delay:

  • The status table is refreshed only when the page reloads (no live push).
  • Each reload calls wg show, so you’re seeing whatever the kernel knew at that moment.

Cheers,
A G

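The handshake-age rule described in the reply above can be checked from the shell. This is an added example, not IPFire's code and not from any poster in this thread: it classifies peers from `wg show <interface> dump` output using the 120-second window quoted above. The interface name `wg0`, the function names and all sample keys, addresses and timestamps are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: classify WireGuard peers by handshake age.
# Input is the output of `wg show <interface> dump`: line 1 describes the
# interface, every later line is one peer with tab-separated fields:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive

THRESHOLD=120   # seconds; the "Connected" window quoted in the reply above

# peer_status NOW < dump
# Prints "pubkey endpoint age status" for each peer, with age measured at NOW.
peer_status() {
    awk -F'\t' -v now="$1" -v max="$THRESHOLD" '
        NR == 1 { next }                    # skip the interface line
        {
            hs = $5 + 0                     # latest-handshake, Unix seconds
            if (hs == 0) {                  # 0 means no handshake so far
                printf "%s %s never DISCONNECTED\n", $1, $3
                next
            }
            age = now - hs
            printf "%s %s %ds %s\n", $1, $3, age,
                   (age <= max ? "CONNECTED" : "DISCONNECTED")
        }'
}

# Constructed sample dump (placeholder keys, documentation-range addresses).
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' PRIVKEY-PLACEHOLDER SERVERPUB-PLACEHOLDER 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        PEER-A-PUBKEY '(none)' 198.51.100.7:40212 10.0.0.2/32 1700000970 5120 9344 25 \
        PEER-B-PUBKEY '(none)' 203.0.113.9:51000  10.0.0.3/32 1700000700 880  1200 off \
        PEER-C-PUBKEY '(none)' '(none)'           10.0.0.4/32 0          0    0    25 \
        PEER-D-PUBKEY '(none)' 192.0.2.44:33117   10.0.0.5/32 1700000880 64   92   25
}

# Offline demo against the sample, with "now" fixed at 1700001000.
sample_dump | peer_status 1700001000

# Live use (assumed interface name wg0, needs root):
#   wg show wg0 dump | peer_status "$(date +%s)"
```

Peer C has never completed a handshake, so it has no endpoint to report, and peer D sits exactly on the 120-second boundary.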

Got it. Thank you!
