From: Vitaliy Makkoveev
Subject: Re: [patch] wireguard floods dmesg
To: Claudio Jeker
Cc: Lloyd, "tech@openbsd.org"
Date: Wed, 11 Dec 2024 20:58:00 +0300

> On 11 Dec 2024, at 15:11, Claudio Jeker wrote:
>
> On Wed, Dec 11, 2024 at 02:39:20PM +0300, Vitaliy Makkoveev wrote:
>>> On 11 Dec 2024, at 12:24, Claudio Jeker wrote:
>>>
>>> On Wed, Dec 11, 2024 at 07:45:34AM +0000, Lloyd wrote:
>>>> Hello,
>>>>
>>>> Wireguard has a rudimentary logging function accessed by setting
>>>> the debug flag on the interface. Logging Wireguard activity is
>>>> desirable e.g. for SIEM purposes. However, the current
>>>> implementation will flood the system message buffer with the
>>>> following message if the other side of the tunnel is down:
>>>>
>>>> wg0: No valid endpoint has been configured or discovered for peer 0
>>>> wg0: No valid endpoint has been configured or discovered for peer 0
>>>> wg0: No valid endpoint has been configured or discovered for peer 0
>>>
>>> Is that message actually useful? Shouldn't it be simply removed?
>>
>> This message appears only if IFF_DEBUG flag is set. No problem
>> with it.
>
> But it triggers probably for every portscan or similar attempt. It does
> not report the IP addrs it does not give any useful info. So I think it is
> not useful for anyone.
>

No, this is the output path. You will see it if remote peer is missing,
e.g. down. This debug message seems to be developers related. Personally
I prefer to enable or disable it and similar (like in wg_send_buf()) in
compile time.

> --
> :wq Claudio