Description: Create fake WireGuard VPN configurations to install on your phone or on servers that will alert when used. The value of this Canarytoken as a signal of compromise, is that the attacker —once they land on your device— will want to check what further privileged access the VPN gets them to spread their compromise further and grab more data. For more on the thinking behind this WireGuard Canarytoken see this blog post.
Log in to your Console.
Create a new WireGuard Canarytoken:
Give a friendly name to remind you where this WireGuard VPN is configured:
The Canarytoken will then show a QR code to install the WireGuard config on your phone, or you can download the config to install on another device:
On your phone, use the WireGuard app to add a new VPN configuration by scanning the QR code:
That's it! When someone tries to use this VPN, it'll trigger an alert, showing the source IP of the unexpected access: