On Mon, Dec 01, 2025 at 08:58:16PM +0000, Lloyd wrote:
> I've noticed that established VPN tunnels never show up in netstat -a.
>
> The service ports (IKE, Wireguard, etc.) do show up as listening.
>
> But established endpoints are never visible.

If you are looking at netstat -a output on a router which is forwarding traffic from other hosts over a tunnel, then the forwarded connections won't show up any more than they would when doing regular routing over a normal interface.

On the other hand, if you are connecting to services running on the same machine as the tunnel endpoints, those connections should show up based on the local interface they are bound to.

So it really depends on how those endpoints are configured. What configurations are you looking at and what exactly are you expecting to see?

For example, consider iked running in tunnel mode, with a server on the same machine as the tunnel endpoint. This server process is bound to a vether interface that is configured with the 'inner' IPs configured on the tunnel. With this configuration, the smtp port shows up as listening in netstat -a output (and active inbound connections show up too).

