I need to connect to a client’s remote database on an Amazon EC2 instance. The client wants to use an IP whitelist and I understand that Fly does not offer stable outbound IPs. My question is:
Would it be possible to connect to the DB using WireGuard?
My thought would be to use `fly wireguard create` and share the resulting config with the client, but I may be misunderstanding how these connections work.
Forgive my ignorance on this topic and thanks for your help!
You’re not far off!
You’d want something like a “bastion” host that you run in the AWS account and that runs WireGuard, so you can make a connection to the database through it.
There is some prior art. You wouldn’t need to do exactly what these folks do but hopefully this illustrates some of the key parts.
I’m trying to decide if I should be deploying my Hasura instances (and possibly Postgres read replicas) via fly or via AWS.
I’d personally prefer fly, but then I need to sort out how fly gets access to my AWS VPC where my RDS instance is running. Based on my research that seems like it’s via a Wireguard bastion host that I deploy in AWS.
Adding a hop like this seems like it would be a bottleneck (for both bandwidth and latency) as well as a single point of failure. But perhaps that’s not a pro…
This is very helpful, thank you!
Is it possible to set up a Wireguard VPN the other way around with fly as the “client”, i.e. from a config file? From what I can tell it’s not.
I’m trying to connect with WireGuard the other way around. The WireGuard gateway is running somewhere else and I want to connect to it from within fly, rather than a bastion connecting to a fly gateway. I tried to run `wg-quick up` in the app’s entrypoint and I am getting this error:
sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory
Is it even possible to make a wireguard connection this way?
If so, why is sudo breaking here?
Yeah, it should be possible to set up WireGuard from a VM to a gateway running somewhere else. The kernel we use for the virtual machines is built with WireGuard support enabled.
If so, why is sudo breaking here?
Something is wrong with the Docker image. Can you share your Dockerfile?
@pavel I’m actually using a heroku buildpack. Here is my fly.toml. I was getting `wg-quick: command not found`, so I tried installing it via the “fagiani/apt” buildpack. Maybe using a Dockerfile is a better approach?
```toml
app = "wordbank-dev"
primary_region = "dfw"
kill_signal = "SIGINT"
kill_timeout = "5s"

[experimental]
  auto_rollback = true

[build]
  builder = "heroku/buildpacks:20"
  buildpacks = ["fagiani/apt", "heroku/python"]

[deploy]
  release_command = "python manage.py migrate"

[env]
  DJANGO_SETTINGS_MODULE = "ch2.settings_dev"
  PORT = "8080"

# Each process brings the tunnel up before starting its own command.
# All three must point at the same config file (wg1.conf).
[processes]
  web = "wg-quick up wg1.conf && gunicorn ch2.wsgi:application"
  worker = "wg-quick up wg1.conf && python manage.py worker"
  scheduler = "wg-quick up wg1.conf && python manage.py scheduler"

[[services]]
  protocol = "tcp"
  internal_port = 8080
  processes = ["web"]

  [[services.ports]]
    port = 80
    handlers = ["http"]
    force_https = true

  [[services.ports]]
    port = 443
    handlers = ["tls", "http"]

  [services.concurrency]
    type = "connections"
    hard_limit = 25
    soft_limit = 20

  [[services.tcp_checks]]
    interval = "15s"
    timeout = "2s"
    grace_period = "1s"
    restart_limit = 0

[[statics]]
  guest_path = "/workspace/static"
  url_prefix = "/static"
```
Yeah, looks like an image generated by buildpacks is missing
Yep. Since you need to install some custom tools, I think the only way is to use your own Dockerfile.
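To tie the two halves of this thread together (the AWS-side bastion suggested at the top, and the client-in-the-Fly-VM setup discussed just above), here is an added example that is not code from Fly, from the thread, or from any of the posters. It renders both WireGuard configs from a handful of variables and shows the entrypoint step a Dockerfile-based image would run instead of `sudo wg-quick`. Every name in it is an assumption: the `WG_*` environment variables (on Fly these would be set with `fly secrets` so the private key never lands in the image), the tunnel range 10.200.0.0/24, the DB subnet 10.0.0.0/16, the bastion endpoint 203.0.113.10:51820 and the key strings are all constructed placeholders. The security-relevant choices are visible in the output: the client’s `AllowedIPs` is the DB subnet only, so the tunnel never becomes the VM’s default route; the bastion forwards tunnel traffic only to that subnet and drops everything else; and the DB sees connections from the bastion’s private IP, which is the single address the client has to whitelist.

```shell
#!/usr/bin/env sh
# Added example (not Fly's or the thread's code). Renders WireGuard configs for a
# Fly VM -> AWS bastion tunnel and brings the client side up without sudo.
# All values below are constructed placeholders, not real keys or addresses.

: "${WG_PRIVATE_KEY:=PLACEHOLDER_CLIENT_PRIVATE_KEY}"   # set via `fly secrets`, never in the image
: "${WG_PEER_PUBLIC_KEY:=PLACEHOLDER_BASTION_PUBLIC_KEY}"
: "${WG_ENDPOINT:=203.0.113.10:51820}"                  # bastion public IP:port (assumed)
: "${WG_ADDRESS:=10.200.0.2/32}"                        # this VM's tunnel address (assumed)
: "${WG_DB_CIDR:=10.0.0.0/16}"                          # VPC subnet holding the database (assumed)

# Accept only dotted-quad/prefix; rejects garbage before it reaches AllowedIPs.
validate_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  prefix=${1##*/}
  [ "$prefix" -le 32 ] || return 1
  ip=${1%/*}
  oldifs=$IFS; IFS=.
  for octet in $ip; do
    [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  return 0
}

# Client side (inside the Fly VM). AllowedIPs is the DB subnet only, so just DB
# traffic is routed into the tunnel; keepalive holds the NAT mapping open.
render_client_conf() {
  privkey=$1 peer_pub=$2 endpoint=$3 tunnel_addr=$4 db_cidr=$5
  validate_cidr "$db_cidr" || { echo "bad DB CIDR: $db_cidr" >&2; return 1; }
  cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $tunnel_addr

[Peer]
PublicKey = $peer_pub
Endpoint = $endpoint
AllowedIPs = $db_cidr
PersistentKeepalive = 25
EOF
}

# Bastion side (EC2 in the client's account). Peer AllowedIPs pins the Fly VM to
# its single tunnel IP; FORWARD rules permit only DB-subnet destinations and
# drop the rest; MASQUERADE makes the DB see the bastion's private IP, which is
# the one address its security group needs to allow. The EC2 security group
# must allow inbound UDP on listen_port.
render_bastion_conf() {
  privkey=$1 client_pub=$2 listen_port=$3 bastion_addr=$4 client_ip=$5 db_cidr=$6 lan_if=$7
  validate_cidr "$db_cidr" || { echo "bad DB CIDR: $db_cidr" >&2; return 1; }
  cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $bastion_addr
ListenPort = $listen_port
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -d $db_cidr -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
PostUp = iptables -t nat -A POSTROUTING -s $client_ip/32 -d $db_cidr -o $lan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d $db_cidr -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s $client_ip/32 -d $db_cidr -o $lan_if -j MASQUERADE

[Peer]
PublicKey = $client_pub
AllowedIPs = $client_ip/32
EOF
}

# Entrypoint step for the Fly VM. Assumes the image was built from a Dockerfile
# that installed wireguard-tools and iproute2 and that the entrypoint already
# runs as root, so no sudo is involved. Refuses to start with a missing key.
bring_up() {
  conf=$1   # e.g. /etc/wireguard/wg1.conf
  case "$WG_PRIVATE_KEY" in
    ""|PLACEHOLDER*) echo "WG_PRIVATE_KEY not set; configure it with fly secrets" >&2; return 1 ;;
  esac
  command -v wg-quick >/dev/null 2>&1 || { echo "wg-quick missing from image" >&2; return 1; }
  ( umask 077 && render_client_conf "$WG_PRIVATE_KEY" "$WG_PEER_PUBLIC_KEY" \
      "$WG_ENDPOINT" "$WG_ADDRESS" "$WG_DB_CIDR" > "$conf" ) || return 1
  wg-quick up "$conf"
}

# Usage inside the image: entrypoint.sh up gunicorn ch2.wsgi:application
if [ "${1:-}" = "up" ]; then
  shift
  bring_up /etc/wireguard/wg1.conf || exit 1
  exec "$@"
fi
```

The same script can be the entrypoint for all three process groups from the fly.toml above (`up gunicorn …`, `up python manage.py worker`, …), which keeps the config file name in one place instead of three.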