Can I connect to remote database via wireguard, and if so, how?

I need to connect to a client’s remote database on an Amazon EC2 instance. The client wants to use an IP whitelist and I understand that a fly does not offer stable outbound IPs. My question is:

Would it be possible to connect to the db using wireguard?

My thought would be to use fly wireguard create and share the resulting config with the client, but I may be misunderstanding how these connections work.

Forgive my ignorance on this topic and thanks for your help!

You’re not far off!

You’d want something like a “bastion” host that you run in the AWS account that runs wireguard so you can make a connection to the database.

There is some prior art. You wouldn’t need to do exactly what these folks do but hopefully this illustrates some of the key parts.

This is very helpful, thank you!

Is it possible to set up a Wireguard VPN the other way around with fly as the “client”, i.e. from a config file? From what I can tell it’s not.

I’m trying to connect with wireguard the other way around. The wireguard gateway is running somehwere else I and I want connect to it from within fly rather than a bastion connecting to a fly gateway. I tried to run wg-quick up in the apps entrypoint and I am getting this error.

sudo: error while loading shared libraries: cannot open shared object file: No such file or directory

  1. Is it even possible to make a wireguard connection this way?
  2. If so, why is sudo breaking here?

Hi @bgaudino

Yeah, it should be possible to setup Wireguard from VM to a gateway running somewhere else. The kernel we use for the virtual machines is built with Wireguard support enabled.

If so, why is sudo breaking here?

Something is wrong with the Docker image. Can you share your Dockerfile?

Thanks, @pavel. I’m actually using a heroku buildpack. Here is my fly.toml. I was getting a wg-quick: command not found so I tried installing it via the “fagiani/apt” buildpack . Maybe using a Dockerfile is a better approach?

app = "wordbank-dev"
primary_region = "dfw"
kill_signal = "SIGINT"
kill_timeout = "5s"

  auto_rollback = true

  builder = "heroku/buildpacks:20"
  buildpacks = ["fagiani/apt", "heroku/python"]

  release_command = "python migrate"

  DJANGO_SETTINGS_MODULE = "ch2.settings_dev"
  PORT = "8080"

  web = "wg-quick up wg1.conf && gunicorn ch2.wsgi:application"
  worker = "wg-quick up wg1.config && python worker"
  scheduler = "wg-quick up wg1.config && python scheduler"

  protocol = "tcp"
  internal_port = 8080
  processes = ["web"]

    port = 80
    handlers = ["http"]
    force_https = true

    port = 443
    handlers = ["tls", "http"]
    type = "connections"
    hard_limit = 25
    soft_limit = 20

    interval = "15s"
    timeout = "2s"
    grace_period = "1s"
    restart_limit = 0

  guest_path = "/workspace/static"
  url_prefix = "/static"

Yeah, looks like an image generated by buildpacks is missing wg-quick

Yep. Since you need to install some custom tools, I think the only way is to use your own Dockerfile.