Can ping VPS through wireguard but can't cURL or connect to DB

Hi All,
I’ve got a fly VM running a daemon that’s trying to connect to a DB I’ve got running on a VPS on some dedicated hosting.
I’ve set up wireguard with
fly wireguard create <org_name> lhr <vps_peer_name>

then run wg-quick up <vps_peer_name>
which outputs

[#] ip link add <vps_peer_name> type wireguard
[#] wg setconf <vps_peer_name> /dev/fd/63
[#] ip -6 address add <ipv6_addr>/120 dev <vps_peer_name>
[#] ip link set mtu 1420 up dev <vps_peer_name>
[#] resolvconf -a tun.<vps_peer_name> -m 0 -x
[#] ip -6 route add <dns_server?>/48 dev <vps_peer_name>

Interestingly, I was getting two “Too few arguments” messages after the resolvconf line; I had openresolv installed. So I installed resolvconf as well, and that seems to have removed those messages.

On the fly VM I can
ping [vps_ip6_addr]

which shows some traffic if I
tcpdump port 51280
on the vps

But I can’t cURL a local server by that IPv6 address, nor can I connect to a Postgres DB. The connections just time out. Again, this traffic is showing in tcpdump, but there are no logs of attempted connections in NGINX or Postgres.
Any ideas please? How to troubleshoot this?

It sounds like the local server and DB may not be listening on IPv6. That’s normally what a successful ping and a failed connection means.

Hi Kurt,
Thanks for the reply

I’ve confirmed that I can access Postgres from the machine locally using both [::] and [wireguard_peer_ip] addresses. It prompts me for a password.

I might mention it’s running in docker and lsof -i6 confirms that docker’s binding the container to all ipv6 interfaces on port 5432

docker-pr 32643     root    4u  IPv6 13573753      0t0  TCP *:postgresql (LISTEN)

I’m just trying this on the fly vm
psql -h <wireguard_peer_ip>
and it’s hanging, not prompting me for a password

My bad - didn’t allow in firewall.

The reason I didn’t check this is because I could see the WireGuard traffic getting through and being forwarded to the right address + port, so I didn’t think the firewall could block it once it was already being translated by WireGuard.

Fixed…


Hi Kurt,
I’ve just come back to this project, and my Fly instance can’t connect to the DB anymore. I think maybe the IP it’s running under has gone outside of the /120 range I specified in my UFW?
I’ve been reading this

but it doesn’t seem to shed light on what my UFW status needs to look like? I’m allowing in 51280 for wireguard traffic. I don’t know why I then have to also allow in traffic from my wireguard interface?

Is there a guide for configuring a VPS firewall to handle wireguard traffic to an application please?
Thanks,
R
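As an added example (not code from this thread or from fly.io's tooling), the script below parses wg-quick output of the shape shown earlier, classifies a peer address as inside the interface's /120, inside only the wider /48 route, or neither, and reads the quoted lsof line to confirm the IPv6 wildcard bind. The interface name and addresses are made up; the rule-writing itself (ufw) is left to the reader.

```python
"""Sanity checks for a wg-quick tunnel to a VPS-hosted service (added example).

Parses the [#] lines wg-quick prints and answers two questions from the thread:
does a peer address fall inside the /120 a firewall rule was written for, and is
the service bound on IPv6. Decrypted tunnel packets arrive on the wg interface
as ordinary inbound packets, so the host firewall filters them like any other.
"""
import ipaddress
import re

# Constructed: wg-quick output in the thread's shape, with made-up ULA
# addresses in place of the placeholders (not real fly.io assignments).
WG_QUICK_OUTPUT = """\
[#] ip link add wg-vps type wireguard
[#] wg setconf wg-vps /dev/fd/63
[#] ip -6 address add fdaa:0:1:a7b::3/120 dev wg-vps
[#] ip link set mtu 1420 up dev wg-vps
[#] ip -6 route add fdaa:0:1::/48 dev wg-vps
"""
# Constructed: the lsof -i6 line quoted in the thread, whitespace collapsed.
LSOF_LINE = "docker-pr 32643 root 4u IPv6 13573753 0t0 TCP *:postgresql (LISTEN)"


def parse_wg_quick(output):
    """Extract the interface name, its on-link /120 and the wider /48 route."""
    addr = re.search(r"ip -6 address add (\S+) dev (\S+)", output)
    route = re.search(r"ip -6 route add (\S+) dev (\S+)", output)
    return {
        "iface": addr.group(2),
        # strict=False drops the host bits: ...::3/120 -> the /120 it sits in
        "onlink": ipaddress.ip_network(addr.group(1), strict=False),
        "routed": ipaddress.ip_network(route.group(1), strict=False),
    }


def firewall_scope(peer, tunnel):
    """'onlink'  - inside the /120, so a rule written for that /120 matches
    'routed'  - inside the /48 route but outside the /120: a /120 rule drops it
    'foreign' - not expected on this interface at all"""
    ip = ipaddress.ip_address(peer)
    if ip in tunnel["onlink"]:
        return "onlink"
    if ip in tunnel["routed"]:
        return "routed"
    return "foreign"


def listens_on_any_v6(lsof_line, service):
    """True when lsof -i6 shows the service bound to the IPv6 wildcard (*)."""
    cols = lsof_line.split()
    return cols[4] == "IPv6" and cols[-2] == f"*:{service}" and cols[-1] == "(LISTEN)"
```

A peer that classifies as "routed" is exactly the case asked about above: reachable through the tunnel, but outside a firewall rule scoped to the /120.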