Connect fly wireguard to external server?

Is it possible for the wireguard 6pn to connect to another wireguard node? I wanted to know if I could connect fly to another server so it could securely connect to the databases I have there.

Yep, we’re doing exactly that with a database on rds. Fly has an example app showing how to do this: GitHub - fly-apps/rds-connector: Trivial Terraform example for a WireGuard peer to RDS


Thanks for your assistance! I wish there was a tutorial, but this will do.

1 Like

Do you know how this would be done from Fly > Kubernetes Cluster?

I got wireguard-go installed and working by following the example and moving the wg0.conf over like in the AWS example, but I don’t know how to access the pods.

Pod networking is its own beast to some extent. At a minimum you’ll need to make sure you have whatever ports open on the ec2/eks instance and have those opened in your pod config. But I’ve never run a wireguard peer in a k8s pod so it’s very possible there’s a lot more involved. This article might help.

Once you bring up the client in your pod (wg-quick up wg0) and connect to the network — you can test the connection by hitting the dns server, eg dig TXT _apps.internal — that node should be addressable using the ipv6 address (or the peers dns name) specified in the wireguard config file by any other node on the network.

Hope this helps. Good luck!

Thanks for your time on this.

When I run dig TXT _apps.internal it only returns nodes that are fly servers, not the node I have running on non-fly servers. Do you simply start wg on the non fly server with the default wg0.conf generated by fly, or do you modify it?

I set up a test server with WG installed and operational. It’s not k8, but I’m sure I’m missing something. How do you see or access that node that is unrelated to Fly Servers?

Yea, _peer.internal should give you a list of wireguard peers, and you can check the status using fly wireguard status CLI command.

Do you simply start wg on the non fly server with the default wg0.conf generated by fly, or do you modify it?

No modifications necessary. If you can run that dig command from that instance and it gives you a result, that means it’s talking to fly’s DNS server, which means you’re on the wireguard network. In terms of talking to it from one of the other nodes, you need it’s address – either it’s ipv6 ip address, or it’s peer name, e.g. <PEER_NAME>._peer.internal, which will resolve to the peer’s ipv6 address. You can get the latter by doing dig AAAA <PEER_NAME>._peer.internal, or you can get it from fly wireguard list.