Create app & add WireGuard peer via API

Hi @kurt, sure, I’ve deployed another app (tpproxy-wtf9ja) with a custom network (jason-tp13-network) and added a WireGuard peer (jason-tp13) to that network. I’ll leave it up for you to debug. Thanks! :slight_smile:

For completeness, here are the steps to reproduce the issue:

Set some environment variables:

FLY_REGION="lhr"
FLY_ORG_ID="YOUR-FLY-ORG-ID"
FLY_API_TOKEN="YOUR-FLY-API-TOKEN"
APP_NAME="tpproxy-wtf9ja"
WG_PEER_NAME="jason-tp13"
WG_PEER_NETWORK="jason-tp13-network"

Create the app in a custom network:

curl 'https://api.fly.io/graphql' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${FLY_API_TOKEN}" \
  --data '{
  "query": "mutation($input: CreateAppInput!){ createApp(input: $input) { app { id name organization { id slug } network runtime regions { name code } } } }",
  "variables": {
    "input": {
      "name": "'"${APP_NAME}"'",
      "runtime": "FIRECRACKER",
      "organizationId": "'"${FLY_ORG_ID}"'",
      "preferredRegion": "'"${FLY_REGION}"'",
      "network": "'"${WG_PEER_NETWORK}"'"
    }
  }
}'; echo

Generate your private & public keys for WireGuard:

wg genkey > wg-test.priv && \
  wg pubkey < wg-test.priv > wg-test.pub && \
  cat wg-test.pub

Set your WireGuard public key (that you just created):

WG_PEER_PUBLIC_KEY="<put contents of wg-test.pub here>"

Add a WireGuard peer to the custom network:

curl 'https://api.fly.io/graphql' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${FLY_API_TOKEN}" \
  --data '{
  "query": "mutation($input: AddWireGuardPeerInput!){ addWireGuardPeer(input: $input){ clientMutationId endpointip peerip pubkey } }",
  "variables": {
    "input": {
      "organizationId": "'"${FLY_ORG_ID}"'",
      "region": "'"${FLY_REGION}"'",
      "name": "'"${WG_PEER_NAME}"'",
      "pubkey": "'"${WG_PEER_PUBLIC_KEY}"'",
      "network": "'"${WG_PEER_NETWORK}"'"
    }
  }
}'; echo

Create the WireGuard config file as wg0.conf:

[Interface]
PrivateKey = <put contents of wg-test.priv here>
Address = <put peerip from addWireGuardPeer response here>/120
# The DNS is our fly organization network ID + ::3
# Our organization network ID is the first 3 sections of the WireGuard peer IP.
# Source: https://fly.io/docs/reference/privatenetwork/#discovering-apps-through-dns-on-an-instance
DNS = fdaa:0:28a6::3

[Peer]
PublicKey = <put pubkey from addWireGuardPeer response here>
# Allow all IPs within our org network prefix
AllowedIPs = fdaa:0:28a6::/48
Endpoint = <put endpointip from addWireGuardPeer response here>:51820
PersistentKeepalive = 15

Create the wg0 WireGuard interface:

sudo cp wg0.conf /etc/wireguard && \
  wg-quick up wg0

Create the fly.toml file:

app = "tpproxy-wtf9ja"
kill_signal = "SIGINT"
kill_timeout = 5

# Remove this section to build from the local Dockerfile
[build]
  image = "sspreitzer/shellinabox:latest"

[experimental]
  private_network=true

[[services]]
  internal_port = 4200
  protocol = "tcp"

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20

  [[services.ports]]
    port = "443"

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    port = "4200"
    restart_limit = 6
    timeout = "2s"

Deploy the app:

fly deploy \
  --env SIAB_USER=jason \
  --env SIAB_PASSWORD=mysecretpassword \
  --env SIAB_SUDO=true

Once on the fly instance, install some tools to debug the network:

sudo -i
apt update && \
  apt install -y net-tools iputils-ping dnsutils netcat socat
dig +short txt _peer.internal @fdaa::3
# ;; Warning: Message parser reports malformed message packet.
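As an added example (not code from the post above or from Fly.io), the following Python script derives the wg0.conf values the post fills in by hand: it takes the addWireGuardPeer response (a constructed sample here, with placeholder keys and a documentation-range endpoint), computes the org /48 prefix from peerip, and renders DNS, AllowedIPs, Address and Endpoint from it. It also rejects a pubkey that is not a valid 32-byte WireGuard key before writing the config.

```python
import base64
import ipaddress

# Constructed sample with the same shape as the post's addWireGuardPeer mutation
# result (clientMutationId, endpointip, peerip, pubkey). Values are placeholders.
SAMPLE_RESPONSE = {
    "data": {
        "addWireGuardPeer": {
            "clientMutationId": None,
            "endpointip": "203.0.113.10",                 # TEST-NET-3, not a real gateway
            "peerip": "fdaa:0:28a6:a7b:1234:5678:9abc:2",  # constructed peer address
            "pubkey": base64.b64encode(b"\x01" * 32).decode(),  # placeholder, not a real key
        }
    }
}


def is_wireguard_key(value: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded (44 chars ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def org_prefix(peerip: str) -> ipaddress.IPv6Network:
    """Org network = the /48 containing the peer IP (its first three hextets)."""
    return ipaddress.IPv6Network(f"{peerip}/48", strict=False)


def render_wg_conf(response: dict, client_privkey: str) -> str:
    """Build wg0.conf from the mutation response, mirroring the post's layout."""
    peer = response["data"]["addWireGuardPeer"]
    if not is_wireguard_key(peer["pubkey"]):
        raise ValueError("addWireGuardPeer returned a malformed pubkey")
    net = org_prefix(peer["peerip"])
    dns = net.network_address + 3  # <org prefix>::3, the resolver named in the post
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_privkey}",
        f"Address = {peer['peerip']}/120",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {peer['pubkey']}",
        f"AllowedIPs = {net}",
        f"Endpoint = {peer['endpointip']}:51820",
        "PersistentKeepalive = 15",
        "",
    ])
```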