I need to call a third party service that requires a static IP. Since Fly.io outgoing connections seem to have dynamic IPs, I would like to connect to a WireGuard node hosted on DigitalOcean and route the traffic of my app through this peer for some IPs.
Is there a way to set the allowed IPs of an app?
If I understand right, you want to create a wireguard peer on DigitalOcean, then route a block of IPs through it at the network level?
I’m 99% sure this won’t work with our built-in WireGuard peers. You can do what you need by:
- Run a proxy on the DigitalOcean end and proxy your app requests through that. This could be a SOCKS proxy if you want to do generic network proxying, or something like HAProxy if you just need HTTP requests to one place. Your app will just talk to `<peer>._peers.internal:80` or whatever you have it listen on.
- Set up your own WireGuard network and connect to it from your app VMs. This should let you manage AllowedIPs the way you want, though it might require some tweaks to the VM to set routes up.
I would probably create a Tailscale exit node on DigitalOcean, then run Tailscale in my VMs if I were trying to do this. WireGuard direct will work fine for this, but Tailscale is definitely easier.
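The first option above, seen from the app side, as an added example that is not code from the thread: only requests to the service that needs the static IP are sent through an HTTP forward proxy on the DigitalOcean peer, while everything else egresses directly. The peer name `do-proxy._peers.internal`, port 3128 and the host `api.example-bank.test` are assumed placeholders.

```python
# Added example (not from the thread). Assumptions, not values from the thread:
#   do-proxy._peers.internal:3128  -> WireGuard peer running an HTTP forward proxy
#   api.example-bank.test          -> placeholder for the financial service
import urllib.request
from urllib.parse import urlsplit

PROXY_HOST = "do-proxy._peers.internal"
PROXY_PORT = 3128
STATIC_IP_HOSTS = {"api.example-bank.test"}  # hosts that must see the static IP


class SelectiveProxyHandler(urllib.request.ProxyHandler):
    """ProxyHandler that proxies only the hosts in `hosts`; others go direct."""

    def __init__(self, proxy_url, hosts):
        super().__init__({"http": proxy_url, "https": proxy_url})
        self.hosts = set(hosts)

    def proxy_open(self, req, proxy, type):
        # Returning None makes urllib fall through to the next handler, i.e. a
        # direct connection from the VM's own (dynamic) egress IP.
        if req.host.rsplit(":", 1)[0] not in self.hosts:
            return None
        return super().proxy_open(req, proxy, type)


def egress_for(url):
    """Return the (host, port) the TCP connection for `url` will actually go to."""
    parts = urlsplit(url)
    if parts.hostname in STATIC_IP_HOSTS:
        return (PROXY_HOST, PROXY_PORT)
    default = 443 if parts.scheme == "https" else 80
    return (parts.hostname, parts.port or default)


def build_opener():
    """Opener for the app: proxied for STATIC_IP_HOSTS, direct for the rest."""
    proxy_url = f"http://{PROXY_HOST}:{PROXY_PORT}"
    return urllib.request.build_opener(
        SelectiveProxyHandler(proxy_url, STATIC_IP_HOSTS))


if __name__ == "__main__":
    for u in ("https://api.example-bank.test/v1/balance", "https://example.com/"):
        print(u, "->", egress_for(u))
```

For HTTPS the proxy must allow CONNECT tunnelling, so the financial service still sees the droplet's static IP while TLS terminates in the app.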
Thank you for your fast response,
The static IP requirement is only to make HTTP calls to a financial service that requires a static IP. I figured if it’s possible to do that with Fly’s built-in WireGuard that would be awesome, but from your blog posts I was already doubting that specifying allowed IPs for apps will prob not work. A proxy makes a lot of sense, my mind was just very focused on VPNs because on AWS we use a NAT gateway to achieve this. Tailscale would definitely work as well since we are already using them. But I was a little bit concerned how to make it fault tolerant because you can only specify one exit node. So I would have to make sure that the failover droplet uses the same Tailscale config file as the normal node.
Thank you very much for your suggestions!