Jack into your private network with WireGuard

I’m working on a series of Fly.io video tutorials so you can learn how to use all of the secret or indirect features on the platform. Today’s video is about accessing your org’s private network with WireGuard:

Jack into your private network with WireGuard

What do you think? Do you have any features you’d like to see covered? I’d love to hear your feedback so that you can learn all of the fun things that Fly.io has to offer.

For those of you that learn better from reading, I’ve copied my script here with some tweaks to make it flow better in written form.

Jack into your private network with WireGuard

Every Fly.io organization comes with a private network that lets all your apps connect to each other. This is super convenient when you need to have microservices call each other’s endpoints or use Flycast to let your private apps turn off when you’re not using them. However, this isn’t just limited to your apps. You can jack into this network with WireGuard.

Today I’ll show you how to create a WireGuard peer to your private network and connect to it so that you can access it from anywhere.


In order to get started, you need to have the following:


When you create a WireGuard peer, you need the following information:

  • The organization you want to create the peer in, such as your personal organization.
  • The Fly.io region that’s closest to you.
  • The name of the peer, such as your computer’s hostname.
  • A filename to save the configuration to.

You can figure out your list of organizations with fly orgs list:

$ fly orgs list

You can figure out which region is nearest you with fly platform regions:

$ fly platform regions

With all this in mind, let’s assemble the command. Start with:

$ fly wireguard create

I want to create this in my personal organization, so I’ll enter in personal for the organization name.

$ fly wireguard create personal

I’m in Ottawa, so I’m using the Montreal region.

$ fly wireguard create personal yul

My computer’s hostname is Camellia, so I’ll use that as the peer name.

$ fly wireguard create personal yul camellia

Finally I want to save this as camellia.conf so that WireGuard can load it.

$ fly wireguard create personal yul camellia camellia.conf

Then I run the command and once it’s done I open up the WireGuard app.

Import the tunnel from the configuration file and then turn it on. macOS may prompt if you want the WireGuard app to manage VPN connections. If it does, hit accept, otherwise you won’t be able to get into your network.

To test it, ping _api.internal (NOTE: on macOS you need to run ping6 _api.internal because it’s an IPv6 address):

$ ping6 _api.internal -c4
PING6(56=40+8+8 bytes) fdaa:3:9018:a7b:9285:0:a:602 --> fdaa:3:9018::3
16 bytes from fdaa:3:9018::3, icmp_seq=0 hlim=64 time=9.741 ms
16 bytes from fdaa:3:9018::3, icmp_seq=1 hlim=64 time=49.103 ms
16 bytes from fdaa:3:9018::3, icmp_seq=2 hlim=64 time=97.667 ms
16 bytes from fdaa:3:9018::3, icmp_seq=3 hlim=64 time=14.726 ms

--- _api.internal ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.741/42.809/97.667/35.111 ms

To test this, I’ll fire up an instance of Ollama that I have on my private network.

# OLLAMA_HOST is the variable the ollama client reads for the server address
export OLLAMA_HOST=http://xe-ollama.flycast
ollama run llama3 "Why is the sky blue? Explain in a single sentence."

And then the model will reply with something like this:

The sky appears blue because of a phenomenon called Rayleigh scattering, where shorter wavelengths of light (like blue and violet) are scattered more than longer wavelengths (like red and orange) by tiny molecules of gases like nitrogen and oxygen in the Earth’s atmosphere.

And there you go! Hope this helps give you ideas on how you can bend your network to your will. Have a good day all.
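
A pre-import check for a generated file such as camellia.conf, as an added example that is not part of the original post or Fly.io's tooling. WireGuard config files carry the interface's private key, so it flags group/other permissions, default routes in AllowedIPs, and a missing DNS line. The function names are hypothetical, the sample config (placeholder keys, fd00: addresses) is constructed, and the idea that private hostnames depend on the DNS entry is an assumption.

```shell
#!/bin/sh
# Print every value of KEY in FILE, one per line (comma lists are split).
wg_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tr ',' '\n' | tr -d ' \t\r'
}

# Print one line per finding; the exit status is the number of findings.
audit_wg_conf() {
    conf=$1
    findings=0
    # The file contains a PrivateKey, so only its owner should have access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARN: group/other permissions '$perms' on a file holding a private key"
        findings=$((findings + 1))
    fi
    # A default route in AllowedIPs sends all traffic through the tunnel,
    # not only the traffic meant for the private network.
    for net in $(wg_values AllowedIPs "$conf"); do
        case $net in
            0.0.0.0/0 | ::/0)
                echo "WARN: AllowedIPs contains default route $net"
                findings=$((findings + 1)) ;;
        esac
    done
    # Assumption: private names are answered by the resolver named in DNS.
    if [ -z "$(wg_values DNS "$conf")" ]; then
        echo "WARN: no DNS entry; private hostnames may not resolve"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config: placeholder keys, made-up fd00: addresses.
write_sample_conf() {  # usage: write_sample_conf FILE ALLOWED_IPS
    cat > "$1" <<EOF
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY
Address = fd00:aaaa:bbbb::2/120
DNS = fd00:aaaa:bbbb::3
[Peer]
PublicKey = CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY
AllowedIPs = $2
EOF
}

demo=$(mktemp) && write_sample_conf "$demo" "fd00:aaaa:bbbb::/48" && chmod 600 "$demo"
audit_wg_conf "$demo" && echo "OK: no findings"
rm -f "$demo"
```

To check a real file, call audit_wg_conf with its path, for example audit_wg_conf camellia.conf.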


Is this appropriate for accessing a web server running internally (but not exposed to the internet) in my application?
I have followed these instructions but was unable to access anything at http://my-app.flycast:9000
my-app.flycast does not resolve on my machine after running the above commands. Wire is set up and ping6 _api.internal -c4 works.
I can also ssh to the machine and check for port 9000 listening from a shell.