Route all traffic through a remote VPN

Hi,

Is it possible to route all outgoing traffic through an external server? I can set up a WireGuard or OpenVPN server at home if needed.


Due to the pandemic I’m working remotely, and our company decided to make office work voluntary.

After Covid, I want to move around a bit and travel light. I only need decent wifi/4G to do my (webdev) job so why not right?

Anyway, JetBrains recently announced Projector, allowing me to host my IDE on a server and use a thin client. They provide a Docker image to run it.

I’ve been meaning to use Fly for a while now. And seeing how Projector is nothing but a Docker image, I immediately thought, “Ooh, this sounds Fly”.

And sure enough! It took almost no work to get started with Projector. Added a Volume to it and I’m ready to travel!

Our git instance and development servers are only accessible from home (IP is whitelisted).
Some of our clients are in broadcasting (TV) and most content is geo-blocked; that’s another reason I want to make it look like my connections are coming from home. I already have an OpenVPN server running at home, so I was hoping I could tunnel all my outgoing traffic through my home network.


However I’m a complete noob when it comes to Docker networking. Is what I want to do possible?

This is theoretically doable but is gonna take some work! I probably would not try OpenVPN, though, since it will be extra tricky to get going.

The simplest option might be to create a WireGuard peer for the service you need to connect to. When you set those up, each one will get a private IPv6 address that’s accessible from your app. You can run these on the same host you’re using for OpenVPN.

The trick is getting those IPs to forward to the right place. It doesn’t look like Projector supports a SOCKS proxy yet, which would be simplest, so you’ll need to run something on your server to proxy connections to the right place. I think this is doable with HAProxy, but you might need different ports per development service.

Assuming you get that going, you should be able to connect to <peer-private-ip> from Projector in your app.

Another option is to do your own WireGuard. You can create a WireGuard config on your server and then configure your Fly VMs to connect to it and forward all traffic. This is easier than an OpenVPN client because the kernels we use have WireGuard support baked in, but it also requires more Docker shenanigans to get connected.


Wow, didn’t expect such a detailed answer so fast!

Thanks for pointing me in a direction.

Guess I have something new to try next weekend!


For anyone else working through something like this, some hopefully helpful tips to test that your connection is working right:

  • when setting up your WireGuard peer via fly, you probably want to give it a nice name, let’s say test-host for now
  • ensure your remote host permits traffic through the relevant port; with AWS, e.g., you’ll do something like add an inbound rule for your security group permitting IPv6 UDP in on whatever port is specified in your WireGuard config
  • once you have started up WireGuard on your remote host, you can do nc -6 -l 12345 to tell netcat to listen with IPv6 on whatever random port you want (NOT the same as your WireGuard port). You’ll need to ensure your version of netcat supports IPv6
  • on one of your fly hosts (e.g. just fly ssh console to an existing app) you can then run nc -6 test-host._peer.internal 12345
  • you should then have a little echo server set up; if you type and hit enter on your fly host, you should see the output echoed on the other host

Then you just have to ensure your services can speak IPv6 to each other :sweat_smile: - if I’m wrong about this, would love to be corrected.

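
The connectivity check from the tips above, written as an added example that is not part of the original posts, for hosts whose netcat lacks IPv6 support: an IPv6-only echo listener for the remote host and a nonce-based probe for the Fly side. The function names are illustrative, and the check that the peer address is unique-local (fc00::/7) is an assumption about what "private IPv6 address" means here.

```python
import ipaddress
import os
import socket
import threading

# Assumption: the "private IPv6 address" of a peer is unique-local (fc00::/7).
ULA = ipaddress.ip_network("fc00::/7")

def resolve_v6(host, port):
    """IPv6 socket addresses for host; an empty list means no AAAA answer."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4] for info in infos]

def echo_once(bind_addr, port=0):
    """IPv6-only listener that echoes one connection; returns (port, thread)."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    srv.bind((bind_addr, port))  # bind the tunnel address, not "::"
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(conn.recv(64))

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return bound_port, thread

def probe(host, port, timeout=5.0):
    """Send a random nonce over IPv6 and report whether it was echoed back."""
    for sockaddr in resolve_v6(host, port):
        nonce = os.urandom(16)
        try:
            with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(nonce)
                echoed = s.recv(64) == nonce
        except OSError:
            continue
        ip = ipaddress.ip_address(sockaddr[0].split("%")[0])
        return {"addr": str(ip), "echoed": echoed, "private": ip in ULA}
    return None
```

On the remote host, call echo_once with the WireGuard interface address and port 12345 and join the returned thread; on a Fly host, call probe("test-host._peer.internal", 12345). Binding the listener to the tunnel address rather than :: keeps the test port off the public interface, and a result of None means no IPv6 address answered.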