Unable to connect to wireguard tunnel

Hello folks,
I’m new to fly.io and I just set up a database. I tried to connect to it using the internal connection string with wireguard activated, but I got this response.

psql: error: could not translate host name “tododemo.internal” to address: Nom ou service inconnu

But it seems like the wireguard connection is established from what I got on my terminal (before attempting to connect to the database).

wg-quick up kevin-wireguard
[#] ip link add kevin-wireguard type wireguard
[#] wg setconf kevin-wireguard /dev/fd/63
[#] ip -6 address add fdaa:0:b152:a7b:1596:0:a:2/120 dev kevin-wireguard
[#] ip link set mtu 1420 up dev kevin-wireguard
[#] resolvconf -a kevin-wireguard -m 0 -x
[#] ip -6 route add fdaa:0:b152::/48 dev kevin-wireguard

Also the dig example from the docs is not working for me

dig +short txt _peer.internal @fdaa:0:18::3

I guess it is a bad sign. :confused:

Any help will be welcome

Hello @lewoudar! Until the more experienced folks chime in, can you do a sanity check on the connection with fly wireguard status personal kevin-wireguard? Or just fly wireguard status and select it. Just want to make sure it’s up and running.

After running wg-quick up kevin-wireguard, check the status of the service.

On Ubuntu 18 and later: sudo systemctl status wg-quick@kevin-wireguard. If the service is not active, try restarting it with sudo systemctl restart wg-quick@kevin-wireguard.

When using dig, make sure to set the resolver to the DNS value set in your wireguard config file. It looks like you might be using the DNS server (fdaa:0:18::3) from the Fly documentation, which is probably not (but could be!) the DNS server set in your wireguard configuration.

A couple of commands to print the DNS server and run the dig command:

grep DNS kevin-wireguard.conf
dig +short txt _peer.internal @$(grep DNS kevin-wireguard.conf | cut -d' ' -f3)

Once you have that working, ensure that the routing is set up correctly:

ip -6 route list | grep kevin-wireguard

And make sure resolvconf was correctly set up (it should show NAMESERVERS set to an fdaa… address matching the DNS server in the wireguard config):

resolvconf -v

If things still aren’t working after all that, let us know more about the platform, operating system (including version) you are using. You might have found a bug!

Oh, and one more thing: if you have tailscale or another vpn solution on your system, that likely cannot be running simultaneously with the Fly wireguard tunnel. Try turning off tailscale/other vpns and then stop and restart the Fly wireguard tunnel, and see if you’re able to access your database.

If tailscale/another vpn supports split tunnels, you may be able to run those simultaneously with the Fly wireguard tunnel. That’s a more advanced setup.
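The checks above (DNS server taken from the config rather than the docs, the /48 route on the tunnel interface, and resolvconf’s NAMESERVERS agreeing with the config) can be run as one consistency script. The following is an added example, not code from the thread or from fly.io; it works offline on constructed copies of the config, `ip -6 route` output and `resolvconf -v` output, using the addresses seen in this thread, and assumes the prefix membership test only needs a textual comparison of the first three hextets (so it does not handle zero-compressed or differently padded hextets).

```sh
#!/bin/sh
# Added example: offline sanity check of a wg-quick config against the routes and
# resolver state it should have produced. The three inputs are constructed samples
# modelled on this thread; in real use feed in the live command output instead.

# Constructed: the relevant lines of kevin-wireguard.conf (keys redacted placeholders).
WG_CONF='[Interface]
PrivateKey = <redacted>
Address = fdaa:0:b152:a7b:1596:0:a:2/120
DNS = fdaa:0:b152::3

[Peer]
PublicKey = <redacted>
AllowedIPs = fdaa:0:b152::/48
Endpoint = example.invalid:51820
PersistentKeepalive = 15'

# Constructed: output of `ip -6 route list | grep kevin-wireguard`.
ROUTES='fdaa:0:b152:a7b:1596:0:a:0/120 dev kevin-wireguard proto kernel metric 256 pref medium
fdaa:0:b152::/48 dev kevin-wireguard metric 1024 pref medium'

# Constructed: output of `resolvconf -v`.
RESOLV="DOMAIN=''
SEARCH=''
NAMESERVERS='fdaa:0:b152::3'
LOCALNAMESERVERS=''
DOMAINS=''"

# DNS server named in a wg-quick config (like the grep/cut in the thread, but
# also accepts "DNS=addr" without surrounding spaces).
wg_dns() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Prefix the config routes over the tunnel (first AllowedIPs entry).
wg_allowed() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# NAMESERVERS value reported by resolvconf -v.
resolv_ns() {
  printf '%s\n' "$1" | sed -n "s/^NAMESERVERS='\(.*\)'$/\1/p"
}

# Prints 1 if a route for prefix $1 exists on interface $2 in route list $3, else 0.
route_present() {
  printf '%s\n' "$3" | grep -q "^$1 dev $2 " && echo 1 || echo 0
}

# Prints 1 if DNS address $1 lies inside /48 prefix $2 (textual hextet compare), else 0.
dns_in_prefix() {
  pfx=$(printf '%s' "$2" | sed 's#::/48$##')
  case "$1" in "$pfx":*) echo 1 ;; *) echo 0 ;; esac
}

# Runs all checks for interface $1 with config $2, routes $3 and resolvconf output $4.
# Prints one line per check and returns 0 only when every check passes.
check_tunnel() {
  dns=$(wg_dns "$2"); pfx=$(wg_allowed "$2"); ns=$(resolv_ns "$4"); ok=0
  if [ "$(route_present "$pfx" "$1" "$3")" = 1 ]; then
    echo "ok: route $pfx via $1"
  else
    echo "FAIL: no route $pfx via $1 (wg-quick did not add it, or the tunnel is down)"; ok=1
  fi
  if [ "$ns" = "$dns" ]; then
    echo "ok: resolvconf nameserver $ns matches DNS in config"
  else
    echo "FAIL: resolvconf has '$ns' but the config says '$dns' (another VPN may have overridden it)"; ok=1
  fi
  if [ "$(dns_in_prefix "$dns" "$pfx")" = 1 ]; then
    echo "ok: $dns is inside $pfx, so DNS queries go through the tunnel"
  else
    echo "FAIL: $dns is not inside $pfx, so DNS queries will not reach the tunnel"; ok=1
  fi
  echo "next: dig +short txt _peer.internal @$dns"
  return $ok
}

check_tunnel kevin-wireguard "$WG_CONF" "$ROUTES" "$RESOLV"
```

With the sample inputs every check passes and the script prints the dig command to run against the resolver from the config rather than the one in the docs; a resolver that belongs to a different VPN shows up as the second check failing.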

Hi @mwills, this is what I got for the first command, so I guess the connection is alive.

> fly wireguard status personal kevin-wireguard
Alive: true
Last Source Address: 90.91.255.60:44188
Installed On Gateway At: 2022-10-04T16:41:11Z
Traffic: rx:4348 tx:1012

Hi @tvdfly, it seems like you hit the point. When I check the status, this is what I get:

> sudo systemctl status wg-quick@kevin-wireguard
● wg-quick@kevin-wireguard.service - WireGuard via wg-quick(8) for kevin/wireguard
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

And when I try to restart, I get this:

> sudo systemctl restart wg-quick@kevin-wireguard
Job for wg-quick@kevin-wireguard.service failed because the control process exited with error code.
See "systemctl status wg-quick@kevin-wireguard.service" and "journalctl -xe" for details

I don’t know what to do at this step :frowning:

You are right, the DNS server configured from my connection is not the same as in the doc :upside_down_face:

For the last two commands, I guess I have the correct configuration.

> ip -6 route list | grep kevin-wireguard

fdaa:0:b152:a7b:1596:0:a:0/120 dev kevin-wireguard proto kernel metric 256 pref medium
fdaa:0:b152::/48 dev kevin-wireguard metric 1024 pref medium

> resolvconf -v
DOMAIN=''
SEARCH=''
NAMESERVERS='fdaa:0:b152::3'
LOCALNAMESERVERS=''
DOMAINS=''

For your information, I have three VPNs configured on my machine, one for work and two for my personal usage. I tried to deactivate all of them before running wireguard, but I’m not sure that there is no conflicting configuration.

By the way, is there a way to add a public IP address to my db (without paying) so I can run my python script to initialize the latter? This is my only use case for the wireguard connection.

Platform information:

> lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.5 LTS
Release:	20.04
Codename:	focal

Thanks in advance for the replies.

You’ll need to check the logs to see what’s going on there. You might be missing the wireguard kernel module or something like that.

fly ssh console will use usermode wireguard to ssh into a running VM, and that is more likely to work even if the system wireguard isn’t. You could try that to ssh into your db VM, or another app in the same org as your db, and then run your python script from there.

Yeah, I probably missed something in my installation but it is difficult to know what is wrong.

Yeah this is hardcore, but it is a solution :sweat_smile:
Thanks

If the only reason you’re using WireGuard is to get a shell on your VM, don’t use native WireGuard; let flyctl do that work for you. Just flyctl ssh console.


Hi @thomas, my concern is not to get a shell but to have an automatic way to run migration files (SQL in most cases) on the database, for example using my CI system.
This is a common requirement in python (at least) backend apps. So I guess there must be a solution; I can’t be the only one with this issue.

This is why I asked earlier if it is possible to assign a public IP address to a postgres app.

db migrations are typically handled with a release_command configured in fly.toml.


Thanks @tvdfly !
This is exactly what I was looking for. Now my first app is deployed, hooray!

I think I will just close this case, because I don’t want to bother with wireguard now.

Thanks everyone.


db migrations are typically handled with a release_command configured in fly.toml.

I’ve found this approach to be very unreliable when using Rails. 1 out of 3 times the deployment just hangs or fails.