WireGuard configuration

I'm trying to set up a WireGuard "connection/configuration" on some of my VMs so that I can only connect to staging environments using VPN/WireGuard.

After reading some blog posts and other posts here… I'm completely in the dark.

I've mainly followed this blog post: Private Networking · Fly Docs

Everything is fine until the part where it explains that you run the wireguard create command and you're supposed to save the config to a .conf; all fine. Then it explains that you need to open your WireGuard app and choose Import tunnel from file....

This is the part that I don't understand.

First, the .conf file generated is not a valid WireGuard config; the only thing it contains is a FLY_WIREGUARD_TOKEN env variable. On the same subject, all WireGuard configs require an interface, something like:

```ini
[Interface]
PrivateKey = <omitted>
```

which is not present in this .conf. Of course I can still create an empty tunnel so that I have an [Interface] block, but that does not help with the FLY_WIREGUARD_TOKEN, which is not valid in this config.

So where is the proper WireGuard config generated, and how can I use it to only access specific private apps?

Please let me know what I'm doing wrong and/or if there is any more information needed.



Something is going wrong when saving the WireGuard config file. When you get the prompt, enter a local filename for the CLI to save it to.

If you're on a Mac, the Mac WireGuard client will import this file like this:
[screenshot of the import dialog omitted]

You can check whether you're connected to WireGuard by doing a DNS query to get all the apps in your account:

```sh
dig TXT _apps.internal +short
```

If you're connected, you'll see a big string with all the apps you have in your account. You can access the service on the internal DNS name, <YOUR_APP>.internal:<PORT>, from a browser, but only when connected to WireGuard.

To only expose apps to internal WireGuard clients, make sure you remove the [[services]] section in your fly.toml to disable public port forwarding/routing to your app.

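Two offline checks that follow from the thread so far (the first post's "the saved .conf only contains FLY_WIREGUARD_TOKEN" problem, and the advice above to drop [[services]] from fly.toml), written here as an added example rather than code from the original thread or from Fly's own tooling. `wg_conf_check` refuses a file that lacks the [Interface]/[Peer] keys a WireGuard client needs or that carries a FLY_WIREGUARD_TOKEN line, and `fly_private_check` flags a fly.toml that still routes public traffic. The sample files are constructed inline; every key, address and app name in them is a placeholder, and the shape of the token file is assumed from the poster's description, not copied from flyctl output.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Fly's documentation.
#   wg_conf_check FILE      -> 0 if FILE looks like a WireGuard tunnel config
#   fly_private_check TOML  -> 0 if TOML has no [[services]] section
#   fly_apps_over_wireguard -> the dig check from the thread (needs a live tunnel)
# Sample inputs below are constructed for illustration; key material, the
# interface address and the app name are placeholders, not real values.

# A WireGuard client needs an [Interface] with PrivateKey and Address and a
# [Peer] with PublicKey, AllowedIPs and Endpoint. A file that carries a
# FLY_WIREGUARD_TOKEN line is 'fly wireguard token create' output instead.
wg_conf_check() {
    file="$1"
    rc=0
    for key in PrivateKey Address PublicKey AllowedIPs Endpoint; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
            echo "$file: missing $key" >&2
            rc=1
        fi
    done
    if grep -q 'FLY_WIREGUARD_TOKEN' "$file"; then
        echo "$file: contains FLY_WIREGUARD_TOKEN; this is a token, not a tunnel config" >&2
        rc=1
    fi
    return "$rc"
}

# Without a [[services]] section Fly does not forward public ports to the app,
# so it is reachable only over the private network (i.e. through WireGuard).
fly_private_check() {
    if grep -q '^[[:space:]]*\[\[services]]' "$1"; then
        echo "$1: [[services]] present, app is still publicly routed" >&2
        return 1
    fi
    return 0
}

# Connectivity check from the thread: only answers when the tunnel is up.
fly_apps_over_wireguard() {
    dig TXT _apps.internal +short
}

SAMPLES=$(mktemp -d)

# Constructed: the shape of what 'fly wireguard create' writes (values redacted).
cat > "$SAMPLES/good.conf" <<'EOF'
[Interface]
PrivateKey = <redacted>
Address = <redacted>
DNS = fdaa:0:dade::3

[Peer]
PublicKey = <redacted>
AllowedIPs = fdaa:0:dade::/48
Endpoint = iad2.gateway.6pn.dev:51820
PersistentKeepalive = 15
EOF

# Constructed: the kind of file saved by mistake from 'fly wireguard token create'
# (assumed shape: just the token, no tunnel parameters).
cat > "$SAMPLES/token.conf" <<'EOF'
FLY_WIREGUARD_TOKEN=<redacted>
EOF

# Constructed fly.toml fragments: one still public, one private only.
cat > "$SAMPLES/public.toml" <<'EOF'
app = "example-staging"

[[services]]
  internal_port = 8080
  protocol = "tcp"
EOF

cat > "$SAMPLES/private.toml" <<'EOF'
app = "example-staging"
EOF

for f in good.conf token.conf; do
    if wg_conf_check "$SAMPLES/$f"; then echo "$f: OK to import"; fi
done
for f in public.toml private.toml; do
    if fly_private_check "$SAMPLES/$f"; then echo "$f: private only"; fi
done
```

Run it as a script and it reports `good.conf: OK to import` and `private.toml: private only`, with the complaints about the other two files on stderr; point `wg_conf_check` at the file you actually saved from `fly wireguard create` before importing it.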

I did exactly that… and what I got from generating the file, which I named foo.conf, was the following content:


Nothing more, nothing else. That is not a valid WireGuard config.
I might be doing something wrong… which I cannot see.
I will try again.

Same thing… nothing changed… I just get that token and a curl command…

If I do stdout… I get the FLY_WIREGUARD_TOKEN in the terminal.

Hmm, so you don't get something that looks like this when running fly wireguard create, then typing 'stdout' and hitting enter?

Filename to store WireGuard configuration in, or 'stdout':  stdout

```ini
[Interface]
PrivateKey = [...]
Address = [...]
DNS = fdaa:0:dade::3

[Peer]
PublicKey = [...]
AllowedIPs = fdaa:0:dade::/48
Endpoint = iad2.gateway.6pn.dev:51820
PersistentKeepalive = 15
```

Would you mind sharing which flyctl version and OS you're using when you get those results? I've never seen that before on either Mac or Linux :sweat_smile:

I think you ran fly wireguard token create, not fly wireguard create. Those tokens are a different thing. Run fly wireguard create and you'll get a valid .conf file.


Yes, that is correct. For some stupid reason… I used the command to create the token. I noticed this after @eli mentioned the command.

Sorry about that.