I’m trying to set up a wireguard “connection/configuration” on some of my VMs so that I can only connect to Staging environments using vpn/wireguard.
After reading some blog posts and other posts here… I’m completely in the dark.
I’ve followed mainly this blog post: Private Networking · Fly Docs
Everything is fine until the part where it explains that you run the wireguard create and you’re supposed to save the config to a .conf, all fine. And then it explains that you need to open your wireguard app and choose Import tunnel from file....
This is the part that I don’t understand.
The .conf file generated is not a valid wireguard config, the only thing it contains is a FLY_WIREGUARD_TOKEN env variable, one same subject… all wireguard configs require an interface, something like:
PrivateKey = <ommited>
which is not present in this .conf. Of course I can still create an empty tunnel, so that I have an [Interface] block, but that does not help with the FLY_WIREGUARD_TOKEN, which is not valid to be in this config.
So where is the proper wireguard config generated, and how can I use it to only access specific private apps?
Please let me know what I’m doing wrong and/or if there is any more information needed.
Something is going wrong when saving the wireguard config file. When you get the prompt, enter a local filename for the CLI to save it to.
If you’re on a mac, the mac wireguard client will import this file like this:
You can check if you’re connected to wireguard by doing a dns query to get all the apps in your account:
dig TXT _apps.internal +short
If you’re connected, you’ll see a big string with all the apps you have in your account. You can access the service on the internal dns name – <YOUR_APP>.internal:<PORT> from a browser, but only when connected to wireguard.
To only expose apps to internal wireguard clients, make sure you remove the [[services]] section in your fly.toml to disable public port forwarding/routing to your app.
I did that exactly… and what I got from generating the file, which I named foo.conf, was the content of:
Nothing more, nothing else. That is not a valid wireguard config.
I might be doing something wrong… which I cannot see what.
I will try again.
same thing… nothing changed… just get that token and a curl command…
If I do stdout… I get the FLY_WIREGUARD_TOKEN in the terminal.
hmm-- so you don’t get something that looks like this when running fly wireguard create, then typing ‘stdout’ and hitting enter?:
Filename to store WireGuard configuration in, or 'stdout': stdout
PrivateKey = [...]
Address = [...]
DNS = fdaa:0:dade::3
PublicKey = [...]
AllowedIPs = fdaa:0:dade::/48
Endpoint = iad2.gateway.6pn.dev:51820
PersistentKeepalive = 15
Would you mind sharing what flyctl version and OS you’re using when you get those results? I’ve never seen that before on either Mac or Linux.
I think you did fly wireguard token create, not the fly wireguard create. Those tokens are a different thing. Do the fly wireguard create and you’ll get a valid
Yes, that is correct. For some stupid reason… I used the command to create the token. I’ve noticed this after @eli mentioned the command.
Sorry about that.
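
An added example, not part of the thread or of Fly's tooling: a shell check that tells a WireGuard tunnel config apart from a file that only holds FLY_WIREGUARD_TOKEN, the mix-up diagnosed above, before the file is imported into a client. The helper name classify_wg_file and the sample keys, token and Address are constructed; requiring Endpoint assumes a client tunnel like the one shown in the thread.

```shell
#!/bin/sh
# Added example. classify_wg_file is a hypothetical helper, not a flyctl command.
# Prints one of: wireguard-config | token-file | invalid
classify_wg_file() {
    awk '
        {   # drop CR, trailing comments and surrounding whitespace
            sub(/\r$/, ""); sub(/[ \t]*#.*$/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
        }
        $0 == "" { next }
        /^\[[A-Za-z]+\]$/ { section = tolower($0); next }
        /^(export[ \t]+)?FLY_WIREGUARD_TOKEN[ \t]*=/ { token = 1; next }
        (eq = index($0, "=")) > 1 {
            # split on the FIRST "=" only: base64 keys end in "="
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+$/, "", key)
            val = substr($0, eq + 1);             gsub(/^[ \t]+/, "", val)
            if (val != "") have[section "." key] = 1
        }
        END {
            if (have["[interface].privatekey"] && have["[peer].publickey"] &&
                have["[peer].endpoint"])
                print "wireguard-config"
            else if (token) print "token-file"
            else print "invalid"
        }
    ' "$1"
}

# Constructed samples: keys, token and Address are placeholders, not real secrets.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'FLY_WIREGUARD_TOKEN=constructed-placeholder' > "$dir/foo.conf"
    printf '%s\n' '[Interface]' 'PrivateKey = CONSTRUCTEDPRIVATEKEY=' \
        'Address = fdaa:0:dade::10/120' 'DNS = fdaa:0:dade::3' \
        '[Peer]' 'PublicKey = CONSTRUCTEDPUBLICKEY=' \
        'AllowedIPs = fdaa:0:dade::/48' \
        'Endpoint = iad2.gateway.6pn.dev:51820' \
        'PersistentKeepalive = 15' > "$dir/basic.conf"
    for f in "$dir/foo.conf" "$dir/basic.conf"; do
        printf '%s: %s\n' "${f##*/}" "$(classify_wg_file "$f")"
    done
    rm -rf "$dir"
}
demo
```

A file reported as token-file holds a credential rather than a tunnel definition, so treat it as a secret instead of importing it.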