After deploy, I can log in to the web UI and create configs for clients, but after connecting via the WireGuard iOS app with a newly created config I can't access the internet (no connection).
Can you please help me; maybe I made a mistake in fly.toml or somewhere else.
My Dockerfile:
# There's an issue with node:20-alpine.
# Docker deployment is canceled after 25< minutes.
FROM docker.io/library/node:18-alpine AS build_node_modules
# Copy Web UI
COPY src/ /app/
WORKDIR /app
RUN npm ci --omit=dev
# Copy build result to a new image.
# This saves a lot of disk space.
FROM docker.io/library/node:18-alpine
COPY --from=build_node_modules /app /app
# Move node_modules one directory up, so during development
# we don't have to mount it in a volume.
# This results in much faster reloading!
#
# Also, some node_modules might be native, and
# the architecture & OS of your development machine might differ
# than what runs inside of docker.
RUN mv /app/node_modules /node_modules
# Enable this to run `npm run serve`
RUN npm i -g nodemon
# Install Linux packages
RUN apk add --no-cache \
    dpkg \
    dumb-init \
    iptables \
    iptables-legacy \
    wireguard-tools
# Use iptables-legacy
RUN update-alternatives --install /sbin/iptables iptables /sbin/iptables-legacy 10 --slave /sbin/iptables-restore iptables-restore /sbin/iptables-legacy-restore --slave /sbin/iptables-save iptables-save /sbin/iptables-legacy-save
# Expose Ports
EXPOSE 51820/udp
EXPOSE 51821/tcp
# Set Environment
ENV DEBUG=Server,WireGuard
# Run Web UI
WORKDIR /app
CMD ["/usr/bin/dumb-init", "node", "server.js"]
Do I understand correctly that my fly.toml should look like this? Do I have to attach a dedicated IPv4 instead of a shared IPv4? Should WG_HOST be exactly the same as what I wrote in the new fly.toml?
That does look pretty good… Typically the secrets vault would instead be the place entrusted with the PASSWORD, to prevent leaks. (This is sort of like a huge, super-convenient password manager that Fly maintains for you[r Machines].)
Right. Dedicated IPv4 is needed for UDP (on Fly).
IPv6 is unfortunately not supported, and with shared IPv4 they wouldn’t have any idea who incoming packets were intended for.
That looks consistent with the examples in the wg-easy project’s README. With your new settings, port 51820 will be passed along when the general public transmits to app-name.fly.dev.
I don’t see an environment variable that will get UDP bound to fly-global-services inside your Machine, though. If you’re still having trouble connecting, that might be it…
I don’t use this style of WG myself, so I can’t offer anything that I know will definitely succeed. However, I suspect that some combination of the following could eventually be made to work:
A userland repeater that binds to fly-global-services in the normal way and then just forwards packets.
A network namespace that contains a veth carrying only the intended address.
Static network address translation.
None of these particularly comport with the “easy” in wg-easy; maybe one of the WireGuard experts here knows better…
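The "userland repeater" idea from the reply above, written out as an added example (this is not code from the thread, from wg-easy, or from Fly): a small UDP relay that binds the Fly-reachable address and hands datagrams to the WireGuard socket on localhost, keeping one upstream socket per client so WireGuard still sees a distinct source port per peer and its replies can be routed back. The `fly-global-services` hostname comes from the reply; the upstream port 51822 is an assumption (WireGuard would have to move off 51820 if the relay holds that port), and the `loopback_roundtrip` helper plus its echo server exist only so the relay can be exercised offline.

```python
"""Userland UDP repeater: bind the Fly-reachable address, forward datagrams to
WireGuard on localhost, and route the replies back to the originating client."""
import selectors
import socket
import threading

# Assumptions for illustration: the hostname the reply says Fly expects UDP
# services to bind, and a local port the wg interface has been moved to.
FLY_LISTEN = ("fly-global-services", 51820)
WG_UPSTREAM = ("127.0.0.1", 51822)


class UdpRelay:
    def __init__(self, listen_addr, upstream_addr):
        self.upstream_addr = upstream_addr
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listener.bind(listen_addr)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ, data=None)
        self.clients = {}  # (client ip, port) -> socket facing upstream
        self.stats = {"to_upstream": 0, "to_client": 0, "dropped": 0}
        self._stop = threading.Event()

    @property
    def listen_addr(self):
        return self.listener.getsockname()

    def _socket_for(self, client):
        # One connected upstream socket per client: WireGuard tells peer
        # endpoints apart by source address/port, so they must not be merged.
        sock = self.clients.get(client)
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.setblocking(False)
            sock.connect(self.upstream_addr)
            self.sel.register(sock, selectors.EVENT_READ, data=client)
            self.clients[client] = sock
        return sock

    def serve(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                try:
                    if key.fileobj is self.listener:
                        data, client = self.listener.recvfrom(65535)
                        self._socket_for(client).send(data)
                        self.stats["to_upstream"] += 1
                    else:  # reply from upstream; key.data is the client address
                        data = key.fileobj.recv(65535)
                        self.listener.sendto(data, key.data)
                        self.stats["to_client"] += 1
                except OSError:  # e.g. ICMP unreachable surfaced on a connected UDP socket
                    self.stats["dropped"] += 1

    def stop(self):
        self._stop.set()

    def close(self):
        self.sel.close()
        self.listener.close()
        for sock in self.clients.values():
            sock.close()


def _echo_upstream(sock, stop):
    """Constructed stand-in for the WireGuard socket: echoes each datagram."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            continue
        sock.sendto(data, peer)


def loopback_roundtrip(payloads):
    """Run relay and echo upstream on loopback; each payload is sent from a fresh
    client socket. Returns (replies, number of client mappings, relay stats)."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.bind(("127.0.0.1", 0))
    echo_stop = threading.Event()
    echo = threading.Thread(target=_echo_upstream, args=(upstream, echo_stop), daemon=True)
    echo.start()

    relay = UdpRelay(("127.0.0.1", 0), upstream.getsockname())
    worker = threading.Thread(target=relay.serve, daemon=True)
    worker.start()

    replies = []
    for payload in payloads:
        client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        client.settimeout(2)
        client.sendto(payload, relay.listen_addr)
        replies.append(client.recvfrom(65535)[0])
        client.close()

    relay.stop()
    worker.join()
    echo_stop.set()
    echo.join()
    result = (replies, len(relay.clients), dict(relay.stats))
    relay.close()
    upstream.close()
    return result


if __name__ == "__main__":
    print(loopback_roundtrip([b"ping"]))
    # On a Fly Machine the real call would be: UdpRelay(FLY_LISTEN, WG_UPSTREAM).serve()
```

Two things to keep in mind with this approach: WireGuard will log every peer's endpoint as 127.0.0.1 plus a relay-chosen port, so the real client addresses only exist in the relay's mapping, and that mapping grows by one socket per client address until the process restarts (a production version would expire idle entries).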