WireGuard peering without proxy

I’ve been following the below example for setting up a WireGuard peer to expose services behind another cloud VPC. Thanks for this. This was really easy to start off with.

The below is roughly the WireGuard client configuration that was generated by flyctl.

[Interface]
PrivateKey = ...
Address = ...
DNS = <ipv6>::3

[Peer]
PublicKey = ...
AllowedIPs = <ipv6>::/48
Endpoint = ...
PersistentKeepalive = 15

The typical pattern I see people employ is hosting a proxy like nginx or pgbouncer on the WireGuard client in order to reach hosts in the VPC.

Is there anyway we can add a route so that fly.io apps can connect to all hosts in the VPC?

FlyApp_A = <ipv6_A>
VPC_Server_A (WG Peer) = 10.0.2.1, <ipv6_B>
VPC_Server_B = 10.0.2.2
VPC_Server_C = 10.0.2.3

I want FlyApp_A to reach any of the VPC_Servers without needing a proxy.

I’ve tried to update the client configuration like the following.

AllowedIPs = <ipv6>::/48, 10.0.2.1/24

But I think the WireGuard server on fly.io’s side would also need to know that that route exists right? Is this currently doable?

1 Like

We don’t have the right bits to route traffic to IP blocks through a wireguard peer.

The best way to do this is to run something like Tailscale in all your Fly VMs. Tailscale does all the routing you’d need to make it work.

If you’re feeling bold, you can experiment with making this work on Fly, but you can’t do it with our built in Wireguard peers. You’d need to run your own Wireguard instance on Fly, figure out how to set the Fly vm that’s running it to work as a router, and then install routes through it on your other VMs.

I really want this to work some day, for what it’s worth. :slight_smile:

2 Likes

Gotcha, thanks for confirming. I’ll play around with setting my own WG setup on Fly.

1 Like