wireguard tunnels from userland

I have some HTTP requests I need to run from my local machine against a private service already deployed as a fly application. I’d like to do this completely in userland without needing to “install” a wireguard client on my local machine.

I know that ssh tunneling seems to work this way but is there a way to proxy other traffic to a TCP service other than SSH?

If the service is listening on IPv6, you can use the preview fly proxy command for this. If you have your app running on port 8080, you can do this:

fly proxy 8080:8080 -a <appname>

Then localhost:8080 will connect to your app.

Does that do what you need?

Oh I think it might!

Ok, this almost gave me what I needed, but I guess the application I’m running doesn’t actually listen on any IPv6 addresses. Is there any recourse here, or am I just unable to use fly?

I think this is the line that’s responsible for the IPv4-centric binding:

I’m hoping to avoid forking this project and would instead prefer to get something working in userland.

This particular port is essentially an admin RPC port and is unsafe to expose directly to the internet. Is there any other way to get the fly internal network to route traffic to IPv4-only services?

That is definitely a problem. The internal network won’t route traffic to IPv4 only services. It should be a simple fix for graph-node to listen on both ipv4 and ipv6, though. I bet they’d accept a PR!

I’ve made progress here running socat in the background and configuring it to bind to [::] and tunnel those connections to 127.0.0.1 over IPv4.

socat TCP6-LISTEN:8020,bind=[::],reuseaddr,ipv6only=1,fork TCP4:127.0.0.1:8020 &

Once I get things working I’ll figure out what sort of PR might make sense to file with the graph-node project.
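As an added illustration (this is not code from the thread, from flyctl, or from graph-node), here is a small Python relay that does the same job as the socat line above: it listens on an IPv6 socket with IPV6_V6ONLY set, mirroring socat's ipv6only=1, and forwards each accepted connection to an IPv4-only backend on 127.0.0.1. The echo backend, the payload and the port numbers (the OS picks free ones) are constructed only for the self-test; the relay itself is what you would point at a real IPv4-only admin port.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, backend_addr):
    """Bridge one accepted client to a fresh backend connection, both directions."""
    backend = socket.create_connection(backend_addr)
    threads = [
        threading.Thread(target=pipe, args=(client, backend), daemon=True),
        threading.Thread(target=pipe, args=(backend, client), daemon=True),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    backend.close()


def start_relay(listen_addr, backend_addr, family=socket.AF_INET6):
    """Listen on listen_addr (default an IPv6 socket) and relay to backend_addr (IPv4).

    Returns the listening socket; close it to stop accepting."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if family == socket.AF_INET6 and hasattr(socket, "IPV6_V6ONLY"):
        # Same effect as socat's ipv6only=1: this socket serves IPv6 only,
        # it never shadows an IPv4 listener on the same port.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    srv.bind(listen_addr)
    srv.listen()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handle, args=(conn, backend_addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_backend(host="127.0.0.1"):
    """Constructed stand-in for an IPv4-only service: echoes bytes until the client half-closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen()

    def echo(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip(payload, family=socket.AF_INET6):
    """Send payload through relay -> IPv4 backend and return what comes back."""
    backend = start_echo_backend()
    backend_addr = ("127.0.0.1", backend.getsockname()[1])
    listen_addr = ("::", 0) if family == socket.AF_INET6 else ("127.0.0.1", 0)
    relay = start_relay(listen_addr, backend_addr, family)
    relay_port = relay.getsockname()[1]
    connect_host = "::1" if family == socket.AF_INET6 else "127.0.0.1"
    received = b""
    with socket.create_connection((connect_host, relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # EOF propagates through both pipes
        while chunk := c.recv(4096):
            received += chunk
    relay.close()
    backend.close()
    return received


if __name__ == "__main__":
    # Stand-alone demo: IPv6 client -> relay on [::] -> IPv4-only echo on 127.0.0.1
    print(roundtrip(b"hello over v6", socket.AF_INET6))
```

The half-close handling is the part worth copying: shutting down only the write side when one direction hits EOF lets the backend finish sending its reply before the relay tears the pair down, which is what keeps request/response protocols from losing the tail of a response.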

I also ended up using docker compose to create a sort of “tunneled” environment to run the container within locally. It requires a bit of acrobatics to make it work, but I think it’s the simplest approach, all things considered.

For each service on fly I want to connect to, I run an additional service in docker-compose.yml. I also use the --exit-code-from option on docker compose up, which tears everything down cleanly after my ephemeral container finishes executing.

This approach would be even cleaner if flyctl proxy accepted a --bind argument that let me bind it to something other than 127.0.0.1. (In this specific setting I would prefer 0.0.0.0.)


I’ve raised an issue, will look into a PR soon. Bind server to IPv6 as well as IPv4 · Issue #3044 · graphprotocol/graph-node · GitHub
