wireguard tunnels from userland

I have some HTTP requests I need to run from my local machine against a private service already deployed as a fly application. I’d like to do this completely in userland without needing to “install” a wireguard client on my local machine.

I know that ssh tunneling seems to work this way but is there a way to proxy other traffic to a TCP service other than SSH?

If the service is listening on IPv6, you can use the preview fly proxy command for this. If you have your app running on port 8080, you can do this:

fly proxy 8080:8080 -a <appname>

Then localhost:8080 will connect to your app.

Does that do what you need?

Oh I think it might!

Ok, this almost gave me what I needed, but I guess the application I’m running doesn’t actually listen on any IPv6 addresses. Is there any recourse here, or am I just unable to use fly?

I think this is the line that’s responsible for the IPv4-centric binding:

I’m hoping to avoid forking this project and would instead prefer to get something working in userland.

This particular port is essentially an admin RPC port and is unsafe to expose directly to the internet. Is there any other way to get the fly internal network to route traffic to IPv4-only services?

That is definitely a problem. The internal network won’t route traffic to IPv4 only services. It should be a simple fix for graph-node to listen on both ipv4 and ipv6, though. I bet they’d accept a PR!

I’ve made progress here running socat in the background and configuring it to bind to [::] (with and tunnel those to IPv4.

socat TCP6-LISTEN:8020,bind=[::],reuseaddr,ipv6only=1,fork TCP4: &

Once I get things working I’ll figure out what sort of PR might make sense to file with the graph-node project.

I also ended up using docker compose to create a sort of “tunneled” environment to run the container within locally. It requires a bit of acrobatics to make it work, but I think it’s the simplest approach, all things considered.

For each service on fly I want to connect to, I run an additional service in docker-compose.yml. I also use the --exit-code-from option on docker compose up, which tears everything down cleanly after my ephemeral container finishes executing.

This approach would be even cleaner if flyctl proxy accepted a --bind argument that let me bind it to something other than (In this specific setting I would prefer

1 Like

I’ve raised an issue, will look into a PR soon. Bind server to IPv6 as well as IPv4 · Issue #3044 · graphprotocol/graph-node · GitHub

1 Like