undefined | Better HN

0 pointstptacek5y ago0 comments

Work through it. You need WireGuard to talk to SSH on our instances; that can't change, it's a security rule. You can get userland WireGuard; that's how most people WireGuard. But you can't create an OS tun device: you need root to do that; you might as well just install WireGuard. Ok: you handshaked a WireGuard connection in Go. What's next?

Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?

0 comments

ash5y ago

I think I got it now!

I was confused because Tailscale does not bring its own userland TCP/IP. It can - as a VPN solution - rely on OS-provided TCP/IP stack, but you wanted to avoid having to hook up flyctl into OS as a virtual network interface, right?

tptacekOP5y ago

I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.

We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!

This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.

aleph-5y ago

So I'm curious are there any good documentation available for using wireguard-go as a lib? Or is it just read the source and also read through flyctl source?

Curious about fiddling with something similar with firecracker at home.

Think it'd be neat to spin up bespoke micro-vm's with wireguard enabled.

mrkurt5y ago

The source is about it, it's pretty readable though.

If you're turning up microvms with a linux kernel, it might just be easier to use kernel mode wireguard. It works pretty well!

1 more reply

j / k navigate · click thread line to collapse