by tptacek 1941 days ago
You need WireGuard to SSH to machines at Fly (that's a good thing). You don't have WireGuard installed on a particular machine. That's OK, because there's a portable, userland, Golang implementation of not only WireGuard but all of TCP/IP that can be imported into any Go program. Go programs can BYO network stacks. That's crazy. The end.
2 comments

Why is userland TCP/IP stack needed? I didn't get this part of the story.

Work through it. You need WireGuard to talk to SSH on our instances; that can't change, it's a security rule. You can get userland WireGuard; that's how most people WireGuard. But you can't create an OS tun device: you need root to do that; you might as well just install WireGuard. Ok: you handshaked a WireGuard connection in Go. What's next?

Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?

I think I got it now!

I was confused because Tailscale does not bring its own userland TCP/IP. It can - as a VPN solution - rely on the OS-provided TCP/IP stack, but you wanted to avoid having to hook flyctl into the OS as a virtual network interface, right?

I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.

We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!

This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.
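The end-run described above, as an added Go example that is not code from flyctl or wireguard-go: Go's `http.Transport` takes a `DialContext` function, so an HTTP client can be pointed at a userland stack instead of the OS one without any tun device or privilege escalation. An in-memory pipe that answers every request with a fixed 200 stands in for the stack here; that the real substitute would be the `DialContext` of the netstack in wireguard-go's `tun/netstack` package is my assumption about that project, not something stated in the thread.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
)

// memStack is a stand-in for a userland network stack (flyctl uses wireguard-go's
// netstack): DialContext hands the HTTP client one end of an in-memory pipe and
// plays the far end itself. No OS socket, tun device or root privilege is involved.
type memStack struct {
	lastDialed string // host:port the client asked the stack to reach
}
// DialContext has the signature http.Transport expects; that is the whole trick:
// any stack with such a method can carry a Go program's HTTP traffic.
func (s *memStack) DialContext(_ context.Context, _, addr string) (net.Conn, error) {
	s.lastDialed = addr
	client, server := net.Pipe()
	go func() { // constructed far end: parse one request, answer 200
		defer server.Close() // closing the pipe marks the end of the body
		if req, err := http.ReadRequest(bufio.NewReader(server)); err == nil {
			fmt.Fprintf(server, "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n"+
				"hello %s from behind the tunnel", req.URL.Path)
		}
	}()
	return client, nil
}

// fetchThrough is "just do an HTTP GET": the TCP connection comes from dial,
// not the OS. With wireguard-go, dial would be the netstack's DialContext.
func fetchThrough(dial func(context.Context, string, string) (net.Conn, error), url string) (string, error) {
	c := &http.Client{Transport: &http.Transport{DialContext: dial, DisableKeepAlives: true}}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	s := &memStack{}
	body, err := fetchThrough(s.DialContext, "http://instance7.internal/console") // constructed name
	fmt.Println(body, err, "dialed:", s.lastDialed)
}
```

Note that the hostname never reaches the OS resolver either: the stack receives `host:port` as a string, so with a real netstack name resolution is also its job.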

So I'm curious: is there any good documentation available for using wireguard-go as a lib? Or is it just read the source and also read through flyctl source?

Curious about fiddling with something similar with firecracker at home.

Think it'd be neat to spin up bespoke micro-VMs with WireGuard enabled.

The source is about it, it's pretty readable though.

If you're turning up microvms with a Linux kernel, it might just be easier to use kernel-mode WireGuard. It works pretty well!

Still seems like a downgrade for actual users... I just want to be able to type ssh instance7.service.zone.user.fly.io into my console, and be connected... I don't actually care about compiling my own custom ssh client written in go, however neat its implementation might be...

But! They shipped that in their go client program so you don't have to.

That's how it works now! You just have to set up WireGuard first. You don't need to compile anything.

This userland WireGuard project was helpful for making "flyctl run console" work.