Work through it. You need WireGuard to talk to SSH on our instances; that can't change, it's a security rule. You can get userland WireGuard; that's how most people WireGuard. But you can't create an OS tun device: you need root to do that; you might as well just install WireGuard. Ok: you handshaked a WireGuard connection in Go. What's next?
Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?
I was confused because Tailscale does not bring its own userland TCP/IP. It can - as a VPN solution - rely on the OS-provided TCP/IP stack, but you wanted to avoid having to hook flyctl into the OS as a virtual network interface, right?
I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.
We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!
This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.
So I'm curious: is there any good documentation available for using wireguard-go as a lib? Or is it just read the source and also read through the flyctl source?
Curious about fiddling with something similar with Firecracker at home.
Think it'd be neat to spin up bespoke micro-VMs with WireGuard enabled.
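The thread above describes the trick behind flyctl's approach: if your program owns the whole TCP/IP stack in userland, an HTTP GET over the tunnel is just an `http.Client` whose transport dials through your stack instead of the OS. In wireguard-go that role is played by the `tun/netstack` package (`netstack.CreateNetTUN` hands back a `tun.Device` plus a `*netstack.Net` whose `DialContext` you plug into `http.Transport`). The example below is added here and is not flyctl's or wireguard-go's code; it does no WireGuard at all. It stands in a hypothetical in-process "userland stack" built on `net.Pipe` for the netstack side, so it runs offline with only the standard library, and shows the part that is the same either way: the `DialContext` hook, the fact that no OS socket, tun device, DNS lookup or root privilege is involved, and an HTTP server on the far side answering over that transport.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"sync"
)

// fakeAddr is a placeholder net.Addr for connections that never touch the OS.
type fakeAddr string

func (a fakeAddr) Network() string { return "mem" }
func (a fakeAddr) String() string  { return string(a) }

// memListener is a net.Listener fed by the userland stack below: Accept
// hands out the server end of each in-memory connection.
type memListener struct {
	conns chan net.Conn
	done  chan struct{}
	once  sync.Once
}

func (l *memListener) Accept() (net.Conn, error) {
	select {
	case c := <-l.conns:
		return c, nil
	case <-l.done:
		return nil, errors.New("memListener: closed")
	}
}

func (l *memListener) Close() error {
	l.once.Do(func() { close(l.done) })
	return nil
}

func (l *memListener) Addr() net.Addr { return fakeAddr("mem:0") }

// UserlandStack is a stand-in (constructed for this example) for a userland
// TCP/IP stack such as the one behind wireguard-go's tun/netstack package.
// Its DialContext has the same shape as netstack.Net.DialContext and returns
// a net.Conn that never involves an OS socket, tun device or DNS resolver.
type UserlandStack struct {
	ln *memListener
}

func NewUserlandStack() *UserlandStack {
	return &UserlandStack{ln: &memListener{
		conns: make(chan net.Conn),
		done:  make(chan struct{}),
	}}
}

// DialContext ignores network/addr for routing (the real stack would turn
// addr into a TCP connection over WireGuard); here it creates an in-memory
// pipe and hands the far end to whoever is serving on the stack.
func (s *UserlandStack) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	client, server := net.Pipe()
	select {
	case s.ln.conns <- server:
		return client, nil
	case <-ctx.Done():
		client.Close()
		server.Close()
		return nil, ctx.Err()
	case <-s.ln.done:
		client.Close()
		server.Close()
		return nil, errors.New("userland stack: nothing listening")
	}
}

// ServeOverStack runs an ordinary http.Server on the stack's listener; it
// plays the role of the HTTP endpoint on the far side of the tunnel.
func ServeOverStack(s *UserlandStack, handler http.Handler) *http.Server {
	srv := &http.Server{Handler: handler}
	go srv.Serve(s.ln)
	return srv
}

// GetOverStack is the "just do an HTTP GET" step: a stock http.Client whose
// transport dials through the userland stack instead of the OS.
func GetOverStack(s *UserlandStack, url string) (string, error) {
	client := &http.Client{Transport: &http.Transport{DialContext: s.DialContext}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// Demo wires the pieces together: the hostname is never resolved by the OS,
// it simply arrives at the handler as the Host header.
func Demo() (string, error) {
	stack := NewUserlandStack()
	srv := ServeOverStack(stack, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "userland stack served %s %s for host %s", r.Method, r.URL.Path, r.Host)
	}))
	defer srv.Close()
	return GetOverStack(stack, "http://inside-the-tunnel/hello")
}

func main() {
	body, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(body)
}
```

Swapping the pipe-backed stack for the real thing means replacing `UserlandStack` with the `*netstack.Net` returned by `netstack.CreateNetTUN`, binding its `tun.Device` to a `device.Device` configured with your WireGuard keys and peer, and leaving `GetOverStack` untouched; the privilege boundary the thread talks about is exactly that no step in this path asks the OS to create an interface.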