Work through it. You need WireGuard to talk to SSH on our instances; that can't change, it's a security rule. You can get userland WireGuard; that's how most people WireGuard. But you can't create an OS tun device: you need root to do that; you might as well just install WireGuard. Ok: you handshaked a WireGuard connection in Go. What's next?
Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?
I was confused because Tailscale does not bring its own userland TCP/IP. It can - as a VPN solution - rely on the OS-provided TCP/IP stack, but you wanted to avoid having to hook flyctl into the OS as a virtual network interface, right?
I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.
We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!
This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.
So I'm curious, is there any good documentation available for using wireguard-go as a lib? Or is it just read the source and also read through the flyctl source?
Curious about fiddling with something similar with firecracker at home.
Think it'd be neat to spin up bespoke micro-VMs with WireGuard enabled.
Seriously, check out the code in pkg/wg. The code you need is like 4 lines (get a working WireGuard connection first, outside of your code, and then bring the configuration --- keys, addresses --- into your code); everything else will be normal Go code.
I would take credit for this, but it's Ben's c--- hey, wait, I paid Ben Burkert for this, I'm going to take full credit.
So I have been actually looking at the code under pkg/wg and tracing stuff back into the wireguard-go pkg and so on for a bit. (Which is some very nice and clean code haha, so you definitely got what you paid for. :P)
I guess the conceptual hurdle I'm stuck on now is: great, I've got this wg tunnel open in my Go code. How do I actually force packets over it? Say I've got an sshd listening on the other end of the tunnel with netfilter rules that say only allow access over this tunnel.
Can I just do normal ssh calls and use the wg tunnel remote addr to do stuff?
Is it that simple and I'm vastly overthinking things, or is it more complicated than I thought?
Incidentally, fly.io is awesome!
Might have to see about getting our workloads running on it for any customers who might want to run them.
It's definitely given me some fun ideas: custom wg and sshd impls running over micro-VMs at home, haha.
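An added example, not flyctl's pkg/wg code or anything from wireguard-go, covering the "bring the configuration (keys, addresses) into your code" step from the advice above: it turns the base64 keys and endpoint of a .conf that already works with the wg tool into the UAPI text form. It assumes (not exercised here) that wireguard-go's device.IpcSet takes this format with hex keys and literal ip:port endpoints, and that once the device is up, the tun/netstack package's own Dial is what puts an SSH or HTTP connection onto the tunnel without any OS tun device.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// keyToHex turns a base64 key (the form in a .conf file) into the 64-char
// hex the UAPI format wants, rejecting anything that is not 32 bytes.
func keyToHex(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", fmt.Errorf("key is not valid base64: %w", err)
	}
	if len(raw) != 32 {
		return "", fmt.Errorf("key is %d bytes, want 32", len(raw))
	}
	return hex.EncodeToString(raw), nil
}

// UAPIConfig renders the "key=value\n" text that wireguard-go's
// device.IpcSet consumes (assumed call, not exercised here). Inputs are the
// base64 keys, endpoint and AllowedIPs from a config already tested with wg.
func UAPIConfig(privB64, peerPubB64, endpoint string, allowedIPs []string) (string, error) {
	priv, err := keyToHex(privB64)
	if err != nil {
		return "", fmt.Errorf("private key: %w", err)
	}
	pub, err := keyToHex(peerPubB64)
	if err != nil {
		return "", fmt.Errorf("peer public key: %w", err)
	}
	// UAPI endpoints must be a literal ip:port, so resolve hostnames up front.
	ep, err := net.ResolveUDPAddr("udp", endpoint)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "private_key=%s\npublic_key=%s\nendpoint=%s\n", priv, pub, ep)
	for _, cidr := range allowedIPs {
		if _, _, err := net.ParseCIDR(cidr); err != nil {
			return "", fmt.Errorf("allowed ip %q: %w", cidr, err)
		}
		fmt.Fprintf(&b, "allowed_ip=%s\n", cidr)
	}
	return b.String(), nil
}
```

The 32-byte check matters because a truncated or mis-pasted key otherwise fails much later, inside the handshake, where the error is far less obvious.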