Hi,
I’m setting up a VPN between balena devices using wireguard.
How can I give certain services access to this newly created network interface without having to set host networking, because I don’t want external devices to have access to these services.
All suggestions are welcome,
Bart
Hello @bartjanszoon, good question! What Wireguard project are you deploying?
Checking the archived wireguard project I can see that there are variables such as ALLOWEDIPS,
and I see in the WireGuard docs that you can use table routes.
Could you please share more details on the issues and what you have already tested?
Hi Marc,
From a service which is privileged with host network_mode, I am using zeroconf (python) for devices on the network to discover each other and the pyroute2 and wireguard_py libraries to set up the wg0 wireguard interface (exchange of IP configuration and wireguard public keys happens in a proprietary but secure way).
At this point services on different devices that have access to the wg0 network interface can access each other.
Let’s assume that I have a resource, eg a database, that I want to reach from one device to another one over the network, without untrusted resources also having access to the same resource, which would happen if I also configure the database service with host network_mode.
I was thinking of explicitly defining the networks in the yml file:
```yaml
services:
  container1:
    image: your_image
    privileged: true          # key was misspelled as "priviledged" in the original post
    networks:
      - default               # the normal bridge network
      - wg0                   # the wireguard network, expected to exist outside the compose file
networks:
  default:
    driver: bridge
  wg0:
    external: true            # not created by compose; must already exist on the host
```
The balena docs seem to indicate that this should be possible, but it refers to generic docker-compose documentation, so I’m not sure what’s really supported.
Any pointers? Do you see any alternative approaches?