share specific network interface between services

Hi,
I’m setting up a VPN between balena devices using WireGuard.
How can I give certain services access to this newly created network interface without having to set host networking? I don’t want external devices to have access to these services.
All suggestions are welcome,
Bart

1 Like

Hello @bartjanszoon, good question! What WireGuard project are you deploying?

Checking the archived wireguard project, I can see that there are variables such as ALLOWEDIPS, and I see in the WireGuard docs that you can use table routes.

Could you please share more details on the issues and what you have already tested?

Hi Marc,
From a service which is privileged with host network_mode, I am using zeroconf (Python) for devices on the network to discover each other, and the pyroute2 and wireguard_py libraries to set up the wg0 WireGuard interface. (The exchange of IP configuration and WireGuard public keys happens in a proprietary but secure way.)
At this point, services on different devices that have access to the wg0 network interface can access each other.

Let’s assume that I have a resource, e.g. a database, that I want to reach from one device to another one over the network, without untrusted resources also having access to the same resource, which would happen if I also configure the database service with host network_mode.

I was thinking of explicitly defining the networks in the yml file:

```yaml
services:
  container1:
    image: your_image
    privileged: true
    networks:
      - default
      - wg0
networks:
  default:
    driver: bridge
  wg0:
    external: true
```

The balena docs seem to indicate that this should be possible, but they refer to generic docker-compose documentation, so I’m not sure what’s really supported.

Any pointers? Do you see any alternative approaches?

It turns out that I don’t need access to see the VPN network from services that need it, they just need to know the VPN IP address of the device they need to access.

But to do that I had to use host DBus access to monitor avahi service announcements.

1 Like
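An added example, not code from any post in this thread: given resolved service announcements like the ones the last post collects from avahi, keep only the peers' tunnel addresses so a client never falls back to a LAN address. The subnet `10.8.0.0/24`, the record layout and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the WireGuard tunnel subnet; the thread does not state one.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample of resolved mDNS/avahi records (not captured data).
ANNOUNCEMENTS = [
    {"host": "device-a.local.", "addresses": ["192.168.1.23", "10.8.0.2"], "port": 5432},
    {"host": "device-b.local.", "addresses": ["192.168.1.40"], "port": 5432},
    {"host": "device-c.local.", "addresses": ["fe80::1%eth0", "10.8.0.3"], "port": 5432},
    {"host": "device-d.local.", "addresses": ["not-an-ip", "10.8.1.7"], "port": 5432},
]


def vpn_address(addresses, vpn_net=VPN_NET):
    """Return the one announced address inside vpn_net, or None.

    mDNS records are unauthenticated, so anything unparsable, outside the
    tunnel subnet, or ambiguous (several tunnel addresses) is rejected
    rather than guessed at.
    """
    inside = []
    for raw in addresses:
        try:
            # Drop an IPv6 zone id ("%eth0") before parsing.
            ip = ipaddress.ip_address(raw.split("%")[0])
        except ValueError:
            continue
        if ip.version == vpn_net.version and ip in vpn_net:
            inside.append(ip)
    return str(inside[0]) if len(inside) == 1 else None


def vpn_endpoints(announcements, vpn_net=VPN_NET):
    """Map host name -> (tunnel IP, port) for peers announced on the VPN."""
    endpoints = {}
    for ann in announcements:
        ip = vpn_address(ann["addresses"], vpn_net)
        if ip is not None:
            # Traffic to this IP is routed via wg0; LAN-only peers are skipped.
            endpoints[ann["host"]] = (ip, ann["port"])
    return endpoints


if __name__ == "__main__":
    for host, (ip, port) in vpn_endpoints(ANNOUNCEMENTS).items():
        print(f"{host} -> {ip}:{port}")
```

Connecting only to an address inside the tunnel subnet means the packet leaves through wg0, where WireGuard encrypts it to the peer whose AllowedIPs cover that address.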