Our User-Mode WireGuard Year

WireGuard is fundamental to how Fly.io works. Along with Firecracker and Rust, it’s one of the three “interesting” technical choices we’ve made. Practically everything that talks to anything else at Fly.io does so over WireGuard. That goes for use

Overview

The article discusses the implementation and evolution of user-mode WireGuard at Fly.io, detailing how it enhances the platform's functionality, particularly in enabling SSH access to applications. It highlights the challenges faced during development and the innovative solutions that emerged, such as using a user-mode TCP/IP stack.

What You'll Learn

1. How to use flyctl to SSH into a Fly.io app instance without complex setup
2. Why user-mode WireGuard is beneficial for remote builds and SSH access
3. How to troubleshoot slow WireGuard peer creation in Fly.io

Prerequisites & Requirements

  • Basic understanding of networking concepts and SSH
  • Familiarity with command-line interfaces and GraphQL APIs (optional)

Key Questions Answered

How does flyctl enable SSH access to Fly.io app instances?
flyctl allows users to SSH into Fly.io app instances by establishing a WireGuard VPN session and running a user-mode TCP/IP stack. This innovative approach eliminates the need for complex client-side configurations, making it easy for users to access their applications securely.
What challenges did Fly.io face with WireGuard implementation?
Fly.io encountered several challenges, including slow creation of WireGuard peers and issues with SSH session management. These problems were addressed by optimizing the peer creation process and implementing a background agent to manage WireGuard sessions more effectively.
Why is user-mode WireGuard considered beneficial for Fly.io?
User-mode WireGuard allows Fly.io to provide flexible and efficient networking capabilities without requiring root access on client machines. This innovation simplifies the user experience and enhances the platform's functionality, particularly for remote builds and SSH access.

Key Statistics & Figures

Time taken for initial WireGuard peer creation
45-95 seconds
This was the delay experienced when creating a new WireGuard peer before optimizations were implemented.

Technologies & Tools

Networking
WireGuard
Used for establishing secure VPN connections for SSH access to Fly.io app instances.
Backend
GraphQL API
Facilitates communication for creating WireGuard peers and managing application deployments.
Sandboxing
gVisor
Related to the user-mode TCP/IP stack implementation.

Key Actionable Insights

1. Utilize flyctl for seamless SSH access to your Fly.io applications, which simplifies the connection process by handling WireGuard configurations automatically.
   This approach reduces the complexity typically associated with SSH access, allowing developers to focus on application development rather than networking issues.
2. Monitor the performance of WireGuard peer creation and optimize your workflows to minimize delays during application deployment.
   Understanding the underlying processes can help you troubleshoot issues more effectively and improve the overall efficiency of your deployment pipeline.
3. Leverage the user-mode TCP/IP stack for innovative networking solutions within your applications on Fly.io.
   This technology opens up new possibilities for application connectivity and interaction, enhancing the capabilities of your deployed services.

Common Pitfalls

1. Assuming that WireGuard connections will always be quick and reliable can lead to frustration during initial setups.
   New users may not realize that the first connection can take significantly longer due to the peer creation process, which can lead to misconceptions about the platform's performance.

Related Concepts

User-mode Networking
TCP/IP Stack Implementation
Remote Application Deployment
SSH Access Management