SSH and User-mode IP WireGuard

But Fly is kind of an odd duck. We run hardware in data centers around the world, connected to the Internet via Anycast and to each other with a WireGuard mesh. We take Docker-type containers from users and transmogrify them into Firecracker micro-VM

Thomas Ptacek
11 min read, intermediate

Overview

The article discusses the implementation of SSH access to applications hosted on Fly.io using a user-mode IP WireGuard approach. It details the unique networking architecture of Fly.io and introduces the Hallpass SSH server, which leverages WireGuard and gVisor for secure connections without requiring users to install WireGuard.

What You'll Learn

1. How to use Hallpass for SSH access to Fly.io applications
2. Why user-mode TCP/IP WireGuard is beneficial for SSH connections
3. How to implement certificate-based SSH authentication using DNS

Prerequisites & Requirements

  • Basic understanding of SSH and networking concepts
  • Familiarity with Fly.io and its CLI tools (optional)

Key Questions Answered

How does Hallpass enable SSH access to Fly.io applications?
Hallpass is a lightweight SSH server implemented in Go that allows users to log into their Fly.io applications using SSH certificates. It utilizes a private DNS to resolve authentication certificates, enabling secure access without needing direct API access from the application instances.
What is user-mode TCP/IP WireGuard and how is it used?
User-mode TCP/IP WireGuard allows applications to communicate over a WireGuard network without needing kernel-level privileges. It enables SSH access to Fly.io instances by running the WireGuard protocol as a userland process, simplifying connectivity for users who do not have WireGuard installed.
What are the benefits of using SSH certificates over traditional keys?
SSH certificates simplify the authentication process by allowing a single public key to authorize multiple private keys without needing to update server configurations. This method enhances security and reduces the complexity of managing SSH access across multiple instances.

Technologies & Tools

  • Networking: WireGuard. Used for creating secure connections between Fly.io instances.
  • Containerization: gVisor. Provides a userland TCP/IP stack for implementing user-mode WireGuard.
  • Programming Language: Go. Used to implement the Hallpass SSH server.

Key Actionable Insights

1. Implementing Hallpass can streamline SSH access for your Fly.io applications, enhancing security and user experience. By using Hallpass, you can avoid the complexities of managing SSH keys and instead leverage certificate-based authentication, which is more efficient for dynamic environments.
2. Consider using user-mode TCP/IP WireGuard to facilitate secure connections without requiring users to install additional software. This approach can significantly reduce barriers for users and improve the accessibility of your applications, especially in environments where installation permissions are restricted.

Common Pitfalls

1. Failing to configure DNS correctly can lead to authentication issues with Hallpass. Since Hallpass relies on private DNS for resolving SSH certificates, any misconfiguration can prevent users from accessing their applications securely.

Related Concepts

  • SSH Authentication Methods
  • WireGuard Networking
  • User-mode Networking