VPN support/options?

Hey yall. So, I'm running a BullMQ queue service with this template (https://railway.app/template/odzp-I). The service is private networking only, and I want to try keeping it that way for now. The only problem is that means I can't visit the BullMQ dashboard UI in my browser. I have a public-facing service that acts like the gateway to my project, so I thought I'll just pick a route, and proxy everything from my public service to the queue service, and BOOM I'll get my BullMQ dashboard in the browser again. However no dice. The source files make it from the queue service to the browser, but don't run... I thought maybe I'll look into it but I had another thought. I could visit it in my browser if I somehow tunneled into my project's private network. That's how like every enterprise-level organization operates all the time, with everyone required to be on a VPN in order to visit any company site. Will this ever be first-class at railway? Any recommendations on how to achieve this now?
Solution:
enable public access, do what you need to do, disable public access. sure its not the elegant solution you want, but it gets the job done...
Jump to solution
37 Replies
Percy
Percy14mo ago
Project ID: N/A
BenIsenstein
BenIsenstein14mo ago
I'm seeing in the private networking docs: "You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application"
Brody
Brody14mo ago
I think it would be super cool for railway to provide a way to use the wireguard client to easily connect into the private network (private network only, not the internet)
BenIsenstein
BenIsenstein14mo ago
I just downloaded wireguard official VPN client for my mac How to grab public keys for my project's private network?? hmm I'm not sure I've seen that in the docs before
Brody
Brody14mo ago
you can't, that why I said it would be cool if they provided those
BenIsenstein
BenIsenstein14mo ago
The funny thing is what I pasted above tho "You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application"
Brody
Brody14mo ago
yeah you'd run a wireguard server as a service in the project
BenIsenstein
BenIsenstein14mo ago
well I'll be damned That's a major feature right there, have them expose in their public API maybe a way to be issued public keys
Brody
Brody14mo ago
it wouldn't nearly be as simple as that
BenIsenstein
BenIsenstein14mo ago
And user management/having their private network layer register all parties whose public keys are allowed to access the network
Brody
Brody14mo ago
they would need a way to restrict the incoming wireguard connection to just the private network and not the internet
BenIsenstein
BenIsenstein14mo ago
could you explain that?
Brody
Brody14mo ago
what part needs explaining
BenIsenstein
BenIsenstein14mo ago
" restrict the incoming wireguard connection to just the private network and not the internet"
Brody
Brody14mo ago
yeah what's the confusion?
BenIsenstein
BenIsenstein14mo ago
Does what I mentioned about first-class access management solve that issue?
Brody
Brody14mo ago
regardless of class, no one should be able to tunnel into the private network and access the internet, the services on the private network is the only thing that should be accessible
BenIsenstein
BenIsenstein14mo ago
Hmm WHen I'm connected to the VPN at my work, I can access the internet and internal enterprise websites Why not?? Because that's overhead for Railway to be brokering that traffic?
Brody
Brody14mo ago
because then that just turns railway into a 5$ a month vpn service, and that's not what railway is, in fact you aren't even supposed to run vpns on railway for this very fact
BenIsenstein
BenIsenstein14mo ago
Why aren't you supposed to run VPNs on railway? What makes it explicitly bad for that purpose?
Brody
Brody14mo ago
nothing makes it bad, its just simply not allowed
BenIsenstein
BenIsenstein14mo ago
You think it's because the price of brokering all that traffic would rack up?
Brody
Brody14mo ago
of course if you used it for a legit usecase, like the one you described then it would be allowed
BenIsenstein
BenIsenstein14mo ago
They are charging for outgoing network though. So I'm trying to understand if it's an issue
Brody
Brody14mo ago
i just think its super easy to abuse a 5$ a month vpn service and railway doesnt wanna deal with that
BenIsenstein
BenIsenstein14mo ago
If a person wants to host their entire enterprise company within a single railway project and pay for the networking cost, why not? It's not abuse if they pay by the GB outgoing network
Brody
Brody14mo ago
no where did i say everyone would abuse it, nor did i say you would
BenIsenstein
BenIsenstein14mo ago
Right, that wouldn't be my case anyway
Brody
Brody14mo ago
i know that im speaking generally
BenIsenstein
BenIsenstein14mo ago
Just trying to understand, is there such a thing as a case of abusing the service if it's pay as you go?
Brody
Brody14mo ago
yes you can absolutely abuse something you pay for and its not like im talking about abusing railway, you could use the vpn to abuse other services outside of railway
BenIsenstein
BenIsenstein14mo ago
It's still something they would have to build into their engine to accommodate all that traffic. But yknow, a busy server outputs more traffic than someone working in an organization The one-time $5 payment you suggested, for sure. But pay-as-you-go means railway will still make a margin on all of it no?
Brody
Brody14mo ago
its not about money, you are missing the point
BenIsenstein
BenIsenstein14mo ago
Oh like for anonymity? Railway doesn't want to be implicated/complicit? I'm in over my head with trying to make this BullMQ work....
Solution
Brody
Brody14mo ago
enable public access, do what you need to do, disable public access. sure its not the elegant solution you want, but it gets the job done
BenIsenstein
BenIsenstein14mo ago
The inner workings of the Bullboard UI and the data-fetching endpoints are completely abstracted behind the Fastify Addapter for it
BrianJM
BrianJM14mo ago
You can run tailscale for free (except resource usage on railway), either within the service or as a separate service (subnet router).
Want results from more Discord servers?
Add your server