VPN support/options?
Hey y'all.
So, I'm running a BullMQ queue service with this template (https://railway.app/template/odzp-I).
The service is private networking only, and I want to try keeping it that way for now. The only problem is that means I can't visit the BullMQ dashboard UI in my browser.
I have a public-facing service that acts like the gateway to my project, so I thought I'll just pick a route, and proxy everything from my public service to the queue service, and BOOM I'll get my BullMQ dashboard in the browser again.
However no dice. The source files make it from the queue service to the browser, but don't run... I thought maybe I'll look into it but I had another thought.
I could visit it in my browser if I somehow tunneled into my project's private network. That's how like every enterprise-level organization operates all the time, with everyone required to be on a VPN in order to visit any company site.
Will this ever be first-class at railway? Any recommendations on how to achieve this now?
Solution:
enable public access, do what you need to do, disable public access.
sure it's not the elegant solution you want, but it gets the job done...
37 Replies
I'm seeing in the private networking docs: "You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application"
I think it would be super cool for railway to provide a way to use the wireguard client to easily connect into the private network (private network only, not the internet)
I just downloaded wireguard official VPN client for my mac
How to grab public keys for my project's private network?? hmm
I'm not sure I've seen that in the docs before
you can't, that's why I said it would be cool if they provided those
The funny thing is what I pasted above tho
"You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application"
yeah you'd run a wireguard server as a service in the project
well I'll be damned
That's a major feature right there, have them expose in their public API maybe a way to be issued public keys
it wouldn't nearly be as simple as that
And user management/having their private network layer register all parties whose public keys are allowed to access the network
they would need a way to restrict the incoming wireguard connection to just the private network and not the internet
could you explain that?
what part needs explaining
" restrict the incoming wireguard connection to just the private network and not the internet"
yeah what's the confusion?
Does what I mentioned about first-class access management solve that issue?
regardless of class, no one should be able to tunnel into the private network and access the internet, the services on the private network are the only thing that should be accessible
Hmm
When I'm connected to the VPN at my work, I can access the internet and internal enterprise websites
Why not??
Because that's overhead for Railway to be brokering that traffic?
because then that just turns railway into a 5$ a month vpn service, and that's not what railway is, in fact you aren't even supposed to run vpns on railway for this very fact
Why aren't you supposed to run VPNs on railway? What makes it explicitly bad for that purpose?
nothing makes it bad, it's just simply not allowed
You think it's because the price of brokering all that traffic would rack up?
of course if you used it for a legit usecase, like the one you described then it would be allowed
They are charging for outgoing network though. So I'm trying to understand if it's an issue
i just think it's super easy to abuse a 5$ a month vpn service and railway doesn't wanna deal with that
If a person wants to host their entire enterprise company within a single railway project and pay for the networking cost, why not?
It's not abuse if they pay by the GB outgoing network
nowhere did i say everyone would abuse it, nor did i say you would
Right, that wouldn't be my case anyway
i know that
i'm speaking generally
Just trying to understand, is there such a thing as a case of abusing the service if it's pay as you go?
yes you can absolutely abuse something you pay for
and it's not like i'm talking about abusing railway, you could use the vpn to abuse other services outside of railway
It's still something they would have to build into their engine to accommodate all that traffic. But yknow, a busy server outputs more traffic than someone working in an organization
The one-time $5 payment you suggested, for sure. But pay-as-you-go means railway will still make a margin on all of it no?
it's not about money, you are missing the point
Oh like for anonymity?
Railway doesn't want to be implicated/complicit?
I'm in over my head with trying to make this BullMQ work....
Solution
enable public access, do what you need to do, disable public access.
sure it's not the elegant solution you want, but it gets the job done
The inner workings of the Bullboard UI and the data-fetching endpoints are completely abstracted behind the Fastify Adapter for it
You can run tailscale for free (except resource usage on railway), either within the service or as a separate service (subnet router).