threefoldtech · Eslam-Nawara · Apr 16, 2025 · Apr 16, 2025 · Apr 16, 2025 · Apr 16, 2025
@@ -80,6 +80,52 @@ What happens now is:
 - VMs inside a single space can communicate directly over their bridge.
 - Different networks resource can (and well) have conflicting IP and ranges but with no issue since each network is completely isolated from the other ones.
 
+## Private Networks
+
+To reach vms on local nodes using wireguard you need to:
+
+- Deploy a networkwith valid pairs so you can be able to connect to the vm from your machine and add a container to this network.
+For example:
+
+```go
+WGPrivateKey: wgKey,
+WGListenPort: 3011,
+Peers: []zos.Peer{
+ {
+  Subnet:      gridtypes.MustParseIPNet("10.1.2.0/24"),
+  WGPublicKey: "4KTvZS2KPWYfMr+GbiUUly0ANVg8jBC7xP9Bl79Z8zM=",
+
+  AllowedIPs: []gridtypes.IPNet{
+   gridtypes.MustParseIPNet("10.1.2.0/24"),
+   gridtypes.MustParseIPNet("100.64.1.2/32"),
+
+```
+
+> **Note:** make sure to use valid two wg key pairs for the container and your local machine.
+
+- After the deployment the network can be accessed through wg with the following config.
+
+```conf
+[Interface]
+Address = 100.64.1.2/32
+PrivateKey = <your private key>
+
+[Peer]
+PublicKey = cYvKjMRBLj3o3e4lxWOK6bbSyHWtgLNHkEBxIv7Olm4=
+AllowedIPs = 10.1.1.0/24, 100.64.1.1/32
+PersistentKeepalive = 25
+Endpoint = 192.168.123.32:3011
+```
+
+- Bring wireguard interface up `wg-quick up <config file>`
+- Test the connection `wg`
+![image](https://github.com/user-attachments/assets/ca0d37e2-d586-4e0f-ae98-2d70188492bd)
+
+- Then you should be able to ping/access the container `ping 10.1.1.2`
+![image](https://github.com/user-attachments/assets/d625a573-3d07-4980-afc0-4570acd7a21f)
+
+- Then you should be able to ping to the container `ping 10.1.1.2`
+
 ### Full Picture
 
 ![full](png/full.png)
@@ -104,7 +104,7 @@ require (
 	github.com/gtank/ristretto255 v0.1.2 // indirect
 	github.com/hanwen/go-fuse/v2 v2.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/holiman/uint256 v1.2.3 // indirect

@@ -29,6 +29,28 @@ type NetworkLight struct {
 	// if no mycelium configuration is provided, vms can't
 	// get mycelium IPs.
 	Mycelium Mycelium `json:"mycelium,omitempty"`
+
+	// wg config
+	// IP range of the network, must be an IPv4 /16
+	// for example a 10.1.0.0/16
+	NetworkIPRange gridtypes.IPNet `json:"ip_range"`
+
+	// The private wg key of this node (this peer) which is installing this
+	// network workload right now.
+	// This has to be filled in by the user (and not generated for example)
+	// because other peers need to be installed as well (with this peer public key)
+	// hence it's easier to configure everything one time at the user side and then
+	// apply everything on all nodes at once
+	WGPrivateKey string `json:"wireguard_private_key"`
+
+	// WGListenPort is the wireguard listen port on this node. this has
+	// to be filled in by the user for same reason as private key (other nodes need to know about it)
+	// To find a free port you have to ask the node first by a call over RMB about which ports are possible
+	// to use.
+	WGListenPort uint16 `json:"wireguard_listen_port"`
+
+	// Peers is a list of other peers in this network
+	Peers []Peer `json:"peers"`
 }
 
 // Valid checks if the network resource is valid.

@@ -56,7 +56,7 @@ func TestAddrSet(t *testing.T) {
 		mustParseAddr("192.168.0.10/24"),
 	})
 	assert.Equal(t, 3, s.Len())
-	assert.Equal(t, []netlink.Addr{
+	assert.ElementsMatch(t, []netlink.Addr{
 		mustParseAddr("192.168.0.1/24"),
 		mustParseAddr("192.168.1.1/24"),
 		mustParseAddr("192.168.0.10/24"),