Trying to understand Threefold VM networking

I’m still trying to get some understanding on the networking of VMs on Threefold. I do understand the function of the public ip4 and ip6 addresses. But what about the other two possible networks? Yggdrasil/planetary and the other 10.x.x.x address you always get? Is the latter one the Wireguard address?

  • No Yggdrasil software and/or config can be found on a vm? Why/how?
  • No Wireguard software and/or config can be found on a vm? Why/how?
  • Is Yggdrasil useful for communication between Threefold hosts? Is traffic encrypted? Would I still need to put up a firewall on this interface?
  • Is Wireguard useful for communication between Threefold hosts? Is traffic encrypted? Would I still need to put up a firewall on this interface?
  • Is it possible to have communication on the 10.x.x.x interface from a non-Threefold environment to a Threefold VM? Should a Wireguard client be used for this?

I can get an ssh connection on the planetary interface from my client when having a Yggdrasil client active.

I’m still trying to get some understanding on the networking of VMs on Threefold. I do understand the function of the public ip4 and ip6 addresses. But what about the other two possible networks? Yggdrasil/planetary and the other 10.x.x.x address you always get? Is the latter one the Wireguard address?

Yes, the 10.0.0.0 address is your node's zero network/wireguard IP.

  • No Yggdrasil software and/or config can be found on a vm? Why/how?

The yggdrasil software runs at the hypervisor level. Basically the way it works is the client establishes a /64 ygg subnet and then assigns workloads an address within the subnet.
You can find the documentation related to this function here under "advertising a prefix".

  • No Wireguard software and/or config can be found on a vm? Why/how?

This works in the same way as yggdrasil as far as I understand, but with wireguard the node manages the network and joining clients to it.

  • Is Yggdrasil useful for communication between Threefold hosts? Is traffic encrypted? Would I still need to put up a firewall on this interface?
    Your yggdrasil address functions in the same way as a public ipv6 address, except clients must be connected to the network to reach it. All clients on the yggdrasil network are in one “network”, and traffic is end to end encrypted between hosts. This interface should be firewalled the same way you do your public ipv4/ipv6.

  • Is Wireguard useful for communication between Threefold hosts? Is traffic encrypted? Would I still need to put up a firewall on this interface?
    Wireguard networks include clients of your choosing. Currently you have to deploy with terraform to create multi vm deployments, but in a coming update this functionality is coming to the playground. This creates a private network between your vms; an example use case would be connecting the backends of a multi master database cluster to each other.

  • Is it possible to have communication on the 10.x.x.x interface from a non-Threefold environment to a Threefold VM? Should a Wireguard client be used for this?
    Yes. Again, this is a terraform only feature currently, but when creating a deployment with a wireguard network you have the option to output the wireguard configuration that will allow you to connect other devices into your private network.

I can get an ssh connection on the planetary interface from my client when having a Yggdrasil client active.
You should be able to ssh with the planetary interface. This works well in linux; I've had a lot of trouble with this in windows.


Big thanks for your answers :smiley:

Right, these special interfaces are implemented at hypervisor level. That’s why they are not exposed as tun0 and wg0, but like ensX.

It’s worthwhile to reread your answers a few times. Learning every day.

Tried to connect to 3fold vm using a local wireguard client, success!

(run as root)

apt update
apt install wireguard
vi /etc/wireguard/3f.conf

(copy+paste terraform wireguard info into 3f.conf)

wg-quick up 3f

Example output of wg-quick:

[#] ip link add 3f type wireguard
[#] wg setconf 3f /dev/fd/63
[#] ip -4 address add 100.64.32.2 dev 3f
[#] ip link set mtu 1420 up dev 3f
[#] ip -4 route add 100.64.0.0/16 dev 3f
[#] ip -4 route add 10.32.0.0/16 dev 3f

ssh now works to my 10.32.3.2 and 10.32.3.3. My terraform config did not have the output of the wireguard info, but it could be found in the terraform.tfstate file.

Example of config file:

[Interface]
Address = 100.xxx.xxx.xxx
PrivateKey = tvij...=

[Peer]
PublicKey = 5nd...=
AllowedIPs = 10.32.0.0/16, 100.64.0.0/16
PersistentKeepalive = 25
Endpoint = 83.2xx.xxx.xxx:6620
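A small sanity check I would run on such a config before `wg-quick up`, added here as an example and not code from the thread: it parses the [Interface]/[Peer] file, checks that the keys are well-formed 32-byte base64 values, and confirms that the VM addresses (10.32.x.x) fall inside AllowedIPs, i.e. that wg-quick will actually install a route for them through the tunnel. The config text and keys are constructed, and 192.0.2.10 stands in for the node endpoint.

```python
import base64
import ipaddress

# Constructed sample config in the same shape as the one in the post above; DUMMY_KEY is a made-up 32-byte value.
DUMMY_KEY = base64.b64encode(b"\x01" * 32).decode()
SAMPLE_CONF = f"""[Interface]
Address = 100.64.32.2
PrivateKey = {DUMMY_KEY}

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.32.0.0/16, 100.64.0.0/16
PersistentKeepalive = 25
Endpoint = 192.0.2.10:6620
"""

def parse_wg_conf(text):
    """Minimal INI-style parser for a wg-quick config with one [Interface] and one [Peer]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)     # base64 keys end in '=', so split only once
            sections[current][key.strip()] = value.strip()
    return sections

def is_valid_key(key):
    """A WireGuard key is 32 bytes of base64 (44 characters); truncated values are rejected."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def routed_via_tunnel(conf, target):
    """True if the AllowedIPs routes wg-quick installs would send traffic for `target` into the tunnel."""
    ip = ipaddress.ip_address(target)
    nets = [ipaddress.ip_network(n.strip()) for n in conf["Peer"]["AllowedIPs"].split(",")]
    return any(ip in net for net in nets)

def check_config(text, vm_ip):
    """Checks worth running before `wg-quick up`: keys well-formed, VM address routed."""
    conf = parse_wg_conf(text)
    keys_ok = is_valid_key(conf["Interface"]["PrivateKey"]) and is_valid_key(conf["Peer"]["PublicKey"])
    return {"keys_ok": keys_ok, "endpoint": conf["Peer"]["Endpoint"],
            "vm_routed": routed_via_tunnel(conf, vm_ip)}
```

If `vm_routed` comes back False for your VM address, ssh to it will go out your default route instead of the tunnel, which is the usual reason a freshly copied config "comes up" but nothing is reachable.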

Beautiful! What are you working on deploying?

This was part of our decentral cloud workgroup. We are doing investigation, learning and experiments on the Threefold Cloud.

Besides this, I think I can apply this wireguard knowledge to an already running social media on Threefold.

By the way, if you want your wireguard connection to start up automatically, this can be done by:

systemctl enable wg-quick@3f

This applies when your config is named /etc/wireguard/3f.conf


When you guys are back at it next, reach out to me on telegram and I’d be glad to join the discussion to provide some live q/a.

I also host a tech call every Monday that is dedicated to answering questions from attendees or doing tech demonstrations. They are at noon central US time currently, but I’ve considered some additional times since we have such an international community.


Very cool! If you document your investigation, learning and experiments on the Threefold Cloud, please do share it with the community :smiley: I’m sure it could help lots of people! You can reach out to me as well to showcase and share your work!