wggwd
wggwd is the Fly.io-authored daemon that runs on every Fly gateway and manages the gateway's WireGuard interfaces. It was introduced alongside the original push-based peer-provisioning system and extended in place to support JIT peer provisioning in early 2024.
Role
- Bridge between the Fly control plane and the Linux kernel's WireGuard subsystem.
- Persist peer state locally in SQLite.
- Install / remove peers via Netlink (using WireGuard's wgctrl-go libraries, per the post's mention of "WireGuard's Golang libraries").
Pre-JIT (push)
"On the gateway, a service called wggwd accepts that configuration, saves it to a SQLite database, and adds it to the kernel using WireGuard's Golang libraries. wggwd acknowledges the installation of the peer to the API." (Source: sources/2024-03-12-flyio-jit-wireguard-peers)

Configs arrive over NATS from the Fly GraphQL API; wggwd saves them to SQLite, installs them via Netlink, and ACKs.
Post-JIT (pull)
The same daemon now:
- Hooks the WireSockets packet-receive path (WebSocket transport) and a BPF socket (raw UDP transport) to observe handshake initiations.
- Runs the Noise-handshake first-leg unwrap to identify the initiator's public key.
- Rate-limit-caches lookups in SQLite; on cache miss, calls the Fly control plane's internal HTTP API.
- Installs the resulting peer via Netlink — as initiator, so the kernel sends the next handshake back to flyctl at install speed (canonical role-inversion instance).
- Runs or coordinates a cron that evicts stale peers.
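The rate-limit cache and stale-peer sweep from the list above, as an added example in Python over the standard-library sqlite3 module; this is not wggwd's own code. The TTLs, the schema and the `fetch` callable are assumptions: `fetch` stands in for the control-plane HTTP lookup, and the Netlink install/remove of the returned keys is left to the caller.

```python
import sqlite3
from typing import Callable, List, Optional

# Assumed cache-policy values for this example; the real daemon's TTLs are not on the page.
POSITIVE_TTL = 600      # seconds a resolved peer config is trusted before re-checking
NEGATIVE_TTL = 30       # seconds an "unknown key" answer is held, bounding upstream calls per key
STALE_PEER_AGE = 3600   # seconds since last handshake before a JIT-installed peer is evicted

SCHEMA = """
CREATE TABLE IF NOT EXISTS peers (
    pubkey      TEXT PRIMARY KEY,   -- initiator's base64 static public key
    allowed_ips TEXT,               -- NULL: control plane answered "unknown" (negative cache)
    looked_up   REAL NOT NULL,      -- when the control plane was last asked about this key
    last_seen   REAL NOT NULL       -- last handshake initiation observed for this key
);
"""

def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def resolve_peer(conn: sqlite3.Connection, pubkey: str, now: float,
                 fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the allowed-IPs string for pubkey, or None if the control plane does not know it.
    Positive and negative answers are both cached, so a burst of initiations for one key
    (known or bogus) costs at most one upstream call per TTL window."""
    row = conn.execute("SELECT allowed_ips, looked_up FROM peers WHERE pubkey = ?",
                       (pubkey,)).fetchone()
    if row is not None:
        allowed_ips, looked_up = row
        ttl = POSITIVE_TTL if allowed_ips is not None else NEGATIVE_TTL
        if now - looked_up < ttl:   # cache hit: refresh liveness, skip the control plane
            conn.execute("UPDATE peers SET last_seen = ? WHERE pubkey = ?", (now, pubkey))
            return allowed_ips
    allowed_ips = fetch(pubkey)     # miss or expired entry: exactly one upstream lookup
    conn.execute("INSERT OR REPLACE INTO peers VALUES (?, ?, ?, ?)",
                 (pubkey, allowed_ips, now, now))
    return allowed_ips

def evict_stale(conn: sqlite3.Connection, now: float) -> List[str]:
    """Cron-style sweep: drop peers unseen for STALE_PEER_AGE and expired negative entries,
    returning the keys the caller should also remove from the kernel."""
    stale = [r[0] for r in conn.execute(
        "SELECT pubkey FROM peers WHERE last_seen < ? OR (allowed_ips IS NULL AND looked_up < ?)",
        (now - STALE_PEER_AGE, now - NEGATIVE_TTL))]
    conn.executemany("DELETE FROM peers WHERE pubkey = ?", [(k,) for k in stale])
    return stale
```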
Seen in
- sources/2024-03-12-flyio-jit-wireguard-peers — canonical wiki instance; full before/after implementation sketch.
Related
- systems/fly-gateway — the host it runs on.
- systems/wireguard — the protocol it manages.
- systems/linux-netlink — the kernel config surface.
- systems/sqlite — the local store + rate-limit cache.
- concepts/jit-peer-provisioning — the architectural move implemented inside wggwd.
- patterns/jit-provisioning-on-first-packet — the reusable pattern.
- companies/flyio.