Query for Gateway Tunnelling setup

From what I’ve read in the documentation, the Gateway tunnelling function can only be performed using AWS ROUTE 53 DNS.
If my central instance is in another cloud, it would not be possible to use this function, is that correct?

Thank you very much.

If you’re hosting your central instance on another cloud and cannot use AWS Route 53 for the Gateway tunneling function, here are alternative approaches:

1. Alternative DNS Solutions:

  • Use another DNS provider: Configure wildcard DNS records (e.g., *.yourdomain.com) with your cloud provider’s DNS or another public DNS service.
  • Local DNS server: Set up a lightweight DNS server like Dnsmasq or Bind on your central instance to handle subdomains locally.
  • /etc/hosts file (limited): For testing, manually map subdomains to your central instance’s IP in /etc/hosts (not scalable and lacks HTTPS support).

Sish, which the Gateway function uses under the hood, is flexible with DNS systems as long as subdomains resolve to the server’s IP. You’re not limited to AWS Route 53.


2. VPN Tunnel Alternative:

If DNS setup is impractical, consider using a VPN tunnel:

  • Deploy a VPN server: Use a VPN solution like OpenVPN or WireGuard on your central instance to securely connect remote clients.
  • Route traffic internally: Once connected, services can communicate using private IPs (e.g., 10.8.0.1:8080), removing the need for public DNS or subdomains.

FYI: No, the gateway tunneling functionality is not specific to AWS.

@Rich anything to add? Since the documentation is not very clear on this :sweat_smile:

Route53 is definitely an AWS-specific term, so setting AWS_ROUTE53_ROLE makes perfect sense. Tunneling, however, shouldn’t be tied to any specific cloud provider. That said, the implementation described in the docs seems to be tightly integrated with AWS.

AWS_ROUTE53_ROLE is not coupled to tunnelling specifically, but is used by the proxy container to allow auto wildcard cert generation with Let's Encrypt, which requires adding TXT records to DNS.

Wildcard cert is needed for gateway as SISH uses subdomains for routing.

It is perfectly fine to provide your own wildcard cert (and we have customers that do); the AWS mechanism is there primarily for our benefit but others can use it and/or the proxy container can be enhanced to add additional plugins rather than just the certbot-dns-route53 plugin.
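The two points above, that sish routes on subdomains and that the wildcard cert therefore has to cover every `<gateway>.<base domain>` name, are easy to get wrong when bringing your own cert: a wildcard covers exactly one DNS label, so `*.example.com` matches `gw1.example.com` but neither `example.com` itself nor `a.b.example.com`. The following is an added example (not code from the thread or from the OpenRemote project) that checks a certificate's SAN list against the hostnames sish would produce, and derives the `_acme-challenge` TXT owner name a DNS-01 plugin such as certbot-dns-route53 (or a Cloudflare equivalent) must create. All domain names and gateway IDs are constructed.

```python
"""Added example, not OpenRemote project code: sanity checks for the wildcard
certificate and DNS-01 record used by the proxy container for sish routing.
Domain names and gateway IDs below are constructed for illustration."""


def acme_txt_record_name(identifier: str) -> str:
    """Return the TXT owner name for a DNS-01 challenge.

    A wildcard identifier '*.example.com' is validated at the base domain,
    so the record goes at _acme-challenge.example.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.').lower()}"


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style name matching: a leading '*.' covers one label only."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # ".example.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    # The wildcard must consume a single non-empty label.
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def covered_by_cert(san_list, hostname: str) -> bool:
    """True if any subjectAltName DNS entry in san_list covers hostname."""
    return any(san_matches(san, hostname) for san in san_list)


def gateway_hosts_uncovered(san_list, gateway_ids, base_domain: str):
    """sish exposes each gateway as <id>.<base_domain>; list the names the
    supplied certificate would NOT cover (empty list means you are fine)."""
    hosts = [f"{gid}.{base_domain}" for gid in gateway_ids]
    return [host for host in hosts if not covered_by_cert(san_list, host)]


if __name__ == "__main__":
    # Constructed sample: a cert with apex + one-level wildcard.
    sans = ["example.com", "*.example.com"]
    print(acme_txt_record_name("*.example.com"))
    print(gateway_hosts_uncovered(sans, ["gw1", "gw2", "site.gw3"], "example.com"))
```

Gateway IDs containing a dot (the constructed `site.gw3` above) are the usual surprise: they produce a two-level subdomain that a single-level wildcard does not cover, so either keep IDs to one label or issue a cert with the extra SAN.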

Thank you very much for everyone’s prompt response. My intention was to test the OR Tunneling features. I use Cloudflare as my DNS server. I’ll do some research on how to implement it and let you know the result.

As Michal suggested in point 2, I currently have WireGuard implemented and thus I can remotely access the EDGE instances. It works very well and I have no problems.

I simply wanted to look for an alternative to a VPN.

Regards.
