Access to Balena cloud on networks with VPN blocking

n42 · February 12, 2021, 11:01pm

Hi,

We have a device deployed with a customer. The device is connected to an open network, but it appears the network has a firewall on it, which we do not control and it’s unlikely the customer would turn the firewall off. Having said that, we know the device can easily access any other HTTPS service - so it appears that the firewall specifically blocks VPN over 443.

Is there a way for the device (running BalenaOS) to reach BalenaCloud, most importantly for diagnostics and software upgrades, without using the VPN (ie, using regular HTTPS requests), even if some capabilities like SSH to device would be lost?

Thanks!

dtischler · February 13, 2021, 12:35am

Hi Rani, the best way to handle that situation would be by using a Proxy so that the device actually connects to the proxy instead of going through the current firewalled network. We have documentation on how to get started here: Network Setup on balenaOS 2.x - Balena Documentation

Hope that helps, thanks!

n42 · February 16, 2021, 12:38am

I assume this would be site specific and when deploying the units to a large set of customers it would be hard (or impossible) to set up a proxy for each site, or am I missing anything?

sradevski · February 16, 2021, 1:16pm

You can also do it dynamically from within a container by calling the supervisor API: Interacting with the balena Supervisor - Balena Documentation. Let me know if that works

n42 · February 16, 2021, 8:12pm

Great! Thank you. We will try that.

Quick question - with OpenBalena, if I understand it correctly, it uses a self signed certificate, which might be causing some firewalls to block the connection.

Do you know if Balena Cloud uses regular (not self signed) certificates?

Thank you!

ab77 · February 16, 2021, 8:44pm

Hi there, balenaCloud uses SSL certificates signed by CAs which are trusted by all browsers. Even without the VPN, the supervisor will perform updates, albeit it will be doing so on a default 15 minute poll rather than a notification from the cloud. Features such as device terminal and diagnostics won’t be available without a VPN connection.

Please note, that even through we use port 443 for VPN traffic, this traffic is not actually HTTPS and if an upstream firewall is performing traffic profiling, it may drop this traffic because it doesn’t meet the profile it expects.

n42 · February 18, 2021, 1:47am

Awesome - thank you. We actually found out today both worked for us. While device connected to open balena, with self signed certs failed to connect to VPN it did upgrade. We tested a different device on same setup to cloud balena (with CA certs) and everything worked. Very impressive.

Thank you!

bversluijs · February 18, 2021, 9:14am

Hi,

Sorry for hijacking this topic, but does openBalena facilitate in a proxy so that devices that are behind a firewall can connect to the VPN, or do we have to provide a proxy ourself?

We’ve devices running behind a strict firewall at our client which blocks the OpenVPN protocol at every port. They’re using a 4G router now, but I’m curious if this could be fixed using a proxy of some sort. I could built something in our software that enables / disabled the proxy per-device using a environment variable, so it’s definitely something we could use!

dfunckt · February 22, 2021, 4:15pm

You would indeed have to setup a proxy yourself but balenaOS devices can easily utilize it and route everything through it, even VPN traffic. There is documentation here: Network Setup on balenaOS 2.x - Balena Documentation