(This was a little bit triggered by the ongoing VPN woes, but the origin of my concern predates today’s Balena VPN outage.)
We are competing with products that have as a network security benefit “only one outgoing encrypted TCP connection, no ports exposed to the public Internet”.
Is it possible to achieve this with Balena?
I feel like the VPN-based model could end up being an issue for Balena, long-term. This makes it non-trivial to firewall ports so that there is no exposure of something that could have security issues to the public internet. Personally I must admit that I find it an odd model with clear downsides.
Another network model would be one using an outgoing multiplexed and encrypted connection (TCP+TLS? HTTP/2?) from each device to Balena, and then tunnelling things like ssh over this connection.
How married is Balena to the VPN setup? What advice can you offer customers who want to minimize the amount of exposed ports?