Balena Tunnel - Direct Connection?

We are planning to use balenaCloud for deployment of our app across multiple client sites. Our app includes server and client components that talk to each other. Some of our client devices will be remote to the server devices, and use cellular for connectivity. In those cases, we need to establish a VPN tunnel from the remote devices to the server for communication.

We have tried out the balena tunnel functionality and it works great (we are planning to use it for remote VNC-based support). What I am wondering is whether I can use the balena tunnel for client-server connectivity as well. Given this will be transmitting sensitive client data, I would like to understand if the tunnel is established directly from device A to device B, rather than having data transmitted from device A to balenaCloud and then relayed from balenaCloud to device B. In an ideal world, the devices would just find each other via balenaCloud but establish direct tunnels.

If anyone is familiar with how this works I would appreciate any insights into this. Otherwise I suppose we could always just set up our own VPN tunnels - but it would be nice to be able to use all of this pre-built architecture to achieve our goal. Thanks in advance.

Hi, the Balena VPN functionality cannot be used for intra-device communication – it is only used for balenaCloud to establish connections with the devices and does not support any type of forwarding.

Thanks for the quick reply. Just to clarify I am referring to the “tunnel” functionality:

https://www.balena.io/docs/reference/balena-cli/#tunnel-deviceorapplication

It appears this is meant to allow direct connections to devices, as it gives the example of accessing a web server running on a device. Presumably in that case, the web traffic is not being forwarded through balena but rather directly from the device? How would this be different from one device accessing a web server on another device using balena tunnel?

Oh I see, I think I’ve misunderstood your initial question in that case. Yes, by using balena tunnel you would be able to achieve device-to-device comms, although, as you have alluded to, it will not be a direct device-to-device connection – the connection will be tunnelled through at least one of our servers.

Understood. Is there some kind of overview or whitepaper on the balena VPN? I’m trying to get a sense of the level of security, location of servers, etc. This is something we need to understand regardless of the balena tunnel functionality as all devices will be connecting to it unless we explicitly disable it. We have some defense customers who will need to understand these details before opening up an on-prem device to an external network.

Balena VPN is actually open source, so I would say that is the most definitive answer to your question. As luck would have it I am the VPN maintainer so if you have any further questions fire them over and I’ll get back to you. Location wise, we currently use AWS’ US regions.

Whoops, forgot to link you to the repo! Here you go: https://github.com/balena-io/open-balena-vpn

Thanks - very helpful. How would we enable device to device communication using balena tunnel? Can balena tunnel be used from one device to another without a login? Each device will be connected to the balena VPN by virtue of being a balena cloud managed device, but I don’t think balena-cli is part of the image so presumably that would also need to be installed?

Hi, indeed the host OS image does not contain the CLI, so if you need to use the CLI you would need to install it in your container. As for the tunnel from one device to another, I would say yes, you need to log in and follow the procedure like you would when tunnelling from your development machine to the device, but let me ask whether we have ever had such a request and see if this has come up until now.

Hi

Were you able to get this working using the balena-cli on the device?

We haven’t pursued this further because balena tunnel requires a balena login. We are deploying a fleet of IIoT devices across many different clients - so requiring a balena login for each client deployment is not practical. I think it would be a valuable feature to allow devices running balenaOS who are already connected to the balena VPN to establish balena tunnel connections to other devices on the balena VPN (which are under the same account) without requiring a login - since they are effectively “authenticated” by being on the balena VPN in the first place. If you have any thoughts on how we can accomplish this I would welcome them; it would be a shame to not be able to use the already established VPN tunnel for device to device communication.

Hi @drcnyc, thanks for following up. I think unfortunately the only way to do what you want today would be to create your own VPN setup on your fleet of devices. The way our VPN and its scaling for 100,000s of devices is set up, it’s not easy for us to limit connection and discoverability to within specific applications or groups of devices, so those device-to-device connections are completely shut down for now. We have discussed this for the future, but it will require re-architecting the way our VPN is set up and scaled.

From a marketing perspective we are going to move away from calling it a VPN because we don’t actually offer the usual Virtual Private Network features people would associate with the name VPN; rather, we use it as a server-to-device tunnelling service :)

OK, I appreciate the follow up. Hypothetically speaking, if we wanted to use balena tunnel despite the login requirement, could we have a single balena login that is used for all fleet devices? We would need to manage scope limitations via our code, i.e. restricting which devices any particular device can connect to, but it could potentially work if a single login could be purposed for this vs. needing a separate login for each device / client location.

Yes, it should work with a single user for sure. I think you could possibly even use the “Operator” role for that member so that the scope of that key/login is restricted to only allow device interaction but wouldn’t be able to set any fleet-level config or push code.

Thank you - this is helpful. We are going to test this functionality. One question I have is whether it is possible to limit an operator user’s permissions to a subset of devices within an application? We have multiple apps that are part of our solution (client and server apps) and we maintain all customers’ devices within the same app instances in balena (i.e. each of our client and server apps has multiple customers’ devices within it). To maintain security protocols we would need one operator account per customer and the ability to restrict that operator account to just that customer’s devices. Is this possible? I would like to avoid having to create separate apps for each customer, as this will make release rollouts a lot more cumbersome.

Hi, limiting an operator user’s permissions to a subset of devices is not currently possible as access is determined at the application level. You would have to split devices into multiple applications and assign specific users to each application.