Cannot not connect to vpn tunnel after renewing certs

hi all, i’ve been running an openbalena 2.0.0 server for a couple years now,
recently the certificates of my openbalena server expired so i followed [VPN Certs seems to be expired - #10 by wolf_karl]

The api is now working ok and i can list apps and devices with no problem. Mi issue is with the vpn tunneling, I’ve been using proxytunnel to connect to devices but after re creating the certificates I get the following message from the vpn container every time i try to fordward a new connection.

Nov 19 11:46:16 0fd5ab5fdf13 balena-connect-proxy[186]: info: tunnel requested to device d0a4bdb4ff8840bd5b40e999327201348dbf822fe97959d4eea4e013d6e717 on port 22222
Nov 19 11:46:16 0fd5ab5fdf13 balena-connect-proxy[186]: info: forwarding tunnel request for d0a4bdb4ff8840bd5b40e999327201348dbf822fe97959d4eea4e013d6e717:22222 via
error: error forwarding request for d0a4bdb4ff8840bd5b40e999327201348dbf822fe97959d4eea4e013d6e717:22222 (could not connect to vpn tunnel: connect ETIMEDOUT

Why is it trying to connect to it looks like a docker local ip but there are no containers registered with such address.

I need help here, thanks in advance.

1 Like

Can you tell what version of balenaOS you are running on the devices?
The current release has balenaOS v2.58.3 as the minimum OS version that’s required on the devices.


error: error forwarding ... not connect to vpn tunnel: connect ETIMEDOUT

netstat -lptn on the openbalena server shows me that the as of now current git head of openbalena no longer exports port 3128:

git log -p compose/services.yml
commit da4c1678eccc54f61987e07add0830e14ea1fdcb
Author: Akis Kesoglou <>
Date:   Fri Jan 29 17:02:31 2021 +0200

    SECURITY: Close tunneling port (3128)
    Port 3128, which was used for tunneling into devices, was plain TCP and has now been closed. Tunnelling is now via `` (see #101). balena-cli versions before v12.38.5 are now incompatible and using the tunnel command will throw an error.
    Refs: #101
    Change-type: patch

diff --git a/compose/services.yml b/compose/services.yml
index 726c3ae..3d3a09e 100644
--- a/compose/services.yml
+++ b/compose/services.yml
@@ -154,9 +154,9 @@ services:
       - "80:80"
       - "443:443"
-      - "3128:3128"
       - "222"
+      - "3128"
       - "5432"
       - "6379"

You may revert this change, but it was closed because this tunnel unencrypted, the data was in the clear for anyone to sniff at it.

Newer versions of balena CLI should no longer attempt to connect to the openbalena server’s 3128, but use tunnel.${OPENBALENA_HOST_NAME}:443 via TLS (see the commit before the quoted commit in the git log of that file), but there might be other issues instead.

@jose_barrero in line with the excellent sleuthing done by @bkaindl, can you try with the latest CLI?