Correct way to configure SOCKS5 proxy on isolated Balena device

I have a Balena device that is using static IP on a completely isolated network (no default gateway). However one machine on the network is multi-homed and has internet access. I would like to set up a SOCKS5 proxy on that machine so that the Balena device can access the dashboard via it (including access for my container that accesses HTTPS services on the internet). What is the correct way to do this? I have tried to send a PATCH command for host-config, and it gets correctly updated in the system-proxy folder, however it doesn’t work, there’s no access attempted to my socks proxy.
If I set a fake default gateway then at least I can see the access attempts, but the dashboard only reports heartbeat, the VPN doesn’t connect. I assume it’s related to DNS, but how can I resolve this via host-config commands (I don’t have access to the device when it’s deployed)? I can access HTTP sites fine when I test the proxy using curl and IPs.

Issues

  1. Tunnel DNS via SOCKS5 proxy (I assume that’s part of the problem)
  2. Use proxy even if there’s no default gateway configured (iptables related?)

To configure a SOCKS5 proxy on an isolated Balena device, you’ll need to modify the proxy settings in the network configuration file. First, SSH into the device and locate the network configuration file, typically found at /etc/network/interfaces or /etc/network/interfaces.d/*. Then, add the SOCKS5 proxy configuration using the syntax provided by your proxy provider, including the server address, port, and any authentication details if required. Save the changes and restart the networking service for the changes to take effect.

But there is a supervisor API request for this, can’t that be used? In my scenario a user may want to enable/disable the proxy for their device via the touchscreen UI (and they won’t have ssh access). The SOCKS5 proxy server basically just has an IP and port (no auth), but I still had the two issues listed above.

I think you need to configure redsocks on your Balena device
sample configuration /mnt/boot/system-proxy/redsocks.conf:

base {
log_debug = off;
log_info = on;
log = "syslog:local7";
daemon = off;
redirector = iptables;
}
redsocks {
type = socks5;
ip = <your-socks-proxy-ip-address>;
port = 8123;
local_ip = 127.0.0.1;
local_port = 12345;
}

You can also check this document: https://docs.balena.io/reference/OS/network/#connecting-behind-a-proxy

1 Like

Right, but that’s what the request Supervisor API is supposed to do, right (and it does, the file is created)? But it doesn’t work with DNS, it seems there’s something missing there. And I couldn’t get it to work if there was no default gateway.