Disabling VPN permanently

Hello. We have a customer who is very picky with their IT security, I actually appreciate it. However, they do not like the idea of a device sitting on their network which allows remote access to shell. Is there a way I can disable the VPN connection permanently?

Hi @pinter,

You can disable the Cloudlink service by setting the Device Configuration variable "Enable / Disable Cloudlink service on device" to false in the UI, or using the API or the CLI by toggling the environment variable BALENA_SUPERVISOR_VPN_CONTROL.

Note that you will lose more functionalities than just SSH access: you won’t be able to carry out device actions remotely, or perform an OS update. You can read more about it in our docs: Security | balena

That's all very well. But you say to download the product, which we do. Only to be left with a useless download.
Make the product runnable, all we have now is a downloaded set of useless files.

Thanks

Charlie Calvert
halifaxjack@aol.com

I disabled it from the cloud but when the device restarted it called home and checked, i.e. it can be re-enabled at any time. I know this is a weird use case but it is what it is.

Thanks

Charlie Calvert
halifaxjack@aol.com

So part of the issue is it can be re-enabled from the cloud? If the customer takes issue with that then they will truly be out of luck if they need temporary remote access or need to perform host updates (e.g. to get security patches).

To accomplish this in a way that could not be re-enabled via the API, I would suggest their IT team block outbound OpenVPN traffic from these devices on port 443 at the network level.

There are ways of stopping the openvpn service via a user application service with dbus, but there will always be a time window on startup where openvpn can start before the application can stop it.

That’s great, thank you! I think that’s exactly what we’ll do and that way the customer can determine when access is available.
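
The network-level block suggested above has to tell the device's OpenVPN session apart from ordinary HTTPS on the same port. As an added example (not from this thread or from balena), the Python check below classifies the first client payload of a TCP/443 flow as a TLS ClientHello or an OpenVPN hard reset. It assumes OpenVPN runs over TCP without obfuscation; the function names, addresses and payload bytes are constructed for illustration.

```python
import struct

# Client-side session-opening opcodes from the OpenVPN wire protocol.
HARD_RESET_CLIENT = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                     10: "P_CONTROL_HARD_RESET_CLIENT_V3"}
# opcode(1) + session id(8) + ack count(1) + packet id(4), with no tls-auth HMAC.
MIN_RESET_LEN = 14


def classify_first_payload(payload: bytes) -> str:
    """Label the first client-to-server payload of a TCP/443 flow."""
    if len(payload) < 6:
        return "unknown"
    # TLS: handshake record (0x16), version major 3, ClientHello (0x01) at offset 5.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 16-bit big-endian length, then opcode (5 bits) | key id (3 bits).
    (pkt_len,) = struct.unpack_from("!H", payload, 0)
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    if (opcode in HARD_RESET_CLIENT and key_id == 0
            and MIN_RESET_LEN <= pkt_len <= len(payload) - 2):
        return "openvpn"
    return "unknown"


def flows_to_block(flows):
    """Return (src, dst) pairs whose first payload is an OpenVPN hard reset."""
    return [(src, dst) for src, dst, payload in flows
            if classify_first_payload(payload) == "openvpn"]


# Constructed sample data: documentation addresses and hand-built payload prefixes.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", bytes.fromhex("000e38") + bytes(8) + bytes(5)),
    ("192.0.2.10", "198.51.100.9", bytes.fromhex("16030100050100000100")),
    ("192.0.2.11", "198.51.100.5", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst in flows_to_block(SAMPLE_FLOWS):
        print(f"block {src} -> {dst}:443 (OpenVPN handshake)")
```

The same two byte patterns are what a DPI-capable firewall rule would match on, so HTTPS from the device keeps working while the tunnel is refused.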