OpenBalena OpenVPN Service

Hello All,

I would like to customize the VPN Base subnet and mask. Is it possible in openVPN? If so, could you please advise how to do that? Also how to verify the devices are connected using vpn?

Hi dganesh81, this isn’t currently possible but probably should be. I will look into making these changes and let you know here if I have any updates.

Hi wrboyce, Thank you for the update. Could you please let me know how I can verify the endpoints are connected using VPN? Also, what is the default pool used in Balena VPN?

Hi dganesh81.

How are you looking to verify connectivity? For most purposes simply verifying the existence of a /sys/devices/virtual/net/resin-vpn directory should be sufficient (if this directory exists, then the VPN interface is up).

If you wanted to go a step further and verify L7 connectivity, then I think pinging the remote peer address would be your best bet, but I’m struggling to find a nice way to programmatically get that address; the best I can do is something like:

# Interface check: /sys/devices/virtual/net/<iface> exists only while the tun device exists
if [ -d "/sys/devices/virtual/net/resin-vpn" ]; then
  echo "VPN interface is UP"
  # A point-to-point tun interface lists its remote end as "inet <local> peer <remote>/<prefix>";
  # take the field after "peer" and strip the prefix length
  peer=$(ip addr show resin-vpn | awk '/inet .+ peer/ {split($4, peer, "/"); print peer[1]}')
  if ping -c1 "${peer}" >/dev/null 2>&1; then
    echo "VPN connectivity is UP"
  else
    echo "VPN connectivity is DOWN"
  fi
else
  echo "VPN interface is DOWN"
fi

Hi wrboyce,

I think it will help. But I am not able to find the resin-vpn folder. Do you think I can find it somewhere else?

admin@balena:/sys/devices/virtual/net$ ls
br-7cbd177c4b31 docker0 lo veth3506329 veth3cf43f3 veth4ca2dc1 veth557aa32 veth57a868a veth6bbbe07 veth799ac3d vethd51747c
admin@balena:/sys/devices/virtual/net$

@dganesh81 can you show me the output of ifconfig -a ; systemctl status openvpn please?

Here it is.

br-7cbd177c4b31: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:37ff:fe72:c999 prefixlen 64 scopeid 0x20
ether 02:42:37:72:c9:99 txqueuelen 0 (Ethernet)
RX packets 1143523 bytes 120272422 (120.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1026841 bytes 534194226 (534.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:e1ff:fe7b:2cf5 prefixlen 64 scopeid 0x20
ether 02:42:e1:7b:2c:f5 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 446 (446.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.44.186 netmask 255.255.255.0 broadcast 10.1.44.255
inet6 fe80::3076:f5ff:feab:c5aa prefixlen 64 scopeid 0x20
ether 32:76:f5:ab:c5:aa txqueuelen 1000 (Ethernet)
RX packets 5845713 bytes 1286937954 (1.2 GB)
RX errors 0 dropped 809 overruns 0 frame 0
TX packets 1192175 bytes 140667144 (140.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 484 bytes 48076 (48.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 484 bytes 48076 (48.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth3506329: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2cef:e2ff:fecd:f9a4 prefixlen 64 scopeid 0x20
ether 2e:ef:e2:cd:f9:a4 txqueuelen 0 (Ethernet)
RX packets 1895635 bytes 153472100 (153.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1116620 bytes 109856723 (109.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth3cf43f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3470:b7ff:fe18:844e prefixlen 64 scopeid 0x20
ether 36:70:b7:18:84:4e txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 173 bytes 12324 (12.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth4ca2dc1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3002:80ff:fee3:c45b prefixlen 64 scopeid 0x20
ether 32:02:80:e3:c4:5b txqueuelen 0 (Ethernet)
RX packets 427818 bytes 45372670 (45.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 541386 bytes 54116345 (54.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth557aa32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::8473:f3ff:fec0:3a35 prefixlen 64 scopeid 0x20
ether 86:73:f3:c0:3a:35 txqueuelen 0 (Ethernet)
RX packets 144972 bytes 10418972 (10.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 278171 bytes 19202690 (19.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth57a868a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::7087:2fff:fe28:b309 prefixlen 64 scopeid 0x20
ether 72:87:2f:28:b3:09 txqueuelen 0 (Ethernet)
RX packets 255424 bytes 20390654 (20.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 440930 bytes 37588493 (37.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth6bbbe07: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ec5f:89ff:feae:6926 prefixlen 64 scopeid 0x20
ether ee:5f:89:ae:69:26 txqueuelen 0 (Ethernet)
RX packets 451917 bytes 54360892 (54.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 665567 bytes 59220910 (59.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth799ac3d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2468:40ff:fec6:a87e prefixlen 64 scopeid 0x20
ether 26:68:40:c6:a8:7e txqueuelen 0 (Ethernet)
RX packets 140623 bytes 10162692 (10.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 273788 bytes 18952031 (18.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethd51747c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3cd5:47ff:fe04:f80c prefixlen 64 scopeid 0x20
ether 3e:d5:47:04:f8:0c txqueuelen 0 (Ethernet)
RX packets 28 bytes 2792 (2.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 207 bytes 20373 (20.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Unit openvpn.service could not be found.

Curious, can you just confirm your OS version for me please? The output of cat /etc/os-release would be perfect.

Here you go.

NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Aah I think we’ve got our wires crossed a bit here, sorry!

Just to go back to your question about confirming VPN connectivity… From which end of the connection are you wanting to verify? I’ve been giving you commands to run on the client/device.

I would like to verify from the OpenBalena server. I can see the device is registered, but I am unable to SSH to the RasPi using the Ethernet IP address and don't know the VPN client IP address of the RasPi.

root@Balena-CLI:~# balena device a4577b3
== COOL SHAPE
ID: 1
DEVICE TYPE: raspberrypi3
STATUS: idle
IS ONLINE: true
IP ADDRESS: 172.29.163.200
APPLICATION NAME: myApp
UUID: a4577b32eac2a8a92eb7bec468916db7
SUPERVISOR VERSION: 9.15.0
OS VERSION: balenaOS 2.36.0+rev2

Gotcha, in that case the best way is probably to grep /var/run/openvpn/server-*.status for the device UUID (in the VPN container).
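An added example (not open-balena's or balenaOS's own code) of doing that lookup without eyeballing the file. OpenVPN writes its status file in the "status-version 1" layout, whose ROUTING TABLE section is the "Virtual Address,Common Name,Real Address,Last Ref" table; balena devices authenticate to the VPN with their UUID as the certificate Common Name, so matching the UUID against the second column of that table gives the device's tunnel address. The status file below is a constructed sample written to a temp file so the script runs offline (the second UUID and the byte counts are made up); in the VPN container you would pass /var/run/openvpn/server-*.status instead.

```shell
#!/bin/sh
# Added example, not open-balena's own code: query an OpenVPN "status-version 1"
# status file for a device's tunnel address. Sample data below is constructed.

# vpn_addr_for_uuid UUID STATUSFILE...
# Print the virtual (tunnel) address assigned to the client whose Common Name
# equals UUID, taken from the ROUTING TABLE section. Prints nothing if the
# device is not currently connected. Accepts several files (e.g. a glob).
vpn_addr_for_uuid() {
  cn="$1"; shift
  awk -F, -v cn="$cn" '
    /^ROUTING TABLE$/ { in_rt = 1; next }   # table starts after this marker
    /^GLOBAL STATS$/  { in_rt = 0 }         # and ends at the next section
    # first field is a dotted address on data rows, "Virtual Address" on the header
    in_rt && $2 == cn && $1 ~ /^[0-9.]+$/ { print $1; exit }
  ' "$@"
}

# vpn_client_count STATUSFILE...
# Count connected clients in the CLIENT LIST section (header row excluded).
vpn_client_count() {
  awk -F, '
    /^OpenVPN CLIENT LIST$/ { in_cl = 1; next }
    /^ROUTING TABLE$/       { in_cl = 0 }
    in_cl && NF == 5 && $1 != "Common Name" { n++ }
    END { print n + 0 }
  ' "$@"
}

# write_sample_status: write a constructed status file and echo its path.
# Layout follows OpenVPN status-version 1; only the first routing row mirrors
# the thread, everything else is invented for the example.
write_sample_status() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jun 24 11:55:27 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
a4577b32eac2a8a92eb7bec468916db7,127.0.0.1:41036,22918,31405,Mon Jun 24 11:02:10 2019
c0ffee0000000000000000000000002a,127.0.0.1:41102,1180,2034,Mon Jun 24 11:40:51 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.240.0.3,a4577b32eac2a8a92eb7bec468916db7,127.0.0.1:41036,Mon Jun 24 11:55:27 2019
10.240.0.5,c0ffee0000000000000000000000002a,127.0.0.1:41102,Mon Jun 24 11:55:20 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
  echo "$f"
}

# Demo against the constructed sample. In the VPN container the real call is:
#   vpn_addr_for_uuid <device-uuid> /var/run/openvpn/server-*.status
status_file=$(write_sample_status)
echo "clients connected: $(vpn_client_count "$status_file")"
echo "a4577b32... is at: $(vpn_addr_for_uuid a4577b32eac2a8a92eb7bec468916db7 "$status_file")"
rm -f "$status_file"
```

The Real Address column in the thread is 127.0.0.1 because the device reaches OpenVPN through the local proxy in front of it, so it is the Virtual Address, not the Real Address, that you ping or SSH to from inside the container.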

Thank you. I am able to see the VPN status and IP address. However, I am not able to SSH to the RasPi. Is it possible from the VPN container? Or is there any other way? Sorry to ask a lot :frowning:. Also, is there any default credential configured in balenaOS?

Virtual Address,Common Name,Real Address,Last Ref
10.240.0.3,a4577b32eac2a8a92eb7bec468916db7,127.0.0.1:41036,Mon Jun 24 11:55:27 2019

root@d6a1519002c3:/var/run/openvpn# ping 10.240.0.3
PING 10.240.0.3 (10.240.0.3) 56(84) bytes of data.
64 bytes from 10.240.0.3: icmp_seq=1 ttl=64 time=1.61 ms
^C
--- 10.240.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.613/1.613/1.613/0.000 ms

SSH is getting connection refused. :frowning:

root@d6a1519002c3:/var/run/openvpn# ssh 10.240.0.3
ssh: connect to host 10.240.0.3 port 22: Connection refused

@dganesh81 SSH on balenaOS is bound to port 22222, so pass -p 22222 to your SSH command and see if that works.

It is a good hint... But I'm still getting denied by pubkey.

root@Balena-CLI:~# ssh -p 22222 172.29.163.200
The authenticity of host '[172.29.163.200]:22222 ([172.29.163.200]:22222)' can't be established.
RSA key fingerprint is SHA256:Dm4eu0XAc1EMq8hq1Tbq7vGkuiN+cTqPjEFjPhCgOEI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.29.163.200]:22222' (RSA) to the list of known hosts.
root@172.29.163.200: Permission denied (publickey).

@dganesh81 are you using a production image, rather than a development one?

If you’re using a production image then you must use a public/private key for auth, and it should be provided in your device’s config.json. See here for details.

I am using the production image. Which one is better? I am currently checking whether Balena is suitable for our project. If I use the production image, do I need to generate an RSA key on each RasPi manually, or can I use the Balena CLI to generate it? Please suggest.

@dganesh81 the images are the same for the most part; it’s just that services are more restricted (for security) on a production image.

I suggest you put your machine’s public key in the config.json of all the devices in your fleet that you want access to, rather than a different one per device. I haven’t looked at using the Balena CLI to do this, as the link I shared makes it easy enough to do.

@richbayliss Understood. Thank you for the details.