OpenBalena OpenVPN Service

@dganesh81 as of v8.15.0 of open-balena-vpn you can use VPN_BASE_SUBNET and VPN_INSTANCE_SUBNET_BITMASK to dictate the IP addresses handed out to VPN clients. I’ve also switched the default subnet over to the CGN address space (100.64.0.0/10) so the defaults should work in the majority of cases now.

Wow. That's awesome. If you don't mind, could you please let me know the procedure to change VPN_BASE_SUBNET and VPN_INSTANCE_SUBNET_BITMASK? Do I need to upgrade open Balena?

Thank you for your wonderful support.

@dganesh81 VPN_BASE_SUBNET and VPN_INSTANCE_SUBNET_BITMASK would need to be set as environment variables. The version of open-balena-vpn that @wrboyce mentioned (v8.15.0) was only released a few hours ago so you’ll need to update to get that version.

Hello [chrisys], do I need to update the complete open Balena or just the VPN container? Is there somewhere I can find the procedure? Please let me know.

Hi @dganesh81, if you do ./scripts/compose pull vpn && ./scripts/compose up -d vpn that should update and restart your vpn container inside openbalena.

@wrboyce,

It looks like it is still running on the old version. I tried to stop and start it again too.

root@balena:/home/balena/open-balena# ./scripts/compose pull vpn
Pulling vpn ... done
root@balena:/home/balena/open-balena# ./scripts/compose up -d vpn
openbalena_s3_1 is up-to-date
openbalena_db_1 is up-to-date
openbalena_redis_1 is up-to-date
openbalena_api_1 is up-to-date
openbalena_vpn_1 is up-to-date
root@balena:/home/balena/open-balena# sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bf731bdfa0a6 openbalena_haproxy "/docker-entrypoint.…" 12 days ago Up 54 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 222/tcp, 5432/tcp, 0.0.0.0:3128->3128/tcp, 6379/tcp openbalena_haproxy_1
d6a1519002c3 balena/open-balena-vpn:v8.10.0 "/usr/bin/entry.sh" 12 days ago Up About a minute 80/tcp, 443/tcp, 3128/tcp openbalena_vpn_1
2c242b91dbd7 balena/open-balena-registry:v2.7.0 "/usr/bin/entry.sh" 12 days ago Up 56 seconds 80/tcp openbalena_registry_1
f5a2b9eab2f1 balena/open-balena-api:v0.19.5 "/usr/bin/entry.sh" 12 days ago Up About a minute 80/tcp openbalena_api_1
771414aa1ea1 balena/open-balena-db:v2.0.3 "docker-entrypoint.s…" 12 days ago Up About a minute 5432/tcp openbalena_db_1
1a309d8931ea redis:alpine "docker-entrypoint.s…" 12 days ago Up About a minute 6379/tcp openbalena_redis_1
e02de65409cf balena/open-balena-s3:v2.6.2 "/usr/bin/entry.sh" 12 days ago Up 2 minutes 80/tcp openbalena_s3_1
2a2ccea443a3 openbalena_cert-provider "/entry.sh /usr/src/…" 12 days ago Up 55 seconds 80/tcp openbalena_cert-provider_1
root@balena:/home/balena/open-balena#

@dganesh81 hey - you need to edit the ./compose/versions file, here in the repo, to set the version you would like to run, then do the pull and up commands :+1:

It is working now. Perfect. Thanks a lot. I shall try the environment variable and post the output here.

root@balena:/home/balena/open-balena# sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c1a573c20fee balena/open-balena-vpn:v8.15.1 "/usr/bin/entry.sh" 5 seconds ago Up 3 seconds 80/tcp, 443/tcp, 3128/tcp

Hi All, I have tried to set the following in the VPN container, but with no success. Any ideas?

root@c1a573c20fee:/usr/src/app# cat /etc/environment
VPN_BASE_SUBNET="172.17.15.0/24"
VPN_INSTANCE_SUBNET_BITMASK="172.17.15.0/24"
root@c1a573c20fee:/usr/src/app#

After setting the above, I tried to stop/start the balena service as well.

The best way to configure this would be passing the environment via your config/docker-compose.yml, such as:

# Project-specific config.
#
# All paths must be defined relative to `compose/services.yml` regardless of
# the location of this file, i.e. refer to `my-open-balena-checkout/somedir`
# as `../somedir`. This is because of the way docker-compose handles paths
# when specifying multiple configs and open-balena always specifying
# `compose/services.yml` as the "base" config.
#
# You may view the effective config with `scripts/compose config`.

version: '2.1'

services:
  vpn:
    environment:
      VPN_BASE_SUBNET: 172.17.15.0/24
      VPN_INSTANCE_SUBNET_BITMASK: 24

Note that VPN_INSTANCE_SUBNET_BITMASK should just be the bitmask, as it indicates the size of the subnet each vpn instance will take from the base subnet.

Perfect. I have modified it as you suggested and it is working. I am also able to ssh using the VPN client IP address. Thank you.
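
An added example, not part of the thread and not open-balena-vpn's own code: a pre-flight check for the two variables before they go into config/docker-compose.yml. It assumes, per the reply above, that the bitmask is the prefix length of equal-sized subnets carved from the base subnet; the function name, the /20 bitmask and the local network are constructed for illustration, and how open-balena-vpn assigns subnets to instances is not modelled.

```python
import ipaddress
from itertools import islice


def check_vpn_subnets(base_subnet, instance_bitmask, local_networks=()):
    """Validate a VPN_BASE_SUBNET / VPN_INSTANCE_SUBNET_BITMASK pair.

    Returns a dict with the problems found and, when the pair is usable,
    how the base subnet divides into per-instance subnets.
    """
    result = {"problems": [], "instance_subnets": 0,
              "addresses_per_subnet": 0, "first_subnets": []}
    try:
        base = ipaddress.ip_network(str(base_subnet).strip())
    except ValueError as exc:
        result["problems"].append(f"VPN_BASE_SUBNET: {exc}")
        return result
    try:
        prefix = int(str(instance_bitmask).strip())
    except ValueError:
        # The mistake from the thread: a CIDR where a prefix length belongs.
        result["problems"].append(
            "VPN_INSTANCE_SUBNET_BITMASK must be a bare prefix length "
            f"such as 24, got {instance_bitmask!r}")
        return result
    if not base.prefixlen <= prefix <= base.max_prefixlen:
        result["problems"].append(
            f"bitmask /{prefix} does not fit inside {base}")
        return result
    # Overlap with networks already routed locally (caller-supplied list).
    for net in map(ipaddress.ip_network, local_networks):
        if net.version == base.version and base.overlaps(net):
            result["problems"].append(f"{base} overlaps local network {net}")
    # Total addresses per subnet, including network and broadcast addresses.
    result["instance_subnets"] = 2 ** (prefix - base.prefixlen)
    result["addresses_per_subnet"] = 2 ** (base.max_prefixlen - prefix)
    result["first_subnets"] = [
        str(s) for s in islice(base.subnets(new_prefix=prefix), 3)]
    return result


if __name__ == "__main__":
    # Constructed inputs: the values from the thread, plus sample networks.
    print(check_vpn_subnets("172.17.15.0/24", 24))
    print(check_vpn_subnets("172.17.15.0/24", "172.17.15.0/24"))
    print(check_vpn_subnets("100.64.0.0/10", 20, ["100.64.32.0/24"]))
```

With a /24 base and a bitmask of 24 there is exactly one instance subnet, so a deployment that runs several VPN instances needs a larger base or a longer bitmask.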