OpenVPN configuration and reachability

Hi, where can I find more information on OpenVPN with Balena, its VPN architecture and how it is configured?
Is it possible to reach a BalenaOS device from a backend (e.g. VM) through the VPN?

Thanks

Hello, our VPN is open source; you can have a look at the README on https://github.com/balena-io/open-balena-vpn as a general guideline. It's possible to connect to a device from outside: you can either use the balena CLI (through ssh or tunnel) or talk directly to the HTTP CONNECT proxy on vpn.balena-cloud.com:3128
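To make the "talk directly to the HTTP CONNECT proxy" option concrete, here is an added example (not code from the thread or from the open-balena-vpn project) of the CONNECT exchange a client performs: send the request, read the proxy's status line, and only then treat the socket as a pipe to the device port. The proxy is replaced by a constructed in-process mock that stands in for vpn.balena-cloud.com:3128; the bearer-style Proxy-Authorization header and the target host form are assumptions, since the thread does not document the real scheme.

```python
import socket
import threading

def build_connect_request(target_host, target_port, token=None):
    # CONNECT request line, Host header, optional proxy credential, terminating blank line.
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1", f"Host: {target_host}:{target_port}"]
    if token is not None:
        # Assumption: bearer-style proxy auth; the thread does not document the real scheme.
        lines.append(f"Proxy-Authorization: Bearer {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def read_connect_status(sock):
    # Read the proxy's header block up to the blank line and return the HTTP status code.
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return int(buf.split(b"\r\n", 1)[0].split()[1])

def open_tunnel(proxy_addr, target_host, target_port, token=None):
    # On 200 the same TCP socket becomes a raw byte pipe to target_host:target_port.
    sock = socket.create_connection(proxy_addr, timeout=5)
    sock.sendall(build_connect_request(target_host, target_port, token))
    status = read_connect_status(sock)
    if status != 200:
        sock.close()
        raise PermissionError(f"proxy refused CONNECT with status {status}")
    return sock

def mock_proxy(allowed_token):
    # Constructed stand-in for the real proxy: 200 then echo if the token matches, else 407.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        req = b""
        while b"\r\n\r\n" not in req:
            req += conn.recv(4096)
        if f"Bearer {allowed_token}".encode() in req:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            conn.sendall(conn.recv(4096))  # echo one message, standing in for the device's reply
        else:
            conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

A wrong or missing credential surfaces as a non-200 status before any bytes reach the device, which is the check a client must make rather than assuming the tunnel is up.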

@nazrhom thanks. Actually that README file has not much architecture information 🙂
Do I understand correctly that every device runs an OpenVPN server? Hence BalenaCloud is an OpenVPN client? The connection to a device is through BalenaCloud using either the balena CLI or the cloud proxy, right?

Also, I know that an OpenVPN server is not license free. I mean the free tier allows only 2 connections. Does it mean that a device can only receive 2 connections? However, I assume that if a connection is mediated by BalenaCloud then all connections are multiplexed through that single connection?

About

you can either use balena cli (through ssh or tunnel)

this means that ssh is tunnelled into the established VPN channel, right?
Regarding the tunnel, is it like an SSH port forwarder?
Is it possible to use a device like a “Jump Server” to access a machine in the same internal network? Something like you do in SSH:

ssh -L 80:myInternalService.example.com:80 myDevice.example.com

Thanks a lot for the feedback, and sorry for the many questions in only one post.

@banto_78 that is not correct. What happens is that an openVPN client is run on the balenaOS devices, and they connect to the balenaCloud openVPN server. That backend also has a proxy, which enables the CLI or the UI to connect through it to the device. (There are some mentions in the docs regarding this, but I guess it’s too high level for this discussion, and not enough details.)

Yes, the connections to the device should be multiplexed through that original connection.

The openVPN daemon as much as I can tell is GPL licensed, and thus open source. OpenVPN has commercial offerings as well, but that’s not what’s in use here.

For the balena tunnel command of the CLI, see the help for more information:

Usage: tunnel <deviceOrApplication>

Use this command to open local ports which tunnel to listening ports on your balenaOS device.

For example, you could open port 8080 on your local machine to connect to your managed balenaOS
device running a web server listening on port 3000.

You can tunnel multiple ports at any given time.

Examples:

	# map remote port 22222 to localhost:22222
	$ balena tunnel abcde12345 -p 22222

	# map remote port 22222 to localhost:222
	$ balena tunnel abcde12345 -p 22222:222

	# map remote port 22222 to any address on your host machine, port 22222
	$ balena tunnel abcde12345 -p 22222:0.0.0.0

	# map remote port 22222 to any address on your host machine, port 222
	$ balena tunnel abcde12345 -p 22222:0.0.0.0:222

	# multiple port tunnels can be specified at any one time
	$ balena tunnel abcde12345 -p 8080:3000 -p 8081:9000

Options:

    --port, -p <port>                   The mapping of remote to local ports.

You also ask:

The balena tunnel command is something similar, but that happens on your development machine, not on the device.

That is not possible by default, as much as I understand. I guess you could do a combination of an application which deploys an SSH server in a container, does the port forwarding on the device’s local network, and then use balena tunnel to forward a local port of your development machine to the port that is opened by the application, and do the forwarding in these two steps.

[dev machine] -- balena tunnel --> [balena device][ssh app service] -- ssh forwarding --> [LAN service]

I’m guessing, though have not tried this.

Does this help?

@imrehg thanks. I will think about it and give it a try.
Just as follow up: if the OpenVPN Server is on the BalenaCloud, does it also mean that all devices in the same Application are in the same VPN network?

thanks.

No, the devices cannot talk to each other over the VPN; each of them is isolated, as much as I know.

Having said that, it’s an interesting idea, and I will check with the team whether it would be a feature that we can consider adding in the future.
