We have a use case where our customers require all traffic from a Balena device to be routed via a proxy. We have configured a proxy server in redsocks and that seems to be routing all traffic from the application via the configured proxy. However, it is not clear if any of the VPN traffic is being routed via the proxy.
Can someone clarify if the VPN traffic also gets routed via the proxy? If not, is there a way to do that?
One of our OS engineers recently replied to this request in another post, so I will reshare that answer here. Please let us know if you have any questions upon reading it!
For networks that restrict access to balena-cloud.com subdomains the solution is to route the traffic to Balena servers through a proxy. For this purpose we include Redsocks in the host OS, which is a TCP-to-proxy redirector.
A: The OpenVPN client that runs in the host OS is configured to use the TCP protocol and the connection itself is encrypted with SSL. Currently it connects to cloudlink.balena-cloud.com on port 443. It is running on top of TCP (instead of UDP) and uses port 443 (which is also used for HTTPS traffic) as those are usually allowed on restrictive networks.
Since the OpenVPN client is configured to run on top of TCP under balenaOS that means that if Redsocks is enabled, the VPN traffic will also go through the proxy.
I was under the impression that the only traffic that will go over the redsocks proxy was the Balena API traffic, and not the Balena Registry traffic or the BalenaVPN traffic. Is this a certainty that redsocks will work, and how can we verify at the device level that it's working?
I have seen the repo that Balena made, and even though it's good to verify the API traffic, we need to be able to check that the registry traffic, the VPN traffic and the delta traffic as well can go, and will be forced to go, over that proxy via redsocks.
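The reshared answer above explains why the VPN session is proxied (OpenVPN over TCP to port 443, with redsocks redirecting TCP flows), and the follow-up asks how to confirm that on the device. The script below is an added example, not code from balena or from anyone in this thread, that turns both points into a device-level check. It assumes a redsocks.conf in redsocks' own `key = value;` syntax, an iptables nat chain that REDIRECTs TCP into redsocks' `local_port`, the process names `openvpn` and `redsocks` as shown by `ss -tnp`, and the sample addresses and ports; none of those details come from the thread, and every input below is a constructed sample rather than output captured from a device.

```bash
#!/usr/bin/env bash
# Added example (not balena's own tooling): device-level checks that the OpenVPN
# session is being forced through redsocks. All inputs are constructed samples;
# on a device, replace them with the real redsocks.conf and the output of
# `iptables -t nat -S` and `ss -tnp`. Rule layout and process names are assumptions.

# Constructed redsocks.conf in redsocks' config syntax (values assumed).
REDSOCKS_CONF=$(cat <<'EOF'
base { log = "stderr"; daemon = off; redirector = iptables; }
redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;
    ip = 10.0.0.5;
    port = 3128;
    type = http-connect;
}
EOF
)

# Constructed `iptables -t nat -S` output (assumed layout): all TCP goes to a
# REDSOCKS chain; loopback and the proxy itself are exempted, otherwise
# redsocks' own connection to the proxy would be redirected back into redsocks.
IPTABLES_NAT=$(cat <<'EOF'
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N REDSOCKS
-A OUTPUT -p tcp -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.5/32 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
EOF
)

# Constructed `ss -tnp` output (203.0.113.10 stands in for the cloudlink address).
# openvpn still reports its peer as cloudlink:443 because REDIRECT rewrites the
# packets, not the socket; the evidence of redirection is the redsocks socket on
# 127.0.0.1:12345 whose peer port equals openvpn's source port, which REDIRECT
# leaves untouched.
SS_GOOD=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.168.1.10:51234   10.0.0.5:3128        users:(("redsocks",pid=812,fd=7))
ESTAB  0      0      192.168.1.10:49870   203.0.113.10:443     users:(("openvpn",pid=901,fd=3))
ESTAB  0      0      127.0.0.1:12345      192.168.1.10:49870   users:(("redsocks",pid=812,fd=6))
EOF
)

# Same device with redsocks bypassed: openvpn went straight out on 443.
SS_BAD=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.168.1.10:49871   203.0.113.10:443     users:(("openvpn",pid=901,fd=3))
EOF
)

# Pull one "key = value;" setting out of the redsocks { } section.
redsocks_setting() {   # $1 = config text, $2 = key
    printf '%s\n' "$1" | awk -v key="$2" '
        /^redsocks[[:space:]]*\{/ { inside = 1; next }
        inside && /^\}/            { inside = 0 }
        inside && $1 == key        { v = $3; sub(/;$/, "", v); print v; exit }'
}

# Is there a nat rule sending TCP into redsocks on its local_port?
redirect_rule_present() {   # $1 = iptables -t nat -S output, $2 = local_port
    printf '%s\n' "$1" | grep -q -- "-j REDIRECT --to-ports $2\$"
}

# Is the upstream proxy excluded from redirection (no redsocks-to-redsocks loop)?
proxy_exempted() {   # $1 = iptables -t nat -S output, $2 = proxy ip
    printf '%s\n' "$1" | grep -qF -- "-d $2/32 -j RETURN"
}

# Does redsocks hold an established session to the proxy named in its config?
proxy_connected() {   # $1 = ss -tnp output, $2 = proxy ip, $3 = proxy port
    printf '%s\n' "$1" | awk -v peer="$2:$3" '
        $1 == "ESTAB" && $5 == peer && $6 ~ /"redsocks"/ { ok = 1 }
        END { exit !ok }'
}

# For every established flow of process $4 to port $3, require a matching
# redsocks socket on local_port $2 whose peer port is that flow's source port.
flow_redirected() {   # $1 = ss -tnp output, $2 = local_port, $3 = dest port, $4 = process
    printf '%s\n' "$1" | awk -v lp="$2" -v dp="$3" -v proc="\"$4\"" '
        $1 != "ESTAB" { next }
        { n = split($4, l, ":"); lport = l[n]; n = split($5, p, ":"); pport = p[n] }
        index($6, proc) && pport == dp          { flow[lport] = 1; found++ }
        index($6, "\"redsocks\"") && lport == lp { accepted[pport] = 1 }
        END {
            if (!found) exit 2
            for (sp in flow) if (!(sp in accepted)) exit 1
            exit 0
        }'
}

# Run all checks; returns 0 only when the OpenVPN session is demonstrably proxied.
check_vpn_proxied() {   # $1 = redsocks.conf text, $2 = iptables -t nat -S, $3 = ss -tnp
    local lport pip pport
    lport=$(redsocks_setting "$1" local_port)
    pip=$(redsocks_setting "$1" ip)
    pport=$(redsocks_setting "$1" port)
    redirect_rule_present "$2" "$lport"        || { echo "no REDIRECT rule to port $lport"; return 1; }
    proxy_exempted "$2" "$pip"                 || { echo "proxy $pip not exempted from redirection"; return 1; }
    proxy_connected "$3" "$pip" "$pport"       || { echo "redsocks has no session to $pip:$pport"; return 1; }
    flow_redirected "$3" "$lport" 443 openvpn  || { echo "openvpn session is not passing through redsocks"; return 1; }
    echo "openvpn session on port 443 is redirected into redsocks and relayed via $pip:$pport"
}

check_vpn_proxied "$REDSOCKS_CONF" "$IPTABLES_NAT" "$SS_GOOD"
check_vpn_proxied "$REDSOCKS_CONF" "$IPTABLES_NAT" "$SS_BAD" || true
```

On a device you would run the same function as root with live data, for example `check_vpn_proxied "$(cat redsocks.conf)" "$(iptables -t nat -S)" "$(ss -tnp)"`, using whatever path balenaOS keeps the config at (the thread does not give it). The correlation on source port is what distinguishes "redirected" from "connected directly", since the OpenVPN socket itself looks identical in both cases. The same `flow_redirected` check applied with the engine's process name instead of `openvpn` covers the registry and delta pulls that the last post asks about, provided those also run over TCP to a port the REDIRECT rule covers.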