Setup of openBalena with HAProxy and Traefik

Hello guys

I am new to openBalena, and I've got an issue.

My setup already has a Traefik reverse proxy that I configured to be a TCP router for the openBalena domains. I configured Traefik to simply route the TCP traffic to HAProxy so TLS is terminated by HAProxy.

HAProxy has SSL certificates. I used make pki-custom with the certificates I got from Traefik.
So I can access the device list, but as soon as the device registers it shows up as IS ONLINE = false. I suspect something with the VPN is misconfigured.

If I SSH into the device and look at the logs with journalctl -f -n 200 -u openvpn.service, I get the following:

Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 TCP/UDP: Preserving recently used remote address: [AF_INET]<ip>
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 Attempting to establish TCP connection with [AF_INET]<ip> [nonblock]
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 TCP connection established with [AF_INET]<ip>
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 TCP_CLIENT link local: (not bound)
Oct 09 06:16:53 e2cbdcd openvpn[2271]: 2025-10-09 06:16:53 TCP_CLIENT link remote: [AF_INET]<ip>
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 Connection reset, restarting [0]
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 SIGUSR1[soft,connection-reset] received, process restarting
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 Restart pause, 120 second(s)

To set up the server I followed the official Getting Started guide.

If I check the logs of the vpn container with docker compose logs vpn, I get:

vpn-1  | [1179091.481328] vpn[1613]: notice: [vpn-2.2] TCP connection established with [AF_INET]127.0.0.1:34860
vpn-1  | [1179091.481506] vpn[1613]: notice: [vpn-2.2] Socket flags: TCP_NODELAY=1 succeeded
vpn-1  | [1179091.481533] vpn[1613]: notice: [vpn-2.2] 127.0.0.1:34860 Connection reset, restarting [-1]
vpn-1  | [1179091.481566] vpn[1613]: notice: [vpn-2.2] 127.0.0.1:34860 SIGUSR1[soft,connection-reset] received, client-instance restarting

HAProxy also has some errors in the logs:

haproxy-1  | ::ffff:<ip> [09/Oct/2025:06:27:45.455] tcp-router redirect-to-https/localhost 1/1/18 4515 -- 1/1/0/0/0 0/0
haproxy-1  | ::ffff:<ip> [09/Oct/2025:06:27:45.455] tcp-router redirect-to-https/localhost 1/1/18 4515 -- 1/1/0/0/0 0/0
haproxy-1  | ::ffff:<ip> [09/Oct/2025:06:27:45.645] https/1: SSL handshake failure (error:0A000438:SSL routines::tlsv1 alert internal error)
haproxy-1  | ::ffff:<ip> [09/Oct/2025:06:27:45.645] https/1: SSL handshake failure (error:0A000438:SSL routines::tlsv1 alert internal error)

I have no idea where the issue with the device IS ONLINE = false could originate, and I have already lost so much time.

I hope you guys can help me with my issue.
I also saw on the device that it will connect to cloudlink.mydomain.com and not tunnel.mydomain.com.

Best regards

k4linx

Edit: The device I am testing with is a Raspberry Pi 3B+ running 64-bit balenaOS 17.0.3.
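
OpenVPN over TCP prefixes every packet with a 16-bit big-endian length, so the number in a "Bad encapsulated packet length" warning is simply the first two bytes the peer sent. The following is an added example, not part of the original post (the function names are hypothetical): it decodes that number from the device's WARNING line to show what kind of service answered the VPN connection.

```python
import re
import struct

# Matches the warning OpenVPN logs when the 2-byte length prefix is implausible.
BAD_LEN = re.compile(r"Bad encapsulated packet length from peer \((\d+)\)")

# Constructed sample: two lines taken from the device log above (first one shortened).
SAMPLE_LOG = """\
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627
Oct 09 06:17:53 e2cbdcd openvpn[2271]: 2025-10-09 06:17:53 Connection reset, restarting [0]
"""


def classify_prefix(length):
    """Return (raw_bytes, guess) for a reported 'bad packet length'."""
    if not 0 <= length <= 0xFFFF:
        return b"", "not-a-16-bit-length"
    raw = struct.pack(">H", length)  # the first two bytes the peer sent
    if raw == b"HT":
        return raw, "http-response"  # start of an "HTTP/1.x ..." status line
    if raw == b"SS":
        return raw, "ssh-banner"  # start of an "SSH-2.0-..." banner
    if raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03:
        return raw, "tls-record"  # TLS record header: content type, version 3.x
    if all(0x20 <= b < 0x7F for b in raw):
        return raw, "ascii-text"  # some other plaintext protocol
    return raw, "unknown"  # may be a real MTU or framing mismatch


def analyse(log_text):
    """Return (length, raw_bytes, guess) for every matching warning line."""
    results = []
    for line in log_text.splitlines():
        match = BAD_LEN.search(line)
        if match:
            length = int(match.group(1))
            results.append((length,) + classify_prefix(length))
    return results


if __name__ == "__main__":
    for length, raw, guess in analyse(SAMPLE_LOG):
        print(f"{length} = 0x{length:04x} -> {raw!r} -> {guess}")
```

For the value in the log above, 18516 is 0x4854, the ASCII bytes `HT`, which is consistent with the start of an `HTTP/...` response reaching the device instead of an OpenVPN packet.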