Traefik frontend

Hello everyone!

I have been playing with OpenBalena on a Proxmox VM and everything works great as long as the devices are connected to the same LAN.

When trying to make OpenBalena accessible from the outside I’m facing an issue with the VPN connection (I guess, not sure). My setup is that I have a DMZ with a Traefik 2.3 reverse proxy on port 443 and I have configured my router to forward traffic on port 3128 directly to the VM.

Since OpenBalena is doing some trick on the TCP connection for the VPN, I’m configuring a TCP router on traefik to transparently forward traffic to the VM and only take care of the certificates.

This is my configuration on traefik:

tcp:
  routers:
    openbalena:
      # Traefik v2 expects entryPoints as a list, not a bare string
      entryPoints:
        - "https"
      rule: "HostSNI(`openbalena.mydomain.com`, `api.openbalena.mydomain.com`, `vpn.openbalena.mydomain.com`, `s3.openbalena.mydomain.com`, `registry.openbalena.mydomain.com`)"
      service: "openbalena"
      tls:
        # boolean, not the string "true": hand the TLS stream to the VM untouched
        passthrough: true

  services:
    openbalena:
      loadBalancer:
        servers:
          - address: "192.168.1.201:443"

All the subdomains are pointing to my router. Balena CLI works great, I can do everything with it from inside and outside the LAN.

When the device is inside my LAN, with the vpn.openbalena.mydomain.com pointing to my VM it works but as soon as it’s outside the LAN (and it goes through my router and my traefik) it always shows as offline. The application on the device works (it’s a TTN gateway and I can see it posting to the TTN console), it registers (I can see it when typing “balena devices”), I can see the logs of the device but it’s always offline and I cannot SSH to it.

Any insights on what I should double check? I’m not 100% sure but my guess is that it’s got to be with the VPN connection and TCP trick HAProxy does. My traefik might be stripping out some info HAProxy requires to handle the connection properly.

Thank you!

BTW: awesome project! :smile: !

Hey, openBalena maintainer and Traefik fan here.

Any insights on what I should double check? I’m not 100% sure but my guess is that it’s got to be with the VPN connection and TCP trick HAProxy does. My traefik might be stripping out some info HAProxy requires to handle the connection properly.

I agree. If you want to do this then you’d be better off configuring openBalena to use a different port than 443 for the VPN and handling it separately, or having 2 IPs on your host and binding each IP to 443, but route them accordingly; 1 to HTTPS and 1 to VPN.

If you look at how the included HAProxy does the forwarding, it basically has an ACL to match a TLS version or not. If it’s a certain TLS version then it gets handled as HTTPS traffic, and if not then it’s assumed to be VPN. OpenVPN does use TLS at some level, but it’s not a pure TLS connection so it cannot be treated as such. SNI etc. cannot be used to infer its intended host.
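To make the point above concrete, here is an added example (not openBalena's or HAProxy's code) that looks at the first bytes a client sends on a TCP connection and makes the same decision the HAProxy ACL makes: a TLS record header (content type 0x16, version major 0x03) means HTTPS and the SNI can be read out of the ClientHello; an OpenVPN-over-TCP control packet (2-byte length prefix followed by an opcode byte whose top 5 bits are a client hard-reset opcode) is not a TLS record at all, so there is no SNI to route on. The ClientHello builder and the OpenVPN packet are constructed samples; the 1500-byte sanity bound on the OpenVPN length prefix is an assumption for the example.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: Handshake
TLS_MAJOR = 0x03                # record-layer version major byte (SSL 3.0 / TLS 1.x)
CLIENT_HELLO = 0x01             # handshake message type
# OpenVPN opcodes live in the top 5 bits of the first byte after the TCP length prefix:
# 7 = P_CONTROL_HARD_RESET_CLIENT_V2, 10 = P_CONTROL_HARD_RESET_CLIENT_V3 (tls-crypt-v2)
OPENVPN_CLIENT_RESET_OPCODES = {7, 10}
OPENVPN_MAX_TCP_LEN = 1500      # assumed sanity bound on the length prefix


def classify(first_bytes: bytes) -> str:
    """Classify the start of a TCP stream as 'tls', 'openvpn' or 'unknown'."""
    if len(first_bytes) < 3:
        return "unknown"
    if first_bytes[0] == TLS_HANDSHAKE and first_bytes[1] == TLS_MAJOR:
        return "tls"
    length = struct.unpack("!H", first_bytes[:2])[0]
    opcode = first_bytes[2] >> 3
    if opcode in OPENVPN_CLIENT_RESET_OPCODES and 14 <= length <= OPENVPN_MAX_TCP_LEN:
        return "openvpn"
    return "unknown"


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello's SNI extension, or None."""
    if classify(data) != "tls":
        return None
    try:
        p = 5                                              # skip the 5-byte record header
        if data[p] != CLIENT_HELLO:
            return None
        p += 4 + 2 + 32                                    # handshake header, client_version, random
        p += 1 + data[p]                                   # session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]     # cipher_suites
        p += 1 + data[p]                                   # compression_methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                                 # server_name extension
                q = p + 2                                  # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                         # NameType host_name
                        return data[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + b"\x11" * 32                      # client_version, fixed "random"
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, TLS_MAJOR, 0x01]) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample OpenVPN-over-TCP P_CONTROL_HARD_RESET_CLIENT_V2 packet:
# 2-byte length (14), opcode 7 with key_id 0 (0x38), 8-byte session id,
# empty ack array, 4-byte packet id. Note there is no TLS record header.
OPENVPN_HARD_RESET = struct.pack("!H", 14) + b"\x38" + b"\xaa" * 8 + b"\x00" + b"\x00\x00\x00\x00"


def route(first_bytes: bytes) -> str:
    """Mimic the front-end decision: TLS goes to HTTPS (routable by SNI),
    anything that looks like OpenVPN goes to the VPN backend, the rest is dropped."""
    kind = classify(first_bytes)
    if kind == "tls":
        return "https:" + (extract_sni(first_bytes) or "<no-sni>")
    if kind == "openvpn":
        return "vpn"
    return "drop"


if __name__ == "__main__":
    print(route(build_client_hello("api.openbalena.mydomain.com")))   # https:api.openbalena.mydomain.com
    print(route(OPENVPN_HARD_RESET))                                  # vpn
```

Running it shows why a HostSNI rule in Traefik can never match the VPN stream: the OpenVPN client's first packet has no ClientHello and therefore no server name, so a TLS-passthrough router that relies on SNI either drops it or sends it to the wrong backend. That is exactly why the suggestion is to give the VPN its own port (or its own IP) instead of sharing 443 behind an SNI router.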

Thank you!

Changing the VPN port looks more natural to me. AFAICS it only involves modifying it in the services.yml file in two different places, right? I guess balena-cli configures the image correctly after querying the API service where the VPN server is. Am I right?

Maybe I could also move from HAProxy to Traefik completely then :slight_smile:

Hey,

So you’d need to change the port in the services.yml that the container is binding to, but also change the ENV var on the API and VPN containers so that they know what ports to advertise to devices that they should send the traffic to. This is done from the API’s endpoint /os/v1/config – you can see in that JSON the openvpn client config your devices use.

Once you update the ENV vars, and map the ports properly, you should have some success or at least some different problems :grin:

Let us know if that works for you :+1: