
tunnel: Expose tunnel service via TLS #101

Merged
1 commit merged into from Jan 22, 2021

Conversation

@richbayliss (Contributor) commented Jan 21, 2021

Connects-to: balena-io/open-balena-vpn/issues/149
Connects-to: balena-io/balena-cli/issues/2042

In order to support the new CLI and balenaCloud deployment
schemes for the tunnel service, the service is now exposed via
the TLS port 443 on the tunnel.{domain} server name.

Change-type: minor
Signed-off-by: Rich Bayliss <rich@balena.io>

@richbayliss richbayliss force-pushed the switch-tunnel-to-tls branch 2 times, most recently from 865b371 to 943c3ef Compare January 21, 2021 11:36
@richbayliss richbayliss marked this pull request as ready for review January 21, 2021 11:36
In order to support the new CLI and balenaCloud deployment
schemes for the tunnel service, the service is now exposed via
the TLS port 443 on the `tunnel.{domain}` server name.

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>
@ghost ghost merged commit 296a746 into master Jan 22, 2021
@ghost ghost deleted the switch-tunnel-to-tls branch January 22, 2021 14:08
@bartversluijs (Contributor) commented

Just for my knowledge, what's the impact of this?
And are there any additional ports required to open (like 3129) or any added domains to be maintained (like tunnel.domain)?

I'm asking this because I'm running it in Kubernetes, where I have to add these kinds of changes manually.

Thanks in advance!

@pdcastro commented Jan 25, 2021

@bartversluijs, good question - thanks for asking. I had added some more details in comments on the balena-cli and open-balena-vpn issues:

Before this PR and the respective changes to balena CLI v12.38.5 and later, the balena CLI's `balena tunnel` command would use the following backend endpoints:

  • vpn.<openBalena-domain>:3128 (openBalena) - unencrypted
  • vpn.balena-cloud.com:3128 (balenaCloud production) - unencrypted
  • vpn.balena-staging.com:3128 (balenaCloud staging) - unencrypted

After this PR and starting with CLI v12.38.5, a new hostname and port number are used:

  • tunnel.<openBalena-domain>:443 (openBalena) - TLS encrypted
  • tunnel.balena-cloud.com:443 (balenaCloud production) - TLS encrypted
  • tunnel.balena-staging.com:443 (balenaCloud staging) - TLS encrypted

Port 3129 is not used/exposed externally. I gather it is only used by haproxy (backend server) locally (127.0.0.1) for internal server routing / balancing after TLS decryption. Port 3128 also no longer needs to be exposed externally (it's still used internally).

By the way, to be clear, none of this affects how the VPN link to balenaOS devices uses encryption. The VPN link to balenaOS devices has always used encryption and this has not changed. Communication between the backend and the devices has always been encrypted. The old vpn.<openBalena-domain>:3128 endpoint was only used by the CLI's `balena tunnel` command, and only traffic between the CLI's `balena tunnel` command (typically running on a developer's workstation) and the backend was missing encryption.

To avoid disruption when using the CLI's `balena tunnel` command, the balena CLI version should be matched to the openBalena version:

  • openBalena v3.1.2 or later: use CLI v12.38.5 or later
  • older openBalena releases: use older CLI releases
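A defender-side check for the endpoint change described above, written as an added example (not code from this PR or from the balena projects): it classifies an endpoint as closed, TLS or plaintext, audits the legacy `vpn.<domain>:3128` and new `tunnel.<domain>:443` pair, and ships with a constructed local plaintext listener so the probe can be exercised offline. The function names, the `EXPECTED` table and the stub's HTTP banner are my own assumptions.

```python
import socket
import ssl
import threading

# Layout from the thread: vpn.<domain>:3128 was plain TCP and is now closed;
# tunnel.<domain>:443 serves TLS and routes by SNI (server name tunnel.<domain>).
EXPECTED = {"vpn": (3128, "closed"), "tunnel": (443, "tls")}

def classify_endpoint(host, port, server_name=None, timeout=3.0):
    """Probe one endpoint: 'closed', 'tls', 'plaintext' or 'no-tls-reply'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking "does the peer speak TLS?";
    ctx.verify_mode = ssl.CERT_NONE  # certificate validity is a separate check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"         # refused, unreachable or unresolvable
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host):
            return "tls"
    except ssl.SSLError:
        return "plaintext"      # peer answered, but not with a TLS ServerHello
    except OSError:
        return "no-tls-reply"   # reset, or silent until the timeout

def audit_deployment(domain):
    """Check both endpoints of one openBalena domain; True means as expected."""
    report = {}
    for sub, (port, want) in EXPECTED.items():
        seen = classify_endpoint(f"{sub}.{domain}", port)
        report[f"{sub}.{domain}:{port}"] = (seen, seen == want)
    return report

def free_local_port():  # an ephemeral port nothing listens on (exercises 'closed')
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def start_plaintext_stub():
    """Constructed stand-in for the old plain-TCP listener; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():  # read the ClientHello, answer with a non-TLS banner, hang up
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(3.0)
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `audit_deployment("your-openbalena-domain")` after upgrading: the legacy entry should read `("closed", True)` and the tunnel entry `("tls", True)`; a `"plaintext"` on either port means the old unencrypted listener is still reachable.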

@bartversluijs (Contributor) commented

Thanks for your detailed explanation!
I'll update my Kubernetes fork asap.

dfunckt added a commit that referenced this pull request Jan 29, 2021
SECURITY: Port 3128, which was used for tunneling into devices, was plain TCP and has now been closed. Tunneling is now via `tunnel.mydomain.com:443` (see #101). balena-cli versions before v12.38.5 are now incompatible and using the tunnel command will throw an error.

Refs: #101
Change-type: minor
dfunckt added a commit that referenced this pull request Jan 29, 2021
Port 3128, which was used for tunneling into devices, was plain TCP and has now been closed. Tunnelling is now via `tunnel.mydomain.com:443` (see #101). balena-cli versions before v12.38.5 are now incompatible and using the tunnel command will throw an error.

Refs: #101
Change-type: minor
dfunckt added a commit that referenced this pull request Jan 29, 2021
Port 3128, which was used for tunneling into devices, was plain TCP and has now been closed. Tunnelling is now via `tunnel.mydomain.com:443` (see #101). balena-cli versions before v12.38.5 are now incompatible and using the tunnel command will throw an error.

Refs: #101
Change-type: patch