Feature Request: option to tunnel ALL traffic through a private VPN


#1

We want to use Resin to manage our devices in a very restricted environment. Even the Network Requirements from the docs are not specific enough for our use case. Ideally we only have to request outbound access to one port on one IP for all traffic (including Resin.IO).

So ideally it should be possible to set up a VPN connection on the host OS and route all traffic (resin + container) through that tunnel.

Could not find whether this is currently possible. If so, where can I find the documentation? If not, this would be somewhat blocking for us to really start using Resin.IO in production.


#2

@che - interesting request. This wouldn’t be possible with how the VPN is currently set up. However, we’re adding support for transparent use of HTTP and SOCKS proxies: https://github.com/resin-os/meta-resin/pull/618
With this, you should be able to set up a SOCKS5 proxy somewhere (which is quite simple: https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel) and configure your devices to route all traffic through that. Would that work?


#3

@pcarranzav, thanks for the quick reply. This might work indeed.
What would be the easiest way to try if it would work right now?


#4

@che the only way I can think of is you building your own ResinOS from that meta-resin branch. If you wait a few days, though, I think this should make it into master and our staging server soon (though I can’t promise an exact date).


#5

Any updates on this? We currently use another device to do the tunneling within a VLAN. It would be much easier if we could do everything directly through resin :slight_smile:


#6

Currently proxy support to run traffic through a proxy you provide is in the testing phase, just not quite ready to be released just yet. Will keep you posted! :construction:


#7

Hi @imrehg, thanks for the quick response.

Out of curiosity I checked the above mentioned pull request in meta-resin (618) and it looks like it is already available in the current ResinOS image (Resin OS 2.0.8+rev1 (prod)). Is that correct?

At first sight everything seems to be working, so we will already test everything thoroughly :wink:
Anything I should keep in mind when testing?

Keep up the good work guys!


#8

Ah, yes, here’s the Github pull request that added this change (and seems like starting in resinOS 2.0.7 already):

https://github.com/resin-os/meta-resin/pull/618

There are some details in the description regarding what to keep in mind and how to set things:

It introduces a resin-proxy-config service, which looks for redsocks.conf inside a system-proxy folder in the SD card’s resin-boot partition. The service creates the corresponding iptables rules and starts redsocks, only if the configuration file is found (otherwise it just exits).

Users wanting a device to connect behind a proxy would have to add a redsocks.conf file at `/resin-boot/system-proxy/`, specifying whatever proxy configuration they need but ensuring that:

  • daemon = off is set, so that redsocks doesn’t fork (because the service type is simple)
  • local_port = 12345 is set, so that the iptables rules and redsocks’ port match.

Additionally, resin-proxy-config can read a /mnt/boot/system-proxy/no_proxy file with a newline-separated list of IPs or subnets to not route through the proxy.

Besides this, we’d just love to hear if you have any feedback through your testing :slight_smile:
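As an added example that is not part of this thread or of the resin-os project, the script below checks a redsocks.conf for the two settings the service depends on (daemon = off, local_port = 12345) and places it, together with an optional no_proxy list, into the system-proxy folder. The base/redsocks block syntax is redsocks' own; the boot mount point and the proxy address in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from resin-os. Validates a redsocks.conf before it
# goes into <boot partition>/system-proxy/ and writes the optional no_proxy file.

# Sample redsocks.conf, constructed for this example (proxy 10.0.0.5:1080 is a placeholder).
SAMPLE_REDSOCKS_CONF='base {
    log_debug = off;
    log_info = on;
    log = "stderr";
    daemon = off;
    redirector = iptables;
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;
    ip = 10.0.0.5;
    port = 1080;
    type = socks5;
}'

# check_redsocks_conf FILE
# Returns 0 only if daemon = off (the systemd service type is simple, so redsocks
# must not fork) and local_port = 12345 (must match the iptables rules the service creates).
check_redsocks_conf() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    grep -Eq '^[[:space:]]*daemon[[:space:]]*=[[:space:]]*off[[:space:]]*;' "$f" \
        || { echo "daemon must be off" >&2; return 1; }
    grep -Eq '^[[:space:]]*local_port[[:space:]]*=[[:space:]]*12345[[:space:]]*;' "$f" \
        || { echo "local_port must be 12345" >&2; return 1; }
    return 0
}

# install_system_proxy BOOT_MOUNT CONF_FILE [NO_PROXY_ENTRY...]
# Copies a validated config to BOOT_MOUNT/system-proxy/redsocks.conf and writes the
# newline-separated no_proxy list (IPs or subnets that must bypass the proxy), if any.
install_system_proxy() {
    boot="$1"; conf="$2"; shift 2
    check_redsocks_conf "$conf" || return 1
    mkdir -p "$boot/system-proxy"
    cp "$conf" "$boot/system-proxy/redsocks.conf"
    if [ "$#" -gt 0 ]; then
        printf '%s\n' "$@" > "$boot/system-proxy/no_proxy"
    fi
}
```

Run it with the resin-boot partition mounted, e.g. `install_system_proxy /mnt/boot ./redsocks.conf 192.168.1.0/24` (the mount path is an assumption).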


#9

Hi,

I’d be very interested in hearing if this works and whether it’s possible to get more detailed “how-to” about it?

As a real newbie with Resin, it seems unclear how to proceed with the installation and such.


#10

Be sure to always run an IP leak test so your VPN actually encrypts your data.


#11

Hi @Jipsu ,

Yes, this approach works since resinOS 2.7.7 and you can find more details on how to set it up in the related docs section: https://docs.resin.io/deployment/network/2.x/#connecting-behind-a-proxy