Make VPN port configurable in api service via environment variable

[matiasAS]

Description
This pull request modifies the docker-compose.yml file to allow the VPN port of the api service to be configurable via an environment variable (VPN_PORT). If the environment variable is not set, the default value 443 will be used.

Reason

Hetzner server
Proxmox
pfSense for networking
Nginx Proxy Manager as a reverse proxy for services
Cloudflare in front
I encountered the following error on devices connecting to the VPN:

Jun 30 04:05:08 a179fab openvpn[6532]: 2024-06-30 04:05:08 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

An alternative solution to getting a new dedicated public IP for the virtual machine hosting OpenBalena was to change the VPN port to 4443, and then set up port forwarding from the public IP of pfSense to port 443 of the virtual machine.

From my research, the error was due to using pfSense and/or Nginx Proxy Manager along with Cloudflare, causing OpenVPN to "confuse" it with an HTTPS connection.

I want this change to avoid modifying the docker-compose.yml file directly and to prevent errors when updating with git pull due to file modifications.

The ideal and correct solution might be to use a dedicated IP, but I also did this to save money, even if it's a little less than 2 euros; it's still worth it, right?

Best regards,
Matias Alvarez Sabate

[ab77]

Could you please add a change-type (see 52d0eb6)

[matiasAS]

I've added the Change-type: minor to the commit message as requested. The changes are now ready for review. Thank you!

[ab77]

We don't support merged commits in the CI workflow, see here. Can you please squash your work down to a single commit, annotated with the change-type property, rebase on master and re-push..

[matiasAS]

I've squashed the commits into a single commit and added Change-type: minor. The branch has also been rebased on master. The changes are now ready for review.
Sorry for the inconvenience, this is the first time I collaborate on an opensource project.

Thank you!

[ab77]

Fails tests due to commit being out of tree, need to think about how to solve this for external contributors..

+ sudo -u balena git config --global --add safe.directory /home/balena/open-balena
+ cd /home/balena/open-balena
+ sudo -u balena git checkout 2d6c85804ce7d707a10d858dad817e259c071383
fatal: reference is not a tree: 2d6c85804ce7d707a10d858dad817e259c071383

[matiasAS]

With the help of chat gpt, I have updated the fork:
1)git remote add upstream https://github.com/balena-io/open-balena.git
2)git fetch upstream
3)git rebase upstream/master
4)git push -f origin configurable-vpn-port-api

Will that be enough?

[ab77]

@matiasAS thank you, there are a few blockers on our side in relation to your PR, one I've already mentioned in this comment and the other is the way balena-cli currently handles env-var interpolation (different to compose). We are working on resolving both of these blockers and once we have a resolution, we should be able to hopefully merge this work.

[matiasAS]

ok, is the blocking of the previous comments ok now?

Is the problem with the environment variable related to the fact that the version of Docker Compose is 2.4 and that way of defining it is for a more current version like 3.8, for example?

[matiasAS]

@ab77
Sorry for asking again, do I have to do something else, or just wait for the other part of the environment variables to be resolved? Greetings

[matiasAS]

Hello @ab77 , any progress with my suggestion of making the VPN port customizable?

[ab77]

Great, now only the balena-ci blocker remains, this is on us @matiasAS: balena-io/balena-cli#2818

[ab77]

It's rather more likely that we'd migrate ll of this to Kubernetes before balena-compose understands env. var. interpolation. In the mean time, just use sed or similar to patch the composition.

[matiasAS]

@ab77 ok, I have learned that if I use docker-compose.override.yml by running "docker compose up -d" docker replaces the original docker compose in memory without applying changes. That is my solution, I have not decided to modify the original docker-compose.yml because if I update I will have a git conflict error.

I don't have much experience with kubernetes to be honest, but I think it looks good, I guess it will be better that way.

I take the opportunity to ask, do you plan to implement more Balena Cloud functionalities in Openbalena? For example: the public url of the devices, SSH connection without doing the tunnel, update delta, etc.

Greetings

[ab77]

do you plan to implement more Balena Cloud functionalities in Openbalena? For example: the public url of the devices, SSH connection without doing the tunnel, update delta, etc.

No plans at present.

[matiasAS]

@ab77 I am still on openbalena v3, and I have also tried v4, could there be breaking change updates that break the system?

[matiasAS]

@ab77 I am still on openbalena v3, and I have also tried v4, could there be breaking change updates that break the system?

[github-actions]

Website deployed to CF Pages, 👀 preview link https://f4d61b54.open-balena.pages.dev