Install Veeam PN on Ubuntu in IBM Cloud VPC and connect with SSL VPN

Overview

This post tries out the configuration named in the title on an actual machine.

Version confirmation

Veeam PN is installed in the following Ubuntu environment.

# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Installation

Follow the guide here to install.

  • It seems that it is no longer necessary to add a WireGuard repository.

# curl -k http://repository.veeam.com/keys/veeam.gpg | apt-key add -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  5469  100  5469    0     0  17641      0 --:--:-- --:--:-- --:--:-- 17641
OK

# echo "deb [arch=amd64] http://repository.veeam.com/pn/public pn stable" > /etc/apt/sources.list.d/veeampn.list
# apt-get update
Hit:1 http://mirrors.adn.networklayer.com/ubuntu bionic InRelease
Hit:2 http://mirrors.adn.networklayer.com/ubuntu bionic-updates InRelease             
Hit:3 http://mirrors.adn.networklayer.com/ubuntu bionic-backports InRelease            
Get:4 http://repository.veeam.com/pn/public pn InRelease [7,581 B]                                           
Hit:5 http://mirrors.adn.networklayer.com/ubuntu bionic-security InRelease        
Get:6 http://repository.veeam.com/pn/public pn/stable amd64 Packages [3,609 B]
Fetched 11.2 kB in 1s (8,616 B/s)     
Reading package lists... Done

# apt-get -y install veeam-vpn-ui veeam-vpn-svc

Answer "Yes" on the confirmation screen that appears during installation, and the installation is complete.
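
The key in the first step is fetched over plain HTTP and piped straight into apt-key, so nothing checks it before apt trusts it. As an added example (not part of the original post or Veeam's guide), the key can be saved to a file and compared against a fingerprint obtained out of band before it is added; EXPECTED_FPR is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin the Veeam repository key by fingerprint before apt trusts it.
KEY_URL="http://repository.veeam.com/keys/veeam.gpg"   # URL used in the post
EXPECTED_FPR="REPLACE-WITH-FINGERPRINT-FROM-VENDOR"    # placeholder, not a real value

# first_fingerprint: print the primary key fingerprint from
# `gpg --with-colons` output on stdin (field 10 of the first fpr record).
first_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fingerprint_matches A B: compare two fingerprints, ignoring spaces and case.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# trust_repo_key URL FPR: download, verify, and only then hand the key to apt-key.
trust_repo_key() {
    tmp=$(mktemp) || return 1
    if ! curl -fsS -o "$tmp" "$1"; then rm -f "$tmp"; return 1; fi
    # show-only lists the keys in the file without importing them into a keyring
    actual=$(gpg --with-colons --import-options show-only --import "$tmp" | first_fingerprint)
    if fingerprint_matches "$actual" "$2"; then
        apt-key add "$tmp"; rc=$?
    else
        echo "key fingerprint mismatch: got '${actual:-none}'" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (as root): trust_repo_key "$KEY_URL" "$EXPECTED_FPR"
```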

Login / Initial settings

Open the Veeam PN portal, log in, and perform the initial setup.

Username: root
Password: by default, the same as the Linux root user's password

Set a password of your choice for the Veeam PN portal.

The first thing you need to create is a Network hub. (After that, place a Site gateway at each site you want to add as a VPN connection destination.)

  • Deploying Network Hub - Veeam PN User Guide
    The first step of the VPN infrastructure configuration is to deploy the network hub. The network hub is the core component in the VPN infrastructure that provides VPN connections and services to remote sites and users. All traffic in the VPN is routed through the network hub.

Set the organization name required to create the self-signed certificate.

The self-signed certificate is then created.

Set the IP address or DNS name to publish as the VPN connection endpoint. (Here, the floating IP bound to the Ubuntu instance is used.)

When the portal screen is displayed at the end, the setup is complete.

Point-to-site VPN server settings

This section tries the Point-to-site VPN use case on the actual machine. Create a "Client" and select "Standalone Computer".

Set the name of the "Client".

Check the contents and complete the setting.

A pop-up for downloading the OpenVPN configuration file for the client is then displayed. Download the file and save it on the client PC.

Finally, append the following lines to the server configuration so that a route into the remote site is pushed to clients.

echo ' ' >> /etc/veeampn/EndpointOVPN.cfg
echo 'push "route 192.168.250.0 255.255.255.0"' >> /etc/veeampn/EndpointOVPN.cfg

Then toggle the Point-to-Site service OFF and back ON so that the changes to the server configuration file take effect.
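
Running the two echo lines a second time duplicates the directive, and a mistyped network or mask goes into the server configuration unchecked. As an added example (not from the original post; the function names are hypothetical), this helper validates the route, keeps a backup, and appends the same push line only when it is not already present.

```shell
#!/bin/sh
# Added example: append an OpenVPN push route only if it is well formed
# and not already present (replaces the two unconditional echo >> lines).

# is_ipv4 ADDR: dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# route_is_valid NET MASK: MASK is contiguous and NET has no host bits set.
route_is_valid() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    echo "$1.$2" | awk -F. '{
        full = 1
        for (i = 1; i <= 4; i++) {
            m = $(i + 4); block = 256 - m
            if (!full && m != 0) exit 1              # 1-bits after a 0-bit
            if (index(" 1 2 4 8 16 32 64 128 256 ", " " block " ") == 0) exit 1
            if ($i % block != 0) exit 1              # host bits set in NET
            if (m != 255) full = 0
        }
    }'
}

# add_push_route CFG NET MASK: idempotent form of `echo 'push ...' >> CFG`.
add_push_route() {
    cfg=$1; line="push \"route $2 $3\""
    route_is_valid "$2" "$3" || { echo "invalid route: $2 $3" >&2; return 2; }
    grep -qxF -- "$line" "$cfg" && return 0   # already present, nothing to do
    cp -p "$cfg" "$cfg.bak" || return 1       # keep the previous file for rollback
    printf '\n%s\n' "$line" >> "$cfg"         # leading newline, like the echo ' ' above
}

# Usage (as root), with the path and route from the post:
# add_push_route /etc/veeampn/EndpointOVPN.cfg 192.168.250.0 255.255.255.0
```

The Point-to-Site service still has to be restarted afterwards for the new route to be pushed.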

Point-to-site VPN client settings

Install an OpenVPN client on the VPN client machine.

For macOS, use Tunnelblick ("Free open source OpenVPN VPN client server software for macOS").

Register the khayama-test.ovpn file downloaded earlier as the connection destination.

When the connection completes, a confirmation screen is displayed.

Conclusion

The SSL VPN connection offered in IBM Cloud Classic Infrastructure isn't currently available in VPCs, so if you need a VPN, Veeam PN looks like a good option because it is easy to deploy. In addition, since VPNs at disaster recovery sites are often deployed in a single (non-redundant) configuration, a solution like this seems to make it easy to connect sites.

Reference: Default /etc/veeampn/EndpointOVPN.cfg

For changes to the server configuration file to take effect, restart the Point-to-Site service.

  • To change the address range assigned to clients, change server 10.210.0.0 255.255.0.0
  • To push a route into the remote site to clients, add push "route 192.168.250.0 255.255.255.0"

/etc/veeampn/EndpointOVPN.cfg


mode server

port 6179
proto udp
server 10.210.0.0 255.255.0.0

dev tun.veeampn

persist-key
persist-tun

topology subnet

auth SHA256
auth-nocache
cipher AES-256-CBC

tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

remote-cert-tls client

fast-io
mssfix 1380
txqueuelen 1000

sndbuf 1048576
rcvbuf 1048576

keepalive 10 20


management mgmtEndpointOVPN unix
auth-user-pass-optional
management-client-auth
management-hold

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

</ca>

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=SanFrancisco, O=org, OU=Acme, CN=org CA/name=khayama.org/[email protected]
        Validity
            Not Before: Oct 23 08:39:05 2020 GMT
            Not After : Oct 21 08:39:05 2030 GMT
        Subject: C=US, ST=CA, L=SanFrancisco, O=org, OU=Acme, CN=EndpointOVPN/name=khayama.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier: 
                C9:
            X509v3 Authority Key Identifier: 
                keyid:
                DirName:/C=US/ST=CA/L=SanFrancisco/O=org/OU=Acme/CN=org CA/name=khayama.org/[email protected]
                serial:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:EndpointOVPN
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
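
Because the listing embeds the server's private key in an inline <key> block, the configuration file is as sensitive as the key itself. The following added check (not from the original post or from Veeam; the function name is hypothetical) flags a config that is readable beyond its owner or that has drifted from the TLS settings shown in the listing.

```shell
#!/bin/sh
# Added example: check an OpenVPN server config such as
# /etc/veeampn/EndpointOVPN.cfg against the defaults shown in the listing.

# audit_ovpn_server CFG: print one finding per line; return 1 if any were found.
audit_ovpn_server() {
    cfg=$1; rc=0
    # An inline <key> block makes the whole file as sensitive as the private key.
    if grep -q '^<key>' "$cfg"; then
        mode=$(stat -c '%a' "$cfg")        # GNU stat, as on Ubuntu
        case $mode in
            0|*00) ;;                      # no group/other permission bits
            *) echo "inline private key, but mode $mode grants group/other access"; rc=1 ;;
        esac
    fi
    # The listing sets tls-version-min 1.2; flag anything lower or missing.
    tlsmin=$(awk '$1 == "tls-version-min" { v = $2 } END { print v }' "$cfg")
    case $tlsmin in
        1.2|1.3) ;;
        *) echo "tls-version-min is '${tlsmin:-unset}', listing default is 1.2"; rc=1 ;;
    esac
    # remote-cert-tls client requires peer certificates to carry client key usage.
    if ! grep -Eq '^remote-cert-tls[[:space:]]+client' "$cfg"; then
        echo "remote-cert-tls client is missing"; rc=1
    fi
    return $rc
}

# Usage (as root): audit_ovpn_server /etc/veeampn/EndpointOVPN.cfg
```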
