
Using Veeam PN to do Site to Site VPN

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

For most enterprises, configuring a site-to-site VPN is troublesome and complicated.

However, to make backup to Azure easier by letting the intranet communicate with the Azure cloud, Veeam launched a free product in 2017: Veeam PN.

It can be used to set up a site-to-site or point-to-site VPN conveniently.

Starting with version 2.0, Veeam PN can be installed directly on Ubuntu 18.04 instead of downloading its OVA virtual machine file.

Next, I will install Veeam PN directly on Ubuntu to implement a site-to-site VPN.

The following is the environment I tested:

SiteA: 10.11.12.0/24

SiteB: 172.16.8.0/24

VeeamPN Hub is deployed on Site A (with public network IP)

VeeamPN Hub private network IP: 10.11.12.9

VeeamPN Gateway is deployed on Site B (no public network IP)

VeeamPN Gateway private network IP: 172.16.8.8

VeeamPN System Requirements

Ubuntu 18.04

1 vCPU (Minimum)

1 GB vRAM (Minimum)

16 GB of Hard Drive space

External Network Connectivity

1. Installing Veeam PN on Ubuntu 18.04

Log in to the Site A Ubuntu machine, set the hostname to ni-pnv and configure the static IP 10.11.12.9:

vi /etc/hostname

vi /etc/netplan/01-netcfg.yaml

Apply the configuration with netplan apply:

Download and add the Veeam Software Repository Key:

curl -k http://repository.veeam.com/keys/veeam.gpg | apt-key add -

This failed with an error because gnupg2 was not installed:

apt install gnupg gnupg2 gnupg1

Add the APT source list file for VeeamPN:

vi /etc/apt/sources.list.d/veeampn.list

Or:

echo "deb [arch=amd64] http://repository.veeam.com/pn/public pn stable" > /etc/apt/sources.list.d/veeampn.list

Then run apt update.

Add the WireGuard apt repository:

apt-add-repository ppa:wireguard/wireguard

If apt-add-repository is not available, install software-properties-common first:

apt install software-properties-common -y

After installation, rerun apt-add-repository ppa:wireguard/wireguard.

Then you can install VeeamPN itself:

apt install veeam-vpn-ui veeam-vpn-svc

Wait until the installation is complete:

Open the Veeam PN web portal in a browser:

Change the root password:

Officially start the deployment of Veeam PN Hub:

Save this configuration file, which will be used when configuring Veeam PN on the Site B side.

Complete the configuration of Veeam PN on Site A side

Then configure the default route to the Site B side on the firewall on the Site A side.

At this point, the Site A side is all configured.

Next, install Veeam PN on Ubuntu on the Site B side.

The method is exactly the same as for Site A, so it is omitted here.

After installing Veeam PN, open the Veeam PN web portal in your browser:

Locate the XML configuration file that was downloaded when the client was configured on Site A:

Click Finish to complete the configuration.

Next, you see the server shown as Connected:

Let's see if we can connect from site A to site B:

Run cmd on Site A's system

So far, it is possible to communicate from Site A to Site B.

Finally, we need to see if we can communicate from Site B to Site A.

Add a static route to Site A on the firewall on the Site B side:

Then check whether Site A can be pinged from a system on Site B:

As this shows, communication from Site B to Site A does not work.

By comparing the routing tables on the Veeam PN of Site A and Site B, we find that there is no route to Site A on the Veeam PN of Site B.

Routing table for Site A:

Routing table for Site B:

Now try manually adding a route to Site A on Site B's Veeam PN to see whether that works:

The result is:

Before, the request timed out; after the route is added, the target machine cannot be reached.

A traceroute suggests that the Veeam PN on the Site B side cannot forward traffic to Site A.

This problem is not solved for the time being. It is probably the WireGuard configuration, to be looked at later.

This problem is not mentioned in the official documentation, and Veeam is a little out of line on this.

I remember that Veeam PN 1.0 had the same problem. There, the two sides could communicate with each other after a route was added manually.

At present, the same problem in Veeam PN 2.0 is still not mentioned in the official documentation.

https://helpcenter.veeam.com/docs/veeampn/userguide/how_to_local_sites.html?ver=20

Someone in the official forum mentioned: https://forums.veeam.com/veeam-tools-for-microsoft-azure-f36/veeampn-working-but-only-in-one-direction-t62278.html

Attached:

Solution:

By comparing the WireGuard configuration on Site A and Site B, we find:

Site A:

Site B:

The allowed ips in the Site B configuration do not include Site A's address range: 10.11.12.0

So we need to add the address 10.11.12.0 to the allowed ips configuration of WireGuard in Site B (wg expects the peer's public key where * appears):

wg set wg.veeampn peer * allowed-ips 10.11.12.0/24,10.211.0.0/16,10.210.0.0/16

Now let's see if site B to Site A can communicate properly:

In this way, we can communicate normally now.
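The check behind this fix can be scripted. The following is an added example, not part of the original article or of Veeam PN: it parses the output of `wg show wg.veeampn allowed-ips`, reports which required remote subnets no peer covers, and builds the matching `wg set` command. The sample output, the peer key and the function names are constructed for illustration; the pre-fix ranges on Site B are an assumption.

```python
import ipaddress

# Constructed sample of `wg show wg.veeampn allowed-ips` on the Site B gateway
# before the fix. The peer key is a made-up placeholder, not a real key.
SAMPLE_SITE_B = "HUBPLACEHOLDERKEY0000000000000000000000000w=\t10.210.0.0/16 10.211.0.0/16\n"


def parse_allowed_ips(output):
    """Map each peer public key to its list of allowed networks."""
    peers = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition("\t")
        # wg prints "(none)" for a peer without any allowed-ips
        nets = [] if rest.strip() in ("", "(none)") else [
            ipaddress.ip_network(n, strict=False) for n in rest.split()
        ]
        peers[key.strip()] = nets
    return peers


def missing_subnets(peers, required):
    """Return the required subnets that no peer's allowed-ips covers."""
    missing = []
    for cidr in required:
        want = ipaddress.ip_network(cidr)
        covered = any(
            want.version == have.version and want.subnet_of(have)
            for nets in peers.values() for have in nets
        )
        if not covered:
            missing.append(want)
    return missing


def fix_command(iface, peer_key, current, missing):
    """Build a wg set command. allowed-ips replaces the peer's whole list,
    so the existing ranges are repeated alongside the missing ones."""
    merged = ",".join(str(n) for n in list(current) + list(missing))
    return f"wg set {iface} peer {peer_key} allowed-ips {merged}"


if __name__ == "__main__":
    peers = parse_allowed_ips(SAMPLE_SITE_B)
    gaps = missing_subnets(peers, ["10.11.12.0/24"])  # Site A's subnet
    for key, nets in peers.items():
        if gaps:
            print(fix_command("wg.veeampn", key, nets, gaps))
```

Because `wg set ... allowed-ips` replaces the peer's list rather than appending to it, any range left out of the command stops being accepted from or routed to that peer.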

Therefore, from this incident, we can see that following the official documentation to the letter can sometimes still leave you with a problem.

And Veeam PN has had the same problem across successive versions, and Veeam turns a blind eye to it.

I don't know whether the person who wrote the official document actually tested it, or whether he wrote the document out of thin air.

Testing shows that the manually added routes and modifications disappear after the system is restarted.

You can consider letting these commands load automatically when the system starts.

Since Ubuntu 18.04 does not enable rc.local by default, it must be enabled first:

Ubuntu 18.04 no longer uses init to manage the system; it uses systemd instead.

systemd reads the configuration files under /etc/systemd/system by default, and the files in this directory link to files under /lib/systemd/system/. Generally, after the system is installed, there is an rc-local.service file under /lib/systemd/system/. Link /lib/systemd/system/rc-local.service into the /etc/systemd/system/ directory:

ln -fs /lib/systemd/system/rc-local.service /etc/systemd/system/rc-local.service

vim /etc/systemd/system/rc-local.service

Add at the end of the file:

[Install]

WantedBy=multi-user.target

Alias=rc-local.service

Edit /etc/rc.local:

vim /etc/rc.local

The content is:

#!/bin/bash

sleep 90

wg set wg.veeampn peer * allowed-ips 10.11.12.0/24,10.211.0.0/16

route add -net 10.11.12.0/24 dev wg.veeampn

exit 0

This gives a true site-to-site setup in which both sides can communicate with each other.
