ISCSI over VPN

[dhayes16]

Hello All. Small non for profit using Veeam Community Edition which is loaded on a windows 2019 host running Hyper-V. They have a BuffaloBox NAS device setup locally as a backup target using ISCSI and it has been working well. They now want to backup to another Buffalo Box at another location over a high speed VPN. I have been reading SMB should be avoided (and it does not even appear to be supported properly on the Buffalo Box). So I was thinking of just going ISCSI there as well as a backup copy target repo.

But my main concern with ISCSI is the security aspect. For instance, if a hacker gained admin access to the server the "mounted" iscsi shares would be easy to wipe out since they are mounted to the server session as a mapped drive. As opposed to something like SMB where there is a different password challenge to get to the repo so there is some degree of protection. Is there any way around this situation? I would really prefer to use ISCSI since it has been working quite well.

Now we are working on them to get REAL backup targets instead of these cheap nas devices and get to a cloud provider we use but alas funding is the issue...

Thanks for any ideas.
Dave

[Mildur]

First, you are forbidden by Veeam EULA to provide them your services, as long as they are on community license.
Anton Gostev will surely confirm that.
They have to buy a regular license

https://www.veeam.com/eula.html

You may not use the Free and Community Licenses to provide services to third parties or to process third party data.

Second, iscsi over an unstable internet connection is a pain.
I had customers with this design.
After many weeks with problems, we have decided to configure a gateway server on remote locations site to manage the backup repo.

For security aspects, as soon the hacker is onthe backup server, he can delete all restore points on each backup repo, smb or iscsi.
The restore points need to be completly offline (airgapped) or hackers have access