open vpn in veeam sandbox

[ale666]

Good morning,
how could i make openvpn work in a vm inside veeam sandbox?

the proxy seems to block the connection

Thanks

[PetrM]

Hello,

Why do you think that this is a proxy who blocks connection? For example, you can try to connect to the appliance and probably adjust iptables there.
UPD 09/12/2021: manual adjustment of iptables is not supported

Thanks!

[ale666]

Code: Select all

2021-12-07 11:38:57 TCP connection established with [AF_INET]10.1.10.5:443
2021-12-07 11:38:57 Send to HTTP proxy: 'CONNECT x:10194 HTTP/1.0'
2021-12-07 11:38:57 Send to HTTP proxy: 'Host:x.com'
2021-12-07 11:38:57 HTTP proxy returned: 'HTTP/1.0 403 Access violation'
2021-12-07 11:38:57 HTTP proxy returned bad status

the sendbox have http enable with 443 port

[ale666]

Hello,

Why do you think that this is a proxy who blocks connection? For example, you can try to connect to the appliance and probably adjust iptables there.

Thanks!

can you tell me what to type to enable open vpn?
I have no experience on linux

[PetrM]

I never tested OpenVPN in sandbox but I just gave an idea to think about. If you don't have the same issue with your production VM, you may ask our support engineers to explain why does appliance drop packets. I guess it would be possible to get workaround only once we clearly understand what exactly happens.

One more question: could you please clarify why do you need to test OpenVPN from the external network? Basically, VM image is running in the isolated network and probably it would be enough to check connectivity from another VM which is running in the same isolated network (virtual lab) ? Thus, you get rid of the necessity to go through the proxy appliance during your tests.

Thanks!

[ale666]

double post

[ale666]

I never tested OpenVPN in sandbox but I just gave an idea to think about. If you don't have the same issue with your production VM, you may ask our support engineers to explain why does appliance drop packets. I guess it would be possible to get workaround only once we clearly understand what exactly happens.

One more question: could you please clarify why do you need to test OpenVPN from the external network? Basically, VM image is running in the isolated network and probably it would be enough to check connectivity from another VM which is running in the same isolated network (virtual lab) ? Thus, you get rid of the necessity to go through the proxy appliance during your tests.

Thanks!

veeam support linked me to this discussion for resolution
i tried to connect to the veeam proxy and then i made some changes but it still does not work https://arashmilani.com/post?id=53
in the sendbox environment I have to enable a vpn to be able to see the vendor's license server otherwise I can't start the program on which I have to do the test.
I would like to come up with a veeam system eng because this thing could be useful also to others.

thank you

[PetrM]

Hello,

Thanks for reply but I still have 2 questions:
1. Do you back up this license server? If yes, why don't start its image in SureBackup job and make the test inside Virtual Lab without leaving the isolated network?
2. Could you please provide a support case ID so that I can have a better idea of technical details? I'm not sure that I have a clear understanding why it does not work.

Thanks!

[ale666]

The licenses are in the vendor's datacenter that's why I have a VPN. Openvpn from the sendbox goes out over the internet to connect to the VM in the vendor datacenter where the licenses are. Case 05167681

Thanks

[ale666]

Hello,

Thanks for reply but I still have 2 questions:
1. Do you back up this license server? If yes, why don't start its image in SureBackup job and make the test inside Virtual Lab without leaving the isolated network?
2. Could you please provide a support case ID so that I can have a better idea of technical details? I'm not sure that I have a clear understanding why it does not work.

Thanks!

in the post above my answers; I don't know why but it didn't quote me from my phone.

thanks

[PetrM]

Hello,

Thanks for reply. Maybe my fault that I didn't say it explicitly from the very beginning but the current behavior is the behavior by design. You cannot access external resources: the main idea of Sandbox is to validate backups in the environment which is fully-fenced from the production one. I misunderstood the description of your setup and mistakenly suspected a technical issue.

I'd suggest to try to make OpenVPN to work over 80/443 port and check the option "Allow proxy appliance to act as internet proxy for virtual machines in this lab" in this step of Virtual Lab wizard. One more important point is that the workaround with manual adjustment of iptables could work in theory but is unsupported officially.

Thanks!

[ale666]

@petrm
I have already activated internet proxy and it works fine
my difficulty is that I don't know well how to modify iptables; I have anyway opened the tcp ports that I needed but it still doesn't work.

the problem is that there are no logs to understand what the proxy blocks.

[PetrM]

You don't need to modify iptables or change some settings on Veeam side, it's enough to make OpenVPN work over 80/443 port as long as the mentioned checkbox "Allow proxy appliance to act as internet proxy for virtual machines in this lab" is selected.

Thanks!

[ale666]

80 and 443 are used in openvpn server
in iptables I can open the ports if only it saves them!

Thanks!

[PetrM]

Hello,

If OpenVPN uses 80 and 443 ports and the option "Allow proxy appliance to act as internet proxy for virtual machines in this lab" is selected in the settings of Virtual Lab, then I don't see a reason why it's not working. There is no need to touch iptables. Please let me speak to our support team once again.

Thanks!

[ale666]

thanks for the answers.

"Allow proxy appliance to act as internet proxy for virtual machines in this lab" is enabled on port 8080

openvpn uses port 443 80 but it also needs 10194.

the firewall address to which i connect in vpn is 150.60.60.40 : 10194 (the supplier tells me he cannot change it with 443, 8080 or 80)

from the firewall logs i can see that the proxy lets out only the 443 and 80 traffic

I would also need the port 10194

[PetrM]

I've got it, thanks for clarifying! Only 443 and 80 ports are allowed, other traffic is blocked and it is by design. We can consider an option to specify the ports that you want to open in Virtual Lab settings as a feature request. However, it's difficult to provide you with any estimations as we don't have enough similar requests so far.

Thanks!

[ale666]

but considering that the linux based proxy is accessible with the root user and allows you to change iptables but does not save.
maybe asking to a system administrator or to a veeam programmer is enough a 1 second "change" to fix it or even better they will turn me the exact string to type in the proxy to allow me to save the iptables changes.
In my opinion it is a 2 seconds "hassle" if I could talk to an expert system administrator or programmer.

[PetrM]

It's no as easy as it might seem at first sight. It's necessary to edit the startup script of the appliance but it is unsupported. But probably you can skip the test with license server if 10194 port is mandatory? The main point of Sandbox is to validate workloads in the isolated environment: perhaps, it would be enough to go with the default ping and script-tests?

Thanks!