Simplify and orchestrate VPN networking and configuration tasks.
doublem
Enthusiast

VeeamPN and static client ip

Post by doublem »

I am running Veeam PN as a HUB on-prem and use it successfully for a number of point-to-site clients, both Windows and Linux.

I can connect clients and I have communication in both directions. Good.

In one use-case I want one client to always get the same IP number. I have looked at several guides for OpenVPN and tried the following modifications in VeeamPN but have not got it to work. Does anyone have any suggestions?

This is what I have done:

1) ssh to veeampn

2) Added these two lines to the file

Code:

file: /etc/veeampn/EndpointOVPN.cfg

ifconfig-pool-persist /etc/veeampn/ccd/ipp.txt
client-config-dir /etc/veeampn/ccd

3) Created dir and created one "client file" where 5075084332071946027 matches the CN= in the client's .ovpn file

Code:

mkdir /etc/veeampn/ccd
cat /etc/veeampn/ccd/507508433207194602s

ifconfig-push 10.9.0.4 255.255.255.0
push "dhcp-option DOMAIN example.se"

4) Created /etc/veeampn/ccd/ipp.txt

Code:

cat /etc/veeampn/ccd/ipp.txt

5075084332071946027,10.9.0.4

5) Restarted veeampn-server

When I test this I know that the client-specific part is executed because I see the "DOMAIN example.se" in the client log file. But the static IP number is not set. I always get the lowest free IP number in the 10.9.0.0/24 when expecting the IP number 10.9.0.4 at the client.

AVasilyev
Veeam Software

Re: VeeamPN and static client ip

Post by AVasilyev »

Hi doublem!

I'm sorry - the way the VeeamPN is developed it is not possible to alternate IP address assignments.

I can suggest another workaround - would it be OK with you if you will be able to resolve the client ip address by its DNS name. I can give you a script which can refresh all clients and IP addresses into a text file which can be used as a source information with DNSmasq server or /etc/hosts file.
Or if this is not working - explain me more about your use case.

Thank you,
Alexey
doublem
Enthusiast

Re: VeeamPN and static client ip

Post by doublem »

Hi and thanks for your reply.

> ... it is not possible to alternate IP address assignments.

OK. Good information. Now I do not need to try to figure this out.
(Maybe a "Request for Enhancement"?)


> resolve the client ip address by its DNS name. I can give you a script which can refresh
> all clients and IP addresses into a text file which can be used as a source information
> with DNSmasq server or /etc/hosts file.

Thanks. I would be interested in this workaround.


> explain me more about your use case.

Use case: NAS backup software which backs up data to a remote client (the VPN client). The client establishes the initial TCP connection because I cannot open ports from "outside" at the client side (the backup target site).

I can probably use dynamically updated DNS/host-names.
AVasilyev
Veeam Software

Re: VeeamPN and static client ip

Post by AVasilyev »

Please find the code below.
Log in to the VeeamPN server by ssh and paste the code into a file.

Every time you run the script, it writes IP addresses into the /etc/hosts_veeampn file (you can change the filename by editing the value of the OUTPUT_FILE variable).
The script should be started under an admin account - it requires root privileges to access the local UNIX socket to obtain authorization.

This result file can be used by DNSmasq if you would like to install it on the VeeamPN server. Please refer to the DNSmasq manual - I would suggest using the following option:

Code:

-H, --addn-hosts=<file>
Additional hosts file. Read the specified file as well as /etc/hosts. If --no-hosts is given, read only the specified file. This option may be repeated for more than one additional hosts file. If a directory is given, then read all the files contained in that directory.

Just a note - to make DNSmasq re-read the file you should send it a SIGHUP signal (http://www.thekelleys.org.uk/dnsmasq/do ... .html#lbAG)


Code:

#!/bin/bash
# Needs bash, not plain sh: the script uses [[ ]], (( )), "function" and "source"
source /usr/share/veeampn/azure_cfg/api/hub_utils.sh
source /usr/share/veeampn/azure_cfg/api/ovpn_api.sh
source /usr/share/veeampn/azure_cfg/api/mgmt_api.sh
source /usr/share/veeampn/azure_cfg/api/azure_api.sh

DNS_SUFFIX=".veeampn.loc"
OUTPUT_FILE="/etc/hosts_veeampn"

# connect to localhost
function LOCAL_call_authorize
{
    AUTH_USERNAME=$(check_val "$1" "Need username - 1st argument")
    AUTH_URL=$(check_val "$2" "Need URL - 2nd argument")

    AUTH_RES=""
    TRY=0

    while [ ${TRY} -ne 5 ] && [ "$AUTH_RES" = "" ] ; do
        AUTH_RES=$(echo -e "getToken\t$AUTH_USERNAME" | socat UNIX-CONNECT:$AUTH_URL -)

        if [[ $? != 0 ]]; then
            log "Failed to Local Authorize"
            exit -1
        fi

        if [[ "$AUTH_RES" = "" ]]; then
            log "Failed to obtain auth token from LOCAL_AUTH - $TRY"
            sleep 1
        fi


        ((TRY=TRY+1))
    done

    if [[ ${TRY} -eq 5 ]]; then
        log "Cannot connect to LOCAL_AUTH - 5 retries"
        exit -1
    fi

    AUTH_TOKEN=$AUTH_RES
}

function main
{
    VEEAMPN_TEST_LOG_FILE=/var/log/Veeam/veeampn/dns.log
    mkdir -p ${VEEAMPN_TEST_LOG_FILE%/*}

    LOCAL_UNIX_SOCKET="/var/run/veeampn/auth_srv"
    LOCAL_PORT=12345

    LOCAL_call_authorize "localavas" "$LOCAL_UNIX_SOCKET"

    URL="http://localhost:$LOCAL_PORT"

    mgmt_get_version $URL/mgmt
    log "-VERSION=$VERSION-" $(echo $CALL_RES | jq '.result')
    mgmt_get_op_mode $URL/mgmt
    log "-CURRENT_MODE=$OPMODE-"

    if [[ -r "$OUTPUT_FILE"temp ]];
    then
        rm  "$OUTPUT_FILE"temp
    fi
    touch   "$OUTPUT_FILE"temp

    call_jsonrpc '{ "jsonrpc":"2.0","method" : "getConnections", "params" : { "showOnlyConnected":false}, "id" : 123 }'   "$URL/monitor"
    # Single jq pass: skip connections that have no IP, and hand the suffix to jq
    # with --arg so that no shell variable is spliced into the filter text
    printf '%s\n' "$CALL_RES" | jq -r --arg suffix "$DNS_SUFFIX" \
        '.result.connections[]? | select(.ip != null) | "\(.ip)  \(.name) \(.name)\($suffix)"' >> "$OUTPUT_FILE"temp

    mv  "$OUTPUT_FILE"temp  "$OUTPUT_FILE"
}


main
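
An added example, not part of the original post or of VeeamPN: because connection names end up in a file that dnsmasq serves through --addn-hosts, this filter keeps only well-formed lines in the format the script above writes before the file is swapped into place. The function names, the constructed sample lines and the use of pkill to send SIGHUP are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the line format the
# script above writes: "<ip>  <name> <name><DNS_SUFFIX>".

# filter_hosts SUFFIX: read candidate lines on stdin, print only entries with
# a valid IPv4 address, a single-label name, and exactly name+SUFFIX as FQDN.
filter_hosts() {
    awk -v suffix="$1" '
    function valid_ip(ip,    o, i) {
        if (split(ip, o, "[.]") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || (o[i] + 0 > 255)) return 0
        return 1
    }
    function valid_label(h) {   # no dots, so a name cannot shadow a real FQDN
        return length(h) <= 63 && h ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/
    }
    NF == 3 && valid_ip($1) && valid_label($2) && $3 == ($2 suffix) {
        print $1, $2, $3
    }'
}

# install_hosts SRC DST SUFFIX: filter SRC, replace DST atomically, and
# print the number of entries kept.
install_hosts() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if filter_hosts "$3" < "$1" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$2" && awk 'END { print NR }' "$2"
    else
        rm -f "$tmp"; return 1
    fi
}

# reload_dnsmasq: dnsmasq re-reads --addn-hosts files on SIGHUP (pkill is an
# assumption; not called below).
reload_dnsmasq() { pkill -HUP -x dnsmasq; }

# Constructed sample lines: only the first two should survive the filter.
sample_lines() {
    cat <<'EOF'
10.9.0.4  nas-site-b nas-site-b.veeampn.loc
10.9.0.5  5075084332071946027 5075084332071946027.veeampn.loc
10.9.0.6  www.example.com www.example.com.veeampn.loc
10.9.0.300  laptop laptop.veeampn.loc
10.9.0.7  phone phone.example.com
10.9.0.8  bad name bad name.veeampn.loc
EOF
}

sample_lines | filter_hosts ".veeampn.loc"
```

Run it between the generating script and dnsmasq, for example `install_hosts /etc/hosts_veeampn /etc/hosts_veeampn.checked .veeampn.loc`, and point --addn-hosts at the checked file (the `.checked` path is a hypothetical name).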


bru57330
Lurker

Re: VeeamPN and static client ip

Post by bru57330 »

Hi,
I have the same needs, for backups with 2 Synology NAS.
I have a VeeamPN in my house and it works perfectly for mobile devices. I need a fixed IP for 1 device, which is in my father's house.
I tried the same as "doublem", the standard OpenVPN configuration with the "client-config-dir" option, but this doesn't work, and I don't understand why, because VeeamPN uses the OpenVPN binary...

Does anyone have a solution to force an IP for 1 client? I would like to keep VeeamPN for my home VPN. Everything works great; I only need a fixed IP.

Regards.
HannesK
Product Manager

Re: VeeamPN and static client ip

Post by HannesK »

Hello,
and welcome to the forums.

Chances are low that anyone found a solution, as my colleague from above is directly involved in the development of this product.

As chances for new features in the foreseeable future are low, I suggest trying the DNS workaround or an alternative VPN solution.

Best regards,
Hannes
bru57330
Lurker

Re: VeeamPN and static client ip

Post by bru57330 »

Hello, thank you for the response.
It is a pity that a fixed IP per customer is not possible, but OK.

I tried to use the script, but I get this error:

2021/10/08 19:33:25 socat[24886] E connect(5, AF=1 "<anon>", 2): Invalid argument
createhost.sh: 23: createhost.sh: [[: not found
createhost.sh: 28: createhost.sh: [[: not found
2021/10/08 19:33:25 socat[24890] E connect(5, AF=1 "<anon>", 2): Invalid argument

Regards.