Direct Restore to Microsoft Azure | VeeamPN software-defined networking
SBarrett847
Service Provider
Posts: 310
Liked: 40 times
Joined: Feb 02, 2016 5:02 pm
Full Name: Stephen Barrett

VeeamPN - working, but only in one direction

Post by SBarrett847 » Oct 09, 2019 10:01 am

This is probably going to be something trivial.

I have a basic VeeamPN test setup I'm attempting to get working. I have 2 Ubuntu servers with VeeamPN installed. I have a Network Hub at Site A and a Site Gateway at Site B. They connect fine, and I can access the whole of Site B from my Server on Site A.

However I cannot access Site A from B. Everything seems to be correct, but it's like there is a firewall on the Site B Site gateway, preventing traffic being routed across the Tunnel.

This is my IP scheme.....

Site A: 192.168.202.0/24

Network mask: 255.255.255.0
Site gateway IP address: 192.168.202.138
Default gateway IP address: 192.168.202.2
Test Server IP address: 192.168.0.250
Route on Server --> route add 192.168.0.0 MASK 255.255.255.0 192.168.202.138 METRIC 10

Site B: 192.168.0.0/24

Network mask: 255.255.255.0
Site gateway IP address: 192.168.0.138
Default gateway IP address: 192.168.0.254
Test Server IP address: 192.168.0.110
Route on Server--> route add 192.168.202.0 MASK 255.255.255.0 192.168.0.138 METRIC 10

Site A VeeamPN Network Hub VM route table

root@veeampn:/etc/netplan# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wg.veeampn
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

Site B VeeamPN Site Gateway VM Route table.

root@veeampn:/home/veeampn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.210.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

The Route table on the Site gateway VM is missing a route to 192.168.202.0/24, this looks suspicious, or is this intended?

Anybody have any ideas?

IGolovenko
Veeam Software
Posts: 10
Liked: 4 times
Joined: Jul 31, 2018 12:37 pm
Full Name: Ilya Golovenko

Re: VeeamPN - working, but only in one direction

Post by IGolovenko » Oct 09, 2019 1:49 pm

Hello Stephen,

In your configs I see that test server on site A has the following IP:

Test Server IP address: 192.168.0.250

Shouldn't this be from 192.168.202.0/24 network, e.g. 192.168.202.250?

Re: VeeamPN - working, but only in one direction

Post by SBarrett847 » Oct 09, 2019 2:14 pm

Arghh apologies - a typo when creating the post - it is indeed 192.168.202.250

The more I look at this the more confused I get.

XML config file for remote Site Gateway.

<?xml version="1.0" encoding="UTF-8"?>
<Site xmlns="http://veeam.com/veeam-pn/2.0/site-config">
<Name>XXXXXXX</Name>
<Proto>udp</Proto>
<Port>1194</Port>
<Address>10.211.0.2/16</Address>
<PrivateKey> </PrivateKey>
<PresharedKey> </PresharedKey>
<ServerAddress>x.x.x.x</ServerAddress>
<ServerPublicKey> </ServerPublicKey>
<TunSecretKey></TunSecretKey>
<TunLocalAddress>10.212.0.2</TunLocalAddress>
<TunRemoteAddress>10.212.0.1</TunRemoteAddress>
</Site>

It would appear that the Client VeeamPN Site Gateway side doesn't get the correct config from the server? I've no idea where in the config the 10.210.0.0/16 network (seen on the allowed IPs on the Site gateway) is coming from. The XML doesn't contain it at all and the 10.212.0.1,2 tunnel endpoints aren't in use at all??

VeeamPN Network Hub

root@veeampn:/etc/netplan# wg
interface: wg.veeampn
  public key: 
  private key: (hidden)
  listening port: 1194

peer: 
  preshared key: (hidden)
  endpoint: x.x.x.x:34723
  allowed ips: 10.211.0.2/32, 192.168.0.0/24
  latest handshake: 8 seconds ago
  transfer: 512 B received, 656 B sent
  persistent keepalive: every 20 seconds

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.202.138  netmask 255.255.255.0  broadcast 192.168.202.255
        inet6 fe80::215:5dff:feca:fa2d  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:ca:fa:2d  txqueuelen 1000  (Ethernet)
        RX packets 125585729  bytes 122141702655 (122.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 125205167  bytes 124162344653 (124.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg.veeampn: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.211.0.1  netmask 255.255.0.0  destination 10.211.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 53  bytes 4688 (4.6 KB)
        RX errors 9  dropped 0  overruns 0  frame 9
        TX packets 56  bytes 5392 (5.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



VeeamPN Site Gateway

root@veeampn:/home/veeampn# wg
interface: wg.veeampn
  public key:  
  private key: (hidden)
  listening port: 1194

peer:  
  preshared key: (hidden)
  endpoint: x.x.x.x:1194
  allowed ips: 10.211.0.0/16, 10.210.0.0/16
  latest handshake: 29 seconds ago
  transfer: 124 B received, 420 B sent
  persistent keepalive: every 20 seconds

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.138  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::215:5dff:fe00:6e09  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:00:6e:09  txqueuelen 1000  (Ethernet)
        RX packets 121216743  bytes 120699998809 (120.6 GB)
        RX errors 0  dropped 329  overruns 0  frame 0
        TX packets 110455989  bytes 115163640795 (115.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg.veeampn: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.211.0.2  netmask 255.255.0.0  destination 10.211.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 72  bytes 7244 (7.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 76  bytes 6548 (6.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Re: VeeamPN - working, but only in one direction

Post by IGolovenko » Oct 09, 2019 2:53 pm

Addresses from 10.210.x.x network are used by OpenVPN endpoint clients.
Addresses from 10.212.x.x network are used by TUN interfaces (tun.veeampn) when site is configured to operate using TCP protocol.

Regarding the routing issue. I think you need to add a HUB site client on Veeam PN hub to enable routing for site A: https://helpcenter.veeam.com/docs/veeam ... ver=20#hub. This will add necessary IP routes and Allowed IPs to allow routing of Site A network.

Re: VeeamPN - working, but only in one direction

Post by SBarrett847 » Oct 09, 2019 3:13 pm

I knew it would be something relatively simple. :D
Regarding the routing issue. I think you need to add a HUB site client on Veeam PN hub to enable routing for site A: This will add necessary IP routes and Allowed IPs to allow routing of Site A network.
That was it. As soon as I added a Hub with the Site A IP, I had 2 way communication. Ideally the Documentation should have an ELI5 diagram for this. I didn't see it in any of the setup walk throughs.

Many thanks Ilya.
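
Added example, not part of the original thread: a small Python check that reads the `route` and `wg` output posted above and reports whether a packet to a given destination would be sent into the WireGuard tunnel. It models only the kernel's longest-prefix route match and WireGuard's allowed-IPs lookup on the sending side; the function names are made up for illustration and the embedded text is trimmed from the posts.

```python
import ipaddress

# Trimmed from the `route` and `wg` output posted in this thread.
HUB_ROUTE = """\
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wg.veeampn
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
HUB_WG = "  allowed ips: 10.211.0.2/32, 192.168.0.0/24\n"
GATEWAY_ROUTE = """\
default         _gateway        0.0.0.0         UG    0      0        0 eth0
10.210.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
GATEWAY_WG = "  allowed ips: 10.211.0.0/16, 10.210.0.0/16\n"

def parse_routes(text):
    """Return (network, iface) pairs from net-tools `route` output."""
    routes = []
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) != 8 or cols[0] == "Destination":
            continue  # banner, header or blank line
        net = "0.0.0.0/0" if cols[0] == "default" else f"{cols[0]}/{cols[2]}"
        routes.append((ipaddress.ip_network(net), cols[7]))
    return routes

def parse_allowed_ips(text):
    """Collect every peer's `allowed ips` networks from `wg` output."""
    nets = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "allowed ips":
            nets += [ipaddress.ip_network(n.strip()) for n in value.split(",")]
    return nets

def verdict(dest, route_text, wg_text, wg_iface="wg.veeampn"):
    """Say whether a packet to dest would be sent into the tunnel."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in parse_routes(route_text) if addr in r[0]]
    iface = max(matches, key=lambda r: r[0].prefixlen)[1]  # longest prefix wins
    if iface != wg_iface:
        return f"not tunneled: route sends it out {iface}"
    if not any(addr in n for n in parse_allowed_ips(wg_text)):
        return "dropped: destination not in any peer's allowed ips"
    return "tunneled"

print("hub -> 192.168.0.110:", verdict("192.168.0.110", HUB_ROUTE, HUB_WG))
print("gateway -> 192.168.202.250:", verdict("192.168.202.250", GATEWAY_ROUTE, GATEWAY_WG))
```

On the gateway, 192.168.202.250 falls through to the default route on eth0, which matches the missing 192.168.202.0/24 entry noted in the first post. A route alone would not be enough: without a matching allowed-IPs entry the second check still fails, which is why the fix described in the thread adds both.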
