BackupPC assumes your mobile hosts will occasionally visit your network and allows backup of those hosts while they are on your local network. But what if you need to back up mobile Windows hosts that NEVER connect to your BackupPC LAN? We will use OpenVPN to build a VPN connection between the client and the BackupPC server, and we will configure the BackupPC server to back up via an Rsync Server on the BackupPC client. This solution is working well for several remote PCs (Windows XP) and servers (Windows 2000).
Due to the nature of mobile users, the BackupPC server may not be able to reliably locate and connect to the SSH service on these PCs. Besides, numerous users have reported problems with BackupPC via SSH, due to an alleged bug in the Cygwin SSH server. If your Windows PC is accessible via SSH, running BackupPC via rsync over an SSH tunnel works fine: simply write pre-backup and post-backup scripts to set up the SSH tunnel and tear it down when you are finished.
I have found that using a combination of OpenVPN and Cygwin Rsync Server works well when performing backups of mobile Windows PCs. We use OpenVPN to maintain a secure connection between the PC and the BackupPC server. We then configure BackupPC to connect to the Rsync Server on the Windows PC via the VPN connection. The ONLY problem we have had with this is reminding users to make sure their OpenVPN connection is always working. The Windows GUI for OpenVPN does not always reconnect to the BackupPC server automatically after a laptop suspends and resumes. It generally does fine between reboots, though.
The documentation below assumes you are already successfully using BackupPC to back up local hosts. It does not cover installation or configuration of BackupPC for local hosts.
Preparing SSL Certificates for OpenVPN server
OpenVPN requires one SSL certificate for your OpenVPN server and one SSL certificate for each OpenVPN client. We will assume you do not already have a public key infrastructure in place. We will begin by creating a Certificate Authority (CA) key, then we will create a key for the server (signed by CA key) and a key for the first client (also signed by the CA key). You will need to create an additional key for each additional client.
NOTE: If you are managing a large number of hosts, you should replace the example common names and file names with actual hostnames for the BackupPC server (e.g. backuppc.example.com) and each BackupPC client (e.g. laptop3241.example.com). This will make it much easier for you to manage a large number of certificates.
# Create a directory for storing your certificates
mkdir /opt/ssl
chmod 700 /opt/ssl
cd /opt/ssl

# Generating Certificate Authority Keys (Common Name: "ca")
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# Generating OpenVPN Server Keys (Common Name: "server")
# "openssl req -new" writes the new private key to privkey.pem; the
# "openssl rsa" step removes its passphrase so OpenVPN can start unattended.
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
# "openssl ca" needs the CA database (index.txt, serial) named in the
# [ CA_default ] section of openssl.cnf; create those before the first signing.
openssl ca -policy policy_anything -cert ca.crt -in server.csr \
    -keyfile ca.key -days 365 -out server.crt

# Generating OpenVPN Client Keys (Common Name: "client1")
openssl req -new -out client1.csr
openssl rsa -in privkey.pem -out client1.key
openssl ca -policy policy_anything -cert ca.crt -in client1.csr \
    -keyfile ca.key -days 365 -out client1.crt
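As an added example (not the author's commands above), here is the same PKI built unattended with plain openssl: one CA, one server certificate, and one certificate per client, each keyed by the Common Name that the ccd/ and /etc/hosts entries later depend on. It differs from the commands above in a few ways: it signs with openssl x509 instead of openssl ca (so no CA database is needed), it marks server and client certificates with distinct extendedKeyUsage values so a client certificate can never pass as the server, it uses 2048-bit keys, and it leaves the CA key unencrypted and relies on the 0700 directory instead of the -des3 passphrase. The directory path and the names are arguments you choose; the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's script. Assumes openssl is in PATH.
set -eu

# make_ca DIR: create DIR (0700, as the page does for /opt/ssl) with ca.key and ca.crt.
make_ca() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    # Unencrypted CA key so this runs unattended; protect it with the 0700
    # directory and keep it off any machine that does not need to sign.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=ca" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# make_cert DIR NAME ROLE: issue NAME.key and NAME.crt signed by the CA in DIR.
# ROLE is "server" or "client" and selects the extendedKeyUsage; NAME becomes
# the Common Name and the file basename, which ccd/ and /etc/hosts are keyed on.
make_cert() {
    dir=$1; name=$2; role=$3
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    ext="$dir/$name.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$ext"
    # -nodes: no passphrase on the key, so the OpenVPN service can start unattended.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
    rm -f "$ext" "$dir/$name.csr"
}

# verify_cert DIR NAME: 0 when NAME.crt chains to ca.crt and carries CN=NAME.
verify_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$name.crt" -noout -subject | grep -q "CN *= *$name\$"
}

# Stand-alone use:  sh make-pki.sh demo /opt/ssl client1 client2 ...
if [ "${1:-}" = "demo" ] && [ $# -ge 2 ]; then
    pki=$2; shift 2
    make_ca "$pki"
    make_cert "$pki" server server
    for c in "$@"; do make_cert "$pki" "$c" client; done
    for n in server "$@"; do verify_cert "$pki" "$n" && echo "$n.crt: OK"; done
fi
```

Each client gets its own key pair; revoking one laptop later means revoking one certificate, not re-keying the server.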
Install and Configure OpenVPN on the BackupPC server
cd /opt/
wget http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el4.rf.i386.rpm
wget http://dag.wieers.com/packages/lzo/lzo-1.08-4.2.el4.rf.i386.rpm
rpm -ivh lzo-1* openvpn*
cd /etc/openvpn/
vi server.conf        # see the server.conf download link below
cp /opt/ssl/ca.crt .
cp /opt/ssl/server.crt .
cp /opt/ssl/server.key .
openssl dhparam -out dh1024.pem 1024
chkconfig openvpn on
service openvpn restart
If you are running an iptables firewall, you must accept OpenVPN traffic (1194/udp) on the BackupPC server. Edit your iptables configuration and add the rule shown below right above or right below the similar UDP rules. Afterwards, restart iptables to force the change to take effect.
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT

service iptables restart
Install and Configure OpenVPN on the BackupPC client
Download and install the newest Windows OpenVPN GUI package with TAP interface from the following website. During installation, accept all of the default options. You MUST reboot after installation, or else the VPN connections will not work properly. When you are finished, you should have a new OpenVPN GUI icon in your tray and a new TAP interface in your list of Network Connections.
Website Link: http://openvpn.se/
For this example, we used OpenVPN 2.09 GUI 1.0.3. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!
COMMON PROBLEM: The TAP interface does not appear in your Network Connections. If this happens, your registry is missing one of the following keys/folders that is required for TAP interface installation (who knows why; it doesn't appear to be used). Simply create an empty key/folder in its place, then uninstall OpenVPN, then reinstall OpenVPN.
After installing the OpenVPN GUI, you need to copy several files to the following directory. Be sure to rename the client files to client.crt and client.key. This allows you to use the same OpenVPN config file (.ovpn) on each mobile computer.
C:\Program Files\OpenVPN\config\
    ca.crt        # copied from /opt/ssl/ca.crt on your BackupPC server
    client.crt    # copied from /opt/ssl/client1.crt on your BackupPC server
    client.key    # copied from /opt/ssl/client1.key on your BackupPC server
    server.ovpn   # download via link below
Download Link: server.ovpn
You must edit “server.ovpn” and change “backuppc.example.com” (see line 41) to the actual hostname of your BackupPC server. Your mobile PCs should be able to PING the BackupPC server via this hostname.
FIREWALL NOTE: If you are using firewall(s), you will need to allow OpenVPN traffic (1194/udp) from the mobile PCs to the server. Be sure to update firewalls that may restrict outbound traffic on the mobile PC network as well as firewalls that may restrict incoming traffic on the BackupPC server network. Most importantly, be sure to update your host based firewall on your BackupPC server so that it does not block these incoming connections. An example for updating the iptables firewall running on your BackupPC server was shown above.
When you are finished, you should be able to ping your BackupPC server (10.8.0.1) from your BackupPC client. You should also be able to ping your BackupPC client from your BackupPC server. The IP address assigned by the VPN should appear in a balloon popup window when your OpenVPN GUI tray icon changes to a green color.
NOTE: If you can ping the server from the client, but not vice-versa, check your Windows Firewall. You may need to allow Incoming Echo Requests under ICMP Settings on the Advanced firewall configuration tab.
Configure OpenVPN to Start Connection Automatically
OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect, simply add "--connect client1.ovpn" to the command that starts the OpenVPN GUI.
In Windows, you need to append it to the following registry value. Download Link: OpenVPN-Startup.reg (right-click, save, and run)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe --connect client1.ovpn"
Change client1 as needed for the name of each client config file.
Configure OpenVPN server Static IP for “client1” (first client)
You must assign a static IP address to each VPN client so that the BackupPC server can locate the correct client each time it performs a backup of the client.
cd /etc/openvpn/

vi ccd/client1        # file name MUST match the Common Name on the client SSL certificate
ifconfig-push 10.9.0.1 10.9.0.2

vi /etc/hosts         # hostname MUST match the Common Name on the client SSL certificate
10.9.0.1 client1
Configure OpenVPN server Static IP for “client2” (additional clients)
Routing for the static IP above has already been configured. You must configure routing for each new static IP block as shown below.
cd /etc/openvpn/

vi ccd/client2        # file name MUST match the Common Name on the client SSL certificate
ifconfig-push 10.9.0.5 10.9.0.6

vi server.conf        # configure routing for the new static IP block (near similar line 152)
route 10.9.0.4 255.255.255.252

vi /etc/hosts         # hostname MUST match the Common Name on the client SSL certificate
10.9.0.5 client2
Download Link: server.conf
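The two client sections above hinge on three things agreeing: the ccd/ file name and the /etc/hosts name must both equal the certificate Common Name, the two addresses in ifconfig-push must form a valid pair, and server.conf must carry a route for each client's /30. As an added example (not part of the original page or of OpenVPN), the script below checks all three over the layout the page uses. It assumes the server.conf route lines and ccd/ files look exactly as shown above; the [4n+1, 4n+2] pair rule is the one OpenVPN documents for ifconfig-push on Windows TAP clients (10.9.0.1/10.9.0.2 and 10.9.0.5/10.9.0.6 are valid, 10.9.0.3/10.9.0.4 is not). The sample layout it builds for its own demo is constructed from the page's client1 and client2 values.

```shell
#!/bin/sh
# Added example, not the page's code. Usage: sh check-ccd.sh CCD_DIR HOSTS_FILE SERVER_CONF
# (with no arguments it checks a constructed sample of the page's two clients).

# Dotted quad -> integer, and back (%.0f keeps awk from printing large values in e-notation).
ip2int() { printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'; }
int2ip() { awk -v n="$1" 'BEGIN { printf "%d.%d.%d.%d\n", int(n/16777216)%256, int(n/65536)%256, int(n/256)%256, n%256 }'; }

# OpenVPN net30 topology: each client gets a /30 whose local/remote pair must be [4n+1, 4n+2].
valid_net30_pair() {
    l=$(ip2int "$1"); r=$(ip2int "$2")
    [ $((l % 4)) -eq 1 ] && [ "$r" -eq $((l + 1)) ]
}

# Network address of the /30 holding a valid local endpoint (10.9.0.5 -> 10.9.0.4).
net30_of() { int2ip $(( $(ip2int "$1") - 1 )); }

# check_ccd CCD_DIR HOSTS_FILE SERVER_CONF: prints one line per problem, returns the count.
check_ccd() {
    ccd=$1; hosts=$2; conf=$3; problems=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        set -- $(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$f")
        if [ $# -ne 2 ]; then
            echo "$name: no ifconfig-push line"; problems=$((problems + 1)); continue
        fi
        local_ip=$1; remote_ip=$2
        if ! valid_net30_pair "$local_ip" "$remote_ip"; then
            echo "$name: $local_ip $remote_ip is not a valid net30 pair"
            problems=$((problems + 1))
        fi
        # BackupPC resolves the client by name, so /etc/hosts must map the CN to the pushed address.
        if ! awk -v ip="$local_ip" -v n="$name" '$1 == ip && $2 == n { found = 1 } END { exit !found }' "$hosts"; then
            echo "$name: no '$local_ip $name' entry in $hosts"
            problems=$((problems + 1))
        fi
        # The /30 lies outside the server pool, so server.conf must route it into the tunnel.
        net=$(net30_of "$local_ip")
        if ! grep -q "^route $net 255.255.255.252" "$conf"; then
            echo "$name: missing 'route $net 255.255.255.252' in $conf"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# make_sample DIR: constructed layout with the page's client1 and client2 settings.
make_sample() {
    d=$1; mkdir -p "$d/ccd"
    printf 'ifconfig-push 10.9.0.1 10.9.0.2\n' > "$d/ccd/client1"
    printf 'ifconfig-push 10.9.0.5 10.9.0.6\n' > "$d/ccd/client2"
    printf '127.0.0.1 localhost\n10.9.0.1 client1\n10.9.0.5 client2\n' > "$d/hosts"
    printf 'server 10.8.0.0 255.255.255.0\nclient-config-dir ccd\nroute 10.9.0.0 255.255.255.252\nroute 10.9.0.4 255.255.255.252\n' > "$d/server.conf"
}

if [ $# -eq 3 ]; then
    check_ccd "$1" "$2" "$3"
else
    d=$(mktemp -d); make_sample "$d"
    check_ccd "$d/ccd" "$d/hosts" "$d/server.conf" && echo "sample layout is consistent"
    rm -rf "$d"
fi
```

Run it from /etc/openvpn after adding each client; a non-zero exit with the printed reasons is quicker than discovering at backup time that BackupPC resolved the name to the wrong tunnel address.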
Install and Configure Cygwin Rsync Server on the BackupPC client
CYGWIN NOTE: If you are only using Cygwin to run an Rsync Server on your client PC, then you can use the standalone installation package for the Cygwin Rsync Server below. If you are using other Cygwin items on the client PC, you need to install the Rsync Server through the standard Cygwin setup menu. We will assume no other Cygwin software is installed.
Download and install the newest Cygwin Rsync Server (cwRsync Server) package from the following website. During installation, accept all of the default options. You can ignore the service account password. No need to reboot after installation. When you are finished, confirm that you have a new Rsync Server service in your list of Windows Services. Configure the service for “automatic” startup rather than “manual” startup.
Website Link: http://www.itefix.no/phpws/
For this example, we used Cygwin Rsync Server 2.0.10. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!
COMMON PROBLEM: The "Rsync Server" service does not appear in the service list. Conflicting versions of Cygwin software on a system WILL cause you problems, so uninstall other Cygwin software packages if possible. We had to uninstall the older Cygwin-based SSH tools we previously used to back up these Windows PCs before we could successfully install a working copy of the Cygwin Rsync Server.
After installing the Cygwin Rsync Server, you need to copy several files to the following directory. I recommend you generate a new random password for the rsyncd.secrets file on each client computer. Each line of the rsyncd.secrets file contains a valid username/password pair for the Rsync Server.
C:\Program Files\cwRsyncServer\
    rsyncd.conf           # downloaded via link below
    etc\rsyncd.secrets    # downloaded via link below
After you have finished configuring rsync (above), start/restart the Rsync Server service. You can do this through Windows Services or by using the following commands.
net stop rsyncserver
net start rsyncserver
NOTE: You can confirm that the Rsync Server is running via "netstat -an" and checking that TCP port 873 is LISTENING. You can also confirm that the Rsync Server is running via "telnet localhost 873", which should show you "@RSYNCD: 29" (press CTRL+] to exit, then type "quit" to close telnet). If either of these tests fails, restart Rsync Server and test again.
You should be able to connect to the Rsync Server from the BackupPC server over the VPN. If you cannot, you will need to allow an exception for “Rsync Server” port “873” protocol “TCP” in your Windows Firewall.
[root@backuppc backuppc]# telnet 10.9.0.1 873
Trying 10.9.0.1...
Connected to client1 (10.9.0.1).
Escape character is '^]'.
@RSYNCD: 29
Once you have confirmed you can connect to the Rsync Server on the Windows client from the BackupPC server, you can configure client backups on the BackupPC server.
Configure client on the BackupPC server
Edit the following files within your BackupPC directory.
conf/hosts              # add a host entry similar to the example below
pc/client1/config.pl    # downloaded via link below

Example Host Entry:
client1 0 email@example.com client1user
Download Link: config.pl
You must update the client IP address in config.pl (line 8, line 16) to reflect the VPN address you assigned to the client. BackupPC will connect to the Rsync Server on this IP address.
You must update the client password in config.pl (line 19) to reflect the password you assigned in “rsyncd.secrets” file.
NOTE: Use WordPad to edit these files (not NotePad). Be sure that you have several blank lines at the end of your “rsyncd.secrets” file. Due to a bug with the Cygwin Rsync Server, it cannot read a username/password pair if it is in the last line of the secrets file.
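As an added example (not the page's config.pl or rsyncd.secrets, which are download links), the script below does the per-client credential work described in the last few sections from the BackupPC server: it generates the fresh random password recommended for each client, writes an rsyncd.secrets that keeps the username/password pair off the last line (the cwRsync bug noted above), and prints the matching config.pl lines. The $Conf{...} names are BackupPC's standard rsyncd settings; which of them sit on lines 8, 16 and 19 of the author's config.pl is my assumption, and the username "backuppc" and the share name "cDrive" are placeholders for whatever your rsyncd.conf defines.

```shell
#!/bin/sh
# Added example, not the page's code.
# Usage: sh provision-client.sh CLIENT VPN_IP   (writes ./CLIENT/rsyncd.secrets, prints config.pl lines)

# 36 hex characters from the kernel RNG: one fresh password per client.
gen_password() { head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# write_secrets FILE USER PASSWORD
# The entry is followed by two blank lines because cwRsync cannot read a
# username/password pair that sits on the final line of the file.
write_secrets() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf '%s:%s\n\n\n' "$user" "$pass" > "$file" )
}

# secrets_ok FILE: 0 when FILE holds at least one USER:PASS entry and that
# entry is not the last line (i.e. the trailing blank lines are present).
secrets_ok() {
    awk -F: 'NF >= 2 && $1 != "" && $2 != "" { entry = NR } END { exit !(entry && entry < NR) }' "$1"
}

# config_fragment VPN_IP USER PASSWORD [MODULE]
# Emits the rsyncd settings for pc/<client>/config.pl on the BackupPC server.
config_fragment() {
    ip=$1; user=$2; pass=$3; module=${4:-cDrive}   # "cDrive" is a placeholder module name
    cat <<EOF
\$Conf{XferMethod}      = 'rsyncd';
\$Conf{ClientNameAlias} = '$ip';        # static VPN address pushed by ccd/<client>
\$Conf{RsyncdUserName}  = '$user';
\$Conf{RsyncdPasswd}    = '$pass';      # must equal the entry in rsyncd.secrets on the client
\$Conf{RsyncShareName}  = ['$module'];  # module(s) defined in the client's rsyncd.conf
EOF
}

if [ $# -eq 2 ]; then
    client=$1; vpn_ip=$2
    pw=$(gen_password)
    mkdir -p "$client"
    write_secrets "$client/rsyncd.secrets" backuppc "$pw"
    secrets_ok "$client/rsyncd.secrets" && echo "# $client/rsyncd.secrets written; copy it to etc\\rsyncd.secrets on the client"
    config_fragment "$vpn_ip" backuppc "$pw"
fi
```

Copy the generated rsyncd.secrets to C:\Program Files\cwRsyncServer\etc\ on the client and paste the printed lines into pc/<client>/config.pl; the password then lives in exactly two places, both owned by root or the service account.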
Afterwards, reload the BackupPC server so that it will read these new configuration settings.
[root@backuppc pc]# service backuppc reload
The new client should appear in your BackupPC interface and can now be backed up!
2006/12/01 – Jason Klein