Using BackupPC with mobile Windows XP clients via OpenVPN and Cygwin Rsync Server

BackupPC assumes your mobile hosts will occasionally visit your network and allows backup of those hosts while they are on your local network. But what if you need to back up mobile Windows hosts that NEVER connect to your BackupPC LAN? We will use OpenVPN to build a VPN connection between the client and the BackupPC server. We will configure the BackupPC server to back up via an Rsync Server on the BackupPC client. This solution is working well for several remote PCs (Windows XP) and Servers (Windows 2000).

Due to the nature of mobile users, the BackupPC server may not be able to reliably locate and connect to the SSH service on these PCs. Besides, numerous users have reported problems with BackupPC via SSH, due to an alleged bug in the Cygwin SSH server. If your Windows PC is accessible via SSH, running BackupPC via rsync over an SSH tunnel works fine. Simply write pre-backup and post-backup scripts to initiate an SSH tunnel and tear down the SSH tunnel when you are finished.

I have found that using a combination of OpenVPN and Cygwin Rsync Server works well when performing backups of mobile Windows PCs. We use OpenVPN to maintain a secure connection between the PC and the BackupPC server. We then configure BackupPC to connect to the Rsync Server on the Windows PC via the VPN connection. The ONLY problem we have had with this is reminding users to make sure their OpenVPN connection is always working. The Windows GUI for OpenVPN does not always automatically reconnect to the BackupPC server between suspend-power operations on laptops. It generally does fine between reboots, though.

The documentation below assumes you are already successfully using BackupPC to back up local hosts. The documentation does not cover installation or configuration of BackupPC for local hosts.

Preparing SSL Certificates for OpenVPN server

OpenVPN requires one SSL certificate for your OpenVPN server and one SSL certificate for each OpenVPN client. We will assume you do not already have a public key infrastructure in place. We will begin by creating a Certificate Authority (CA) key, then we will create a key for the server (signed by CA key) and a key for the first client (also signed by the CA key). You will need to create an additional key for each additional client.

NOTE: If you are managing a large number of hosts, you should replace the example common names and file names with actual hostnames for the BackupPC server (e.g. backuppc.example.com) and each BackupPC client (e.g. laptop3241.example.com). This will make it much easier for you to manage a large number of certificates.

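# Create a directory for storing your certificates
mkdir /opt/ssl
chmod 700 /opt/ssl
cd /opt/ssl

# Generating Certificate Authority Keys (Common Name: "ca")
# NOTE: 1024-bit RSA is weak by current standards; use 2048 bits or more for new deployments
# The CA certificate is written as ca.crt, the name the later copy steps expect
openssl genrsa -des3 -out ca.key 1024
openssl req  -new -x509 -days 3650 -key ca.key -out ca.crt

# Generating OpenVPN Server Keys (Common Name: "server")
# "openssl req" writes the passphrase-protected key to privkey.pem (the default key file name in openssl.cnf);
# "openssl rsa" then writes an unencrypted copy, so the service can start without a passphrase prompt
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl ca -policy policy_anything -cert ca.crt -in server.csr \
	-keyfile ca.key -days 365 -out server.crt

# Generating OpenVPN Client Keys (Common Name: "client1")
openssl req -new -out client1.csr
openssl rsa -in privkey.pem -out client1.key
openssl ca -policy policy_anything -cert ca.crt -in client1.csr \
	-keyfile ca.key -days 365 -out client1.crt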

Install and Configure OpenVPN on the BackupPC server

cd /opt/
wget http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el4.rf.i386.rpm
wget http://dag.wieers.com/packages/lzo/lzo-1.08-4.2.el4.rf.i386.rpm
rpm -ivh lzo-1* openvpn*

cd /etc/openvpn/
vi server.conf
cp /opt/ssl/ca.crt .
cp /opt/ssl/server.crt .
cp /opt/ssl/server.key .
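# 1024-bit DH parameters are weak by current standards; if you generate a larger file, update the dh line in server.conf to match
openssl dhparam -out dh1024.pem 1024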

chkconfig openvpn on
service openvpn restart

If you are running an iptables firewall, you must accept OpenVPN traffic (1194/udp) on the BackupPC server. Edit your iptables script and add the rule shown below directly above or below similar UDP rules. Afterwards, restart iptables to force the changes to take effect.

vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT

service iptables restart

Install and Configure OpenVPN on the BackupPC client

Download and install the newest Windows OpenVPN GUI package with TAP interface from the following website. During installation, accept all of the default options. You MUST reboot after installation, or else the VPN connections will not work properly. When you are finished, you should have a new OpenVPN GUI icon in your tray and a new TAP interface in your list of Network Connections.

Website Link: http://openvpn.se/

For this example, we used OpenVPN 2.0.9 GUI 1.0.3. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link: http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

COMMON PROBLEM: The TAP interface does not appear in your Network Connections. If this happens, your registry is missing one of the following keys/folders that is required for TAP interface installation (who knows why, it doesn’t appear to be used). Simply create an empty key/folder in its place, then uninstall OpenVPN, then reinstall OpenVPN.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

After installing the OpenVPN GUI, you need to copy several files to the following directory. Be sure to rename the client files to client.crt and client.key. This allows you to use the same OpenVPN config file (.ovpn) on each mobile computer.

C:\Program Files\OpenVPN\config\

ca.crt		# copied from /opt/ssl/ca.crt on your BackupPC server
client.crt	# copied from /opt/ssl/client1.crt on your BackupPC server
client.key	# copied from /opt/ssl/client1.key on your BackupPC server
server.ovpn	# download via link below

Download Link: server.ovpn

You must edit “server.ovpn” and change “backuppc.example.com” (see line 41) to the actual hostname of your BackupPC server. Your mobile PCs should be able to PING the BackupPC server via this hostname.

FIREWALL NOTE: If you are using firewall(s), you will need to allow OpenVPN traffic (1194/udp) from the mobile PCs to the server. Be sure to update firewalls that may restrict outbound traffic on the mobile PC network as well as firewalls that may restrict incoming traffic on the BackupPC server network. Most importantly, be sure to update your host based firewall on your BackupPC server so that it does not block these incoming connections. An example for updating the iptables firewall running on your BackupPC server was shown above.

When you are finished, you should be able to ping your BackupPC server (10.8.0.1) from your BackupPC client. You should also be able to ping your BackupPC client from your BackupPC server. The IP address assigned by the VPN should appear in a balloon popup window when your OpenVPN GUI tray icon changes to a green color.

NOTE: If you can ping the server from the client, but not vice-versa, check your Windows Firewall. You may need to allow Incoming Echo Requests under ICMP Settings on the Advanced firewall configuration tab.

Configure OpenVPN to Start Connection Automatically

OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:

  --connect client1.ovpn

In Windows, you need to append it to the openvpn-gui value under the following registry key. You can do this with OpenVPN-Startup.reg (right-click, save, and run):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --connect client1.ovpn"

Change client1 as needed for the name of each client config file.

Configure OpenVPN server Static IP for “client1” (first client)

You must assign a static IP address to each VPN client so that the BackupPC server can locate the correct client each time it performs a backup of the client.

cd /etc/openvpn/
vi ccd/client1	# file name MUST match the Common Name on client SSL certificate
ifconfig-push 10.9.0.1 10.9.0.2

vi /etc/hosts	# hostname MUST match the Common Name on client SSL certificate
10.9.0.1                client1

Configure OpenVPN server Static IP for “client2” (additional clients)

Routing for the static IP above has already been configured. You must configure routing for each new static IP block as shown below.

cd /etc/openvpn/
vi ccd/client2  # file name MUST match the Common Name on client SSL certificate
ifconfig-push 10.9.0.5 10.9.0.6

vi server.conf	# configure routing for new static IP (near similar line 152)
route 10.9.0.4 255.255.255.252

vi /etc/hosts   # hostname MUST match the Common Name on client SSL certificate
10.9.0.5                client2

Download Link: server.conf
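
The /30 addressing used in the two sections above, as an added example that is not part of the original article: each ifconfig-push pair must be the .1/.2, .5/.6, .9/.10 ... addresses of its own /30 block, which is what Windows TAP clients require. The function names and the zero-based client number are assumptions; the 10.9.0.x range and the route mask are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; the 10.9.0.x range and /30 route mask come from the article.
VPN_PREFIX="10.9.0"

# Non-negative decimal integer without leading zeros.
is_uint() {
    case "$1" in ""|*[!0-9]*|0?*) return 1 ;; esac
}

# The Common Name becomes a file name under ccd/, so reject path characters.
valid_cn() {
    case "$1" in ""|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Print "network client_ip server_end" for client number N (0..63).
block_for() {
    is_uint "$1" && [ "$1" -le 63 ] || return 1
    bf_net=$(( $1 * 4 ))
    echo "$VPN_PREFIX.$bf_net $VPN_PREFIX.$(( bf_net + 1 )) $VPN_PREFIX.$(( bf_net + 2 ))"
}

# Check a hand-written ifconfig-push pair: last octets must be 4k+1 and 4k+2.
valid_pair() {
    [ "${1%.*}" = "${2%.*}" ] || return 1
    is_uint "${1##*.}" && is_uint "${2##*.}" || return 1
    [ "${1##*.}" -le 253 ] && [ $(( ${1##*.} % 4 )) -eq 1 ] &&
        [ "${2##*.}" -eq $(( ${1##*.} + 1 )) ]
}

# Emit the three settings the article edits by hand for one client.
client_settings() {
    valid_cn "$1" || { echo "unsafe common name: $1" >&2; return 1; }
    cs_block=$(block_for "$2") || { echo "bad client number: $2" >&2; return 1; }
    set -- "$1" $cs_block    # now $2=network, $3=client IP, $4=server end
    printf 'ccd/%s: ifconfig-push %s %s\n' "$1" "$3" "$4"
    printf 'server.conf: route %s 255.255.255.252\n' "$2"
    printf '/etc/hosts: %s %s\n' "$3" "$1"
}

# Constructed sample run: the two clients configured in the article.
client_settings client1 0
client_settings client2 1
```

Running valid_pair against an existing ccd entry catches pairs such as 10.9.0.2 10.9.0.3, which straddle no valid /30 block.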

Install and Configure Cygwin Rsync Server on the BackupPC client

CYGWIN NOTE: If you are only using Cygwin to run an Rsync Server on your client PC, then you can use the standalone installation package for the Cygwin Rsync Server below. If you are using other Cygwin items on the client PC, you need to install the Rsync Server through the standard Cygwin setup menu. We will assume no other Cygwin software is installed.

Download and install the newest Cygwin Rsync Server (cwRsync Server) package from the following website. During installation, accept all of the default options. You can ignore the service account password. No need to reboot after installation. When you are finished, confirm that you have a new Rsync Server service in your list of Windows Services. Configure the service for “automatic” startup rather than “manual” startup.

Website Link: http://www.itefix.no/phpws/

For this example, we used Cygwin Rsync Server 2.0.10. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link: http://superb-west.dl.sourceforge.net/sourceforge/sereds/cwRsync_Server_2.0.10_Installer.zip

COMMON PROBLEM: The “Rsync Server” service does not appear in the service list. Conflicting versions of Cygwin software on a system WILL cause you problems, so uninstall other Cygwin software packages if possible. We had to uninstall older Cygwin-based SSH tools we previously used to back up these Windows PCs before we could successfully install a working copy of the Cygwin Rsync Server.

After installing the Cygwin Rsync Server, you need to copy several files to the following directory. I recommend you generate a new random password for the rsyncd.secrets file on each client computer. Each line of the rsyncd.secrets file contains a valid username/password for the Rsync Server.

C:\Program Files\cwRsyncServer\

rsyncd.conf		# downloaded via link below
etc\rsyncd.secrets	# downloaded via link below

Download Link: rsyncd.conf
Download Link: rsyncd.secrets

After you have finished configuring rsync (above), start/restart the Rsync Server service. You can do this through Windows Services or by using the following commands.

net stop rsyncserver
net start rsyncserver

NOTE: You can confirm that the Rsync Server is running via “netstat -an” and confirming that TCP port 873 is LISTENING. You can also confirm that the Rsync Server is running via “telnet localhost 873” which should show you “@RSYNCD: 29” (press CTRL+] to exit, then type “quit” to close telnet). If either of these tests fails, restart Rsync Server and test again.

You should be able to connect to the Rsync Server from the BackupPC server over the VPN. If you cannot, you will need to allow an exception for “Rsync Server” port “873” protocol “TCP” in your Windows Firewall.

[root@backuppc backuppc]# telnet 10.9.0.1 873
Trying 10.9.0.1...
Connected to client1 (10.9.0.1).
Escape character is '^]'.
@RSYNCD: 29

Once you have confirmed you can connect to the Rsync Server on the Windows client from the BackupPC server, you can configure client backups on the BackupPC server.

Configure client on the BackupPC server

Edit the following files within your BackupPC directory.

conf/hosts		# add host entry similar to example below.
pc/client1/config.pl	# downloaded via link below

Example Host Entry:
client1		0       admin@example.com	client1user

Download Link: config.pl

You must update the client IP address in config.pl (line 8, line 16) to reflect the VPN address you assigned to the client. BackupPC will connect to the Rsync Server on this IP address.

You must update the client password in config.pl (line 19) to reflect the password you assigned in “rsyncd.secrets” file.

NOTE: Use WordPad to edit these files (not NotePad). Be sure that you have several blank lines at the end of your “rsyncd.secrets” file. Due to a bug with the Cygwin Rsync Server, it cannot read a username/password pair if it is in the last line of the secrets file.
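
One way to produce the per-client rsyncd.secrets file recommended earlier, with a random password and the trailing blank lines this note calls for (added example, not part of the original article). It assumes the file is generated on the BackupPC server and then copied to the client; the user name backuppc and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# 24 hex characters (96 bits) read from /dev/urandom.
random_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Write "user:password" followed by blank lines, readable by the owner only.
# Usage: write_secrets FILE USER   (prints the password for use in config.pl)
write_secrets() {
    ws_pass=$(random_password) || return 1
    [ -n "$ws_pass" ] || return 1
    ( umask 077 && printf '%s:%s\n\n\n\n' "$2" "$ws_pass" > "$1" ) || return 1
    echo "$ws_pass"
}

# Succeed only if the file holds at least one user:password line, nothing
# malformed, and ends in a blank line, so no credential sits on the last line.
check_secrets() {
    [ -s "$1" ] || return 1
    awk '
        /^[ \t\r]*$/   { last_blank = 1; next }
        /^#/           { last_blank = 0; next }
        /^[^:#]+:.+$/  { creds++; last_blank = 0; next }
                       { bad = 1 }
        END { exit !(creds > 0 && last_blank && !bad) }
    ' "$1"
}

# Constructed sample run against a temporary file.
demo=$(mktemp)
write_secrets "$demo" backuppc >/dev/null && check_secrets "$demo" &&
    echo "secrets file OK"
rm -f "$demo"
```

The value printed by write_secrets is the one to enter as the client password in config.pl.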

Afterwards, reload the BackupPC server so that it will read these new configuration settings.

[root@backuppc pc]# service backuppc reload

The new client should appear in your BackupPC interface and can now be backed up!

2006/12/01 – Jason Klein
