I have a WireGuard VPN connection to another computer. I am able to do split tunnel VPN using TunnlTo. I have it set up so I send only specific traffic over the VPN. I need to specify the executable name in the VPN client for it to go over the VPN instead of “off the side”.
I tried to get Veeam Backup & Replication to do its backups of the server and replicate to the off-site server via the VPN. The only way to get it to work is to allow all traffic over the VPN and not split tunnel. That’s because I don’t know what executables are executing during the backup copy.
What I need to know is, what executables are executing during the backup process and the backup copy process. There are just so many executables, I don’t know which to allow and which to ignore.
To start I would look in Task Manager and use all EXE files that have Veeam in the name. There are many that run for jobs, etc. Will try to get a specific list but if it is just Veeam traffic then all of them should work.
What about just setting all traffic from that IP address to go over the tunnel?
That is another great option using network rules.
That won’t work. This computer is a Windows 10 computer that is used for many things, many that access the internet and we don’t want routed over the VPN. We just want the backup copy to be routed over the VPN.
@920cody - Keep in mind, the Backup Proxies are the components transferring the data. For Backup Copy: The source Proxy communicates with the source data (VMs) and then with the target Proxy. The target Proxy in turn communicates with the target Repository (2nd image below). This is essentially the same for Backups (1st image). (source) Proxies communicate with the source Data, which in turn communicates with the “local” Repository to transfer the data to it. VBR is nothing more than the ‘brains’ of it all, communicating with the Proxies, or other components if they’re used. The images below show it real well:
So, with the above info, you should basically be able to allow specific Port-level traffic based off Veeam’s Port requirements (assuming your VPN solution allows you to configure ports?):
This is what I get when I try to split tunnel. This is when I do a rescan of Vitalia Off-site share. The share is not available through the split tunnel. I’m not sure how to get around this. Researching this part...
Suncoast is the computer Veeam is running on. Vitalia is the remote computer that I have the tunnel to. If I don’t do split tunnel and everything goes through the tunnel, everything works. But, if I attempt a split tunnel, this is the end result. I’m just not sure how to go about setting up the split. I can go about it where I simply send everything through the tunnel, except various applications, such as msedge, outlook, etc. But, that’s not what I want. I prefer just the necessary components of Veeam Backup Copy to be able to see the remote backup copy repository and transfer over the necessary files.
Not sure if checking with support is an option but maybe at this point more technical assistance is needed.
Can you not add port traffic to allow in the VPN utility?
Do you have Proxies at both sites?...source and target? The communication channel should be for the Data Mover Service. If you use Windows servers as Proxies, you should be able to see what the .exe is for the service by going into Task Mgr and looking at the Details tab during a job run (or attempted job run). Then try to add that .exe to your VPN utility and see if it works.
Aside from that suggestion, if it doesn’t work, I agree with Chris on contacting Veeam Support.
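One way to capture what the Task Manager suggestion above is looking for, as an added example that is not part of the original thread: sample the TCP connections to the off-site machine while a job runs and list the executables that own them. `$PeerAddress` is a placeholder for the tunnel IP of the remote computer, and the sampling window is an assumption; run it from an elevated prompt while the full tunnel (the working configuration) is active.

```powershell
# Added example, not from the thread: record which processes open TCP
# connections to the off-site peer during a backup copy job.
param(
    [string]$PeerAddress     = '10.0.0.2',  # placeholder: tunnel IP of the remote machine
    [int]   $DurationSeconds = 300,         # assumption: long enough to cover the job start
    [int]   $IntervalSeconds = 2
)

$seen     = @{}
$deadline = (Get-Date).AddSeconds($DurationSeconds)

while ((Get-Date) -lt $deadline) {
    # Returns nothing (with a suppressed error) when no connection matches.
    $conns = Get-NetTCPConnection -RemoteAddress $PeerAddress -ErrorAction SilentlyContinue

    foreach ($c in $conns) {
        $key = '{0}|{1}' -f $c.OwningProcess, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }

        # Short-lived helpers may already be gone; Path is empty without elevation.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = '<exited>'
        $path = $null
        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path
        }

        # PID 4 ("System") owns kernel-initiated traffic such as SMB to a share
        # (remote port 445), so there is no user-mode .exe to add for it.
        $seen[$key] = [pscustomobject]@{
            Process    = $name
            Path       = $path
            ProcessId  = $c.OwningProcess
            RemotePort = $c.RemotePort
            State      = $c.State
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

$seen.Values | Sort-Object Process, RemotePort | Format-Table -AutoSize
```

Rows in `SynSent` state show processes that tried to reach the peer and were not answered, which is what a missing entry in a per-executable split tunnel looks like. Only TCP is sampled.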
Hi
I had a “similar issue” or need some time ago.
I’m using Tailscale for my backup.
It works great, sends a backup remotely to a different location over IP, as a “split tunnel”.
Check it out.
Cheers.
I took a look at your article and it looks like what I want to do. But, I can’t figure out how to set up the protected group. I did the following:
Type: Individual Computers
When adding the computers, I added the remote computer using its full DNS name created by Tailscale. I selected to use the Admin credentials created on the remote computer.
I selected the defaults for everything else. It created the protected group.
When it does the machine rescan, it fails with the following error message:
8/14/2024 10:39:42 AM Succeeded Processing vitalia.tail123a1b.ts.net
8/14/2024 10:40:57 AM Failed Unable to install backup agent: failed to connect to vitalia.tail123a1b.ts.net Error: The network path was not found. The network path was not found. (ERROR_BAD_NETPATH).
8/14/2024 10:40:57 AM Failed Processing finished with errors at 8/14/2024 10:40:57 AM
I tried replacing vitalia.tail123a1b.ts.net with vitalia by itself and still not connecting.
The Tailscale site states both machines are connected. I can also ping vitalia and vitalia.tail123a1b.ts.net.
In regards to the above message, using Tailscale and VBR, it appears to be a firewall issue. I’m unable to connect to the remote computer unless I turn off the firewall. But, I thought that was the whole point of using Tailscale. No need to mess with the firewall.