Veeam PN is a free virtual appliance which provides the options to securely connect virtually from anywhere to the desired network. It is based on a Linux Ubuntu operating system and uses OpenVPN as a backbone for different types of connections like point to site and site to site. Initially offered as the perfect companion to perform direct restores to Azure, in reality there are other interesting use cases which make Veeam PN a good choice:
- Securely connects devices to the network
- Extends networks to communicate with each other
- Provides connectivity between local networks within sites
So to give a better understanding on how Veeam PN could be used these are few examples:
- A remote worker that requires connection to company network. For example to network shares or internal website not published outside the corporate firewall
- Branch offices that need to communicate with each other and the main Headquarters
- Internal networks working “in silos” that require secure connections within same site or remote ones
In general the main requirements boil down to these scenarios which Veeam PN easily accomplishes leveraging OpenVPN to create the actual VPN connections. Veeam PN is completely wizard driven and is taking care of all these aspects reducing the need to run any command line or difficult configurations for network components including firewalls. In addition, all connections are secured with a certificate (either self-signed or from Certification Authority) making Veeam PN a flexible solution. There are other use case like sending data to the Cloud as well. Any Cloud. Really. All is required is to install the appliance to establish the connection. In the case of Microsoft Azure for example, Veeam PN is available for free from the Azure Market Place. This is a certified appliance from both Veeam and Microsoft. It could be used as a Hub for all remote connections or simply a network gateway to access the virtual networks running in Azure tenant site, thus extending the On-Premises network to the Cloud. Likewise this small appliance could also run into other Public Clouds offering the same capabilities. By leveraging the Veeam PN installation into a Cloud like the Azure and AWS options, all connections from sites, offices and even standalone devices can point to the same “Hub” which is highly available.
There are two major components: the “Network Hub” and “Site Gateways”
Network Hub: the Hub is the main appliance where all the remote connection will be pointing at. It’s the main component acting as VPN server. The Hub is responsible for creating and managing connections along with other settings including reporting and configuration for itself.
Site Gateways: for site to site scenarios the Hub can be installed in “Gateway mode” acting as a connection point between the primary and remote sites. In this case the Hub on primary site will generate a configuration file the Site Gateways will use to establish the VPN.
In this article we’ll explore the deployment and first configuration phase for Veeam PN.
Veeam PN appliance deployment
From Veeam website let’s download the free appliance. It comes in a format of VMware virtual appliance template. From the Data Center level in vSphere Client let’s deploy a virtual machine from a template and point to the .ova file.
Let’s specify the name of the Veeam PN appliance and the desired location.
At this point we can select the vSphere Host which will be associated to Veeam PN appliance.
A review page shows the storage requirements for the Veeam PN deployment. When thick provisioned the size is not that big (about 16GB) so depending on resources we could choose between disk modes. Either initial 2.5 GB or allocated 16 GB.
In the next screen we can now select the location for the virtual disk files.
The virtual appliance comes with a single vnic that should be connected to the same port group used for “production”.
And a final page shows the final option before amending changes.
The deployment is really a quick process. The Veeam PN appliance is then rebooted offering the console login.
Default username and password are “root” and “VeeamPN”.
Let’s use the console to determine the current IP address assigned to the virtual appliance via DHCP.
At this point we could configure Veeam PN using the command line or using a Web browser. The latter comes handy for sure!
On the first access we have to reset the password for root account.
Veeam PN can be installed as “Network Hub” or “Site Gateway”. First step is the Network Hub.
Veeam PN generates a self-signed certificate to encrypt the VPN connections from the remote clients. Encryption level can be changed. Once configured, it is only possible to change the self generated certificate by running a reset from the system settings. This will also wipe the client connections files which have to be recreated. another option to add custom certificates (eg. from Let’s Encrypt) is to use the terminal connection directly from the VMware console, Azure or AWS in case Veeam PN is running in any of these environments. An example would be something like this:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
and to install the certificate:
sudo certbot –apache
More info are available here on the user-guide. For this setup the custom self-signed certificate will be used.
Veeam PN is now ready to generate the encryption keys.
In this step we can configure essential parameters. Most importantly the public IP address or DNS name of the Veeam PN appliance. By default site to site and point to site VPN connections services are enabled. We can change this at any time. In addition the option to use custom ports for remote sites and clients to connect to the Network Hub. When running the Hub behind a firewall these ports should be forwarded accordingly.
At this point the initial configuration for the Hub is concluded. The wizard suggests the next steps to configure additional sites and standalone devices. Let’s accept the message and proceed with a quick overview of the Hub settings.
In Services tab we have the option to enable/disable VPN services for sites and devices. These are global settings. More information on Clients section for granular control over these.
VPN tab is really important as the information specify here are used to create the configuration files both remote sites and standalone clients will use to connect to the main Hub. When these changes the remote connection need to download the new configuration files.
Alerts tab gives the option to configure actions like sending emails or even run custom scripts when specific event occur.
The SMTP tab provides the option to setup details about server and email to use for general notifications and alerts.
Very nicely Veeam PN has the option to check and run updates. This covers both operating system and security updates.
Last but not least in the System tab the option to enable SSH service to remotely access the Veeam PN appliance and the ability quickly backup and restore all settings including certificates.
This concludes the first part about Veeam PN deployment and configuration. In the next steps we’ll cover the configuration of standalone devices to securely connect to the main or production network.
Hi, Michele! In the end of installation VeeamPN appliance must have 2 vmnics? One for internal net and second for public net with public IP inside ubuntu? This public IP I must put in “network hub public ip” on VPN tab?
Hi Mike,
Thanks for your comment. Actually just one nic is required. This is because VeeamPN does NAT with the chosen tunnel network (by default 10.9.0.0). Hope this helps.
Thanks,
Michele
@Veeam PN generates a self-signed certificate to encrypt the VPN connections from the remote clients. Encryption level can be changed. Once configured, from the main GUI it is also possible to change the certificate with one trusted by Certification Authorities.@
How to do it through the GUI?
Question about change the certificate with one trusted by Certification Authorities.
Hi CA,
Thanks for your comment. You’re right the option is not there in the GUI other than running a reset which will restore initial settings before first setup. I will update the article!
Another way to import custom certificates is with command line. In this example using free SSL certs from Let’s Encrypt. More info here https://helpcenter.veeam.com/docs/veeampn/userguide/install_ssl_cert.html?ver=21
Hope this helps,
Michele