Home » Backup & Recovery » Veeam PN to connect from anywhere. Install and configuration

Veeam PN to connect from anywhere. Install and configuration

Veeam PN is a free virtual appliance which provides the options to securely connect virtually from anywhere to the desired network. It is based on a Linux Ubuntu operating system and uses OpenVPN as a backbone for different types of connections like point to site and site to site. Initially offered as the perfect companion to perform direct restores to Azure, in reality there are other interesting use cases which make Veeam PN a good choice:

  • Securely connects devices to the network
  • Extends networks to communicate with each other
  • Provides connectivity between local networks within sites

So to give a better understanding on how Veeam PN could be used these are few examples:

  • A remote worker that requires connection to company network. For example to network shares or internal website not published outside the corporate firewall
  • Branch offices that need to communicate with each other and the main Headquarters
  • Internal networks working “in silos” that require secure connections within same site or remote ones

In general the main requirements boil down to these scenarios which Veeam PN easily accomplishes leveraging OpenVPN to create the actual VPN connections. Veeam PN is completely wizard driven and is taking care of all these aspects reducing the need to run any command line or difficult configurations for network components including firewalls. In addition, all connections are secured with a certificate (either self-signed or from Certification Authority) making Veeam PN a flexible solution. There are other use case like sending data to the Cloud as well. Any Cloud. Really. All is required is to install the appliance to establish the connection. In the case of Microsoft Azure for example, Veeam PN is available for free from the Azure Market Place. This is a certified appliance from both Veeam and Microsoft. It could be used as a Hub for all remote connections or simply a network gateway to access the virtual networks running in Azure tenant site, thus extending the On-Premises network to the Cloud. Likewise this small appliance could also run into other Public Clouds offering the same capabilities. By leveraging the Veeam PN installation into a Cloud like the Azure and AWS options, all connections from sites, offices and even standalone devices can point to the same “Hub” which is highly available.

There are two major components: the “Network Hub” and “Site Gateways”

Network Hub: the Hub is the main appliance where all the remote connection will be pointing at. It’s the main component acting as VPN server. The Hub is responsible for creating and managing connections along with other settings including reporting and configuration for itself.

Site Gateways: for site to site scenarios the Hub can be installed in “Gateway mode” acting as a connection point between the primary and remote sites. In this case the Hub on primary site will generate a configuration file the Site Gateways will use to establish the VPN.

In this article we’ll explore the deployment and first configuration phase for Veeam PN.


Veeam PN appliance deployment

From Veeam website let’s download the free appliance. It comes in a format of VMware virtual appliance template. From the Data Center level in vSphere Client let’s deploy a virtual machine from a template and point to the .ova file.

domalab.com Veeam PN deploy ova

Let’s specify the name of the Veeam PN appliance and the desired location.

domalab.com Veeam PN ova select name

At this point we can select the vSphere Host which will be associated to Veeam PN appliance.

domalab.com Veeam PN ova compute resource

A review page shows the storage requirements for the Veeam PN deployment. When thick provisioned the size is not that big (about 16GB) so depending on resources we could choose between disk modes. Either initial 2.5 GB or allocated 16 GB.

domalab.com Veeam PN ova review details

In the next screen we can now select the location for the virtual disk files.

domalab.com Veeam PN ova select storage

The virtual appliance comes with a single vnic that should be connected to the same port group used for “production”.

domalab.com Veeam PN ova select network

And a final page shows the final option before amending changes.

domalab.com Veeam PN ova summary

The deployment is really a quick process. The Veeam PN appliance is then rebooted offering the console login.

domalab.com Veeam PN vmware remote console

Default username and password are “root” and “VeeamPN”.

domalab.com Veeam PN vmware remote console login

Let’s use the console to determine the current IP address assigned to the virtual appliance via DHCP.

domalab.com Veeam PN ifconfig

At this point we could configure Veeam PN using the command line or using a Web browser. The latter comes handy for sure!

domalab.com Veeam PN web console

On the first access we have to reset the password for root account.

domalab.com Veeam PN change password

Veeam PN can be installed as “Network Hub” or “Site Gateway”. First step is the Network Hub.

domalab.com Veeam PN initial configuration

Veeam PN generates a self-signed certificate to encrypt the VPN connections from the remote clients. Encryption level can be changed. Once configured, it is only possible to change the self generated certificate by running a reset from the system settings. This will also wipe the client connections files which have to be recreated. another option to add custom certificates (eg. from Let’s Encrypt) is to use the terminal connection directly from the VMware console, Azure or AWS in case Veeam PN is running in any of these environments. An example would be something like this:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache

and to install the certificate:

sudo certbot –apache

More info are available here on the user-guide. For this setup the custom self-signed certificate will be used.

domalab.com Veeam PN certificate configuration

Veeam PN is now ready to generate the encryption keys.

domalab.com Veeam PN certificate generation

In this step we can configure essential parameters. Most importantly the public IP address or DNS name of the Veeam PN appliance. By default site to site and point to site VPN connections services are enabled. We can change this at any time. In addition the option to use custom ports for remote sites and clients to connect to the Network Hub. When running the Hub behind a firewall these ports should be forwarded accordingly.

domalab.com Veeam PN VPN settings

At this point the initial configuration for the Hub is concluded. The wizard suggests the next steps to configure additional sites and standalone devices. Let’s accept the message and proceed with a quick overview of the Hub settings.

domalab.com Veeam PN configuration summary

In Services tab we have the option to enable/disable VPN services for sites and devices. These are global settings. More information on Clients section for granular control over these.

domalab.com Veeam PN services

VPN tab is really important as the information specify here are used to create the configuration files both remote sites and standalone clients will use to connect to the main Hub. When these changes the remote connection need to download the new configuration files.

Alerts tab gives the option to configure actions like sending emails or even run custom scripts when specific event occur.

The SMTP tab provides the option to setup details about server and email to use for general notifications and alerts.

Very nicely Veeam PN has the option to check and run updates. This covers both operating system and security updates.

Last but not least in the System tab the option to enable SSH service to remotely access the Veeam PN appliance and the ability quickly backup and restore all settings including certificates.

This concludes the first part about Veeam PN deployment and configuration. In the next steps we’ll cover the configuration of standalone devices to securely connect to the main or production network.

About the author

Michele Domanico

Passionate about Virtualization, Storage, Data Availability and Software Defined Data Center technologies. The aim of Domalab.com is sharing with the Community the knowledge and experience gained with customers, industry leaders and like minded peers. Always open to constructive feedback and new challenges.


Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Hi, Michele! In the end of installation VeeamPN appliance must have 2 vmnics? One for internal net and second for public net with public IP inside ubuntu? This public IP I must put in “network hub public ip” on VPN tab?

    • Hi Mike,
      Thanks for your comment. Actually just one nic is required. This is because VeeamPN does NAT with the chosen tunnel network (by default Hope this helps.

  • @Veeam PN generates a self-signed certificate to encrypt the VPN connections from the remote clients. Encryption level can be changed. Once configured, from the main GUI it is also possible to change the certificate with one trusted by Certification Authorities.@

    How to do it through the GUI?
    Question about change the certificate with one trusted by Certification Authorities.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Browse articles

September 2023

Articles by Category


error: Content is protected !!
%d bloggers like this: