How to Configure VPN with VeeamPN

Steps to configure Site to Site VPN with VeeamPN

Veeam PN is based on WireGuard® for the Site to Site Tunnel and on OpenVPN technology for Remote Client, and features a web-based interface that simplifies VPN configuration and administration.

WireGuard, which is implemented in the Linux kernel, does not support TCP, but Veeam PN eliminates this limitation by tunneling the encrypted UDP traffic inside a TCP tunnel.

This tutorial uses the same components as How to Configure VPN with WireGuard.

Provisioning of Veeam PN OVA as Hub Site

  1. Download Veeam PN 2.1 (322MB)
  2. Convert the OVA to OVF and import to ESXi host by following Import OVF with PowerCLI

Resources assigned to VeeamPN Virtual Appliance

Site to Site VPN with VeeamPN

Power on VeeamPN, which runs on Ubuntu 18.04, and log in with the default username & password: root, VeeamPN

Check the DHCP assigned IP Address with ip addr show

root@localhost:~# ip addr show | grep ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.236/24 brd 192.168.1.255 scope global ens160

There is no way in the GUI to configure a static IP Address when VeeamPN is configured as Network Hub.

Refer to Appendix – How to assign static IP Address if a static IP Address is needed.

Go to https://IP_VEEAMPN and log in with the default username & password

Change the default password

Select Network Hub

Network Hub is the core of the VPN infrastructure and is responsible for all background work: traffic routing, encryption, user management, authentication and so on.

Enter a Name and leave the default encryption level = 2048

VeeamPN will generate a self-signed certificate for the VeeamPN Portal. It can be replaced with a trusted SSL Certificate by following Replace Selfsign SSL Certificate in the Appendix.

Refer to VeeamPN UserGuide to use Let’s Encrypt SSL Certificate

Enter the PUBLIC IP address configured in Firewall and check both Enable Site-to-Site VPN & Enable Point-to-Site VPN

We changed the port for Site to Site VPN from the default 1194 to 34897.

TCP guarantees delivery of data packets, while UDP, which is recommended, ensures faster data transmission since it does not require any data flow control.

Dashboard of VeeamPN

Register Hub Site

If you set up the network hub in a local site and want to make machines in this site accessible over the VPN, you must register this local site as a client in the network hub portal.

Hub Site client always remains in the Disconnected state, which is an expected behavior.

Click Client – Add – HUB Site

Enter the Network Address that is allowed through the Site to Site Tunnel on the Site Gateway

The Network Address becomes the allowed ips on the Site Gateway

root@localhost:~# wg
interface: wg.veeampn
  public key: VXqtRcu3TvJ25d+doU+lRuvYvToyiKpTHyxJ+xOjSBU=
  private key: (hidden)
  listening port: 34897

peer: 8WGjkwMnbuF4obyfDcgkB49pPSRmevwpUjy8GSY21yw=
  preshared key: (hidden)
  endpoint: 103.18.246.222:34897
  allowed ips: 10.211.0.0/16, 10.210.0.0/16, 10.10.10.0/24
  latest handshake: 2 seconds ago
  transfer: 92 B received, 180 B sent
  persistent keepalive: every 20 seconds

Register Entire Site

This is the network behind the Site Gateway that is to be accessible via the Site to Site VPN tunnel

Click Client – Add – Entire Site

Enter Name & Network Address

Click download to save the configuration file, which is imported into the Site Gateway later

Register OpenVPN Client

Register users who can access via OpenVPN Client in point-to-site scenario.

Click Client – Add – Standalone Computer

Enable Use HUB server as default gateway only when you want to tunnel all traffic from client back to Site Hub

Download the OpenVPN Client configuration file and import to client PC later

Provisioning of Veeam PN OVA as Site Gateway

Provision a new VeeamPN appliance at Remote Office as Site Gateway by following the same steps

Select Site Gateway during the initial configuration wizard

Click Browse to import the configuration file exported from Hub Site

Verify the tunnel is connected in VeeamPN in Hub Site

Verification of Site to Site VPN with VeeamPN

Verify that servers located at both sides can communicate via the Site to Site VPN

  1. Server (10.10.10.100) at Hub Site can ping to Server (192.168.1.232) at Site Gateway
  2. Server (192.168.1.232) at Site Gateway can ping to Server (10.10.10.100) at Hub site

Login to VeeamPN via SSH at Hub Site to verify the status of wg

wg status in Hub Site

root@localhost:~# wg
interface: wg.veeampn
  public key: 8WGjkwMnbuF4obyfDcgkB49pPSRmevwpUjy8GSY21yw=
  private key: (hidden)
  listening port: 34897

peer: VXqtRcu3TvJ25d+doU+lRuvYvToyiKpTHyxJ+xOjSBU=
  preshared key: (hidden)
  endpoint: 121.121.43.50:34897
  allowed ips: 10.211.0.2/32, 192.168.1.0/24
  latest handshake: 52 seconds ago
  transfer: 2.08 KiB received, 2.43 KiB sent
  persistent keepalive: every 20 seconds

Login to VeeamPN via SSH at Site Gateway to verify the status of wg

wg status in Site Gateway

root@localhost:~# wg
interface: wg.veeampn
  public key: VXqtRcu3TvJ25d+doU+lRuvYvToyiKpTHyxJ+xOjSBU=
  private key: (hidden)
  listening port: 34897

peer: 8WGjkwMnbuF4obyfDcgkB49pPSRmevwpUjy8GSY21yw=
  preshared key: (hidden)
  endpoint: 103.18.246.222:34897
  allowed ips: 10.211.0.0/16, 10.210.0.0/16, 10.10.10.0/24
  latest handshake: 1 minute, 37 seconds ago
  transfer: 2.24 KiB received, 2.07 KiB sent
  persistent keepalive: every 20 seconds
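
The visual check of the wg output above can be made repeatable. The script below is an added example, not part of the original tutorial or of VeeamPN: it parses the text printed by wg and reports peers whose allowed ips are outside an expected list or whose handshake is stale. The function names and the 180 second threshold are assumptions; the sample input is the Hub Site peer block shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial or VeeamPN): audit the text printed by `wg`.
# Assumptions: the names audit_wg and sample_hub_wg, and the 180 s threshold.
# On the appliance: wg | audit_wg "10.211.0.2/32,192.168.1.0/24"

# audit_wg EXPECTED_CIDRS [MAX_AGE_SECONDS]; reads `wg` output on stdin,
# prints one finding per line, returns 1 if there is any finding, else 0.
audit_wg() {
  awk -v expected="$1" -v max_age="${2:-180}" '
    BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    function age(s,   t, a, i, k) {      # "1 minute, 37 seconds ago" -> 97
      t = 0; k = split(s, a, /[ ,]+/)
      for (i = 1; i < k; i++) {
        if (a[i+1] ~ /^second/) t += a[i]
        if (a[i+1] ~ /^minute/) t += a[i] * 60
        if (a[i+1] ~ /^hour/)   t += a[i] * 3600
        if (a[i+1] ~ /^day/)    t += a[i] * 86400
      }
      return t
    }
    function finish() {                  # a peer that never completed a handshake
      if (peer != "" && !seen) { print peer ": no handshake recorded"; bad = 1 }
    }
    $1 == "peer:" { finish(); peer = $2; seen = 0 }
    $1 == "allowed" && $2 == "ips:" {
      sub(/^ *allowed ips: */, ""); m = split($0, c, /, */)
      for (i = 1; i <= m; i++)
        if (!(c[i] in ok)) { print peer ": unexpected allowed ip " c[i]; bad = 1 }
    }
    $1 == "latest" && $2 == "handshake:" {
      seen = 1; sub(/^ *latest handshake: */, "")
      if (age($0) > max_age) { print peer ": stale handshake (" $0 ")"; bad = 1 }
    }
    END { finish(); exit bad + 0 }
  '
}

# Sample input: the Hub Site peer block shown above.
sample_hub_wg() {
  cat <<'EOF'
peer: VXqtRcu3TvJ25d+doU+lRuvYvToyiKpTHyxJ+xOjSBU=
  preshared key: (hidden)
  endpoint: 121.121.43.50:34897
  allowed ips: 10.211.0.2/32, 192.168.1.0/24
  latest handshake: 52 seconds ago
  transfer: 2.08 KiB received, 2.43 KiB sent
  persistent keepalive: every 20 seconds
EOF
}
```

With persistent keepalive every 20 seconds, a handshake much older than a few minutes means the tunnel is down even if the peer is still listed.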

OpenVPN Client for Windows 10

  1. Download and install OpenVPN Client for Windows 10, accepting the default values
  2. Right click on the OpenVPN Client icon, and select import file to import the OpenVPN Configuration file prepared in VeeamPN Hub Site

Connected to VPN tunnel successfully, and can access servers in Site Hub now

Appendix

How to assign static IP Address

Install nano editor and open /etc/netplan/01-netcfg.yaml

# Update the package lists
apt update
# Install the nano editor
apt install nano
# Modify the 01-netcfg.yaml file
nano /etc/netplan/01-netcfg.yaml

Paste the code below into Visual Studio Code with the YAML format selected, and replace the values with those of your own environment

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: no
      addresses: [192.168.1.236/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]

Reboot and verify the static IP Address is configured successfully

ip addr show | grep ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.236/24 brd 192.168.1.255 scope global ens160

Replace Selfsign SSL Certificate

Extract unencrypted PEM & Key file from PFX by following this link

Upload aventislab.pem & aventislab.key to VeeamPN

scp aventislab.pem [email protected]:/tmp
scp aventislab.key [email protected]:/tmp

Replace veeampn.key & veeampn.pem with aventislab.key & aventislab.pem.

Reboot VeeamPN

root@localhost:/etc/veeampn/ssl# mv veeampn.key veeampn.key.bak
root@localhost:/etc/veeampn/ssl# mv veeampn.pem veeampn.pem.bak
root@localhost:/etc/veeampn/ssl# mv /tmp/aventislab.key veeampn.key
root@localhost:/etc/veeampn/ssl# mv /tmp/aventislab.pem veeampn.pem
root@localhost:/etc/veeampn/ssl# reboot

The VeeamPN portal now uses the trusted SSL Certificate
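
A certificate that does not belong to the uploaded key, or a key that is still encrypted, only shows up after the reboot as a portal that no longer loads. The script below is an added example, not part of the original tutorial or of VeeamPN: it checks the pair with openssl before anything is replaced, then backs up and installs it. The function names are assumptions; the directory and the veeampn.* file names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not from the tutorial or VeeamPN.
# Assumptions: the function names check_cert_pair and install_cert_pair.
# On the appliance: install_cert_pair /tmp/aventislab.pem /tmp/aventislab.key

# check_cert_pair CERT KEY: returns 0 only if the pair is fit to install.
check_cert_pair() {
  cert=$1; key=$2
  [ -r "$cert" ] && [ -r "$key" ] || { echo "missing file" >&2; return 2; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "not a PEM certificate: $cert" >&2; return 3; }
  # An empty passphrase is supplied, so a key that is still encrypted fails here.
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
    { echo "key unreadable or still encrypted: $key" >&2; return 4; }
  # Both commands print the public key in the same PEM form.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "certificate does not belong to this key" >&2; return 5; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired" >&2; return 6; }
}

# install_cert_pair CERT KEY [DIR]: verify, back up the current pair, install.
install_cert_pair() {
  dir=${3:-/etc/veeampn/ssl}
  check_cert_pair "$1" "$2" || return $?
  for f in veeampn.pem veeampn.key; do
    if [ -e "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.bak" || return 7; fi
  done
  # Overwrite in place so owner and mode stay as the appliance set them.
  cat "$1" > "$dir/veeampn.pem" && cat "$2" > "$dir/veeampn.key"
}
```

Afterwards delete the uploaded copies in /tmp so the private key does not stay there.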

Reference Links

VeeamPN 2.1 User Guide
