This document is not maintained any longer.

Set Up VPN Between Remote Sites

    You can use Veeam PN to set up a VPN connection between remote company offices and sites. This scenario can be helpful if company services and applications are distributed between two or more sites, for example, a headquarters site and a branch office. In this case, you can join several remote networks over the VPN and enable secure communication between them.

    Reference Environment

    This how-to assumes that your company environment is distributed between two remote sites:

    • Site A: part of your applications and services are hosted on Site A.
    • Site B: part of your applications and services are hosted on Site B.

    In this scenario, you will deploy Veeam PN components in the following way:

    • The network hub will be deployed on Site A.
    • A site gateway will be deployed on Site B.

    The network hub and site gateway will form the two endpoints of a VPN tunnel. Applications and services on Site A and Site B will be able to communicate securely with each other over the VPN. Users on one remote site will be able to access resources on the other site.

    Prerequisites

    To follow the instructions in this how-to, make sure the following prerequisite is met:

    You must have a VMware vSphere host in each site. The network hub and site gateway are deployed as virtual appliances and placed on VMware vSphere hosts.

    Step-By-Step Walkthrough

    To set up a VPN connection between remote sites, you will:

    1. Deploy the network hub in a local site network.
    2. Register a client for a remote network.
    3. Deploy a site gateway in the remote network.
    4. Add static routes for outgoing traffic on default gateways.

    Step 1. Deploy Network Hub in Local Site Network

    The network hub is the core of the VPN infrastructure. If you want to join several remote networks, you must deploy the network hub in one of them.

    To deploy the network hub:

    1. Download the Veeam PN OVA package from: https://www.veeam.com/downloads.html and save it in a network shared folder accessible from the site where you plan to deploy the network hub.
    2. In VMware vSphere Web Client, open the hosts and clusters inventory list and select a host on which you want to place the network hub.
    3. From the menu at the top of the working area, select Actions > Deploy OVF Template.
    4. At the Select source step of the wizard, select Local file, click Browse and browse to the Veeam PN OVA package.

    5. Follow the next steps of the wizard and specify network hub deployment settings: datastore on which the network hub disk must be placed, disk format, network to which the network hub must be connected and so on.
    6. At the last step of the wizard, select the Power on after deployment check box and click Finish.

    VMware vSphere will deploy the network hub on the selected host. The deployment process typically takes several minutes. Wait for this process to complete and proceed to network hub configuration.

    7. In VMware vSphere Web Client, navigate to the Summary tab and get an IP address of the network hub.
    8. In a web browser, access the network hub portal by the following address: https://<applianceIP>.

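    The browser will display a warning that the connection is untrusted, because the appliance certificate is not issued by a certificate authority that the browser trusts. Check that the address in the browser is the appliance IP address you obtained in VMware vSphere Web Client, then accept the warning and proceed to the portal.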

    9. At the Welcome to Veeam PN screen of the portal, log in to the network hub portal using the credentials of the built-in account:
    • Username: root
    • Password: VeeamPN
    10. Click Login.
    11. When prompted, change the password for the built-in account.

    12. At the first step of the Initial Configuration wizard, select Network hub and click Next.

    13. Specify the key length for the self-signed certificate that Veeam PN will use to secure communication in the VPN, and click Next.

    14. After the certificate is generated, click OK, then click Next to proceed to the network hub configuration.
    15. In the Network hub public IP or DNS name field, specify an IP address or full DNS name for the network hub. The IP address or DNS name must be public and accessible from remote user machines.
    16. Select the Enable site-to-site VPN check box. In the Protocol and Port fields, leave default settings.

    17. Click Finish.

    Step 2. Register Client for Remote Network

    To add a remote network to the VPN, you must register a client for this network in the Veeam PN portal. Veeam PN will generate a configuration file for the remote network. You will use the configuration file to set up a site gateway in the network.

    To register a client for the remote network:

    1. In the Veeam PN portal, in the configuration menu on the left click Clients.
    2. At the top of the clients list, click Add.
    3. At the Type step of the wizard, select Entire site.

    Note

    If you add a client for the Hub site, it will make machines on the Hub site accessible over the VPN. To see how to add a client for the Hub site, see Registering Hub Site.

    4. At the Site step of the wizard, enter a name for the remote network and its address in CIDR notation.

    5. At the Summary step of the wizard, click Finish.

    Veeam PN will generate an XML file with VPN settings for the remote network. The XML file will be automatically downloaded to the default downloads folder. Save the downloaded file in a network shared folder accessible from the remote network.

    Step 3. Deploy Site Gateway in Remote Network

    When you deploy the network hub in Site A, you configure one point of the VPN tunnel. To configure the other point of the VPN tunnel, you must deploy a site gateway in Site B. The network hub will establish a connection with the site gateway, which lets data travel securely between remote sites over a public connection.

    To deploy a site gateway in the remote network:

    1. Download the Veeam PN OVA package from: https://www.veeam.com/downloads.html and save it in a network shared folder accessible from the remote network.
    2. In VMware vSphere Web Client, open the hosts and clusters inventory list and select a host on which you want to deploy the site gateway.
    3. From the menu at the top of the working area, select Actions > Deploy OVF Template.
    4. At the Select source step of the wizard, select Local file, click Browse and browse to the Veeam PN OVA package.

    5. Follow the next steps of the wizard and specify site gateway settings: datastore on which the site gateway VM disk must be placed, disk format, network to which the site gateway must be connected and so on.
    6. At the last step of the wizard, select the Power on after deployment check box and click Finish.

    The deployment process typically takes several minutes. Wait for the process to complete and proceed to site gateway configuration.

    7. In VMware vSphere Web Client, navigate to the Summary tab and get an IP address of the deployed site gateway.
    8. In a web browser, access the site gateway portal by the following address: https://<sitegatewayIPaddress>.

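    The browser will display a warning that the connection is untrusted, because the appliance certificate is not issued by a certificate authority that the browser trusts. Check that the address in the browser is the site gateway IP address you obtained in VMware vSphere Web Client, then accept the warning and proceed to the portal.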

    9. At the Welcome to Veeam PN screen of the portal, enter credentials for the built-in account:
    • Username: root
    • Password: VeeamPN
    10. Click Login. When prompted, change the password for the built-in account.

    11. At the first step of the Initial Setup wizard, select Site gateway.

    12. Click Browse and browse to the configuration file generated by Veeam PN.

    13. Click Finish.

    Step 4. Add Static Routes for Outgoing Traffic on Default Gateways

    By default, when a machine in one remote site needs to communicate with a machine in another remote site, it sends the request to the default gateway of its own site. To route traffic going between sites over the VPN tunnel, you need to add static routes on the default gateways on both sites. These static routes direct the traffic from the default gateway to the Veeam PN appliance (the network hub or the site gateway), which in turn routes the traffic through the VPN tunnel between the two sites.

    For example, Site A and Site B have the following configuration:

    Site A: 192.168.0.0/24

    Site B: 172.17.53.0/24

    If a machine in Site A needs to communicate with a machine in Site B, the traffic will first be sent to the default gateway 192.168.0.1. The default gateway must then route the traffic to the Veeam PN appliance at 192.168.0.2, which in turn will route the traffic through the VPN tunnel. For this reason, you must add the following route on the default gateway 192.168.0.1:

    route add 172.17.53.0 mask 255.255.255.0 192.168.0.2

    In a similar manner, you must add a route on the default gateway 172.17.53.1 in Site B:

    route add 192.168.0.0 mask 255.255.255.0 172.17.53.2
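
    The route derivation above can be scripted so that mistakes are caught before the routes reach a gateway. The following is an added example, not part of the Veeam PN documentation: it rejects overlapping site networks and next hops outside the local subnet, then emits the same Windows-style route commands shown on this page. The function name and input layout are hypothetical, and the appliance addresses 192.168.0.2 and 172.17.53.2 are taken from the route commands above.

```python
import ipaddress

# Example values from this page: site networks plus the Veeam PN appliance
# (network hub or site gateway) that acts as next hop in each site.
SITES = {
    "Site A": {"cidr": "192.168.0.0/24", "appliance": "192.168.0.2"},
    "Site B": {"cidr": "172.17.53.0/24", "appliance": "172.17.53.2"},
}


def static_routes(sites):
    """Return {site: [route commands for that site's default gateway]}.

    Hypothetical helper. Raises ValueError when a CIDR has host bits set,
    an appliance is not a usable host in its own site network, or two
    site networks overlap (routing between them would be ambiguous).
    """
    parsed = {}
    for name, site in sites.items():
        net = ipaddress.IPv4Network(site["cidr"], strict=True)
        hop = ipaddress.IPv4Address(site["appliance"])
        if hop not in net or hop in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name}: next hop {hop} is not a host in {net}")
        parsed[name] = (net, hop)

    names = list(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first][0].overlaps(parsed[second][0]):
                raise ValueError(f"{first} and {second} use overlapping networks")

    routes = {}
    for local, (_, hop) in parsed.items():
        # One route per remote site, pointing at the local Veeam PN appliance.
        routes[local] = [
            f"route add {net.network_address} mask {net.netmask} {hop}"
            for remote, (net, _) in parsed.items()
            if remote != local
        ]
    return routes


if __name__ == "__main__":
    for site, commands in static_routes(SITES).items():
        print(f"On the default gateway of {site}:")
        for command in commands:
            print("   ", command)
```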

    Result

    You have set up a VPN connection between two remote sites. VMs running on one site are now accessible for machines running on the other site.