Site-to-site VPN

In this article

    A site-to-site VPN allows you to establish a secure connection between remote networks over a public network. You can implement the site-to-site VPN scenario if you need to join on-premises networks and private cloud networks in Microsoft Azure or AWS. For example, if some of your VMs are restored to Microsoft Azure or Amazon EC2, you can join the cloud network to which these VMs are connected with company on-premises networks.

    Veeam PN also lets you set up a VPN exclusively for on-premises networks. This scenario lets you extend the company network and make resources in one remote site available to machines and users in another remote site. For example, you can join several company networks into a single private network or allow machines and users from company branch offices to connect to the company datacenter.


    Site-to-site VPN functionality of Veeam PN is based on WireGuard technology. WireGuard does not support TCP, but Veeam PN eliminates this limitation by tunneling UDP encrypted traffic in TCP tunnel. WireGuard has significant performance advantage compared to OpenVPN:

    • It is implemented inside the Linux kernel, so no userspace-kernel cycles wasted.
    • WIreGuard scales up to all available CPU's (not stuck only on one CPU as in case of OpenVPN).

    To learn more about WireGuard functionality, see the WireGuard's White Paper.


    In the VPN, all traffic between remote networks is routed over a secure communication channel — VPN tunnel. To establish a VPN tunnel, Veeam PN uses its appliances: network hub and site gateways.

    The Veeam PN VPN is organized around the network hub. The network hub is the core of the VPN infrastructure. The hub is responsible for all background work: traffic routing, encryption, user management, authentication and so on.

    The network hub is accessible from all remote networks added to the VPN. Veeam PN supports two deployment scenarios for the network hub: you can deploy the network hub in Microsoft Azure or in an on-premises network.

    The network hub acts as one point of the VPN tunnel. To create the other point of the VPN tunnel, you must deploy a site gateway in a remote network that you plan to add to the VPN. The site gateway is a virtual appliance that establishes a secure connection with the network hub.

    In the site-to-site scenario, all traffic in the VPN is handled by the network hub and site gateways. You do not need to additionally configure VPN settings on standalone machines in remote sites.

    Site-to-site VPN 

    The VPN organized with Veeam PN has the star network topology. All traffic in the VPN is always routed through the network hub. For example, you add three remote networks to the VPN: 2 on-premises networks and a cloud network in Microsoft Azure. With such configuration, you must deploy the network hub in Microsoft Azure, and a site gateway in each on-premises network. All traffic will be routed through the network hub in Microsoft Azure, even if machines from one on-premises network need to communicate with machines in the other on-premises network.

    DNS forwarding

    Since version 2.0, Veeam PN supports DNS forwarding and client configuration:

    • Fully automatic detection of DNS settings
    • Endpoint clients automatically receive DNS settings to resolve all FQDNs in all connected sites

    In the network hub console, you can disable DNS forwarding, and see the list of DNS servers and DNS suffixes for configured sites. For details, see Enabling and Disabling DNS.


    To bring DNS forwarding feature on site configuration an administrator should change configuration of local DNS server, so all requests to domain suffixes of other sites should be forwarded to local Veeam PN site appliance or change DNS server IP address settings individually on each client machine.


    Related Topics