I often use my lab on the road for demo’s and to prove that something works or doesn’t work. On one of my last trips, or the one before that, my View license – provided thanks to vExpert, had expired and I had forgotten to update it. So I was not able to use my lab. This was quite an issue for me. So View is working again – even with new public IP’s but I need an emergency plan. And that plan is Veeam PN so that I can get an easy VPN connection to my lab when I need it. Not sure how well things will work when I am flying, or on the other side of the world but we will see.
I know people that only have and use Veeam PN to access their labs and they like it. I am fond of the fact that you can get clients to use with it for every platform – including Mac.
This article was done with version 126.96.36.1990 of Veeam PN but checked with 188.8.131.525.
Things to have ready
- FQDN and IP address for the Veeam PN appliance that works inside your network
- A public FQDN so that the VPN clients can connect to the Veeam PN hub.
- Ports – for a client to PN connection you need to have TCP / UDP 6180 (default is 6179 but it has been recommended to me to use 6180 instead) open in your firewall (port is selectable). Update – suggested if possible to use TCP 8443 instead (more sites will have that open).
- The appliance has a need for TCP / UDP 1194, 6179, and TCP 443 (some ports are selectable) – inside ports.
- DHCP – you need DHCP as there is no network setup during the deploy.
- Client – I am using Tunnelblick Mac which can be found here.
- Veeam PN can be found here, and the release notes, and don’t worry you see the Azure word as it is not relevant or necessary here. BTW, be sure to check out the v2 release notes, there are some big changes, that can in Site to Site environments really seriously boot performance.
We have one network that Veeam PN will provide access to via a VPN. So that means we install network hub and then our clients can connect to it. If we had other network – as defined by IP schemes, we could place site gateways in them so that our VPN connections could connect to them as well.
Deploy the OVA
This is a most simple deployment as there is almost no configuration involved – just name, storage, network and review. Once it is done you need to start the appliance. I did not have the option to do that while deploying.
- Use a web browser and access the DHCP supplied IP.
- You will need to use the root / VeeamPN credentials to log in (root / VeeamPN), and you will be forced to change the password right away.
- You first prompt is about Network Hub or Site Gateway (or restore config). We are doing Network Hub.
- Next you will need to add a name, and encryption level. I suggest you leave the encryption level as it is.
- When you hit Next you should see the certificate generated.
- The generation of the key will take a few minutes.
- You will see your VPN settings next.
- The name that is prompted for above needs to be a public FQDN and in fact even better it should be accessible from inside or outside your company.
- As I mentioned earlier in the article I have only a need to access my home lab so no need for a site to site VPN.
- After we select Finish we will see a popup.
- This doesn’t really apply to us, as we already have the OVA, and it is deployed. We do need to create a config for our client though.
- After we select OK, we see the main UI.
- We will now configure SMTP so that we can configure alerts – for things like learning there is an update available.
- Change to Settings / SMTP.
- Fill in the form as it works for you and make sure to do a test! BTW, the email that comes through is a little light in details. But the fact it makes it through is what is important.
- Change to the Alerts tab now,
- On the Alerts tab you can click on the no Action link to change it. In my case, I want an email when an update is available.
I also enable for email the High CPU, Fatal VPN failure and Client connected. Choose what you need for yourself.
You can enable – as seen above – an email when there are updates available. But you can also manually check and do the update via the Updates tab.
As you might guess, don’t do updates when users are connected and working via VPN!
Client configuration creation
So this all started as I wanted an emergency way into my lab. So now we need to create a configuration that will support that so I can use it to configure my laptop.
We need to start on the Clients tab.
Then use the green + to start.
On the screen above, the HUB option means a special client type that will allow for you to connect to other than the main Veeam PN appliance.
On the next screen you will need to identify who this client connection is for. In my case it is for my MacBook Pro.
What is interesting on this screen is the option to route all of the Internet destined traffic on my connect MBP via the VPN and the Veeam PN appliance. I have enabled that for the start so that I have a better chance of making things work, but once working will deselect that feature. In that case VPN traffic will go to the Veeam PN appliance but other internet traffic will exit locally to the internet (via my MBP) and that will be better Internet performance normally.
Also, make sure the name has no spaces in it.
On the next screen we will see a summary and a Finish button. Lets finish.
Once you have hit the Finish button you are back in the UI. There is still something important we need to do.
Notice in the top right of the UI you can see an option for mwhiteMBP of Download? That is the configuration file for your desktop app. If your firewall has been adjusted that config file and your client will combine to connect you to your home lab.
I think maybe every device as a client. I noticed there is a number of them on the iOS App store, and on the web for all flavors of OS. I am using the Tunnelblick Mac client.
During the install of the client you will be notified about the configuration file.
We do have one so the highlighted button is correct.
Next you drag your config file (mine is named mwhiteMBP.ovpn) and drop it on the icon of the Tunnelblick icon in the menu bar. Once dropped you will be prompted about who to install the config for.
The default again is likely best. Now if you look at the Tunnelblick icon it will look different.
So it would be very easy now to connect your VPN! Just select the Connect option.
Once I test, and it works, then I add my Veeam PN appliance to a backup job!
Remember that you need to do the incoming firewall rule with the DHCP address, and have your external DNS configure with the proper DNS name. These two things need to be working before you test!
BTW, due to my selections of point to site, and enabling Hub I cannot change easily the IP address. If no hub, or site to site, you can – in the Systems area – change IP info. But I have a reserved DHCP for it that I used in the firewall so it should be consistent.
- 5/26/19 – checked that this still worked with v2 of PN. Improved some readability too.
- 10/4/18 – I head from the R&D dev lead that instead of UDP 6180 I should use TCP 8443 as it is open in more places. I would love to do that but currently I use that port for my View infrastructure. But very good for you to know!
- 9/30/18 – small changes to improve readability and usability.
- 5/5/18 – some small edits to improve clarity – thanks to Alexey!
- Anthony has a number of interesting articles on this subject – link
- Veeam PN product site – link
- Veeam PN documentation – link
- Veeam PN 2.0 release notes – link
- Mac client Tunnelblick- link
- Mac Client Tunnelblick uninstall – link
You have seen how to install, and configure Veeam PN, and then use an exported config from it to configure your client. I now have a secure way to connect back to my lab.
=== END ===