Creating a site-to-site Azure VPN with PFSense

First I need to create a Azure Virtual Network and Subnet.  I go to All services image and find Virtual networks

I add a Virtual network called EastAzureVnet with a Subnet called EastServerSubnet and leave the defaults.  (Make sure this address space doesn’t overlap with your on-prem network)


Now I open my Virtual network I just created called EastAzureVnet and click Subnets and click Gateway subnet


Leave the defaults and click OK


Virtual Network Gateway

I need to create a Virtual Network Gateway.  I go to All services and find Virtual network gatewaysimage

I set the following values and click Create(Note: This will take about 15 minutes, so go have a Beer Mug on Google Android 9.0 or a Hot Beverage on Google Android 9.0)

Name: EastAzureVngVPN

SKU: Basic  (If this were for production I would choose VpnGw1 or higher)

Virtual network: EastAzureVnet

Public IP address: EastAzureIpVPN


Local network Gateway

Next we need to create a Local Network Gateway. I go to All services and find Local network gateways  image

I use my on-prem network information. 

My lab uses IP address range – (aka

My Example External IP is


After it is created click on the Local Network Gateway called EastAzureLngVPN and click Connections,  Then click Add


I use the following information and Click OK.  Create and save your shared key as you will need this when setting up the PFSense side. (You will want your Shared key to be more complex then the example)



In Azure go back to Virtual Network Gateways and get your public IP Address for your Azure VPN


Next I go over to my On-Prem PFSense Firewall and click VPN, IPSec


Click Add P1, I changed the following settings

For Remote Gateway use your Public IP Address from your Azure Virtual Network Gateway

For Pre-Shared Key use your Pre-Shared Key



Click Save

Then Apply Changes


Now Click Show Phase 2 Entries, and click Add P2


For P2 (Edit Phase 2).  I go back to Azure to get the address space.


Set the Remote network address to the address space in Azure.   (Not the Subnet)


Click Save, and Apply Changes.

Now if we go to Status, IPsec


I can see we have Established a connection


Lastly I need to create a firewall rule.  I go to Firewall, Rules.  The select IPsec and click Add


Change Protocol to Any.  You can lock this rule down to suit your needs.


Click Save and Apply

To get DNS working correctly. (So you can Add VMs to your Domain) 

I set you DNS server for your Virtual Network to my local On-Prem DNS server.


One note.  Azure blocks much of ICMP traffic.  So to test, create a VM with a Public IP Address of None.  Then connect with Remote desktop.


For general information on Azure Site-to-Site VPNs see

13 Responses to Creating a site-to-site Azure VPN with PFSense

  1. Yana May 15, 2019 at 9:41 pm #

    Thank you very much! Your post helped me a lot

  2. santi May 25, 2019 at 5:30 am #

    Thank you!

  3. Ben July 29, 2019 at 6:50 pm #

    Thanks for taking the time to post this information.

  4. dave September 5, 2019 at 5:20 am #

    Thanks, Very good… followed several other guides but couldn’t get it to work until I found yours.

  5. Douglas September 16, 2020 at 9:37 am #

    great post. Worked first time which amazed me!

  6. Thang May 21, 2021 at 2:38 am #

    Thanks a bunch!

    Do we need to configure route table this?

    • admin May 21, 2021 at 9:28 am #

      No. Only if you want all azure internet traffic to traverse on prem. But most people only do that with express route.

  7. Ronny Prop June 22, 2021 at 4:38 pm #

    My pfsense configuration is correct.
    I can see connection status in azure as connected.

    Still I am unable to ping/ssh/rdp any Azure VM from a vm in client segment of pfsense.

    Any idea, why?

    Very nice and detailed write up.

  8. ErwinC October 20, 2021 at 5:17 pm #

    Thank you.
    Second time I needed this 🙂

  9. NateR October 1, 2023 at 1:33 am #

    Thanks! This is great, however my dns is not resolving from Azure back to my homelab. :sadface:

    • admin November 14, 2023 at 8:25 pm #

      In you vNet you need to set you DNS server to Custom and then point it at you homelab DNS server.

  10. Luiz March 19, 2024 at 1:13 pm #

    Hi there, hope you are still around.

    I have followed your tutorial with the intent of using Azure VPN to route all of my internet traffic, so i changed the Phase 2 from to and that made my internet stop working. Now i see lots of Bytes-out in Phase 2 but zero Bytes-in.

    Would you be able to help me identify what else i need to do in order to get this to work to tunnel all of my network traffic thru Azure VPN?


    • admin March 19, 2024 at 4:08 pm #

      Hi Luiz,

      Phase 2 is going to be your Azure network. It tell your router anytime you need to get to the Azure network use this tunnel. If you set it to that would be all traffic. That is why you internet would stop working. It would route all traffic to Azure. It would be another hop to get out to the Internet.

Leave a Reply