Creating a site-to-site Azure VPN with PFSense

First I need to create a Azure Virtual Network and Subnet.  I go to All services image and find Virtual networks

I add a Virtual network called EastAzureVnet with a Subnet called EastServerSubnet and leave the defaults.  (Make sure this address space doesn’t overlap with your on-prem network)

image

Now I open my Virtual network I just created called EastAzureVnet and click Subnets and click Gateway subnet

image

Leave the defaults and click OK

image

Virtual Network Gateway

I need to create a Virtual Network Gateway.  I go to All services and find Virtual network gatewaysimage

I set the following values and click Create(Note: This will take about 15 minutes, so go have a Beer Mug on Google Android 9.0 or a Hot Beverage on Google Android 9.0)

Name: EastAzureVngVPN

SKU: Basic  (If this were for production I would choose VpnGw1 or higher)

Virtual network: EastAzureVnet

Public IP address: EastAzureIpVPN

image

Local network Gateway

Next we need to create a Local Network Gateway. I go to All services and find Local network gateways  image

I use my on-prem network information. 


My lab uses IP address range 192.168.2.1 – 192.168.2.255 (aka 192.168.2.0/24)

My Example External IP is 67.37.217.79

image

After it is created click on the Local Network Gateway called EastAzureLngVPN and click Connections,  Then click Add

image

I use the following information and Click OK.  Create and save your shared key as you will need this when setting up the PFSense side. (You will want your Shared key to be more complex then the example)

image


PFSense

In Azure go back to Virtual Network Gateways and get your public IP Address for your Azure VPN

image

Next I go over to my On-Prem PFSense Firewall and click VPN, IPSec

image

Click Add P1, I changed the following settings

For Remote Gateway use your Public IP Address from your Azure Virtual Network Gateway

For Pre-Shared Key use your Pre-Shared Key

image

image

Click Save

Then Apply Changes

image

Now Click Show Phase 2 Entries, and click Add P2

image

For P2 (Edit Phase 2).  I go back to Azure to get the address space.

image

Set the Remote network address to the address space in Azure.   (Not the Subnet)

image

Click Save, and Apply Changes.

Now if we go to Status, IPsec

image

I can see we have Established a connection

image


Lastly I need to create a firewall rule.  I go to Firewall, Rules.  The select IPsec and click Add

image

Change Protocol to Any.  You can lock this rule down to suit your needs.

image

Click Save and Apply

To get DNS working correctly. (So you can Add VMs to your Domain) 

I set you DNS server for your Virtual Network to my local On-Prem DNS server.

image


One note.  Azure blocks much of ICMP traffic.  So to test, create a VM with a Public IP Address of None.  Then connect with Remote desktop.

image

For general information on Azure Site-to-Site VPNs see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

13 Responses to Creating a site-to-site Azure VPN with PFSense

  1. Yana May 15, 2019 at 9:41 pm #

    Thank you very much! Your post helped me a lot

  2. santi May 25, 2019 at 5:30 am #

    Thank you!

  3. Ben July 29, 2019 at 6:50 pm #

    Thanks for taking the time to post this information.

  4. dave September 5, 2019 at 5:20 am #

    Thanks, Very good… followed several other guides but couldn’t get it to work until I found yours.

  5. Douglas September 16, 2020 at 9:37 am #

    great post. Worked first time which amazed me!

  6. Thang May 21, 2021 at 2:38 am #

    Thanks a bunch!

    Do we need to configure route table this?

    • admin May 21, 2021 at 9:28 am #

      No. Only if you want all azure internet traffic to traverse on prem. But most people only do that with express route.

  7. Ronny Prop June 22, 2021 at 4:38 pm #

    My pfsense configuration is correct.
    I can see connection status in azure as connected.

    Still I am unable to ping/ssh/rdp any Azure VM from a vm in client segment of pfsense.

    Any idea, why?

    Very nice and detailed write up.

  8. ErwinC October 20, 2021 at 5:17 pm #

    Thank you.
    Second time I needed this 🙂

  9. NateR October 1, 2023 at 1:33 am #

    Thanks! This is great, however my dns is not resolving from Azure back to my homelab. :sadface:

    • admin November 14, 2023 at 8:25 pm #

      In you vNet you need to set you DNS server to Custom and then point it at you homelab DNS server.

  10. Luiz March 19, 2024 at 1:13 pm #

    Hi there, hope you are still around.

    I have followed your tutorial with the intent of using Azure VPN to route all of my internet traffic, so i changed the Phase 2 from 10.0.0.0 to 0.0.0.0/0 and that made my internet stop working. Now i see lots of Bytes-out in Phase 2 but zero Bytes-in.

    Would you be able to help me identify what else i need to do in order to get this to work to tunnel all of my network traffic thru Azure VPN?

    Thanks

    • admin March 19, 2024 at 4:08 pm #

      Hi Luiz,

      Phase 2 is going to be your Azure network. It tell your router anytime you need to get to the Azure network use this tunnel. If you set it to 0.0.0.0/0 that would be all traffic. That is why you internet would stop working. It would route all traffic to Azure. It would be another hop to get out to the Internet.

Leave a Reply