[pfSense] VPN S2S with Azure

May 31, 2016 at 6:00 am in Azure, Microsoft, pfSense by Florent

Because I would like to have a VPN @ home and a VPN with Azure, we advise me to use pfSense. This distribution is very flexible and give you the possibility to connect your host/VM with PPPoE with you ISP but also, to have a performant firewall, doing VPN connections with IPSec, OpenVPN, L2TP, etc.

The idea of this article will be to create a S2S VPN with Azure RM via pfSense.

I started by connecting my pfSense VM (1vCPU, 512MB RAM), with PPPoE to my ISP. Because I have a dynamic public IP, I created an account noip.com with a DNS recording. I connected my pfSense to NOIP to update this public IP automatically in Services > Dynamic DNS:


When my VM will restart or my lease will be ended, my IP will be updated directly on my NOIP.


I will now create my VPN on Azure. Go on https://portal.azure.com and connect to your subscription. Be sure to create a virtual network, in Resource Manager:


After, you need to create your Virtual Network Gateway, by choosing the virtual network created previously, and by choosing a a subnet for the Gateway and a public IP. Choose the VPN type, with a VPN type of Route based:


After some minutes, our gateway is ready. We need to create a Local Network Gateway, that will host the public IP of the pfSense and local network where the pfSense is connected to access them:


If you have a public dynamic IP, you can check here: http://scug.be/florent/2016/05/30/powershell-update-your-azure-s2s-vpn-with-dynamic-public-ip/

Now, we need to associate our local network to our virtual gateway. Go on your gateway created previously and click on Add:


Choose Site-to-site (IPSec) with the gateway created previously. Provide a shared key. This key will be used in the pfSense configuration’s:


My connection:



Now, we will configure our pfSense to have the connectivity to Azure. Go in VPN > IPSec and add a new phase 1. Give the public IP address of your Azure gateway, with your shared key:


Deactivate DPD:


Save, and to this phase 1, add a phase 2 by giving the Azure network that you provide during the virtual network creation:


Apply change:


My S2S VPN is now connected:


You can deploy a VM on Azure, with the virtual network where the VPN is connected, without public IP and after, connect to it from your local network:


Enjoy your connectivity to AzureSourire