Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 1 of 5



This article describes how to set up a site-to-site VPN between a home network and Azure using a consumer-grade wireless router.

Once completed this will allow you to access the resources (virtual machines, databases, etc. ) in Azure as if they were part of your  home LAN. You can also access the resources on your network at home from Azure.

The following diagram shows what the site-to-site VPN will look like at the end:


This article is based on work other people did before me and a would like to give them credit for this. Here are the main sources I used:

Asus RT-AC68U
Asus T-Mobile Cellspot

The two links above and all the other resources linked from there helped me to successfully replace the T-Mobile firmware and replace it with DD-WRT.


Viorel’s article helped me a great deal while installing Entware-NG and configuring strongSwan. In his set-up he uses Tomato Shibby Mod, so if you are using this instead of DD-WRT make sure to check it out.

One bite at a time

This whole process can be divided in several steps and I will create a separate posts for each of it. Here I will give the high level overview.

In order to set up a site-to-site VPN with Azure you need a “VPN Device” that can act as a VPN gateway in your on premise network. It can be a hardware device – for example Barracuda NextGen Firewall F-series  or a software – Routing and Remote Access Service (RRAS) that comes with Windows Server 2012 R2.

The specialized hardware VPN devices can be expensive. Windows Server license plus a machine to run it on is also expensive. Luckily there is another way – you can use an inexpensive router to achieve the same goal. You may be even lucky to use your existing router if it meets certain requirements.

You router need to support IPsec and IKEv2 . If the stock firmware does not support it you may be able to install alternative firmware that does or install additional software like strongSwan. This is what I did.

I did not want to mess up my existing network, so I decided to buy a new router to play with. I picked a T-Mobile branded router that is actually the same as ASUS RT-AC68U but is just half the price.

Once you get the router the rest of the process is roughly as follows:

  1. Get rid of the T-Mobile firmware. You want to do this because it is locked and does not allow you to flash non-tmobile firmwares.
  2. Install DD-WRT. This is an alternative firmware which I have been using for some time. It allows you to install strongSwan
  3. Install Entware-ng-3x and strngSwan.
  4. Configure the site-to-site VPN


Please, read the second part where I describe how to replace the T-Mobile firmware with DD-WRT:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 2 of 5


2 thoughts on “Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 1 of 5

  1. Thanks for posting this article. Im looking for parts 2 to 5 but I didn’t find. Have you already published that?

    • I haven’t had time to maintain this blob properly. Parts 2 to 5 are there but for some reason only the title is visible. When I go into edit mode I see the full article.
      I will try to fix it but I am not sure if it will be soon. I will try to create PDF files and email them. Thanks.

Leave a Reply