Site-to-Site VPN between on-premises network and Azure using DD-WRT and Entware / strongSwan – part 1 of 5
This article describes how to set up a site-to-site VPN between a home network and Azure using a consumer-grade wireless router.
Once completed, this will let you access the resources in Azure (virtual machines, databases, etc.) as if they were part of your home LAN. You can also reach the resources on your home network from Azure.
The following diagram shows what the site-to-site VPN will look like at the end:
This article is based on work other people did before me, and I would like to give them credit for it. Here are the main sources I used:
The two links above, and all the other resources linked from there, helped me successfully replace the T-Mobile firmware with DD-WRT.
Viorel’s article helped me a great deal while installing Entware-NG and configuring strongSwan. In his set-up he uses the Tomato Shibby mod, so if you are using that instead of DD-WRT, make sure to check it out.
One bite at a time
This whole process can be divided into several steps, and I will write a separate post for each of them. Here I give the high-level overview.
In order to set up a site-to-site VPN with Azure you need a “VPN device” that can act as a VPN gateway in your on-premises network. It can be a hardware appliance, for example a Barracuda NextGen Firewall F-series, or software, such as the Routing and Remote Access Service (RRAS) that ships with Windows Server 2012 R2.
Specialized hardware VPN devices can be expensive. A Windows Server license plus a machine to run it on is also expensive. Luckily there is another way: you can use an inexpensive router to achieve the same goal. You may even be able to use your existing router if it meets certain requirements.
Your router needs to support IPsec and IKEv2 (Azure route-based VPN gateways negotiate with IKEv2; only the older policy-based gateways use IKEv1). If the stock firmware does not support it, you may be able to install alternative firmware that does, or add software such as strongSwan on top of it. This is what I did.
Once you have the router, the rest of the process is roughly as follows:
- Get rid of the T-Mobile firmware. You want to do this because it is locked and does not allow you to flash non-T-Mobile firmware.
- Install DD-WRT. This is an alternative firmware which I have been using for some time. It allows you to install strongSwan.
- Install Entware-ng-3x and strongSwan.
- Configure the site-to-site VPN
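To make the IPsec/IKEv2 requirement and the last step concrete, here is a minimal strongSwan configuration for an IKEv2, pre-shared-key tunnel from the router to an Azure route-based VPN gateway. This is an added example, not configuration taken from this post or from the later parts of the series. Everything in it is a placeholder you must replace with your own values: the `/opt/etc` paths are where Entware is assumed to keep strongSwan's files, `203.0.113.10` stands for your home WAN public IP, `192.168.1.0/24` for your home LAN, `198.51.100.20` for the Azure VPN gateway's public IP, `10.0.0.0/16` for the VNet address space, and the PSK is the shared key you set on the Azure Connection resource.

```conf
# /opt/etc/ipsec.conf  (path assumed for an Entware install of strongSwan)
config setup
    uniqueids=no

conn %default
    keyexchange=ikev2          # Azure route-based gateways require IKEv2
    type=tunnel
    authby=secret              # pre-shared key, defined in ipsec.secrets
    ikelifetime=28800s         # IKE SA lifetime (8 h)
    lifetime=3600s             # IPsec SA lifetime (1 h)
    keyingtries=%forever       # keep retrying if the gateway is unreachable
    dpddelay=30s
    dpdaction=restart          # re-establish the tunnel if dead peer detection fires

conn azure
    # Local (home) side -- all values are placeholders
    left=%defaultroute
    leftid=203.0.113.10        # must equal the IP configured on the Azure local network gateway
    leftsubnet=192.168.1.0/24  # home LAN, must match the address space set in Azure
    # Remote (Azure) side -- all values are placeholders
    right=198.51.100.20        # public IP of the Azure VPN gateway
    rightid=198.51.100.20
    rightsubnet=10.0.0.0/16    # Azure VNet address space
    # Proposals must match the gateway's IKEv2/IPsec policy; the "!" makes them strict
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256!         # no DH group here = no PFS, which matches the Azure default
    auto=start

# /opt/etc/ipsec.secrets  (path assumed; keep this file readable by root only)
203.0.113.10 198.51.100.20 : PSK "replace-with-the-shared-key-from-the-Azure-connection"
```

Two checks before blaming the configuration: the router's WAN port must hold the public IP you entered as the local network gateway address in Azure (a carrier NAT or an upstream modem doing NAT in front of the router breaks this), and the `ike=`/`esp=` proposals must be ones the gateway actually offers. DH group 2 (`modp1024`) is the weakest option Azure accepts; if your gateway's IPsec policy allows DH group 14 (`modp2048`), prefer it. After `ipsec restart`, `ipsec statusall` should list the `azure` connection as ESTABLISHED with a child SA covering both subnets, and a ping from a LAN host to a VM in the VNet (with the VM's network security group allowing ICMP) confirms the routing.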
Please read the second part, where I describe how to replace the T-Mobile firmware with DD-WRT: