Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 1 of 5

Introduction

This article describes how to set up a site-to-site VPN between a home network and Azure using a consumer-grade wireless router.

Once completed this will allow you to access the resources (virtual machines, databases, etc. ) in Azure as if they were part of your  home LAN. You can also access the resources on your network at home from Azure.

The following diagram shows what the site-to-site VPN will look like at the end:

Credit

This article is based on work other people did before me and a would like to give them credit for this. Here are the main sources I used:

Asus RT-AC68U
Asus T-Mobile Cellspot

The two links above and all the other resources linked from there helped me to successfully replace the T-Mobile firmware and replace it with DD-WRT.

ON-PREMISES SITE 2 SITE VPN WITH AZURE USING TOMATO SHIBBY MOD (ENTWARE-NG AND STRONGSWAN SETUP) – PART 1

Viorel’s article helped me a great deal while installing Entware-NG and configuring strongSwan. In his set-up he uses Tomato Shibby Mod, so if you are using this instead of DD-WRT make sure to check it out.

One bite at a time

This whole process can be divided in several steps and I will create a separate posts for each of it. Here I will give the high level overview.

In order to set up a site-to-site VPN with Azure you need a “VPN Device” that can act as a VPN gateway in your on premise network. It can be a hardware device – for example Barracuda NextGen Firewall F-series  or a software – Routing and Remote Access Service (RRAS) that comes with Windows Server 2012 R2.

The specialized hardware VPN devices can be expensive. Windows Server license plus a machine to run it on is also expensive. Luckily there is another way – you can use an inexpensive router to achieve the same goal. You may be even lucky to use your existing router if it meets certain requirements.

You router need to support IPsec and IKEv2 . If the stock firmware does not support it you may be able to install alternative firmware that does or install additional software like strongSwan. This is what I did.

I did not want to mess up my existing network, so I decided to buy a new router to play with. I picked a T-Mobile branded router that is actually the same as ASUS RT-AC68U but is just half the price.

Once you get the router the rest of the process is roughly as follows:

  1. Get rid of the T-Mobile firmware. You want to do this because it is locked and does not allow you to flash non-tmobile firmwares.
  2. Install DD-WRT. This is an alternative firmware which I have been using for some time. It allows you to install strongSwan
  3. Install Entware-ng-3x and strngSwan.
  4. Configure the site-to-site VPN

 

Please, read the second part where I describe how to replace the T-Mobile firmware with DD-WRT:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 2 of 5

 

Tagged with: , , , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.