This post is about connecting my homelab to Microsoft Azure. For that purpose I built a site-to-site VPN using pfSense. I originally wanted to build the site-to-site VPN on my ASUS internet router, but since that router does not support site-to-site VPN I had to come up with another solution, which I found in pfSense. So now I can reach my Azure resources over a secure, private connection. In this tutorial I explain how to build it.
But before we start with the solution I must emphasise that I would not recommend it for a business. There is no packet inspection in this setup. For businesses I prefer a next-generation firewall solution in the cloud and on-premises, for example FortiGate Next-Generation Firewall on Microsoft Azure along with its on-premises counterpart. Those offer more advanced protection such as Application Control, Intrusion Prevention and Advanced Threat Protection.
But since I cannot afford those services at home, I implemented the solution below.
Homelab components and solution
At home I use an Asus router for basic internet access. For pfSense I built a virtual machine on my Synology DS218+ NAS. The site-to-site VPN is built between Azure and the pfSense virtual machine. The picture below shows a schematic of the solution.
Step 1. Prepare the Azure Network
To make this solution work we need a network to connect to. Log in to https://portal.azure.com and start creating a Virtual Network. Virtual networks and subnets are free.
Hit “Add” or the “Create virtual network” button.
1) Choose name for your virtual network
2) Enter an address space that does not overlap your home network. I chose an address space in which I can create 64 subnets of 255 addresses
3) Choose a subscription. If you do not have one you have to create a subscription. See my post about Azure Automation for instructions about creating a subscription.
4) Select or create a Resource Group
5) Select a Location
6) Choose a name for the first subnet in the virtual network
7) Enter an address range for the first subnet that fits in the address space
8) Hit “Create”
Step 2. Create the Virtual Network Gateway
Next, create a Virtual Network Gateway
- Select a subscription
- Choose a name for your gateway
- Select a region
- Pick a SKU. Setting up a virtual network is free of charge, but Microsoft does charge for the VPN gateway that connects to on-premises networks and other virtual networks in Azure. The charge is based on the time the gateway is provisioned and available, and the tiers differ in available bandwidth and number of connections. The cheapest SKU is Basic, which costs about €22/$26 a month. Details can be found at https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/
- Select the virtual network you just created
- Every gateway needs its own Gateway Subnet. If it does not exist yet, you can create it here. Fill in a subnet that fits in your VNET’s address space.
- Since the VPN connects over the internet we need a public IP. Choose a name for your public IP
- Hit Review + Create
Be aware that creating a virtual network gateway takes about 30 minutes.
Once the gateway is created, view its details and write down the public IP that was assigned. We need it in a later stage.
Step 3. Create the Local Gateway
Once the virtual network gateway is created we need to create a local network gateway. A local network gateway represents the subnet of your local home network in Azure.
- Choose a name for your Local Network Gateway
- Fill in the public IP address of your home/business connection. You can probably find it in your internet router; otherwise websites like https://whatismyip.com and several others can display your IP
- Fill in your home subnet
- Select a Subscription
- Pick a Resource Group
- Choose a location
- Hit Create
Step 4. Create a connection
Go to your Local Network Gateway and add a connection
Fill in the details and choose a long shared key. Write it down: you’ll need it for the pfSense configuration.
Step 5. Install pfSense
For this installation I created a virtual machine with 1 CPU, 256MB memory, a 10GB hard disk and 1 network interface attached to my home network. You can download the free community edition of pfSense here: https://www.pfsense.org/download/
After you created the virtual machine attach the pfSense ISO file, start it up and connect to the console.
Step 6. Configure pfSense
After the pfSense VM boots we need to do some configuration.
Choose 2 for “Set interface(s) IP address”. Type an address in your LAN for your pfSense IP. Enter the subnet bit count and gateway. Pick (n)o for IPv6.
Connect to the pfSense installation through a web browser at https://<ipaddress>. Log in with the username/password admin/pfsense.
After that the setup wizard starts automatically.
The last two steps of the wizard are just summary screens.
Step 7. Forward the correct IP ports to pfSense
Forward the appropriate ports in your internet router to your pfSense installation. Ports 500, 1701 and 4500 are the necessary ports. Optionally you can limit access to the public IP of the Azure Virtual Network Gateway. In that case the VPN endpoint is only reachable from your own gateway IP in Azure.
Step 8. Configure VPN on pfSense
In pfSense, select VPN -> IPsec.
4. Fill in the public IP you got from the Virtual Network Gateway in Azure
5. Fill in the same pre-shared key you used when creating the Connection in Azure.
3/4. Fill in the Address space you used when creating the Virtual Network in Azure
Now the VPN is configured. You can check whether it is established at Status -> IPsec
Step 9. Allow traffic through the VPN connection
Now that the VPN is up, traffic must be allowed through it. Again this is a pfSense configuration item: go to Firewall -> Rules
Click IPsec and Add
Since this is not a traditional firewall installation we need to do the same on the WAN side. So click WAN and Add
Finally hit “Apply changes”
Step 10. Final step – update your routing table.
In your default gateway, which is probably your internet router, you have to add a route for the Azure address space via the pfSense VM. With that route your network devices know how to reach your Microsoft Azure network.
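The address planning in Steps 1 and 2 (a VNet space that does not overlap the home network, subnets and a GatewaySubnet that fit inside it) and the static route of Step 10 can be checked before anything is clicked in the portal. This is an added example, not code from the post; the home LAN, VNet, subnet and pfSense addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the post): home LAN, the VNet address
# space, its first subnet, the GatewaySubnet and the pfSense LAN address.
HOME_LAN = "192.168.1.0/24"
VNET_SPACE = "10.10.0.0/16"
FIRST_SUBNET = "10.10.1.0/24"
GATEWAY_SUBNET = "10.10.255.0/27"
PFSENSE_LAN_IP = "192.168.1.2"


def check_addressing(home_lan, vnet_space, first_subnet, gateway_subnet):
    """Return a list of problems; an empty list means the plan is consistent."""
    # strict=True rejects a prefix with host bits set, e.g. 10.10.1.5/24.
    home = ipaddress.ip_network(home_lan, strict=True)
    vnet = ipaddress.ip_network(vnet_space, strict=True)
    sub = ipaddress.ip_network(first_subnet, strict=True)
    gw = ipaddress.ip_network(gateway_subnet, strict=True)
    problems = []
    # Step 1: the VNet address space must not overlap the home network,
    # otherwise neither pfSense nor the router can tell local from remote traffic.
    if home.overlaps(vnet):
        problems.append(f"VNet {vnet} overlaps home LAN {home}")
    # Steps 1 and 2: the first subnet and the GatewaySubnet must sit inside the VNet.
    for name, net in (("first subnet", sub), ("GatewaySubnet", gw)):
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside VNet {vnet}")
    # Subnets within one VNet may not overlap each other.
    if sub.overlaps(gw):
        problems.append(f"first subnet {sub} overlaps GatewaySubnet {gw}")
    return problems


def static_route(vnet_space, pfsense_lan_ip, home_lan):
    """Step 10: the route to add on the home router as (destination, next hop)."""
    next_hop = ipaddress.ip_address(pfsense_lan_ip)
    # The next hop must be on the home LAN, or the router cannot reach pfSense.
    if next_hop not in ipaddress.ip_network(home_lan):
        raise ValueError(f"pfSense IP {next_hop} is not inside {home_lan}")
    return (str(ipaddress.ip_network(vnet_space)), str(next_hop))


if __name__ == "__main__":
    for problem in check_addressing(HOME_LAN, VNET_SPACE, FIRST_SUBNET, GATEWAY_SUBNET):
        print("problem:", problem)
    print("route to add on the home router:", static_route(VNET_SPACE, PFSENSE_LAN_IP, HOME_LAN))
```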
So, this was obviously a long read. But now you have it: a dedicated site-to-site VPN with Microsoft Azure.
“3/4. Fill in the Address space you used when creating the Virtual Network in Azure”
The first entry should be “LAN subnet” instead of “WAN subnet”
Thanks for this, I am not sure why port forward is needed. Would there be situations that traffic originates from Azure towards the router? Would the router also need a static Public IP in this case?