Configuring Azure Site-to-Site Connectivity using VyOS behind a NAT – Part 1

You may also like...

4 Responses

  1. Rhys Goodwin says:

    Thanks very much, this helped me get my vyos to Azure VPN up and running.

    My network is a little differnt and I needed to specify:
    nat-traversal enable
    before it would work.


  2. Matheen says:

    Hi, Thanks for your article. I am trying to set the same setup using your blog series. But my home router don’t have DD-WRT.

    you mentioned “Arguably, you do have the option to configure masquerade source NAT on the VyOS to avoid the need for this command but I despise double-NAT and wanted to avoid it at all costs.”

    If I still setup a NAT on vyos, something like below

    set nat source rule 10 outbound-interface ‘eth0’
    set nat source rule 10 source address ‘’
    set nat source rule 10 translation address ‘masquerade’

    Eth0 – DMZ (where devices connected to home router)
    Eth1 – Internal (My domain controller, lab machines sit)

    Will it work? Do I need to follow special instructions anywhere?

  3. Matheen says:

    I managed to make it work. Since I am using NAT on Vyos, I need to exclude that NAT for Site to Site VPN to work.
    Step 7 on this article explains that

    Thank you very much for such useful blog.

  4. ryan says:

    Is this possible when you have VNETs behind a Virtual WAN? I have to migrate hundreds of client VPNs to Azure and will need to NAT.