Configuring Azure Site-to-Site Connectivity using VyOS behind a NAT – Part 1

4 Responses

  1. Rhys Goodwin says:

    Thanks very much, this helped me get my vyos to Azure VPN up and running.

    My network is a little different and I needed to specify:
    nat-traversal enable
    before it would work.


  2. Matheen says:

    Hi, thanks for your article. I am trying to set up the same setup using your blog series, but my home router doesn't have DD-WRT.

    You mentioned “Arguably, you do have the option to configure masquerade source NAT on the VyOS to avoid the need for this command but I despise double-NAT and wanted to avoid it at all costs.”

    If I still set up a NAT on VyOS, something like below:

    set nat source rule 10 outbound-interface 'eth0'
    set nat source rule 10 source address ''
    set nat source rule 10 translation address 'masquerade'

    Eth0 – DMZ (where devices connected to home router)
    Eth1 – Internal (My domain controller, lab machines sit)

    Will it work? Do I need to follow special instructions anywhere?

  3. Matheen says:

    I managed to make it work. Since I am using NAT on VyOS, I need to exclude that NAT for the Site-to-Site VPN to work.
    Step 7 in this article explains that.

    Thank you very much for such a useful blog.

  4. ryan says:

    Is this possible when you have VNETs behind a Virtual WAN? I have to migrate hundreds of client VPNs to Azure and will need to NAT.
