Site-to-Site VPN between pfSense Firewall and Azure using BGP

Site-to-Site VPN between pfSense and Azure with BGP to allow dynamic discovery of your networks

This post explains how to set up a VPN connection from an open-source pfSense firewall to Azure. We will run BGP on top of the IPsec tunnel so that our local network and Azure can dynamically exchange routes. This removes the burden of having to declare manually on each VPN gateway which subnets you want to advertise to the other end.

The first thing to bear in mind is that the LAN address space behind the firewall must not overlap with the VNET address space. My home router sits on a and the pfSense is connected to the home router using the pfSense WAN port. The firewall has a LAN address space on and has a PC connected to the LAN port of the firewall.

Parameter                                    Value
My Home Router Public IP
LAN subnet behind pfSense (Local VPN Gateway)
Azure VNET Address Space
Azure VNET VM Subnet
Azure VNET Gateway Subnet
Azure VPN Gateway Public IP
Azure VPN Type                               Route-Based
Azure VPN BGP ASN                            65515
Azure Gateway Type                           VPN
Azure Local Network Gateway Name             LocalVPN-pfSense
Azure Local Network Gateway BGP peer address
Azure Local Network Gateway BGP ASN          65501
Azure VPN Connection Name                    VPN-conn2pfSense
Azure VPN Shared Key                         mySuperSecretKey123

We will start by creating a Virtual Network (again, make sure the address space you enter doesn't overlap with the address space of your local network).

(image: Virtual Network creation)

This is followed by the gateway subnet (I decided to use a /24 to keep the same subnetting scheme, but Microsoft's recommendation is to use a /27 or /28 for the gateway subnet).


Next, we will create the Virtual Network Gateway. We will choose to create a new public IP address. Since we will use BGP to exchange routes between Azure and the pfSense firewall, we need to tick the BGP option when creating the gateway. We will use a private BGP ASN of 65515.


You will find the BGP peer address on your VPN Gateway. This is the local address that the Azure VPN Gateway uses to initiate the BGP session to your home gateway.


Now we are going to create the Local Network Gateway, which is what Azure calls the VPN device that sits in your home network. You will need to enter its BGP peer address, the local network behind the firewall (the local VPN gateway) and a private BGP ASN (I am using 65501).


Once the Local Network Gateway is created, we will define a Connection to our home VPN gateway. We will use a private shared key so that the IPsec VPN can come up. Remember to set BGP to 'enabled' on your Connection. This is how it looks when the connection is up and running (assuming that at this point you have done the same on the other end).


Now, moving to the other end, we will use the Web UI on the pfSense firewall to work on the rules and VPN settings. To configure a new tunnel, a new Phase 1 IPsec VPN must be created. Remote Gateway will be the public IP address assigned to my Virtual Network Gateway in Azure. Leave 'auto' as the IKE key exchange version and select WAN as the interface on which to run the VPN. For authentication, use the Pre-Shared Key you defined on the Azure Connection. Use the encryption algorithm, DH group and hashing algorithm you need; in my case AES (256 bits).


We will then move to Phase 2. This phase builds the actual tunnel, sets the protocol to use, and sets how long to keep the tunnel up when there is no traffic. For the remote network, use the VNET address space. The local subnet will be the address space on the LAN side of the pfSense.


Apply the changes and go to IPsec Status.


You will need to create a rule to permit IPsec traffic coming in through your WAN interface.

I have also opened TCP port 179 in a rule on the IPsec interface to permit incoming BGP connections from Azure.


Now, in order to use BGP on pfSense you will need to install OpenBGPD through the Package Manager. We will use BGP peer groups to define the BGP ASN of the Azure peer.


With BGP, you only need to declare a minimum prefix to a specific BGP peer over the IPsec S2S VPN tunnel. It can be as small as a host prefix (/32) of the BGP peer IP address of your on-premises VPN device. The point of using BGP over VPN is that you can control dynamically which on-premises network prefixes you advertise to Azure, and therefore which of them your Azure Virtual Network is able to reach.

My BGP settings are the following:


The BGP neighbor will be the BGP peer address of the Virtual Network Gateway on Azure, in my case with IP address


You can also view the whole raw BGP configuration in pfSense.
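As an added illustration (not the author's actual configuration), this is roughly what an OpenBGPD bgpd.conf equivalent to the settings above looks like, using the classic OpenBGPD syntax the pfSense package generates; the addresses are placeholders and the prefix filters are an addition so that only the intended LAN prefix is advertised and only the VNET prefix is accepted:

```conf
# Local BGP identity (ASN from the parameter table; router-id is a placeholder
# standing in for the pfSense LAN/BGP peer address).
AS 65501
router-id 192.0.2.1
fib-update yes

# Prefix to advertise to Azure: the LAN behind pfSense (placeholder value).
network 192.0.2.0/24

# Peer group for the Azure VPN Gateway (ASN 65515 from the parameter table).
group "Azure" {
    remote-as 65515
    # Neighbor is the Azure BGP peer address shown on the VPN Gateway
    # (placeholder value); the session runs inside the IPsec tunnel.
    neighbor 10.255.255.4 {
        descr "Azure-VNG"
        local-address 192.0.2.1
        announce all
    }
}

# Deny everything by default, then allow only what each side should learn:
# advertise nothing but our LAN, and accept nothing but the VNET address
# space (placeholder value) from Azure.
deny from any
deny to any
allow to group "Azure" prefix 192.0.2.0/24
allow from group "Azure" prefix 10.255.0.0/16 prefixlen >= 16
```

Exact filter syntax varies between OpenBGPD releases, so check the raw config pfSense shows against the package's own syntax if a line is rejected.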


Finally, after a few minutes you will see the BGP session come up.



To test this, you can simply ping from a computer on the LAN side of the pfSense ( to a VM in Azure on the VNET address space (, and that should work! :)