How to create a site to site vpn tunnel using the meraki cloud firewall?

How to create a site to site vpn tunnel using the meraki cloud firewall?

This article will walk you through the process of setting up a site-to-site VPN tunnel using the Meraki Cloud Firewall. You can use this article regardless if you are an IT professional or just someone who prefers to do things themselves! This is great for people that have multiple offices and need secure access between their sites without having to use expensive third-party services.

The article is divided into a few sections:

  1. Requirements
  2. Configuration of the MX Security Appliance for Site to site VPN.
  3. Configuring your devices that need remote access to connect to the VPN tunnel.


These are things you will have before going through this process, so read them beforehand! Some may not apply to you, but it is good information to know.

  • MX Security Appliance (Meraki Cloud Firewall)
  • Your Own Certificate Authority Server (if needed for client auth certificates). The CA’s public certificate should be installed on the Meraki MCF.
  • A second network interface on your MX that is connected to the network you want your second office devices to connect through. This interface will only be used for VPN traffic, so it doesn’t need much bandwidth or configuration!
  • Static Routes on both sides of the connection pointing at each other’s interfaces (the MX Security Appliance needs a route to your local subnet, and your local router needs a route to the MX Security Appliance’s external IP address).


Now that we have everything we need it is time to configure the Meraki MCF. Log into your account and click on ‘Add New Device’ in the top right corner of the screen next to where you name your devices. Then select the MX Security Appliance and click next.

  • Change Device Type to VPN Concentrator
  • Enter a descriptive name for this device (this is what will show up in the list of all your other Meraki MCF’s, so you can use something that makes sense like ‘HQ Site to Site VPN’)
  • Make a note of the Public IP Address for this device. This is what you will need to configure on your remote side in order to connect through it. Keep in mind that the MX Security Appliance has two network cards, and we want traffic going from our local router/firewall out interface (external), NOT the interface that is connected to our local subnet (internal).
  • For VPN Connectivity, select Site To Site VPN.
  • Enter your Local Network IP Address Range in CIDR format for this location’s network on each side of the connection. Since we are using a /24 range it will be:
  • For Authentication, select ‘Accept all connections’ as this is a trusted network and by default the Meraki MCF will allow any device to connect without requiring authentication (the MX Security Appliance should only be accessible from your remote site). If you want to require some sort of certificate based authentication you can do so by selecting ‘Require authentication’ and then specifying the CA certificate that should be used for authenticating devices on this side of the connection.
  • For VPN Tunnel Interface, select a secondary network interface from the drop down list (this is why we needed to have a second one). This will automatically change all the other settings underneath to be compatible with the subnet that this interface is on.
  • Click ‘Save’, and your MX Security Appliance will start creating its VPN tunnel! Give it a minute or two (or five) for everything to be configured correctly. If you want to verify if the device has received an IP address from your Meraki Dashboard you can check under the ‘General’ tab on its device management page.

Configuring Your Devices:

Now that our MX Security Appliance is configured, it’s time to configure our devices!  We are going to configure our local router/firewall which is on the side of your office that you want devices to connect through.

We will need to specify the IP address of your MX Security Appliance under ‘Static Route’. You can do this automatically by adding a route to via (you can find the Public IP Address under ‘General’ on the device management page).

Now that your local router/firewall knows to send all traffic through the MX Security Appliance, you need to tell your devices to do the same! In order to connect through a site-to-site VPN, you will need either a dynamically assigned or static IP address. Your local router/firewall will also need to be configured as a DHCP Server and supply the correct routes for your devices, so if you don’t already have it configured to do so make sure and add this functionality.

On your remote side:

we will need to configure the same thing as on our local side, only we will be specifying a different IP address for your MX Security Appliance. Also make sure and use an interface that is NOT connected to your internal network (in my case it would be ‘em0’ since I have another Ethernet port on this firewall   that is connected to the internal side).

You will also need to configure your local router/firewall on your remote site with a static route for all traffic going back through the VPN tunnel. The public IP address of this Meraki MCF should be, and keep in mind that it won’t be the same subnet that your local side is on.

To configure a static route, go to ‘Network > Static Routes’ where you will need to specify the network interface it applies to (in this case em0), and then enter with a gateway of

Once you have configured your remote and local side with the proper static routes, devices should now be able to connect through a site-to-site VPN connection!  If you want to verify if the device has received an IP address from your Meraki Dashboard you can check under the ‘General’ tab on its device management page.


This should be everything that you need to get your Site-to-Site VPN tunnel up and running! If you are trying to connect two of your own private networks together then all you will need to do is configure your local router to send all traffic through the MX Security Appliance.

Recent Posts