How to set up site-to-site VPN with NAT and firewall constraints


Hello, I am an existing VyattaOS user–expecting to upgrade to VyOS soon–and am in the medical business. One of my cloud application servers needs to share TCP data with a client’s application server. I also have a self-configured Vyatta (mendocino) device in the same cloud as my application server. The client has a Cisco router. I am trying to do my initial Vyatta set-up. I am my own Information Technology department and am not formally trained in IT, but I have worked some with Vyatta commands and can usually pick up concepts reasonably quickly, with guidance :slight_smile:

Conditions (values are sanitized):

  1. Data is Protected Health Information (PHI), so we need to encrypt, etc.; so we plan to use site-to-site VPN.
  2. The client’s server application and my server application (both DICOM [Digital Communication in Medicine] nodes) both require the peer/remote application’s IP address and port to be entered into the local application’s configuration file. Only messages from known/configured IP addresses/ports are allowed into the application.
  3. My router’s public IP is
  4. My application server’s public IP is
  5. Gateway of these public IP’s is
  6. My router has a few private IP’s
  7. My application server’s private IP is Port is 11112.
  8. Gateway of the private IP’s #6 and #7 is
  9. My client has told me that his public IP is
  10. The client has told me that his private IP is
  11. Our pre-shared secret is password.
  12. My client has indicated an added restriction, which I do not understand: “Also you will need to setup ACL’s on your device to disallow traffic to our Office LAN at our suburban location.”
  13. Via the VPN, I need to access only the client’s application server; I don’t need to reach any other locations on his private LAN.
  14. Likewise, I want the client to be able to reach only my application server IP and no other locations on my private LAN.
  15. I need to be able to give the client the correct IP and port for him to configure his application server properly. I think (?) that the correct IP for me to give him, if I am using NAT, may be one of the available private IP’s on my router? . . . instead of the private IP of my application server?
  16. And he will eventually need to give me the correct IP and port for me to insert into my application server’s config.

I would appreciate the community’s advice on proper/ideal configuration. In particular, I suspect that, in addition to site-to-site VPN, I will need NAT and firewall functionality. But I’m not sure of this necessity and am (especially) unfamiliar with configuring these items. I am also unfamiliar with the proper configuration of local-subnet and remote-subnet in the VPN tunnel. Hence the question marks scattered through my attached config.

I hope I have included enough information for you all to suggest a configuration. I have attached a sanitized config.boot that demonstrates my work up to this point.
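As an added worked example (not the poster's attached config.boot, and not an official VyOS reference configuration), the following configuration covers the three pieces the post asks about: a site-to-site IPsec tunnel, the host-to-host selectors that answer the local-subnet/remote-subnet question, and the firewall rules that restrict each side to the other's application server only. All addresses are constructed placeholders: 198.51.100.1 stands in for the router's public IP on eth0, 192.168.10.20 for the application server's private IP (listening on TCP 11112 as stated in the post), 203.0.113.2 for the client's public IP, 10.20.30.40 for the client's application server, and 10.99.0.0/24 for the client's office LAN, which the post does not identify. The syntax is VyOS 1.2 (Vyatta-derived `set` commands); the `key-exchange ikev2` line needs 1.2 or later and can be dropped on 1.1. The example assumes that no other forwarded traffic arrives through eth0, which matches the post's description of the application server having its own public IP.

```vyos
# Added example configuration. Every address below is constructed:
#   198.51.100.1  = my router's public IP on eth0
#   192.168.10.20 = my DICOM application server's private IP (TCP 11112)
#   203.0.113.2   = the client's public IP (their Cisco router)
#   10.20.30.40   = the client's DICOM application server's private IP
#   10.99.0.0/24  = the client's office LAN (placeholder; not given in the post)

# --- IKE (phase 1) and ESP (phase 2) proposals. The Cisco side must be
#     configured with exactly matching algorithms, DH group and lifetimes. ---
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-CLIENT key-exchange ikev2
set vpn ipsec ike-group IKE-CLIENT lifetime 28800
set vpn ipsec ike-group IKE-CLIENT proposal 1 encryption aes256
set vpn ipsec ike-group IKE-CLIENT proposal 1 hash sha256
set vpn ipsec ike-group IKE-CLIENT proposal 1 dh-group 14
set vpn ipsec esp-group ESP-CLIENT lifetime 3600
set vpn ipsec esp-group ESP-CLIENT pfs dh-group14
set vpn ipsec esp-group ESP-CLIENT proposal 1 encryption aes256
set vpn ipsec esp-group ESP-CLIENT proposal 1 hash sha256

# --- The tunnel. Host-to-host selectors (/32 on both ends) mean the only
#     traffic ever routed into the tunnel is between the two DICOM servers;
#     no other host on either private LAN is reachable through it. Because
#     the local prefix is the server's real private IP, no NAT is involved,
#     and 192.168.10.20 / 11112 is what the peer configures on their side. ---
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'REPLACE-WITH-SHARED-SECRET'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-CLIENT
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group ESP-CLIENT
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix 192.168.10.20/32
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix 10.20.30.40/32

# --- Inbound firewall on eth0 (forwarded traffic). Decrypted tunnel packets
#     may only reach the DICOM port on my server; any other decrypted packet
#     is dropped and logged, and anything not from the tunnel is dropped. ---
set firewall name FROM-CLIENT default-action drop
set firewall name FROM-CLIENT rule 10 action accept
set firewall name FROM-CLIENT rule 10 state established enable
set firewall name FROM-CLIENT rule 10 state related enable
set firewall name FROM-CLIENT rule 20 action accept
set firewall name FROM-CLIENT rule 20 ipsec match-ipsec
set firewall name FROM-CLIENT rule 20 protocol tcp
set firewall name FROM-CLIENT rule 20 source address 10.20.30.40
set firewall name FROM-CLIENT rule 20 destination address 192.168.10.20
set firewall name FROM-CLIENT rule 20 destination port 11112
set firewall name FROM-CLIENT rule 30 action drop
set firewall name FROM-CLIENT rule 30 ipsec match-ipsec
set firewall name FROM-CLIENT rule 30 log enable
set interfaces ethernet eth0 firewall in name FROM-CLIENT

# --- Outbound firewall on eth0: the "ACL" the client asked for. Traffic
#     toward their office LAN is dropped even if a route for it ever appears,
#     and only my server may talk to their server. Other outbound traffic
#     (e.g. LAN hosts reaching the internet) is left alone. ---
set firewall name TO-CLIENT default-action accept
set firewall name TO-CLIENT rule 10 action drop
set firewall name TO-CLIENT rule 10 destination address 10.99.0.0/24
set firewall name TO-CLIENT rule 10 log enable
set firewall name TO-CLIENT rule 20 action accept
set firewall name TO-CLIENT rule 20 source address 192.168.10.20
set firewall name TO-CLIENT rule 20 destination address 10.20.30.40
set firewall name TO-CLIENT rule 30 action drop
set firewall name TO-CLIENT rule 30 destination address 10.20.30.40
set interfaces ethernet eth0 firewall out name TO-CLIENT

commit
save
```

Two checks worth doing after `commit`: `show vpn ipsec sa` should list the tunnel as up with the two /32 selectors, and `show firewall name FROM-CLIENT statistics` should show counters moving only on rules 10 and 20 while the DICOM association is active; hits on rule 30 or on the TO-CLIENT drop rules indicate traffic outside the agreed host pair. If the router already carries a `local` firewall on eth0, it also needs rules accepting UDP 500/4500 and ESP from 203.0.113.2, since IKE and ESP are addressed to the router itself rather than forwarded.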