Setting up site-to-site on Linux server

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.



  • <SECRET_KEY> - replace with your generated secret preshared key
  • <NordLayerIP> - replace with the IP of your NordLayer dedicated server
  • <YourIP> - replace with your public static IP
  • <LocalSubnet> - replace with the IP of your local subnet

Setting up Site-to-site client on Linux server


<YourIP> <NordLayerIP> : PSK "<SECRET_KEY>"


config setup


conn Nordlayer


Add some iptable rules

/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -m policy --dir out --pol ipsec -j ACCEPT


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top