Site-to-Site VPN Configuration

Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN

Site-to-site VPN configuration in Meraki appliances enables secure connectivity between multiple network locations through encrypted tunnels over the internet. This functionality supports hub-and-spoke, mesh, and custom VPN topologies for connecting branch offices, data centers, and remote sites with centralized management and automatic failover capabilities. Site-to-site VPN is essential for organizations requiring secure inter-site connectivity, centralized resource access, and scalable network expansion while maintaining security and performance across distributed locations.

appliance (meraki.domains.organizations.networks)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| vpn_site_to_site_vpn | Class | [vpn_site_to_site_vpn] | No | |

vpn_site_to_site_vpn (meraki.domains.organizations.networks.appliance)

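| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| mode | Choice | hub, none, spoke | Yes | |
| hubs | List | [hubs] | No | |
| subnets | List | [subnets] | No | |
| subnet_nat | Boolean | true, false | No | |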

hubs (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| use_default_route | Boolean | true, false | No | |
| hub_network_name | String | min: 1, max: 127 | Yes | |

subnets (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn)

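| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| local_subnet | String | Regex (given below the table) | Yes | |
| use_vpn | Boolean | true, false | No | |
| nat | Class | [nat] | No | |

Regex for local_subnet: `^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`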

nat (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn.subnets)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| enabled | Boolean | true, false | No | |
| remote_subnet | String | | No | |

Example-1: The example below demonstrates site-to-site VPN configuration.

This configuration establishes secure connectivity between distributed network locations through encrypted VPN tunnels. The example includes VPN modes (hub/spoke/mesh), subnet definitions, and connectivity settings for inter-site communication.

Setting “mode: hub” designates this appliance as a central hub that spoke sites connect to. The “subnets” list defines which local networks participate in VPN connectivity: each entry gives a “local_subnet” address and sets “use_vpn: true” to enable VPN access. The configuration includes both a static subnet (192.168.20.0/24) and an environment-variable subnet (hub_server_subnet) for flexible deployment. The “subnet_nat” option is commented out because NAT translation has to be enabled by Meraki Support before it works. With this hub configuration, spoke sites can access hub resources and communicate through the hub appliance.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                vpn_site_to_site_vpn:
                  mode: hub
                  # Site-to-Site VPN Translation has to be enabled by Meraki Support
                  # for this setting to work.
                  # Otherwise, "VPN subnet translation is not supported for this network" is returned.
                  # subnet_nat: True
                  subnets:
                    - local_subnet: "192.168.20.0/24"
                      use_vpn: true
```