One VPN setup for 3 offices


I need some help with how I should configure a VPN tunnel to reach 3 different offices.
We have 3 different offices in 3 remote locations. Each office has one Fortigate 60F. 
We want to have a VPN tunnel for our staff to reach the internal network for all 3 offices. Does this require 3 different VPN tunnels or can I just configure site-to-site tunnels between the offices and use one VPN to reach all of them?

As you can probably tell, I'm not that experienced in networking/fortinet and I appreciate all the info and help I can get.

Thank you!


There are different ways you can achieve this:


1) By creating 3 different tunnels, one between each site. Refer to the link below:


2) You can do something like a hub-and-spoke topology, where one FortiGate acts as the hub and the other two FGTs act as spokes.





You can create a hub-and-spoke ADVPN tunnel. All the spokes will be connected to one hub. A dynamic tunnel will automatically be created when spoke A wants to send traffic to spoke B.

If you're not familiar with routing protocols like BGP or OSPF, which ADVPN would require, I wouldn't go that direction unless the number of offices is expected to grow soon. Besides, with only three locations, even if you manually "meshed" them, only three site-to-site VPNs are necessary (they are counted per site pair, not per site), so you can easily handle your needs with static routes, which you're likely familiar with.

It's your choice, but the hub-and-spoke topology with static routes suggested above would be easier for you.






You can create IPsec site-to-site tunnels between the three FortiGates.

If you want all 3 sites to directly reach each other, then you would need 3 tunnels.


The other option is to have two tunnels, like this:

Site A-- tunnel --Site B-- tunnel--Site C


If Site A wants to reach Site C, then it has to go through Site B, and vice versa.


If you only have 3 locations, then this would be a simpler setup, but if you are going to add more locations later then you may need to go with ADVPN.

If you are looking to restrict the phase 2 selectors on the tunnels, then you can refer to this for what you need to add:

If you need more information, let me know.
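As an added example (not code from any of the posters above, and not Fortinet documentation), this is what the hub site of the Site A -- Site B -- Site C chain described in this answer, and of the hub-and-spoke-with-static-routes design suggested earlier in the thread, looks like in FortiOS CLI on Site B. Every address, interface name, tunnel name and PSK placeholder is an assumption. The point worth seeing in full is the one the chain design turns on: the phase 2 selectors on each tunnel must cover the transit subnet as well as Site B's own LAN, and the firewall policies (not the selectors) are what limit who may actually cross.

```fortios
# Added example: Site B acting as the hub of  Site A -- Site B -- Site C.
# Assumed (hypothetical) addressing:
#   Site A LAN 10.1.0.0/24, peer WAN 203.0.113.10
#   Site B LAN 10.2.0.0/24, WAN interface wan1
#   Site C LAN 10.3.0.0/24, peer WAN 203.0.113.30
# Replace each PSK with a long random string; never reuse one across tunnels.

config vpn ipsec phase1-interface
    edit "to-siteA"
        set interface "wan1"
        set ike-version 2
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-SITE-A-PSK"
    next
    edit "to-siteC"
        set interface "wan1"
        set ike-version 2
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.30
        set psksecret "REPLACE-WITH-SITE-C-PSK"
    next
end

# Phase 2 selectors. The hub-side subnet is a summary (10.0.0.0/8) that
# covers both Site B's LAN and the other spoke. A selector of only
# 10.2.0.0/24 here would still bring the tunnel up, but A<->C transit
# traffic would not match any SA and would be dropped. Each spoke must
# propose the mirror image (its own /24 <-> 10.0.0.0/8).
config vpn ipsec phase2-interface
    edit "to-siteA-p2"
        set phase1name "to-siteA"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.0.0.0 255.0.0.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
    edit "to-siteC-p2"
        set phase1name "to-siteC"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.0.0.0 255.0.0.0
        set dst-subnet 10.3.0.0 255.255.255.0
    next
end

# Static routes: each remote LAN points at its tunnel interface. On the
# spokes the same idea applies: Site A routes BOTH 10.2.0.0/24 and
# 10.3.0.0/24 into its single tunnel toward B.
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "to-siteA"
    next
    edit 0
        set dst 10.3.0.0 255.255.255.0
        set device "to-siteC"
    next
end

# Transit policies. FortiGate policies are one-way, so A<->C needs a pair.
# Policies to/from Site B's own LAN follow the same pattern with the LAN
# interface. Narrow "service" to what the sites actually need.
config firewall address
    edit "net-siteA"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "net-siteC"
        set subnet 10.3.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "A-to-C-transit"
        set srcintf "to-siteA"
        set dstintf "to-siteC"
        set srcaddr "net-siteA"
        set dstaddr "net-siteC"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "C-to-A-transit"
        set srcintf "to-siteC"
        set dstintf "to-siteA"
        set srcaddr "net-siteC"
        set dstaddr "net-siteA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After the spokes are configured with the mirrored selectors and routes, check that both SAs are up with `diagnose vpn tunnel list` and that the remote /24s appear as static routes in `get router info routing-table all`; if a ping from Site A to Site C fails while A to B works, the usual cause is a selector on one side that only lists the two LANs and omits the transit subnet.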




Based on your options, I would recommend configuring Site A---Site B and Site B-----Site C. This way it is simple and you can reach Site C from Site A without a direct tunnel. This is feasible if you only have 3 sites; in the future, if you have more sites to add, you can consider the ADVPN concept or dial-up VPN with hub and spoke.


1. Site-to-site VPN concept:


2. ADVPN concept, which includes dynamic routing (BGP or OSPF):


3. Dial-up VPN with hub-and-spoke FortiGates:


