Problem setting up WG config: GL-AR300M -> Wireguard -> FritzBox

I have trouble setting up a WireGuard VPN config.

What do I want to do?
I want to use the GL router as a VPN gateway to a FritzBox in another location. The GL-AR300M should provide a Wi-Fi network which routes all traffic to the remote FritzBox.

Location A: GL-AR300M (192.168.8.1) > FritzBox 7590 (192.168.178.1) > (WAN = DSL)
Location B: FritzBox 7530 (192.168.177.1) (WAN = Cable)

I configured the FB 7530 in Location B as WireGuard server. I made profiles for all my devices (iPhone, iPad, Mac, Windows device and also for the GL-AR300M). All other devices are working as expected, but the GL-AR300M is not.

The GL-AR300M is connected to the FB7590 via its WAN port. The Internet is reachable from the GL-AR300M's Wi-Fi.

Any ideas?

Again… all other devices are working. Is there any route that I have to add manually?

It sounds like you've done the only thing that should be needed: setting the Shadow (AR300M) to act as a WG client to connect out to Loc B's WG server.

Can you post a profile/conf for a ‘known good’ WG client device & the conf used for the Shadow? I’d like to compare them. Be sure to redact where appropriate.

Can you ssh into your Shadow? I'm speculating, but I'm wondering if this isn't some sort of MTU issue. My Certa is near identical to a Shadow; it seems to prefer an MTU of 1320 for WG.

So after a lot of strange behavior in the web interface I upgraded to beta firmware 4.3.6.

After enabling IPv6, the tunnel is now up and the WireGuard server is pingable. But I don't have Internet. Google DNS is not pingable.

Here is my setup again:

Location A:
FB7590: 192.168.178.1
FB7590 routes IPv4: net 192.168.8.0 subnet 255.255.255.0 gw 192.168.8.1
FB7590 routes IPv6: not configured

Shadow: 192.168.8.1
IPv6: enabled

Client A: 192.168.8.180 wants to use the Internet from Location B

Location B:
FB7530: 192.168.177.1
Routes IPv4: not configured
Routes IPv6: not configured

The VPN tunnel is up and Client A can ping 192.168.177.1 but not 192.168.178.1 (should it?)

Here is a config from a working laptop:

[Interface]
PrivateKey = PrivateKeyString
Address = 192.168.177.206/24
DNS = 192.168.177.1,192.168.8.1
DNS = fritz.box

[Peer]
PublicKey = PublicKeyString
PresharedKey = PresharedKeyString
AllowedIPs = 192.168.177.0/24,192.168.8.0/24,0.0.0.0/0
Endpoint = blablablabla.myfritz.net:51133
PersistentKeepalive = 25

Here is the one from the Shadow:

[Interface]
PrivateKey = PrivateKeyString
Address = 192.168.8.1/24
DNS = 192.168.177.1
DNS = fritz.box

[Peer]
PublicKey = PublicKeyString
PresharedKey = PresharedKeyString
AllowedIPs = 192.168.177.0/24
Endpoint = blablablabla.myfritz.net:51133
PersistentKeepalive = 25

Should I add any additional routes?
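An added example, not part of the thread and not GL.iNet or AVM code: a small checker that reads the two configs quoted above and answers the question the poster is really asking, namely which destinations a client with that config will send into the tunnel. It models the rule wg-quick(8) uses (one route per AllowedIPs prefix, longest prefix wins; DNS values that are IPs are servers, other names are search domains) and the standard per-packet WireGuard overhead for an MTU estimate; it does not model the FritzBox server side or the GL.iNet UI's own routing code. The configs are transcribed from the post with the placeholder key strings left in.

```python
"""Added example: which destinations does a WireGuard client config tunnel?

wg-quick installs one route per AllowedIPs prefix, so a destination that
matches none of them never enters the tunnel. Configs below are transcribed
from the forum post (placeholder keys, not real ones).
"""
import ipaddress

# Constructed copies of the two configs quoted in the thread.
LAPTOP_CONF = """\
[Interface]
PrivateKey = PrivateKeyString
Address = 192.168.177.206/24
DNS = 192.168.177.1,192.168.8.1
DNS = fritz.box

[Peer]
PublicKey = PublicKeyString
PresharedKey = PresharedKeyString
AllowedIPs = 192.168.177.0/24,192.168.8.0/24,0.0.0.0/0
Endpoint = blablablabla.myfritz.net:51133
PersistentKeepalive = 25
"""

SHADOW_CONF = """\
[Interface]
PrivateKey = PrivateKeyString
Address = 192.168.8.1/24
DNS = 192.168.177.1
DNS = fritz.box

[Peer]
PublicKey = PublicKeyString
PresharedKey = PresharedKeyString
AllowedIPs = 192.168.177.0/24
Endpoint = blablablabla.myfritz.net:51133
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse wg-quick style INI into {section: {key: [values]}} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def split_list(values):
    """Flatten comma-separated values collected from one or more repeated keys."""
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def allowed_networks(conf):
    return [ipaddress.ip_network(c, strict=False)
            for c in split_list(conf["Peer"].get("AllowedIPs", []))]


def routed_via_tunnel(conf, dest):
    """Return the AllowedIPs prefix (longest match) that carries dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in allowed_networks(conf) if n.version == addr.version and addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def is_full_tunnel(conf):
    """True when a /0 default route is in AllowedIPs, i.e. all traffic is tunneled."""
    return any(n.prefixlen == 0 for n in allowed_networks(conf))


def dns_settings(conf):
    """Split DNS entries as wg-quick(8) does: IPs are servers, other names are search domains."""
    servers, search = [], []
    for entry in split_list(conf["Interface"].get("DNS", [])):
        try:
            ipaddress.ip_address(entry)
            servers.append(entry)
        except ValueError:
            search.append(entry)
    return servers, search


def wg_mtu(path_mtu, outer_ipv6):
    """Largest tunnel MTU fitting one outer packet: outer IP (20/40) + UDP (8) + WG framing (32)."""
    return path_mtu - (40 if outer_ipv6 else 20) - 8 - 32


if __name__ == "__main__":
    for name, text in (("laptop", LAPTOP_CONF), ("Shadow", SHADOW_CONF)):
        conf = parse_wg_conf(text)
        print(f"{name}: full tunnel={is_full_tunnel(conf)}, DNS={dns_settings(conf)}")
        for dest in ("192.168.177.1", "192.168.178.1", "8.8.8.8"):
            print(f"  {dest:>15} -> {routed_via_tunnel(conf, dest)}")
    print("wg MTU over a 1500-byte path, IPv6 outer:", wg_mtu(1500, True))
```

Run against the Shadow config, 192.168.177.1 is matched by 192.168.177.0/24 while 8.8.8.8 and 192.168.178.1 match nothing, so they take the normal WAN path; the laptop config's 0.0.0.0/0 catches everything. The MTU helper reproduces wg-quick's default of 1420 for a 1500-byte path with an IPv6 outer header.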

FritzBox implements a non-standard WireGuard configuration.
Google it and you'll see.
I've never been able to make my mother's Fritz connect with my OpenWrt or Asus routers.

Hi DocUmibozu on SmallNetBuilder! That’s a nice tip re: third party Fritzbox firmware for proper WG implementation.

I set the DNS and AllowedIPs values the same as in the working laptop config and it's working now.

Can anyone explain why the FritzBox creates different configs?

I’m glad you got it sorted. I’d think that’s a question better directed to

Yes, the Freetz firmware…
which is no longer maintained and deprecated

GitHub - Freetz/freetz: Freetz firmware extension/modification for the AVM FRITZ!Box series and devices with identical hardware

You can use Freetz-NG, which seems to be supported… but it is a pain in the ass, an entire recompilation of the kernel…
Why, when you can buy an Opal for less than 50 euros and live happily with standard WireGuard?

There's no luck w/ Freetz-NG? The last push I see was 2 days ago.

IDK. Why do people install Windows 11 if they claim they value privacy? Maybe because they don’t know what they don’t know. < / philosophical musings >


Seems an easy task… :rofl:

Requirements:
You need an up-to-date Linux system with some prerequisites.
Or download a ready-to-use VM like Gismotro's Freetz-Linux (user & pass: freetz).
There are also Docker images available like pfichtner-freetz (README).
Your Linux user needs to have umask 0022 set before checkout and during make.

an entire toolchain to rebuild the firmware from scratch…

Well, I guess it’s a matter of taste then; when I was rolling my own kernels I didn’t have the convenience of a VM to pull down, ready to go. Reading a HOW-TO or three is hardly a show stopper. YMMV.

Does this solution work?