VPN tunnel to FritzBox via IPSec IKEv1 with mutual PSK and Xauth


#1

Hi all,
I am trying to connect my local network (location A, AR-300M) to a FritzBox router (FritzBox 7390 at location B) via VPN.
I want all internet traffic of my local network (A) to be routed through the tunnel (as if it originated at B) - so devices in network A have the public IP address of network B.
It would also be nice if devices in network A could reach devices in network B.
(similar to what is described in the following, but FritzBox doesn’t support OpenVPN: https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/)

The FritzBox VPN configuration is up and running.
I can for example install the ShrewSoft VPN client on a laptop at A and then connect to B as described here (3 Setting up a VPN connection in the Shrew Soft VPN Client): https://en.avm.de/service/fritzbox/fritzbox-4040/knowledge-base/publication/show/2275_Using-the-Shrew-Soft-VPN-Client-to-set-up-a-VPN-connection-to-the-FRITZ-Box/.

All I need for this is:
URL of FritzBox, username, password, preshared-key.
It uses IPsec/IKEv1.

Instead of using this ShrewSoft client I’d like to set up my AR-300M to establish this connection, so that all devices connected to the AR-300M automatically route all internet traffic through B.

I found several useful webpages but I wasn’t successful in setting this up…

This one suggests using L2TP - but that is not supported by FritzBox:

This one suggests using the package vpnc (based on LEDE):
http://www.sebastianklein.de/blog/vpn-zwischen-lede-openwrt-und-fritzbox-via-luci/
I was able to install vpnc and vpnc-scripts packages - but luci-proto-vpnc does not exist on my Chaos Calmer, r47065 OpenWRT system.

Other webpages suggest using strongSwan:


(the above mentions that the FritzBox only supports IPsec/ IKEv1)

https://www.mundhenk.org/blog/fritzbox-openwrt-vpn

The following one says it is crucial to change the FritzBox configuration in order to make this work - I have not tried this yet because I cannot risk messing up the FritzBox, as I don’t have physical access to it:
https://stephan.soapman.de/2015/12/31/ipsec-tunnel-between-openwrt-and-fritzbox/

So maybe my first questions are:

  1. do I need to change anything on the FritzBox side, or does the fact that I can connect a laptop via the ShrewSoft client prove that the FritzBox side is fine for what I want to achieve?

  2. What is the simplest method to achieve that devices in network A have the public IP address of network B? strongSwan? vpnc? Something else?

Thanks for your help!


#2

If you want to build a site-to-site network, I recommend you buy two GL routers, putting one in location A and another in location B. You should upgrade to v3.x firmware, then set up the WireGuard service; it is very simple to do.


#3

I was able to get this to work. This is what I did:

  • Download GL-AR300M16 OpenWrt only 3.0 from https://docs.gl-inet.com/en/3/release_notes/
  • Update firmware
  • reset to factory default
  • connect to 192.168.1.1
  • set password
  • change IP
  • enable wireless
  • connect internet (modem) to WAN

Go to System-Software

  • update packages
  • search for vpnc

install:

  • vpnc
  • vpnc-scripts
  • luci-proto-vpnc

System-reboot

Network-interfaces: Add new interface…
name (4 characters only! e.g. ‘TUN0’)
protocol: VPNC

VPN Server: enter url of server
Output Interface: wan
MTU: 1380
Username: name as entered in FritzBox
Password: password for user on FritzBox
Auth Group: same as Username
Group Password: Preshared key as in FritzBox
IKE DH Group: dh2 (should be default)
Perfect Forward Secrecy: nopfs
DPD Idle Timeout: 0

Go to tab Advanced… Make sure ‘Bring up on boot’ is checked
Go to tab Firewall Settings… Assign to ‘LAN’ zone
Click ‘Save and Apply’

Network-interfaces:
Make sure TUN0 has an IP address and is up.

Now (from: https://www.azirevpn.com/support/guides/router/openwrt/wireguard):

Network-Firewall: Add…
Name ‘tun0zone’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘tun0’
Click ‘Save and Apply’

In zones ‘lan => wan’ click edit
In Inter-Zone Forwarding, in Allow forward to destination zones, leave ‘wan’ checked, and also check ‘tun0zone’
Click ‘Save and Apply’

Check if you can connect to equipment in other network and traffic gets routed through there.


#4

That’s great! Thanks for sharing it.


#5

I also added a script so the VPN can be enabled/disabled via the switch.

Paste the following as an executable file named “BTN_1” in the folder /etc/rc.buttons/:

#!/bin/sh
set -eu
logger "$BUTTON ${ACTION}"

# Drop in /etc/rc.buttons once you have your VPN configured through the
# built-in interface.  Switch toward the front for VPN enabled.

# Notes:
#
# GL-AR300M:
#   Current FW: 2.25
#   $BUTTON:
#     BTN_0 - internal
#     BTN_1 - physical switch on side
#   $ACTION:
#     pressed  - left/back of device
#     released - right/front of device
#
# https://www.gl-inet.com/forums/topic/vpn-switch/

# POSIX test uses a single "=" (the original "==" only works as a shell extension)
if [ "$ACTION" = "pressed" ]; then
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up

  logger "== VPN switch down =="
else
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up
  ubus call network.interface.tun0 up

  logger "== VPN switch up =="
fi

#6

Thanks. I got the interface running and did the rest of the configuration. But I can’t access systems in the remote network and my internet traffic is still running over the normal route.
I use a wifi connection instead of a WAN connection. Can you give any advice?

My GL router has IP 192.168.10.1
My Wifi Hotspot has IP 192.168.8.1
My remote network has IP 192.168.178.1

TUN0 gets 192.168.178.201 from my FRITZ!Box; when I try to connect to the FritzBox 192.168.178.1 from the GL device I don’t get a route.

Thanks in advance