VPN tunnel to FritzBox via IPSec IKEv1 with mutual PSK and Xauth

Hi all,
I am trying to connect my local network (location A, AR-300M) to a FritzBox router (FritzBox 7390 at location B) via VPN.
I want that all internet traffic of my local network (A) is routed through the tunnel (as if it were to originate at B) - so devices in network A have the public IP address of network B.
It would also be nice if devices in network A could reach devices in network B.
(similar to what is described in the following, but FritzBox doesn’t support OpenVPN: Site To Site VPN Routing Explained In Detail | OpenVPN)

The FritzBox VPN configuration is up and running.
I can for example install the ShrewSoft VPN client on a laptop at A and then connect to B as described here (3 Setting up a VPN connection in the Shrew Soft VPN Client): Using the Shrew Soft VPN Client to set up a VPN connection to the FRITZ!Box | FRITZ!Box 4040 | AVM International.

All I need for this is:
URL of FritzBox, username, password, preshared-key.
It uses IPsec/ IKEv1.

Instead of using this ShrewSoft client I’d like to set up my AR-300M to establish this connection, so that all devices connected to the AR-300M automatically route all internet traffic through B.

I found several useful webpages but I wasn’t successful in setting this up…

This suggests to use l2tp - but that is not supported by FritzBox:

This one suggests to use the package vpnc (based on Lede):
I was able to install vpnc and vpnc-scripts packages - but luci-proto-vpnc does not exist on my Chaos Calmer, r47065 OpenWRT system.

Other webpages suggest to use strongswan:

(the above mentions that the FritzBox only supports IPsec/ IKEv1)


The follwing one says it were crucial to change the FritzBox configuration in order to make this work - I have not tried this yet because I cannot risk messing up the FritzBox because I don’t have physical access to it:

So maybe my first questions are:

  1. do I need to change anything on the FritzBox side, or does the fact that I can connect a laptop via the ShrewSoft client prove that the FritzBox side is fine for what I want to achieve?

  2. What is the simplest method to achieve that devices in network A have a the public IP adress of network B? Strongswan? vpnc? Something else?

Thanks for your help!

If you want to build a site to site network, I recommend you buy two GL routers. Putting one in location A, and putting another in location B. You should upgrade to v3.x firmware, then set up WireGuard service, it is very simple to do.

I was able to get this to work. This is what I did:

  • Download GL-AR300M16 OpenWrt only 3.0 from https://docs.gl-inet.com/en/3/release_notes/
  • Update firmware
  • reset to factory default
  • connect to
  • set password
  • change IP
  • enable wireless
  • connect internet (modem) to WAN

Go to System-Software

  • update packages
  • search for vpnc


  • vpnc
  • vpnc-scripts
  • luci-proto-vpnc


Network-interfaces: Add new interface…
name (4 charachters only! e.g. ‘TUN0’)
protocol: VPNC

VPN Server: enter url of server
Output Interafce: wan
MTU: 1380
Username: name as entered in FritzBox
Password: password for user on FritzBox
Auth Group: same as Username
Group Password: Preshared key as in FritzBox
IKE DH Group: dh2 (should be default)
Perfect Forward Secrecy: nopfs
DPD Idle Timeout: 0

Go to tab Advanced… Make sure ‘Bring up on boot’ is checked
Go to tab Firewall Settings… Assign to ‘LAN’ zone
Click ‘Save and Apply’

Make sure TUN0 has an IP address and is up.

Now (from: https://www.azirevpn.com/support/guides/router/openwrt/wireguard):

Network-Firewall: Add…
Name ‘tun0zone’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘tun0’
Click ‘Save and Apply’

In zones ‘lan => wan’ click edit
In Inter-Zone Forwarding, in Allow forward to destination zones, leave ‘wan’ checked, and also check ‘tun0zone’
Click ‘Save and Apply’

Check if you can connect to equipment in other network and traffic gets routed through there.


That’s great! Thanks for sharing it.

I also added a script so the VPN can be enabled/disabled via the switch.

paste the following as executable file with name “BTN_1” in folder /etc/rc.buttons/

set -eu
logger "$BUTTON ${ACTION}"

# Drop in /etc/rc.buttons once you have your VPN configured through the
# built-in interface.  Switch toward the front for VPN enabled.

# Notes:
# GL-AR300M:
#   Current FW: 2.25
#   $BUTTON:
#     BTN_0 - internal
#     BTN_1 - physical switch on side
#   $ACTION:
#     pressed  - left/back of device
#     released - right/front of device
# https://www.gl-inet.com/forums/topic/vpn-switch/

if [ "$ACTION" == "pressed" ]; then
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up

  logger "== VPN switch down =="
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up
  ubus call network.interface.tun0 up

  logger "== VPN switch up =="

Thanks. I got the Interface running and did the rest of the configuration. But I can’t access systems in the remote network and my internet traffic is still running over the normal route.
I use an wifi connection instead of a wan connection. Can you give any advice?

My GL Route has IP
My Wifi Hotspot has IP
My remote network has IP

The TUN0 get from my FRITZ!BOX, when I try to connect to the fritz Box from GL device I didn’t get a route.

Thanks in advance


I’ve got the same problem as spacerreg. If I uncheck “wan” in the In Inter-Zone Forwarding of lan , there is no chance to connect to the internet or the FritzBox! There must be a little mistake in the configuration.
Is anybody able to help?

Hi grossmeiserBM,

don’t forget to load the firmware first (as described above). Then it works for me.

Best regards

Hi spacerreg,

I’m running the 3.024 version of the default gl.inet release. Is there a difference between the two releases? Is it necessary to use the “OpenWrt Only” release? I like the simple admin page of the official software an would like to use it.

Go to this page:

Download the firmware for your router from the /testing folder. It should be 3.026 or higher and see if your problem is fixed. Don’t use the Clean OpenWRT if you want the usual simple UI too.

Sorry, but it is also not working with version 3.026. Same problem I get a connection to the FritzBox but no traffic over TUN0. The only difference is that I want to connect to a wireless network. so I use wwan instead of wan as "Output Interface. But I think this should not be the problem.

Here are some screens of my configuration

Any ideas what I can try to fix the Problem?

I have the same configuration and problem as grossmeistetBM.

Is there something like a routing rule missing? A device in the WLAN (LAN interface) uses the gateway address

From this address / IP segment there must be an rule to route the package to the gateway of the 192.168.x.x (interface TUN0, Fritzbox) using the TUN0 interface and indirectly the WWAN interface as physical interface of the VPN connection.

Is the simple firewall rule between LAN and TUN0 zone enough to route packages between these IP ranges? Do we need special routing entries to route the complete network traffic from LAN through the TUN0 interface?

What about different VPN protocols. Do they use only firewall rules or additional routing table entries?

I’m new to openwrt but for sure here are some experts for router configuration. Hopefully with a solution for our Fritzbox VPN problem using VPNC :slight_smile:


are there no new ideas for this problem?
Would be great if anybody could help.

maybe this can help you. I haven’t tested it yet:

Hello all,

have got the same issue as grossmeisterBM and Co.

For me the solution was to turn on the VPN policies. There you can switch between all traffic should be through VPN con. or not.


It is such a great project
Only I don’t get it implemented!

The instructions are very good.

Could you please explain the steps for VPN in more detail.

Hi @funktion,

I have just followed strictly the instructions by eagle76. See postings above.

Best regards,

Thank you Tomo,

switching on the VPN policies works for me too.


1 Like

Hi Grossmeister,

glad to hear that. :blush:

Can u tell me if your connection stays established? Mine disconnects after a while :confused:
Idk why…

Anyway I don’t use it anymore, just needed this solution on holiday. Nevertheless it would be nice to know for future approach.

Viele Grüße und bleib gesund / Best regards,

Hi Tomo,

sorry but I can’t tell you if it works for longer periods. My plan was to use it on holidays :wink:
I only test it with my mobile phone as second network.

An interesting point is, when I switch off the TUN0 interface www.wieistmeineip.de shows me the mobile phone IP. When TUN0 is switched on I see the the FritzBox IP.

I thought, for switching between the two options it is necessary to change the inter zone forwarding in firewall options.
Or is “traffic over TUN0” forced by changing the vpn policies to “Use VPN for all processes on the router.”?

It would be great if somebody could help with a litle script to use the hardware switch of the router to activate/deactivate the vpn

Viele Grüße auch von mir