VPN tunnel to FritzBox via IPSec IKEv1 with mutual PSK and Xauth

Hi all,
I am trying to connect my local network (location A, AR-300M) to a FritzBox router (FritzBox 7390 at location B) via VPN.
I want that all internet traffic of my local network (A) is routed through the tunnel (as if it were to originate at B) - so devices in network A have the public IP address of network B.
It would also be nice if devices in network A could reach devices in network B.
(similar to what is described in the following, but FritzBox doesn’t support OpenVPN: https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/)

The FritzBox VPN configuration is up and running.
I can for example install the ShrewSoft VPN client on a laptop at A and then connect to B as described here (3 Setting up a VPN connection in the Shrew Soft VPN Client): https://en.avm.de/service/fritzbox/fritzbox-4040/knowledge-base/publication/show/2275_Using-the-Shrew-Soft-VPN-Client-to-set-up-a-VPN-connection-to-the-FRITZ-Box/.

All I need for this is:
URL of FritzBox, username, password, preshared-key.
It uses IPsec/ IKEv1.

Instead of using this ShrewSoft client I’d like to set up my AR-300M to establish this connection, so that all devices connected to the AR-300M automatically route all internet traffic through B.

I found several useful webpages but I wasn’t successful in setting this up…

This one suggests using l2tp - but that is not supported by FritzBox:

This one suggests using the package vpnc (based on LEDE):
I was able to install the vpnc and vpnc-scripts packages - but luci-proto-vpnc does not exist on my Chaos Calmer r47065 OpenWrt system.

Other webpages suggest to use strongswan:

(the above mentions that the FritzBox only supports IPsec/ IKEv1)


The following one says it is crucial to change the FritzBox configuration in order to make this work - I have not tried this yet because I cannot risk messing up the FritzBox, as I don’t have physical access to it:

So maybe my first questions are:

  1. do I need to change anything on the FritzBox side, or does the fact that I can connect a laptop via the ShrewSoft client prove that the FritzBox side is fine for what I want to achieve?

  2. What is the simplest method to achieve that devices in network A have the public IP address of network B? Strongswan? vpnc? Something else?

Thanks for your help!

If you want to build a site-to-site network, I recommend you buy two GL routers. Put one in location A and another in location B. You should upgrade to v3.x firmware, then set up the WireGuard service; it is very simple to do.

I was able to get this to work. This is what I did:

  • Download GL-AR300M16 OpenWrt only 3.0 from https://docs.gl-inet.com/en/3/release_notes/
  • Update firmware
  • reset to factory default
  • connect to
  • set password
  • change IP
  • enable wireless
  • connect internet (modem) to WAN

Go to System-Software

  • update packages
  • search for vpnc

  • vpnc
  • vpnc-scripts
  • luci-proto-vpnc

Network-interfaces: Add new interface…
name (4 characters only! e.g. ‘TUN0’)
protocol: VPNC

VPN Server: enter url of server
Output Interface: wan
MTU: 1380
Username: name as entered in FritzBox
Password: password for user on FritzBox
Auth Group: same as Username
Group Password: Preshared key as in FritzBox
IKE DH Group: dh2 (should be default)
Perfect Forward Secrecy: nopfs
DPD Idle Timeout: 0

Go to tab Advanced… Make sure ‘Bring up on boot’ is checked
Go to tab Firewall Settings… Assign to ‘LAN’ zone
Click ‘Save and Apply’

Make sure TUN0 has an IP address and is up.

Now (from: https://www.azirevpn.com/support/guides/router/openwrt/wireguard):

Network-Firewall: Add…
Name ‘tun0zone’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘tun0’
Click ‘Save and Apply’

In zones ‘lan => wan’ click edit
In Inter-Zone Forwarding, in Allow forward to destination zones, leave ‘wan’ checked, and also check ‘tun0zone’
Click ‘Save and Apply’

Check if you can connect to equipment in other network and traffic gets routed through there.

1 Like
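The LuCI clicks above, expressed as a `uci batch` so the whole setup can be reviewed in one place and re-applied after a factory reset. This is an added example, not code from the post or from GL.iNet. It leaves tun0 in the ‘tun0zone’ zone only, which is where the firewall steps above end up, and adds the lan ⇒ tun0zone forwarding. The option names for the vpnc protocol (server, username, password, authgroup, passgroup, interface, dh_group, pfs, mtu, dpd_idle) are my reading of the netifd vpnc handler and should be treated as an assumption: after a LuCI-made setup, compare them with `uci show network.tun0`. Host name and credentials used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not the post's or GL.iNet's own code): print a `uci batch`
# that reproduces the LuCI steps. Review the output, then on the router:
#   sh vpnc_setup.sh fritz.example.com alice 'secret' 'psk' wan | uci batch
#   uci commit network; uci commit firewall
#   /etc/init.d/network reload; /etc/init.d/firewall reload
# Option names are my reading of the netifd vpnc proto handler (assumption).

# Escape a value for a single-quoted uci string (a literal ' becomes '\'').
esc() { printf '%s' "$1" | sed "s/'/'\\\\''/g"; }

# gen_vpnc_batch SERVER USERNAME PASSWORD PRESHARED_KEY [OUTPUT_IFACE]
gen_vpnc_batch() {
  server=$(esc "$1"); user=$(esc "$2"); pass=$(esc "$3"); psk=$(esc "$4")
  outif=${5:-wan}   # wan for a cable uplink, wwan when the uplink is a Wi-Fi hotspot
  cat <<EOF
set network.tun0=interface
set network.tun0.proto='vpnc'
set network.tun0.server='$server'
set network.tun0.interface='$outif'
set network.tun0.mtu='1380'
set network.tun0.username='$user'
set network.tun0.password='$pass'
set network.tun0.authgroup='$user'
set network.tun0.passgroup='$psk'
set network.tun0.dh_group='dh2'
set network.tun0.pfs='nopfs'
set network.tun0.dpd_idle='0'
set network.tun0.auto='1'
add firewall zone
set firewall.@zone[-1].name='tun0zone'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
set firewall.@zone[-1].network='tun0'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='tun0zone'
EOF
}

# Only emit the batch when called with arguments, so the functions can be sourced.
if [ $# -ge 4 ]; then
  gen_vpnc_batch "$@"
fi
```

The batch is printed rather than applied directly so that the pre-shared key and password can be checked for quoting problems before they reach `uci`; the `esc` helper keeps a quote character in a password from breaking the batch.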

That’s great! Thanks for sharing it.

I also added a script so the VPN can be enabled/disabled via the switch.

Paste the following as an executable file named “BTN_1” in the folder /etc/rc.buttons/:

#!/bin/sh
set -eu
logger "$BUTTON ${ACTION}"

# Drop in /etc/rc.buttons once you have your VPN configured through the
# built-in interface.  Switch toward the front for VPN enabled.

# Notes:
# GL-AR300M:
#   Current FW: 2.25
#   $BUTTON:
#     BTN_0 - internal
#     BTN_1 - physical switch on side
#   $ACTION:
#     pressed  - left/back of device
#     released - right/front of device
# https://www.gl-inet.com/forums/topic/vpn-switch/

if [ "$ACTION" = "pressed" ]; then
  # Switch toward the back: take the tunnel down and re-dial WAN so the
  # default route falls back to the plain uplink.
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up

  logger "== VPN switch down =="
else
  # Switch toward the front: restart WAN first, then bring the tunnel up.
  ubus call network.interface.tun0 down
  ubus call network.interface.wan down
  ubus call network.interface.wan up
  ubus call network.interface.tun0 up

  logger "== VPN switch up =="
fi

Thanks. I got the Interface running and did the rest of the configuration. But I can’t access systems in the remote network and my internet traffic is still running over the normal route.
I use a wifi connection instead of a wan connection. Can you give any advice?

My GL Route has IP
My Wifi Hotspot has IP
My remote network has IP

The TUN0 gets from my FRITZ!BOX; when I try to connect to the FritzBox from the GL device I didn’t get a route.

Thanks in advance


I’ve got the same problem as spacerreg. If I uncheck “wan” in the Inter-Zone Forwarding of lan, there is no chance to connect to the internet or the FritzBox! There must be a little mistake in the configuration.
Is anybody able to help?

Hi grossmeiserBM,

don’t forget to load the firmware first (as described above). Then it works for me.

Best regards

Hi spacerreg,

I’m running the 3.024 version of the default gl.inet release. Is there a difference between the two releases? Is it necessary to use the “OpenWrt Only” release? I like the simple admin page of the official software and would like to use it.

Go to this page:

Download the firmware for your router from the /testing folder. It should be 3.026 or higher and see if your problem is fixed. Don’t use the Clean OpenWRT if you want the usual simple UI too.

Sorry, but it is also not working with version 3.026. Same problem: I get a connection to the FritzBox but no traffic over TUN0. The only difference is that I want to connect to a wireless network, so I use wwan instead of wan as “Output Interface”. But I think this should not be the problem.

Here are some screens of my configuration

Any ideas what I can try to fix the Problem?

I have the same configuration and problem as grossmeiserBM.

Is there something like a routing rule missing? A device in the WLAN (LAN interface) uses the gateway address

From this address / IP segment there must be a rule to route the packets to the gateway of the 192.168.x.x (interface TUN0, Fritzbox) using the TUN0 interface and indirectly the WWAN interface as physical interface of the VPN connection.

Is the simple firewall rule between LAN and TUN0 zone enough to route packets between these IP ranges? Do we need special routing entries to route the complete network traffic from LAN through the TUN0 interface?

What about different VPN protocols. Do they use only firewall rules or additional routing table entries?

I’m new to openwrt but for sure here are some experts for router configuration. Hopefully with a solution for our Fritzbox VPN problem using VPNC 🙂
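A check that separates the two questions raised in the posts above: a firewall forwarding (lan ⇒ tun0zone) only permits traffic, while the kernel routing table decides whether the default route and the remote LAN actually point at tun0. This is an added example, not something from the thread or from GL.iNet; it parses `ip route` output and reports which of the two conditions holds. The two route tables inside it are constructed samples with placeholder addresses (192.168.178.0/24 stands in for the FritzBox LAN, 10.20.30.0/24 for the hotspot uplink, 192.0.2.10 for the VPN server).

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip route` output whether
# traffic really leaves through the VPNC interface. On the router run
#   sh check_routes.sh --live 192.168.178.0/24
# Sample route tables below are constructed; all addresses are placeholders.

# Print the device named in the kernel's default route (empty if none).
default_dev() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit }
  }'
}

# has_route_via SUBNET DEV ROUTE_TEXT -> 0 if SUBNET is routed via DEV, else 1.
has_route_via() {
  printf '%s\n' "$3" | awk -v s="$1" -v d="$2" '
    $1 == s { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == d) found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_tunnel_routing ROUTE_TEXT REMOTE_SUBNET [DEV]
# Passes only if the default route AND the remote LAN both go via DEV.
check_tunnel_routing() {
  routes=$1; remote=$2; dev=${3:-tun0}; rc=0
  cur=$(default_dev "$routes")
  if [ "$cur" = "$dev" ]; then
    echo "ok: default route leaves via $dev"
  else
    echo "problem: default route uses '${cur:-none}', not $dev (internet stays on the uplink)"
    rc=1
  fi
  if has_route_via "$remote" "$dev" "$routes"; then
    echo "ok: $remote is routed via $dev"
  else
    echo "problem: no route to $remote via $dev (remote LAN unreachable)"
    rc=1
  fi
  return $rc
}

# Constructed sample: tunnel up, default route moved onto it, remote LAN reachable.
ROUTES_OK='default dev tun0 scope link
192.0.2.10 via 10.20.30.1 dev wlan0
10.20.30.0/24 dev wlan0 proto kernel scope link src 10.20.30.7
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.178.0/24 dev tun0 scope link'

# Constructed sample: tunnel up and remote LAN routed, but the default route
# still points at the Wi-Fi uplink, so internet traffic bypasses the tunnel.
ROUTES_STALE='default via 10.20.30.1 dev wlan0
10.20.30.0/24 dev wlan0 proto kernel scope link src 10.20.30.7
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.178.0/24 dev tun0 scope link'

if [ "${1:-}" = "--live" ]; then
  check_tunnel_routing "$(ip route)" "${2:?remote subnet, e.g. 192.168.178.0/24}"
fi
```

The host route to the VPN server via the uplink (the `192.0.2.10 via …` line in the first sample) is what keeps the IKE/ESP packets themselves off the tunnel once the default route moves onto tun0; if that line is missing while the default route points at tun0, the tunnel can loop on itself.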