Hi all,
I am trying to connect my local network (location A, AR-300M) to a FritzBox router (FritzBox 7390 at location B) via VPN.
I want all internet traffic of my local network (A) to be routed through the tunnel (as if it originated at B), so devices in network A have the public IP address of network B.
It would also be nice if devices in network A could reach devices in network B.
(similar to what is described in the following, but FritzBox doesn’t support OpenVPN: Setup Site-to-site VPN With Access Server | OpenVPN)
All I need for this is:
URL of FritzBox, username, password, preshared-key.
It uses IPsec/ IKEv1.
Instead of using this ShrewSoft client I’d like to set up my AR-300M to establish this connection, so that all devices connected to the AR-300M automatically route all internet traffic through B.
I found several useful webpages but I wasn’t successful in setting this up…
This suggests to use l2tp - but that is not supported by FritzBox:
The following one says it was crucial to change the FritzBox configuration in order to make this work. I have not tried this yet because I cannot risk messing up the FritzBox, as I don’t have physical access to it:
So maybe my first questions are:
do I need to change anything on the FritzBox side, or does the fact that I can connect a laptop via the ShrewSoft client prove that the FritzBox side is fine for what I want to achieve?
What is the simplest method to achieve that devices in network A have the public IP address of network B? Strongswan? vpnc? Something else?
If you want to build a site-to-site network, I recommend you buy two GL routers, putting one in location A and another in location B. You should upgrade to v3.x firmware, then set up the WireGuard service; it is very simple to do.
Network-interfaces: Add new interface…
name (4 characters only! e.g. ‘TUN0’)
protocol: VPNC
VPN Server: enter url of server
Output Interface: wan
MTU: 1380
Username: name as entered in FritzBox
Password: password for user on FritzBox
Auth Group: same as Username
Group Password: Preshared key as in FritzBox
IKE DH Group: dh2 (should be default)
Perfect Forward Secrecy: nopfs
DPD Idle Timeout: 0
Go to tab Advanced… Make sure ‘Bring up on boot’ is checked
Go to tab Firewall Settings… Assign to ‘LAN’ zone
Click ‘Save and Apply’
Network-interfaces:
Make sure TUN0 has an IP address and is up.
Network-Firewall: Add…
Name ‘tun0zone’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘tun0’
Click ‘Save and Apply’
In zones ‘lan => wan’ click edit
In Inter-Zone Forwarding, in Allow forward to destination zones, leave ‘wan’ checked, and also check ‘tun0zone’
Click ‘Save and Apply’
Check if you can connect to equipment in other network and traffic gets routed through there.
I also added a script so the VPN can be enabled/disabled via the switch.
Paste the following as an executable file named “BTN_1” in the folder /etc/rc.buttons/:
#!/bin/sh
set -eu
logger "$BUTTON ${ACTION}"
# Drop in /etc/rc.buttons once you have your VPN configured through the
# built-in interface. Switch toward the front for VPN enabled.
# Notes:
#
# GL-AR300M:
# Current FW: 2.25
# $BUTTON:
#   BTN_0 - internal
#   BTN_1 - physical switch on side
# $ACTION:
#   pressed  - left/back of device
#   released - right/front of device
#
# https://www.gl-inet.com/forums/topic/vpn-switch/
# BusyBox sh: use POSIX "=" in [ ] rather than the bash-only "==".
if [ "$ACTION" = "pressed" ]; then
    # Switch toward the back: take the tunnel down and re-cycle wan so the
    # default route falls back to the plain uplink.
    ubus call network.interface.tun0 down
    ubus call network.interface.wan down
    ubus call network.interface.wan up
    logger "== VPN switch down =="
else
    # Switch toward the front: re-cycle wan, then bring the tunnel up on top of it.
    ubus call network.interface.tun0 down
    ubus call network.interface.wan down
    ubus call network.interface.wan up
    ubus call network.interface.tun0 up
    logger "== VPN switch up =="
fi
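The same interface and firewall-zone setup as the LuCI steps above, expressed as a `uci batch` script, together with a small check for the symptom several people report below (tunnel up, but traffic still leaving over the normal route). This is an added example, not the poster's configuration: the vpnc option names (server, interface, username, password, authgroup, passgroup, dh_group, pfs, dpd_idle) are assumed to be those of OpenWrt's vpnc netifd handler, the interface is called tun0 to match the switch script, and the server/credential values are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread). Emits a `uci batch` script that mirrors
# the LuCI steps: a vpnc interface "tun0" and a dedicated zone "tun0zone" with
# masquerading and MSS clamping, forwarded to from "lan". Apply on the router:
#   vpnc_uci_batch <server> <user> <password> <psk> | uci batch
#   /etc/init.d/network reload && /etc/init.d/firewall reload
vpnc_uci_batch() {
    # $1 FritzBox URL/host, $2 VPN username, $3 password, $4 preshared key
    cat <<EOF
set network.tun0=interface
set network.tun0.proto='vpnc'
set network.tun0.server='$1'
set network.tun0.interface='wan'
set network.tun0.mtu='1380'
set network.tun0.username='$2'
set network.tun0.password='$3'
set network.tun0.authgroup='$2'
set network.tun0.passgroup='$4'
set network.tun0.dh_group='dh2'
set network.tun0.pfs='nopfs'
set network.tun0.dpd_idle='0'
set network.tun0.auto='1'
add firewall zone
set firewall.@zone[-1].name='tun0zone'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='tun0'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='tun0zone'
commit network
commit firewall
EOF
}

# Zone forwarding alone does not move traffic into the tunnel; the kernel
# default route must point at the tunnel device. Returns 0 when the text of
# `ip route show` ($1) has a default route via device $2, e.g.
#   default_route_via "$(ip route show)" vpn-tun0
default_route_via() {
    printf '%s\n' "$1" | grep -Eq "^default .*dev $2( |$)"
}
```

If `default_route_via` fails while the interface has an address, the FritzBox did not push a default route and traffic will keep using the wan/wwan uplink, which is exactly the "connected but no traffic over TUN0" situation reported later in the thread.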
Thanks. I got the Interface running and did the rest of the configuration. But I can’t access systems in the remote network and my internet traffic is still running over the normal route.
I use a wifi connection instead of a wan connection. Can you give any advice?
My GL Route has IP 192.168.10.1
My Wifi Hotspot has IP 192.168.8.1
My remote network has IP 192.168.178.1
The TUN0 interface gets 192.168.178.201 from my FRITZ!Box; when I try to connect to the FritzBox 192.168.178.1 from the GL device I don’t get a route.
I’ve got the same problem as spacerreg. If I uncheck “wan” in the Inter-Zone Forwarding of lan, there is no chance to connect to the internet or the FritzBox! There must be a little mistake in the configuration.
Is anybody able to help?
I’m running the 3.024 version of the default gl.inet release. Is there a difference between the two releases? Is it necessary to use the “OpenWrt Only” release? I like the simple admin page of the official software and would like to use it.
Download the firmware for your router from the /testing folder. It should be 3.026 or higher and see if your problem is fixed. Don’t use the Clean OpenWRT if you want the usual simple UI too.
Sorry, but it is also not working with version 3.026. Same problem: I get a connection to the FritzBox but no traffic over TUN0. The only difference is that I want to connect to a wireless network, so I use wwan instead of wan as “Output Interface”. But I think this should not be the problem.
I have the same configuration and problem as grossmeistetBM.
Is there something like a routing rule missing? A device in the WLAN (LAN interface) uses the gateway address 192.168.8.1.
From this address / IP segment there must be a rule to route the packets to the gateway of the 192.168.x.x network (interface TUN0, FritzBox) using the TUN0 interface and indirectly the WWAN interface as the physical interface of the VPN connection.
Is the simple firewall rule between the LAN and TUN0 zones enough to route packets between these IP ranges? Do we need special routing entries to route the complete network traffic from LAN through the TUN0 interface?
What about different VPN protocols. Do they use only firewall rules or additional routing table entries?
I’m new to OpenWrt, but for sure there are some experts for router configuration here. Hopefully with a solution for our FritzBox VPN problem using VPNC.
Sorry, but I can’t tell you if it works for longer periods. My plan was to use it on holidays.
I only test it with my mobile phone as second network.
An interesting point is, when I switch off the TUN0 interface www.wieistmeineip.de shows me the mobile phone IP. When TUN0 is switched on I see the FritzBox IP.
I thought, for switching between the two options it is necessary to change the inter zone forwarding in firewall options.
Or is “traffic over TUN0” forced by changing the vpn policies to “Use VPN for all processes on the router.”?
It would be great if somebody could help with a little script to use the hardware switch of the router to activate/deactivate the VPN.