VPN to Fritz Box

dschwert · 5 October 2024 15:48

Hi!

This question is more than ten years old and there still seems to be no solution:
Is there any way to build a VPN connection to a Fritz Box?

The reported ways are not working and have been a pain to use anyway:

replace the binaries of vpnc (the available binaries are probably too old for the current Sailfish version)
use Wireguard from Openrepos (connects, but does not receive any data)

Can it really be that in 2024 there is still no VPN on Sailfish for the most common routers here in Germany?

I used to use OpenVPN on a Raspberry Pi, but running the VPN client on the target system itself is not really useful. It should run on the router.

Regards,
Dietmar

RosSigudottir · 5 October 2024 16:04

Hi, found a solution 2 years ago, I’ve never tried again and I have not idea if it still works, I think it’s worth checking this thread: VPN Connection to a Fritz Box - #10 by geobra

I hope it helps!

paulvt · 5 October 2024 18:06

I just set up the FRITZ!Box VPN connection on my relative fresh flashed SFOS 4.6.0.15 on my Xperia 10 V and it worked immediately. What is the issue your having?

dschwert · 5 October 2024 18:31

Is this with Wireguard?

The problem is that it connects, but does not receive any data.

My config file looks like this:

[Interface]
PrivateKey = ****************************
Address = 192.168.0.201/24
DNS = 192.168.0.1

[Peer]
PublicKey = ****************************
PresharedKey = ****************************
AllowedIPs = 192.168.0.0/24,0.0.0.0/0
Endpoint =  ********.selfhost.eu:58113
PersistentKeepalive = 25

ifconfig shows that bytes are transmitted over vpn1, but none are received.
Pings to e.g. 192.168.0.1 (the router) fail.

When looking at “Connection details”, I see e.g.

Connection state:
...
Nameservers 192.168.0.1
Address 192.168.0.201/24
Netmask 255.255.255.0
Gateway ***.***.***.*** (actually here is the public IP address of the cable modem, which I find a bit strange)
Server route 192.168.0.0/255.255.255.00.0.0.0
Server route 0.0.0/0.0.0.00.0.0.0

Provider state:
WireGuard.Interface.Address 192.168.0.201/24
WireGuard.Interface.DNS 192.168.0.1
....
WireGuard.Peer.AllowedIPs 192.168.0.0/24,0.0.0.0/0
...

paulvt · 5 October 2024 18:36

I thought I had written VPNC in my post, but apparently corrected that to VPN.
So I’m using VPNC.

I can ping my server via <server>.fritz.box and visit some web service I’ve got hosted on there.

dschwert · 5 October 2024 18:50

Thanks, well, that just alternates between “Idle” and “Problem with connection”.

I tried adapting all the settings from http://web.archive.org/web/20230524021759/https://sailfishmods.de/2019/05/tippstricks-fritzbox-vpn-unter-sailfishos-einrichten/ but that did not make a difference.

Did you edit anything in “Advanced”?

paulvt · 5 October 2024 18:53

No, I just entered the data from what the FRITZ!Box “VPN Settings” dialog gave me.

dschwert · 5 October 2024 19:52

Thanks for your support, but that just does not work here.
“Connecting… → Problem with connection → Idle → Connecting…”

paulvt · 5 October 2024 20:38

Allright, well, I just wanted to confirm it can work. Maybe it depends on the FRITZ!Box model or something.

snowwie · 6 October 2024 21:59

Confirmed. It should be as easy as configuring the VPN (IPSec) in the fritz.box and adding a VPNC connection in sailfish settings → VPN → VPNC. No openvpn, wireguard, replacing binaries or (if I recall) advanced options required.

I do remember the German site helping me with what to put where, it took me a few tries.

explit · 7 October 2024 00:55

There was an modified VPNC Package, which could work with FritzBox. I forgot, who was the Autor,
maybe @Nokius ?

dschwert · 7 October 2024 06:07

I know the modified package and have tried it. The binary is now quite old, which could be the reason why it does not work.

Anyway, so far I could only try with IPv6. I think I need to get a public IPv4 address to try that.
I will come back with the result. Thanks.

Nokius · 7 October 2024 17:52

added latest target to the build setup in obs
sources of the build setup and the repo for later look ups by other ppl

in obs → Show home:Nokius:sfos-playground / vpnc - SailfishOS Open Build Service
in repos → Index of /obs/home:/Nokius:/sfos-playground

@dschwert share logs everything else will not work to see why it fails.

dschwert · 9 October 2024 18:51

Seems that there are actually several causes to the problem: IPv4 change at the provider and lack of IPv6 capability of Sailfish’s VPN.

The provider has recently changed from public IPv4 addresses to CGNAT, so the IPv4 address is not reachable from publich internet any more.
It turned out that Selfhost’s DynDNS always returns the IPv4 address, even in IPv6 only mode.

Then, why does Sailfish’s Wireguard VPN display ‘connected’? Really great. Probably it displays “Connected” as soon as it gets an address from the DNS.

It’s also possible to create a MyFritz account, which includes DynDNS under the myfritz.net domain. No idea why AVM is not advertising this on the DynDNS config tab. You need to activate the checkbox that the FritzBox should be reachable from internet.
I have checked Wireguard from an Android device to verify that the connection using this name is working.
Also, from Sailfish I can ping the FritzBox using the myfritz.net subdomain name.

With IPv6 Sailfish Wireguard connects to the Fritz Box, but reports “Problem with connection”. Really great…
(I can see from the FritzBox admin page that the connection was made.)

So, continue with IPSEC and IPv6:
With the standard settings, there is still “Idle → Connecting → Problem with connection”.
With Gateway vendor “Cisco”, Mode for IKE “PSK”, NAT traversal mode “Enforce NAT-T” as noted on the mentioned page: still the same failure.

With the vpnc rpm from Nokius and after a re-boot still the same.
After creating a .conf file and running vpnc from the command line, I get ‘vpnc: unknown host …myfritz.net’
I get the same result if I enter the IPv6 address instead of the myfritz subdomain name.
Double check: I can still ping the FritBox from the internet.

snowwie · 15 October 2024 21:17

While IPSEC/VPNC and IPv4 “just work”, I found it impossible to connect using the FritzBox IPv6 address, on both Sailfish and android.
Copying the IPv6 address to firefox between http://[], both devices show the FritzBox login.
Brackets [] in the VPN config make no difference.
Changing the IPv6 address to IPv4, both devices set up a vpn connection.

I only found “Setting up an IPSec VPN to the FRITZ!Box in Windows” hinting this behaviour: for IPv6 you should use wireguard.

But… I am not sure the Wireguard client is compatible with IPv6 yet.

My only advice right now is: focus on Wireguard. Since you got it to connect and get some logging in the FritzBox that means someting. (I never saw my IPv6 connection attempts logged.) You might end up having “just a routing issue”.

I might experiment with it once I get the C2 but I don’t feel like messing with my “production device”.

rtr2001 · 17 October 2024 09:29

I only have basic networking knowledge - but I remembered of this post which sounds related .
My understanding of it is that vpn is mostly not working with ipv6: Mobile VPN usage, ipv6 not routed and DNS leaks - #17 by jlaakkonen

hschmitt · 17 October 2024 11:11

I would wait for the next sailfish release. It seems it will get wireguard support. See
Sailfish OS Forum Sailfish Community News, 10th October 2024 - Factory Visit

dschwert · 17 October 2024 16:31

Thanks. I have commented/asked on OpenRepos. Hopefully one of the Wireguard implementations will finally work with IPv6. I would have expected that IPv6 is state of the art by now…

dschwert · 31 October 2024 16:54

As of now, Sailfis OS 5 does not yet support Wireguard. The C2 does not have an option when adding a VPN.

maier · 2 November 2024 11:14

I can confirm that VPN IPsec is working with FritzBox 7590ax and SF 4.6.0.15
No other packages are needed.