Many smaller companies use a Fritzbox as a DSL modem, and it often takes on other roles such as a LAN router, WLAN AP, firewall or DECT telephony. These instructions show how to configure a Fritzbox as a VPN gateway so that employees can connect to a company network from home using a PC.
Such a setup is called a client-to-site VPN. The client usually also operates behind a DSL router, which in many cases is likely to be a Fritzbox as well. The VPN functionality of the Fritzbox is based on the IPsec framework.
IPsec cleverly veiled
Although the IPsec framework is very complex, its essence is that the parameters for connection, key exchange and encryption are negotiated more or less automatically.
Therefore, Fritzbox admins do not have to deal with protocols such as ESP / IKE, hash methods such as SHA1 / SHA256, Diffie-Hellman groups such as modp1024 / ecp256 or encryption with AES256 / Blowfish when setting up VPN remote access.
Nevertheless, a basic understanding of IPsec is essential for troubleshooting, for example when packets disappear into the tunnel that should not go there. The crux of IPsec compared to SSL VPNs, for example, is that there is no VPN device that can be handled as such in the routing table.
Install FRITZ! Remote access
These instructions work for PCs with Windows 10 (64Bit) or Windows 7 / 8.x (64 or 32Bit) and a Fritzbox in router mode, which has received a public IPv4 address from the Internet provider.
For client access you have to install the tool FRITZ! Remote access, which you can download from AVM.
The ZIP archive must be unpacked locally; it contains an EXE file that initiates the setup.
A restart is required after installation.
Generate configuration files
Then you download the program Setting up FRITZ! Box remote access from the same website and install it on a Windows PC.
This tool allows convenient VPN configuration by automatically creating all security settings and writing them to two configuration files (*.cfg), one for the Fritzbox and one for the client.
The admin only has to load them into the Fritzbox and import them on the client via the program FRITZ! Remote access.
Avoid address conflicts
Both sides of the IPsec VPN connection must use IP addresses from different private IP networks. It is therefore not possible to test the following setup from a Windows server that is connected to the same Fritzbox.
This does not work even if the client is connected to another Fritzbox, but both sides use the same IP address range (192.168.178.0/24) due to the factory settings being retained.
So if there is a Fritzbox with factory defaults at both locations, you have to adjust their IP range in the menu under Home network => Network, in the tab Network settings.
Changes in the client environment can usually be avoided by not leaving the network settings of the Office Fritzbox at the manufacturer’s specifications.
If you want to test the setup locally, the simplest way is to connect the VPN client computer to an LTE smartphone via USB or Bluetooth tethering to establish an Internet connection via the mobile network. This gives you an Ethernet device with an IP configuration that is independent of the internal network.
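The overlap rule described in this section can be checked before any configuration is generated. The following is an added example, not part of the original instructions or of any AVM tool: it tests whether a client-side network collides with the office network and proposes an office range that avoids typical home-router ranges. The list of common home networks and the sample client networks are constructed assumptions.

```python
import ipaddress

FACTORY_DEFAULT = "192.168.178.0/24"  # Fritzbox factory network named in the article
# Assumption: other ranges often found on home routers (constructed sample list).
COMMON_HOME_NETS = ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                    FACTORY_DEFAULT)


def find_conflicts(office_net, client_nets):
    """Return the client-side networks that overlap the office network.

    Overlap, not equality, is the test: 192.168.0.0/16 on the client side
    collides with 192.168.178.0/24 even though the prefixes differ.
    """
    office = ipaddress.ip_network(office_net, strict=False)
    return [c for c in client_nets
            if ipaddress.ip_network(c, strict=False).overlaps(office)]


def propose_office_net(avoid=COMMON_HOME_NETS, pool="192.168.0.0/16", prefix=24):
    """Pick the first /prefix subnet of pool that overlaps nothing in avoid."""
    blocked = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(b) for b in blocked):
            return str(candidate)
    return None  # pool exhausted: every subnet collides with something


if __name__ == "__main__":
    # Constructed client environments, compared against an office Fritzbox
    # left at factory default and against a proposed replacement range.
    home_lans = {"home Fritzbox (default)": ["192.168.178.0/24"],
                 "LTE tethering": ["172.20.10.0/28"],
                 "wide home LAN": ["192.168.0.0/16"]}
    for office in (FACTORY_DEFAULT, propose_office_net()):
        for name, nets in home_lans.items():
            hit = find_conflicts(office, nets)
            print(f"office {office:18} client {name:24} ->",
                  "CONFLICT " + ", ".join(hit) if hit else "ok")
```
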
Generate VPN settings
Once all the preparations have been made, you can generate the required VPN settings. To do this, start the previously installed program Setting up FRITZ! Box remote access and click the button New to create a new configuration.
Here we use the first entry Set up remote access for a user. In the next dialog we choose the option PC with FRITZ! Remote access for the desired client type.
Then you enter the email address of the user who establishes the VPN connection. The MyFRITZ! domain name of the Fritzbox follows. This is necessary because a Fritzbox usually receives a public IP assigned dynamically by the provider. Fritzbox's own DynDNS service resolves the domain name to the current IP address.
If you do not want to use this in connection with a MyFRITZ! Account, you can of course choose another DynDNS provider. It is only important that the Fritzbox can always be found using a unique, publicly resolvable DNS name.
A MyFRITZ! Domain name can be set up directly via this dialog if none already exists. The tool redirects the user to the Fritzbox interface. After clicking Continue the Fritzbox IP network must be specified.
Those who have not changed the factory settings (IP address 192.168.178.1, subnet mask 255.255.255.0) can simply choose the option Accept the factory settings of the FRITZ! Box for the IP network here.
Otherwise you choose the option Use a different IP network and provide the data for the target network. If you want, you can route all Internet requests from the client PC via the remote Fritzbox by activating the option Send all data over the VPN tunnel.
In this way, employees could, for example, securely access their emails while on the go, even though they are connected to an insecure WLAN, such as a public hotspot. However, it is more effective to use the VPN tunnel only to connect to a company computer (Windows / Linux) via RDP or SSH.
After clicking Continue you can still choose whether you want to export the configuration files directly or just display the directory that contains the configuration files.
In this case you have to initiate the export again by clicking Export in the main screen.
Then you decide whether the configuration should be sent directly as an e-mail attachment or saved locally in the specified directory. The program can also encrypt the VPN settings. In this case, a password must be entered.
Import VPN settings
Now the VPN settings only have to be imported on the Fritzbox and in the tool FRITZ! Remote access on the client.
To do this, first log into the web interface of the Office Fritzbox. In the menu Internet, click on Clearances, change to the tab VPN, click Add VPN connection, and then select Import a VPN configuration from an existing VPN settings file.
Here you can specify the file that has just been exported or sent via email. By default, it is vpnadmin.cfg in the directory %APPDATA%/AVM/FRITZ!Fernzugang.
With a final click on Save, the settings are applied.
Now we have to import the configuration on the client in the program FRITZ! Remote access via File => Import. This is a file with a name based on the pattern
%APPDATA%/AVM/FRITZ!Fernzugang/
Now you can establish a VPN connection with the program. To do this, click on the name of the connection in the main window of the tool and then on the symbol Construction.
Finally, it should be mentioned that you do not necessarily have to use FRITZ! Remote access to establish a connection. However, its advantage is that it is very easy to create a suitable configuration as described.