Fritz!Box VPN

The Fritz!Box Fon series from the manufacturer AVM includes VPN capabilities. VPN has been built in since firmware version 58.04.67.

VPN

With a VPN you can connect to your home or office network over an encrypted connection. Through this VPN connection you can reach your file server, network printer(s) and so on. You can access all network devices and servers, just as you can when you are at home or in the office.

FRITZ!VPN client

The Fritz!Box routers are robust products and are based on stable firmware. But the Fritz!VPN client is far from that. The first version with the VPN service appeared at the beginning of 2009. I waited a few months for a stable Fritz!VPN client, but a year later this was still not the case. That is strange, because the firmware is of such good quality!

Problems

The English version of FRITZ!VPN (v01.01.03) works under Windows XP, but causes problems when the machine goes into standby or hibernation. The German version (v01.02.02) seems to work better, but causes a lot of VPN connection problems under Windows 7.

The solution

The Fritz!Box VPN connection uses IPsec, and there are other VPN clients that also use IPsec, for example the Shrew Soft VPN client. This client works on Windows 2000/XP/Vista/7 and on Linux!

The next posts guide you through the configuration of your own VPN connection.

  1. FRITZ!BOX VPN
  2. Configuring the Fritz!Box router
  3. VPN via FritzBox on Windows
  4. VPN via FritzBox on Linux

13 thoughts on “Fritz!Box VPN”

  1. Dear Reader,
    Nice description to set up ShrewSoft’s VPN Client to build a VPN-connection with a Fritz!Box.
    However, in the meantime AVM has published its own VPN Client for Windows 7 (Fritz_FernZugang), which can be found at ftp://ftp.avm.de/fritz.box/tools/vpn/fritz_fernzugang/.
    I found a program to convert the configuration of AVM’s Fritz_Fernzugang to the configuration of ShrewSoft’s VPN Client. This program “FritzToShrew” can be found at http://fritztoshrew.codeplex.com/.
    Using an internet-connection at a public HotSpot is unsafe. Therefore I wanted to use a VPN-connection to my Fritz!Box at home and access the internet from there. You can check this, by looking at your public IP-address e.g. at http://www.whatismyip.com.
    At http://www.ip-phone-forum.de/showthread.php?t=189391&highlight=VPN%2C+Client%2C+Heimnetz I found a “Mini-Howto: Kompletten Internetverkehr über AVM VPN routen”.
    You have to change the line “access list” in the configuration file for the Fritz!Box as well for “AVM’s Fritz_Fernzugang”:
    standard access list:
    accesslist = "permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
    has to be changed to:
    accesslist = "permit ip any 192.168.178.201 255.255.255.255";
    Explanation: 192.168.178.201 is the VPN-IP, the FRITZ! Remote PC from the FRITZ Box gets assigned!
    FB_FernZugang configuration file:
    standard access list:
    accesslist = "permit ip any 192.168.178.0 255.255.255.0";
    has to be changed to:
    accesslist = "reject udp any any eq 53", "reject udp any any eq 500", "reject udp any any eq 4500", "permit ip any any";
    I don’t understand, but the description tells that if the client is part of LAN this line should be changed to:
    accesslist = "deny ip any 192.168.0.0 255.255.255.0", "reject udp any any eq 53", "reject udp any any eq 500", "reject udp any any eq 4500", "permit ip any any";
    Explanation: 192.168.0.0 255.255.255.0 is the subnet of the LAN to which the PC is connected

    When I use these adapted configuration files, I can access the internet “at home from abroad”.
    After connecting to the internet elsewhere and having built the VPN-connection to my FB at home, I access the internet with the public address of my home connection! Check it at http://www.whatismyip.com.
    It is a pity that “FritzToShrew” cannot convert the AVM configuration for ShrewSoft’s VPN client in this case.
    Is there anyone who can tell, how to implement these access list settings in the ShrewSoft setup?
    Greetings.

    1. Hi Bernard,
      Thanks for your tip for the FritzToShrew converter. I was not aware of this tool.
      On the other hand I did not need it! I do not know why you want to convert the configuration files from AVM.
      When I am using the following guide: http://info4admins.com/vpn-fritzbox-windows-7/, I am already able to use the ShrewSoft VPN client on Windows 7! :-)
      Maybe you missed it? I am curious about your answer, because you put a lot of work into it. I also fixed a link in your comment.
      Greetings,
      Arjan

      1. Dear Arjan,
        I am/was aware of your guide. I even used it. With ShrewSoft’s VPN Client I could build a VPN-connection to my FB 7270 at home and open the web interface of it.
        However, for safety reasons I want to use my FB at home to surf the internet when I am connected through a public HotSpot. That did not work with the VPN-connection I had made.
        With my Google search I found a solution. However, I could not implement the needed “access list” in ShrewSoft’s VPN Client. With AVM’s “Fritz_FernZugang” for Windows7x64 I could surf the way I wanted to do; during surfing my public IP address is that of my home internet-connection although I am using a hotspot with my laptop!
        Can you tell how to implement the access list change in ShrewSoft’s VPN Client? I cannot find which “policy” statement I have to use and/or what other changes I have to make.
        Greetings,
        Ben

        1. Hi Ben,
          Yes you are right, now I know what you mean :-). In the standard configuration of ShrewSoft VPN client, the VPN traffic goes over the VPN connection and the rest is using the normal way to the internet.
          This way is what most people would prefer I think, because the internet is much faster.
          In cases when I want to use my home IP address, I use SSH to my Linux server at home. Via the SSH connection I make a tunnel and use this tunnel as a proxy server for my web browser. You can find a howto here: http://kimmo.suominen.com/docs/proxy-through-ssh/
          This is very handy when ports are blocked at work and also for public HotSpots, like you.
          For now I do not know how to do this in ShrewSoft. It would be nice to have a separate ShrewSoft VPN configuration, which you can select when you would like to route all IP traffic along your home internet connection, isn’t it?

        2. Hello Ben,

          This can be done! Very easy.

          Try version 2.1.7. Go to Policy in Site Configuration. Choose “require” as Policy Generation Level. This option was not there in 2.1.4. Then besides 192.168.178.0 / 255.255.255.0 net add also 0.0.0.0 / 0.0.0.0

          That is all.

          I can also explain the access lists. But it’s going to be a long story. Maybe some other time.

        3. Forgot to tell you. You have to trigger the tunnel up by sending something to 192.168.178.0 net, e.g. “PING 192.168.178.1” and first then you can get all traffic through your Fritz!Box. If you try to directly send something out of the “Fritz!Box’ net”, the tunnel will never come up. I guess that this is something Shrew should take a look at.

        4. Very important!

          1. You must have both 192.168.178.0 / 255.255.255.0 and 0.0.0.0 / 0.0.0.0, although the first is included in the last.

          2. You must have 192.168.178.0 first and 0.0.0.0 following. Otherwise it just won’t work.

          Trust me, or you can try it by yourself.
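
Added example (not part of the original post or its comments): a simplified model of the remote-network list discussed above, showing which destinations stay outside the tunnel with only 192.168.178.0 / 255.255.255.0 listed and after 0.0.0.0 / 0.0.0.0 is added, plus a check for a client LAN that overlaps the home subnet. The destination addresses and function names are constructed; the code models address coverage only, not the actual policy matching of Shrew Soft or the Fritz!Box.

```python
import ipaddress

# Remote-network lists in the "address / netmask" form used in the comments.
SPLIT_TUNNEL = ["192.168.178.0 / 255.255.255.0"]
FULL_TUNNEL = ["192.168.178.0 / 255.255.255.0", "0.0.0.0 / 0.0.0.0"]

# Constructed destinations: two home-LAN hosts, a web server, a DNS resolver.
DESTINATIONS = ["192.168.178.1", "192.168.178.20", "203.0.113.10", "198.51.100.53"]


def parse_networks(entries):
    """Turn 'address / netmask' strings into ipaddress network objects."""
    networks = []
    for entry in entries:
        addr, mask = (part.strip() for part in entry.split("/"))
        networks.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return networks


def outside_tunnel(remote_networks, destinations):
    """Destinations covered by no remote-network entry, i.e. sent
    directly over the local (hotspot) connection instead of the VPN."""
    nets = parse_networks(remote_networks)
    return [d for d in destinations
            if not any(ipaddress.ip_address(d) in n for n in nets)]


def overlapping(remote_networks, local_lan):
    """Remote entries (ignoring the catch-all 0.0.0.0/0) that overlap the
    LAN the client is currently on; addresses in the overlap are ambiguous."""
    lan = ipaddress.ip_network(local_lan)
    return [str(n) for n in parse_networks(remote_networks)
            if n.prefixlen > 0 and n.overlaps(lan)]


if __name__ == "__main__":
    print("split tunnel, not protected:", outside_tunnel(SPLIT_TUNNEL, DESTINATIONS))
    print("full tunnel, not protected: ", outside_tunnel(FULL_TUNNEL, DESTINATIONS))
    # A hotspot that also uses the Fritz!Box default subnet collides with home.
    print("overlap on 192.168.178.0/24:", overlapping(FULL_TUNNEL, "192.168.178.0/24"))
    print("overlap on 192.168.0.0/24:  ", overlapping(FULL_TUNNEL, "192.168.0.0/24"))
```
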

  2. Thanks MXW
    I have done all you set but still can only get to 192.168.178.0 / 255.255.255.0
    Is your one working?

  3. Sorry MXW
    You forgot to mention this must be done
    You have to change the line “access list” in the configuration file for the Fritz!Box as well for “AVM’s Fritz_Fernzugang”:
    standard access list:
    accesslist = "permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
    has to be changed to:
    accesslist = "permit ip any 192.168.178.201 255.255.255.255";
    all working after all

  4. Please can someone help me with step-by-step how to.

    I have followed all instructions and from the fritz interface the vpn connection is established using Shrew Soft as a VPN software client… and now I’m inside my home lan from office computer but I can’t surf internet through vpn…

    I’m using the last German version of the vpn software:
    FRITZ!Fernzugang Version 01.02.06 vom 03.02.2012
    FRITZ!Box-Fernzugang einrichten Version 01.03.00

    Fritz VPN Client software doesn’t work…

    Thanks in advance

    1. You can reach the other side of the network by VPN, and it is true that normal surfing traffic goes via the normal way.
      If you want to surf via the VPN, you can configure your browser to use the VPN as a proxy.
      Success, Arjan
