I tried the built-in "LAN-LAN Kopplung" from both native FritzOS 7.29. Connection was good (green boxes on both FritzBoxes), but no traffic was possible. I guess there's a routing problem. AVM Support said a FritzBox behind a router can only use site2site VPN if the router is FritzOS...
So, is there a way I could use OpenWrt on the 4040 to build a site2site VPN with all traffic going through that tunnel? I don't want to expose the traffic in a more or less open network. Thanks.
Yes - the 6660 will support WireGuard on official 7.5 release. I tried some 7.34-beta for it, but it messed with my Mesh. So I'm back at 7.29 ATM, but I will try again, as there's a 7.39-beta out last days or so...
So, you say, best would be to use WireGuard and let the 4040 (with OpenWrt) connect with the 6660 via WireGuard? Do I need to configure some special routing? As I tried the "LAN-LAN Kopplung" from the 4040 with the 6660 already, but it failed: AVM support said this is because the 4040 is behind a non-FritzBox router?
I cannot comment on the FritzOS implementation (never used it).
But for the OpenWrt side, it is fairly simple -- it will be able to route all traffic simply by setting the allowed IPs on the OpenWrt peer to 0.0.0.0/0, or you can customize which IP ranges are included in the tunnel by using the allowed IPs more selectively and/or policy based routing (PBR) to make specific rules. Any devices connected to the OpenWrt router will then be able to connect to the home network via the tunnel.
Just to ensure that it is clear, the OpenWrt router should be operating in standard router mode where the WAN is the upstream dorm network, and the LAN is a private network specifically for your devices.
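The full-tunnel setup described in the post above, sketched as an OpenWrt configuration (an added example, not part of the original post). The keys, the endpoint hostname, the tunnel address and the zone name `vpn` are placeholders or constructed values, and it assumes the home side accepts the peer as configured:

```conf
# /etc/config/network
# Added example: keys, endpoint and addresses are placeholders.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<OPENWRT_PRIVATE_KEY>'
	list addresses '10.0.0.2/32'             # constructed tunnel address

config wireguard_wg0
	option description 'home'
	option public_key '<HOME_PEER_PUBLIC_KEY>'
	option endpoint_host 'home.example.net'  # placeholder hostname
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'             # all IPv4 goes into the tunnel
	option route_allowed_ips '1'             # install routes for allowed_ips
	option persistent_keepalive '25'         # keep the NAT mapping on the upstream router alive

# /etc/config/firewall
# Dedicated zone for the tunnel. Masquerading means the home side only
# sees the tunnel address and needs no route back to the OpenWrt LAN.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN clients may only leave through the tunnel.
config forwarding
	option src 'lan'
	option dest 'vpn'

# Delete or disable the default 'lan' -> 'wan' forwarding section so that
# client traffic is dropped instead of leaving unencrypted over the dorm
# network when the tunnel is down.
```

With the `lan` to `wan` forwarding removed, clients on the OpenWrt LAN lose connectivity whenever the tunnel is down, which is the intended behaviour on an untrusted upstream network.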
Yes, that's how I'd like it to run. The 4040 could connect to the 6660 (green dots on both sides), but I could not ping either side and there was no traffic possible - AVM support said a FritzBox behind a router can only get a site2site VPN through if that router was also a FritzBox. I did not quite understand, and the support person could (or would) not elaborate on that. But yeah - this was the plan all along! So I'll try it next time I visit my oldest.
Also keep in mind that your remote download will now be limited by your local upload, which on cable links tends to be much slower than the downlink capacity. And once your cable uplink is saturated it will also delay downloads on your 6660, as at least TCP requires reasonably timely delivery of ACKs reverse to the load direction.
Ok. Once it is flashed and set up, if you have problems, we can help on the OpenWrt side.
In the meantime, you can actually set up WireGuard on your 6600... maybe use your phone as a test peer and see if you can connect back as expected. You'll want to have some method of remotely connecting to your 6600 to test/administer the connection while you're visiting your oldest and trying to configure that device as a WG peer.