my oldest just moved into a dorm at University. I'd like to have a site2site VPN in place to our home FritzBox. All traffic should go through the VPN to the home FritzBox.
So I have here:
Dorm: unknown network configuration, DHCP via LAN box in their room. FritzBox 4040 in place.
Home: public IPv4 with a FritzBox Cable 6660.
I tried the built-in "LAN-LAN Kopplung" from both native FritzOs 7.29. Connection was good (green boxes on both FritzBoxes), but no traffic was possible. I guess there's a routing problem. AVM Support said, a FritzBox behind a router only can use site2site VPN if the router is FritzOS...
So, is there a way I could use openWRT on the 4040 to built a site2site VPN with all traffic going through that tunnel? I don't want to expose the traffic in a more or less open network. Thanks.
Does your FritzOS installation (on the 6600) include support for OpenWrt? Or better yet, Wireguard (which is faster, easier to configure, and more performant overall).
If not, you'll need to consider flashing the device with OpenWrt. Alternatively, you can always put an OpenWrt device behind the 6600 and configure it as a VPN appliance.
Yes - the 6660 will support WireGuard on official 7.5 release. I tried some 7.34-beta for it, but it messed with my Mesh. So I'm back at 7.29 ATM. but I will try again, as there's a 7.39-beta out last days or so...
So, you say, best would be to use WireGuard and let the 4040 (with OpenWRT) connect with the 6660 via WireGuard? Do I need to do configure some special Routing? As I tried the "LAN-LAN Kopplung" from the 4040 with the 6660 already, but it failed: AVM support said this is, because the 4040 is behind an Non-Fritzbox-Router?
I cannot comment on the FritzOS implementation (never used it).
But for the OpenWrt side, it is fairly simple -- it will be able to route all traffic simply by setting the allowed IPs on the OpenWrt peer to 0.0.0.0/0, or you can customize which IP ranges are included in the tunnel by using the allowed IPs more selectively and/or policy based routing (PBR) to make specific rules. Any devices connected to the OpenWrt router will then be able to connect to the home network via the tunnel.
Just to ensure that it is clear, the OpenWrt router should be operating in standard router mode where the WAN is the upstream dorm network, and the LAN is a private network specifically for your devices.
yes, that's how I'd like it to run. The 4040 could connect to the 6660 (green dots on both sides), but I could not ping either side and there was no traffic possible - AVM support said, a FritzBox behind a router can only get a site2site VPN through, if that router was also a FritzBox. I did not quite understand, and the support person could (or would) not elaborate on that. But yeah - this was the plan all along! So I'll try it next time I'll take a visit to my oldest.
Thanks!
let's take a look at your OpenWrt configuration with Wireguard setup.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Also keep in mind that your remote download will now be limited by your local upload, which on cable links tends to be much slower than the downlink capacity. And once your cable uplink is satured it will also delay downloads on your 6660 as at least TCP requires reasonably timely delivery of ACKs reverse to the load direction.
I did not yet flash the 4040, just research up until now! I'll try it next time I visit my oldest - possibly next weekend. Thanks for the offer, anyways!
Yes, I know. Upload is quite high (got Vodafone 1000Mbit/s, with a median upload of ~40Mbit/s)
Ok. Once it is flashed and setup, if you have problems, we can help on the OpenWrt side.
In the meantime, you can actually setup Wireguard on your 6600... maybe use your phone as a test peer and see if you can connect back as expected. You'll want to have some method of remotely connecting to your 6600 to test/administer the connection while you're visiting your oldest and trying to configure that device as a WG peer.
So I'll try it next time I'll take a visit to my oldest.