VPN between different devices

Hi all, I don't have much experience with VLANs, but now I would like to realize a VPN between my home router (a TP-LINK TD-W8970 with OpenWrt 21.02.3), my office router (a FRITZ!Box 7530 with stock firmware) and my wife's office (with a Raspberry Pi acting as a router).
Can someone help me find the best software solution to realize that network (as far as I understood, the stock firmware of FRITZ!Boxes doesn't support all "kinds" of VPN) and how to route traffic between the different networks?

Thanks a lot
Skumpic

You could connect the Fritzbox to the OpenWrt device via a tagged port. See the link below for more information

Sorry, my mistake :blush:
I meant VPN. I updated my first post.
All the routers are at different sites and I would like to "connect" the different LANs via VPN

WireGuard is a likely candidate.

WireGuard is pretty good, as per anomeome.

You'd likely need another box at your office to create the VPN.

Googling your Fritzbox router, it looks as though it has a VPN server built in.

Perhaps you could connect the other 2 devices to the Fritzbox VPN?

There is some information in this thread

Thanks!
I investigated a bit and it seems that the latest release of the Fritzbox firmware (v. 7.50) supports WireGuard natively. This simplifies things, but I'm not sure WireGuard is supported by my Android phone.

@d687r02j8g
Using the vpnc client also seems to be a good solution. Thanks!
At the beginning my thought was to set up a VPN server on my OpenWrt router. In that case the best choice seems to be IPsec IKEv1 with a pre-shared key, which seems to be natively supported by Android phones, FRITZ!Boxes and Raspbian.
But another choice could be to "simplify my life" and just use the VPN server of the FRITZ!Box with the vpnc client on the other sites. I will investigate both ways a bit more.

WireGuard is definitely supported on Android.

So after one or two days of testing I found that the stock firmware of the FRITZ!Box released in my region is not yet compatible with WireGuard (FRITZ! firmware release 7.29).
So I had to have a look at an IPsec connection with the old IKEv1, which is the only "kind" of VPN currently managed by my FRITZ!Box.
I installed strongSwan on the OpenWrt router and modified the configuration as follows (many thanks to all the OpenWrt guys posting on this forum!!!)

#/etc/ipsec.conf
conn IPsec
        keyexchange=ikev1
        # aggressive mode: matches phase1_mode_aggressive on the FRITZ!Box side
        aggressive=yes
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        # this end (OpenWrt) and the LAN behind it
        leftid=@openwrt.house.router
        leftauth=psk
        leftsubnet=192.168.10.0/24
        # remote end (FRITZ!Box) and the LAN behind it
        right=%fritz.office.router
        rightid=@fritz.office.router
        rightauth=psk
        rightsubnet=192.168.2.0/24
        dpdaction=hold
        # install the policy at startup; the tunnel is negotiated on the first matching packet
        auto=route
#/etc/ipsec.secrets
@openwrt.house.router @fritz.office.router : PSK "my_very_strong_preshared_key"
#/etc/strongswan.d/local.conf
charon {
	# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
	i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}
#/etc/config/firewall
config zone
        option name         IPsec
        option input        REJECT
        option output       ACCEPT
        option forward      REJECT
        option subnet       192.168.2.0/24
        option extra_src    '-m policy --dir in --pol ipsec --proto esp'
        option extra_dest   '-m policy --dir out --pol ipsec --proto esp'
        option mtu_fix      1

config forwarding
        option src          lan
        option dest         IPsec

config forwarding
        option src          IPsec
        option dest         lan

and added the following options to the non-VPN zones (lan, wan and LTE in my case)

option extra_src    '-m policy --dir in --pol none' 
option extra_dest   '-m policy --dir out --pol none'

This is my FRITZ!Box configuration file (it should be loaded through the GUI when creating a new VPN)

fritzbox.vpn.cfg
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "openwrt.house.router";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "openwrt.house.router";
                localid {
                        fqdn = "fritz.office.router";
                }
                remoteid {
                        fqdn = "openwrt.house.router";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "my_very_strong_preshared_key";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.2.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.10.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.10.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF

Now every time I try to access an IP on the office LAN (let's say 192.168.2.10) from home, the VPN tunnel is automagically brought up by strongSwan.
Pretty good and (seems) stable.

But I still have some questions for the forum VPN specialists :stuck_out_tongue:

  • I would like to be able to connect also to my wife's office (on that site I have a Raspberry Pi running Raspbian behind a NATed IP). How could I achieve that? Do I have to add a second connection to /etc/ipsec.conf, or can I modify the existing one?
  • I would like to add a VPN profile also to my Android phones. My idea is that in this case all the traffic originating from the phones should be tunneled, not only intra-LAN (LAN to LAN) traffic. How can I do that?

Thanks for all your suggestions and help!
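As an added example (not part of the thread or of any poster's setup), a small Python check that reads the two configs posted above, verifies that the strongSwan conn and the FRITZ!Box vpncfg are mirror images of each other (ids and phase 2 subnets swapped, same phase 1 mode), and flags the settings a reviewer would want to know about: IKEv1 aggressive mode with a PSK, modp1024 and SHA-1. The config excerpts embedded below are constructed from the posted files and trimmed to the keys the check reads.

```python
import re

IPSEC_CONF = """
conn IPsec
        keyexchange=ikev1
        aggressive=yes
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        leftid=@openwrt.house.router
        leftsubnet=192.168.10.0/24
        rightid=@fritz.office.router
        rightsubnet=192.168.2.0/24
"""  # constructed excerpt of the posted /etc/ipsec.conf
FRITZ_CFG = """
        localid { fqdn = "fritz.office.router"; }
        remoteid { fqdn = "openwrt.house.router"; }
        mode = phase1_mode_aggressive;
        phase2localid { ipnet { ipaddr = 192.168.2.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }
"""  # constructed excerpt of the posted fritzbox.vpn.cfg

def parse_ipsec(text):
    # key=value lines of one strongSwan conn section
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_fritz(text):
    # ids, phase 1 mode and phase 2 subnets (as CIDR) of one vpncfg connection
    out = {"mode": re.search(r"^\s*mode\s*=\s*(\w+);", text, re.M).group(1)}
    for k in ("localid", "remoteid"):
        out[k] = re.search(k + r"\s*\{\s*fqdn\s*=\s*\"([^\"]+)\"", text).group(1)
    for k in ("phase2localid", "phase2remoteid"):
        m = re.search(k + r"\s*\{\s*ipnet\s*\{\s*ipaddr\s*=\s*([\d.]+);\s*mask\s*=\s*([\d.]+)", text)
        out[k] = m.group(1) + "/%d" % sum(bin(int(o)).count("1") for o in m.group(2).split("."))
    return out

def cross_check(ipsec, fritz):
    # findings list; empty = both ends agree and nothing weak. left/right on OpenWrt mirror remote/local on the FRITZ!Box
    findings = []
    for a, b in (("leftid", "remoteid"), ("rightid", "localid"),
                 ("leftsubnet", "phase2remoteid"), ("rightsubnet", "phase2localid")):
        if ipsec[a].lstrip("@") != fritz[b]:
            findings.append(f"mismatch: {a}={ipsec[a]} vs {b}={fritz[b]}")
    if (ipsec.get("aggressive") == "yes") != (fritz["mode"] == "phase1_mode_aggressive"):
        findings.append("mismatch: phase 1 mode differs between the two ends")
    if ipsec.get("keyexchange") == "ikev1" and ipsec.get("aggressive") == "yes":
        findings.append("weak: IKEv1 aggressive mode with PSK; use a long random PSK")
    for prop in ("ike", "esp"):
        for alg, why in (("modp1024", "1024-bit DH group"), ("sha", "SHA-1"), ("sha1", "SHA-1")):
            if alg in ipsec.get(prop, "").split("-"):
                findings.append(f"weak: {prop} uses {alg} ({why})")
    return findings
```

Run `cross_check(parse_ipsec(IPSEC_CONF), parse_fritz(FRITZ_CFG))` against the posted configs and it reports no mismatches but five weak-setting lines; changing one subnet on either side produces a mismatch line naming both keys.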