Add a VPN to a FRITZ!Box router

FRITZ!Box modem routers can run IPSec VPN endpoints, and even come with a clever VPN configuration utility, which is only available for Windows. If you don’t run Windows, you’re mostly out of luck (at least as far as the official documentation goes), because the assumption is that everyone runs Windows (!)

If you’re not running Windows, you’ll need to create the VPN configuration file and upload it to the FRITZ!Box router by hand. It’s actually not that tricky, but the instructions are nearly impossible to find on the Internets – so here’s my own version. I’ve borrowed liberally from Marius van Witzenburg’s blog post on the same topic.

Copy the following into a plain text file and save it as vpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_user;
                name = "NAME";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = VPN_CLIENT_IP;
                remoteid {
                        key_id = "NAME";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SHARED_SECRET";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                xauth {
                        valid = yes;
                        username = "USERNAME";
                        passwd = "PASSWORD";
                }
                phase2localid {
                        ipnet {
                                ipaddr = 0.0.0.0;
                                mask = 0.0.0.0;
                        }
                }
                phase2remoteid {
                        ipaddr = VPN_CLIENT_IP;
                }
                phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                accesslist = "permit ip any VPN_CLIENT_IP 255.255.255.255";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}

A few changes are needed: the placeholders (written in UPPERCASE above) must be replaced as explained below:

  • NAME – replace these (x2) with an alphanumeric name – if you’re using an Android device, it’s important that you do NOT use special characters, symbols or any punctuation (if you do, the connection will likely fail without any sort of useful error message)
  • VPN_CLIENT_IP – replace these (x3) with an IP address from the internal network range being used by the FRITZ!Box, but outside the DHCP pool range. If you haven’t changed any of the default settings in the Home Network > Network > Network Settings section, then use 192.168.178.201 (if you have made changes, you’ll need to work out what IP address to use for yourself :))
  • SHARED_SECRET – replace this with a long, alphanumeric password – I use a random string about 30 characters long – just bear in mind that you’ll need to enter this string on anything you set the VPN up on 😉
  • USERNAME – replace with a username (only use lowercase letters)
  • PASSWORD – replace with a password (avoid special characters, especially quote marks)
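A small helper, added here and not part of the original post or of anything AVM ships, that performs the placeholder substitution and checks the constraints listed above before you upload the file. The function names (fill_template, validate, make_shared_secret) are my own; the shortened template inside is a constructed stand-in for the full vpn.cfg above, and the LAN range defaults to the FRITZ!Box default mentioned above.

```python
import ipaddress
import re
import secrets
import string

# Placeholders from the vpn.cfg above and how often each occurs (NAME x2, VPN_CLIENT_IP x3).
EXPECTED_COUNTS = {"NAME": 2, "VPN_CLIENT_IP": 3, "SHARED_SECRET": 1, "USERNAME": 1, "PASSWORD": 1}
# Constraints the post lists for each placeholder, as (regex, description).
RULES = {
    "NAME": (r"[A-Za-z0-9]+", "alphanumeric only (Android fails silently otherwise)"),
    "SHARED_SECRET": (r"[A-Za-z0-9]{20,}", "a long alphanumeric string"),
    "USERNAME": (r"[a-z]+", "lowercase letters only"),
    "PASSWORD": (r"[^\"']+", "free of quote marks"),
}
# Constructed, shortened stand-in for the full vpn.cfg (same placeholders, same
# counts); in practice pass the contents of the real file instead.
SAMPLE_TEMPLATE = """vpncfg {
  connections {
    name = "NAME";
    remote_virtualip = VPN_CLIENT_IP;
    remoteid { key_id = "NAME"; }
    key = "SHARED_SECRET";
    xauth { username = "USERNAME"; passwd = "PASSWORD"; }
    phase2remoteid { ipaddr = VPN_CLIENT_IP; }
    accesslist = "permit ip any VPN_CLIENT_IP 255.255.255.255";
  }
}
"""

def make_shared_secret(length=30):
    # Random alphanumeric pre-shared key, ~30 characters as suggested above.
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def validate(values, lan="192.168.178.0/24"):
    # Returns the list of constraint violations; an empty list means the values are OK.
    errors = [f"{ph} must be {why}" for ph, (rx, why) in RULES.items()
              if not re.fullmatch(rx, values[ph])]
    if ipaddress.ip_address(values["VPN_CLIENT_IP"]) not in ipaddress.ip_network(lan):
        errors.append(f"VPN_CLIENT_IP must be inside the FRITZ!Box LAN {lan}")
    return errors

def fill_template(template, values, lan="192.168.178.0/24"):
    # Check values and placeholder counts, then substitute all placeholders in one pass.
    errors = validate(values, lan)
    for ph, n in EXPECTED_COUNTS.items():
        if (found := len(re.findall(rf"\b{ph}\b", template))) != n:
            errors.append(f"expected {ph} x{n} in the template, found {found}")
    if errors:
        raise ValueError("; ".join(errors))
    return re.sub(r"\b(" + "|".join(EXPECTED_COUNTS) + r")\b", lambda m: values[m.group(1)], template)
```

The single-pass substitution matters: replacing placeholders one after another could otherwise re-substitute inside a value you just inserted.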

Leave everything else as is and re-save the file. Log in to the FRITZ!Box and go to the VPN configuration section (Internet > Permit Access > VPN), upload the file and you should now see a configured VPN waiting to be used. 🙂

To configure an iDevice, check this Apple Support KB article and use the following settings:

Configuration option   Setting to use
VPN Type               IPSec
Description            FritzVPN
Server                 The (static) IP address, hostname or DDNS hostname for the Internet service that your FRITZ!Box is connected to
Account                USERNAME from above
Password               Leave set to ‘Ask Every Time’ (or use PASSWORD from above, but consider the security implications of doing so)
Use Certificate        Leave set to ‘Off’
Group Name             NAME from above
Secret                 SHARED_SECRET from above

To configure an Android device, go to Settings, select ‘More…’ under Wireless & Networks, select VPN and then tap the ‘+’ symbol. In the Edit VPN profile pop-up, use the following settings:

Configuration option   Setting to use
Name                   FritzVPN
Type                   IPSec Xauth PSK
Server address         The (static) IP address, hostname or DDNS hostname for the Internet service that your FRITZ!Box is connected to
IPSec identifier       NAME from above
IPSec preshared key    SHARED_SECRET from above

The Android instructions were written based on the AOSP release of Android 4.2 Jelly Bean – your mileage may vary with different/customised versions of Android. The earliest version of Android with built-in support for the IPSec VPN that the FRITZ!Box uses is 4.0.4 Ice Cream Sandwich – if you have an earlier version and can’t upgrade, you’ll need to buy VpnCilla from the Google Play store instead.

Setting up VPN access from a computer or other device may be slightly trickier, but should follow the outline above – the actual instructions will depend on the operating system version etc. (Google will be your best friend here).

If multiple concurrent VPN connections are required, simply edit all of the fields per the above instructions to something else (except maybe leave SHARED_SECRET the same), save and upload as a second VPN connection.