Add a VPN to a FRITZ!Box router

FRITZ!Box modem routers are able to run IPSec VPN endpoints, and even come with a clever VPN configuration utility – that's only available for Windows. If you don't run Windows, you're mostly out of luck (at least as far as the official documentation goes), because the assumption is that everyone is running Windows (!)

If you’re not running Windows, you’ll need to create the VPN configuration file and upload it to the FRITZ!Box router by hand. It’s actually not that tricky, but the instructions are near impossible to find on the Internets – so here’s my own version. I’ve borrowed liberally from Marius van Witzenburg’s blog post on the same topic.

Copy the following in to a plain text file and save it as vpn.cfg:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_user;
                name = "NAME";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = VPN_CLIENT_IP;
                remoteid {
                        key_id = "NAME";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SHARED_SECRET";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                xauth {
                        valid = yes;
                        username = "USERNAME";
                        passwd = "PASSWORD";
                }
                phase2localid {
                        ipnet {
                                ipaddr = 0.0.0.0;
                                mask = 0.0.0.0;
                        }
                }
                phase2remoteid {
                        ipaddr = VPN_CLIENT_IP;
                }
                phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                accesslist = "permit ip any VPN_CLIENT_IP 255.255.255.255";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}

A few changes are needed – the placeholders are the words in capitals above and are explained below:

  • NAME – replace these (x2) with an alphanumeric name – if you're using an Android device, it's important that you do NOT use special characters, symbols or any punctuation (if you do, the connection will likely fail without any sort of useful error message)
  • VPN_CLIENT_IP – replace these (x3) with an IP address from the internal network range being used by the FRITZ!Box, but outside the DHCP pool range. If you haven't changed any of the default settings in the Home Network > Network > Network Settings section, then use 192.168.178.201 (if you have made changes, you'll need to work out what IP address to use for yourself :)). Each VPN client needs its own address here.
  • SHARED_SECRET – replace this with a long, alphanumeric password – I use a random string about 30 characters long. This profile uses IKE aggressive mode with a pre-shared key (mode = phase1_mode_aggressive), and in that mode anyone who can capture the first exchange gets material for an offline guessing attack on the secret, so length and randomness matter here. Just bear in mind that you'll need to enter this string on anything you set the VPN up on 😉
  • USERNAME – replace with a username (only use lowercase letters)
  • PASSWORD – replace with a password (avoid special characters, especially quote marks, which would break the quoting in the file)

Leave everything else as is and re-save the file. Note that the file holds the shared secret and the XAUTH password in plain text, so keep it somewhere safe rather than in a shared folder or an e-mail. Log in to the FRITZ!Box and go to the VPN configuration section (Internet > Permit Access > VPN), upload the file and you should now see a configured VPN waiting to be used. 🙂

To configure an iDevice, check this Apple Support KB article and use the following settings:

Configuration option   Setting to use
VPN Type               IPSec
Description            FritzVPN
Server                 The (static) IP address, hostname or DDNS hostname for the Internet service that your FRITZ!Box is connected to
Account                USERNAME from above
Password               Leave set to 'Ask Every Time' (or use PASSWORD from above, however consider the security implications of doing so..)
Use Certificate        Leave set to 'Off'
Group Name             NAME from above
Secret                 SHARED_SECRET from above

To configure an Android device, go to Settings, select ‘More…’ under Wireless & Networks, select VPN and then tap the ‘+’ symbol. In the Edit VPN profile pop-up, use the following settings:

Configuration option   Setting to use
Name                   FritzVPN
Type                   IPSec Xauth PSK
Server address         The (static) IP address, hostname or DDNS hostname for the Internet service that your FRITZ!Box is connected to
IPSec identifier       NAME from above
IPSec preshared key    SHARED_SECRET from above

The Android instructions were written based on the AOSP release of Android 4.2 Jelly Bean – your mileage may vary with different/customised versions of Android. The earliest version of Android with built-in support for the IPSec VPN that the FRITZ!Box uses is 4.0.4 Ice Cream Sandwich – if you have an earlier version and can’t upgrade, you’ll need to buy VpnCilla from the Google Play store instead.

Setting up VPN access from a computer or other device may be slightly trickier but should follow the outline above – the actual instructions will depend on the operating system and version (Google will be your best friend here).

If multiple concurrent VPN connections are required, simply edit all of the fields per the above instructions to something else (a different NAME, VPN_CLIENT_IP and USERNAME at minimum – you can leave SHARED_SECRET the same), save and upload the result as a second VPN connection.
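As an added example (my own script, not part of the original post and nothing to do with AVM's Windows utility), here is a small Python program that fills in the vpncfg above and refuses to produce a file when a placeholder breaks one of the rules in the list: non-alphanumeric NAME, a VPN_CLIENT_IP outside the LAN or inside the DHCP pool, uppercase USERNAME, quote marks in PASSWORD, a short SHARED_SECRET. It also covers the multiple-connection case by producing one file per client, each with its own name and address. The LAN subnet and DHCP pool are assumed to be the FRITZ!Box defaults (192.168.178.0/24, pool .20 to .200, which is why the post suggests .201); change the two constants if you have altered them. The function names (problems, render, render_many, new_secret) are mine.

```python
import ipaddress
import re
import secrets
import string
from string import Template

# Assumed FRITZ!Box defaults (Home Network > Network > Network Settings):
# LAN 192.168.178.0/24 with a DHCP pool of .20 to .200, hence the .201 in the post.
LAN = ipaddress.IPv4Network("192.168.178.0/24")
DHCP_POOL = (ipaddress.IPv4Address("192.168.178.20"), ipaddress.IPv4Address("192.168.178.200"))

# The post's placeholders and the rules it gives for them (order matches problems() below).
RULES = {
    "name": (r"[A-Za-z0-9]+", "alphanumeric only (Android fails silently otherwise)"),
    "secret": (r"[A-Za-z0-9]{20,}", "long random alphanumeric string (20+ characters)"),
    "username": (r"[a-z]+", "lowercase letters only"),
    "password": (r"[A-Za-z0-9]+", "no punctuation, especially no quote marks"),
}

# The vpncfg from the post, with $placeholders where the capitalised words were.
VPN_CFG = Template("""vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_user;
                name = "$name";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = $client_ip;
                remoteid {
                        key_id = "$name";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "$secret";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                xauth {
                        valid = yes;
                        username = "$username";
                        passwd = "$password";
                }
                phase2localid {
                        ipnet {
                                ipaddr = 0.0.0.0;
                                mask = 0.0.0.0;
                        }
                }
                phase2remoteid {
                        ipaddr = $client_ip;
                }
                phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                accesslist = "permit ip any $client_ip 255.255.255.255";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
""")

def problems(name, client_ip, secret, username, password):
    """List every rule the values break; an empty list means they are usable."""
    found = []
    for field, value in zip(RULES, (name, secret, username, password)):
        pattern, why = RULES[field]
        if not re.fullmatch(pattern, value):
            found.append(f"{field}: {why}")
    try:
        ip = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return found + [f"client_ip: {client_ip!r} is not an IPv4 address"]
    if ip not in LAN or ip in (LAN.network_address, LAN.broadcast_address):
        found.append(f"client_ip: {ip} is not a host address in {LAN}")
    elif DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
        found.append(f"client_ip: {ip} is inside the DHCP pool {DHCP_POOL[0]}-{DHCP_POOL[1]}")
    return found

def render(name, client_ip, secret, username, password):
    """Return the text of one vpn.cfg, or raise ValueError describing what is wrong."""
    found = problems(name, client_ip, secret, username, password)
    if found:
        raise ValueError("; ".join(found))
    return VPN_CFG.substitute(name=name, client_ip=client_ip, secret=secret,
                              username=username, password=password)

def new_secret(length=30):
    """Random alphanumeric SHARED_SECRET (aggressive-mode PSK is open to offline guessing)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def render_many(clients, secret):
    """One vpn.cfg per client (each uploaded separately); names and IPs must not collide."""
    for key in ("name", "client_ip"):
        values = [c[key] for c in clients]
        if len(set(values)) != len(values):
            raise ValueError(f"every connection needs its own {key}")
    return {c["name"]: render(secret=secret, **c) for c in clients}
```

Typical use is `open("vpn.cfg", "w").write(render("phone", "192.168.178.201", new_secret(), "alice", "Horse7Battery"))`, then upload the file as described above; `render_many` with a list of client dicts and one shared secret gives you a file per device for the multiple-connection case.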

Download Brightcove videos

2016 update: Turns out this is the most popular article on this site – with nearly 4 years of changes to Google Chrome since it was posted, the instructions needed a little tweaking..!


Brightcove typically delivers videos via a flash stream – making it almost impossible to download (as it is a stream, there is no file to save). A video capture of the stream might be possible, but there’s an easier way if the video has a .mp4 “fallback option” for iDevices.

Ingredients

  • Video that you want, delivered using a Brightcove stream
  • Google Chrome (tested with version 50.0.2661.102)

Recipe

First, you need to disable the Flash plugin in Google Chrome: open Google Chrome, go to chrome://plugins/ and one of the first plugins you should see listed is Flash. Click the Disable link and it ought to go grey.

Open a new tab and go to the web address for the video – you should see a blocked-plugin placeholder where the Flash player would normally be, rather than a playing video.

If the video starts playing instead, you haven't disabled Flash properly – try the above steps again.

Open the View menu, select Developer and then select Developer Tools. Ensure the user agent dropdown at the top of the page shows “iPad”:

[Screenshot: Chrome Developer Tools with the user agent set to "iPad"]

Reload the web page and a video ought to display, with a play icon overlay – that's the video in .mp4 format. In the Developer Tools section below the website, select the Network tab, then type "mp4" in to the Filter search box. There should be a single item listed in the section at the bottom of the page (if several appear, they are usually the same video at different bitrates – the largest is the best quality) – this is the video file. Right-click the filename and copy the link address.

Finally, load the copied link address in to the address bar of Google Chrome and load it – et voilà, the video should start playing. Right-click the video and save it to a file.
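If the Network tab is too busy to pick the file out by eye, you can save it as a HAR file (right-click in the Network list; the exact menu wording depends on the Chrome version) and let a script find the mp4 for you. The following is an added example of mine, not part of the original post: it walks the HAR entries, matches on the response MIME type or on the URL path (so a query string such as ?token=... after .mp4 does not hide the file), merges repeated range requests for the same URL, and returns the candidates largest first, since several renditions of the same video often appear. The HAR sample is constructed for the example and only contains the fields the script reads.

```python
import json
from urllib.parse import urlparse

# Constructed HAR (HAR 1.2 shape, trimmed to the fields used here): a player script,
# an HLS manifest and two mp4 renditions, one of them fetched twice in byte ranges.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://player.example.com/player.js"},
     "response": {"status": 200, "content": {"mimeType": "application/javascript", "size": 90000}}},
    {"request": {"url": "https://cdn.example.com/manifest.m3u8"},
     "response": {"status": 200, "content": {"mimeType": "application/vnd.apple.mpegurl", "size": 2000}}},
    {"request": {"url": "https://cdn.example.com/rendition_480.mp4?token=abc"},
     "response": {"status": 206, "content": {"mimeType": "video/mp4", "size": 12000000}}},
    {"request": {"url": "https://cdn.example.com/rendition_720.mp4?token=abc"},
     "response": {"status": 206, "content": {"mimeType": "video/mp4", "size": 30000000}}},
    {"request": {"url": "https://cdn.example.com/rendition_720.mp4?token=abc"},
     "response": {"status": 206, "content": {"mimeType": "video/mp4", "size": 5000000}}},
]}})

def mp4_entries(har_text):
    """Return [(url, largest response size seen)] for mp4 responses, biggest first."""
    sizes = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        content = entry["response"].get("content", {})
        mime = content.get("mimeType", "").lower()
        path = urlparse(url).path.lower()          # ignore ?token=... query strings
        if mime.startswith("video/mp4") or path.endswith(".mp4"):
            sizes[url] = max(sizes.get(url, 0), content.get("size") or 0)
    return sorted(sizes.items(), key=lambda item: item[1], reverse=True)

def best_mp4(har_text):
    """The URL to paste into the address bar, or None if no mp4 was fetched."""
    entries = mp4_entries(har_text)
    return entries[0][0] if entries else None

if __name__ == "__main__":
    for url, size in mp4_entries(SAMPLE_HAR):
        print(f"{size:>12}  {url}")
```

Run against a real export with `best_mp4(open("video.har").read())` and paste the result into the address bar as described above.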

Exchange Server 2007 – troubleshooting SSL

Some points to troubleshoot an Exchange Server 2007 SSL configuration. For god knows what reason, Microsoft decided that everything needed to be command line, so it’s pretty easy to get stuck.

Starting point – find what certificates are installed

Run the following cmdlet from the Exchange Shell:

Get-ExchangeCertificate

You should see output similar to:

Thumbprint                Services Subject
----------                -------- -------
1B5667CCB803BC4AD13E7E51A .IP.W    CN=mail.example.com....
103F3F32814A48D2416ECC5DB S....    CN=exch-07
43C6A1548782A25ABA425B471 ....W    CN=exch-07.example....

The Thumbprint is the identifier used in other cmdlets when referring to a specific certificate. The Services are what the certificate is enabled for; each letter indicates what service(s) are configured:

Letter   Service
S        SMTP – e-mail transport (send and receive connectors) secured with TLS
I        IMAP4 – client mailbox access
P        POP3 – client mailbox access
U        Unified Messaging – I believe this is for Outlook Anywhere
W        Outlook Web Access / IIS – webmail

You can also get more detailed information about a specific certificate with the following command:

Get-ExchangeCertificate [thumbprint] | fl

Are the certificates enabled for the right things? Are multiple certificates enabled for the same service (as per the example above)? Is the right certificate installed at all? Has the certificate expired? Does the certificate have incorrect or misspelt details in the DN? Etc..

Handy commands:

Turn a specific service on (Outlook Web Access in this example):

Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services IIS

Disable a certificate:

Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services None

Remove a certificate:
This command does what it says on the tin – there is no undo!

Remove-ExchangeCertificate -Thumbprint [thumbprint]
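As an added example (my own, not from the original post), the following Python script takes the Get-ExchangeCertificate table shown above and answers two of the checklist questions mechanically: which services are enabled on more than one certificate (the W / IIS case in the sample) and which have no certificate at all. It also composes the Enable-ExchangeCertificate line from the handy commands for a chosen set of service letters, so the fix can be pasted straight into the Exchange Shell. The sample table is the one from the post (thumbprints truncated as printed there), and the letter order S I P U W is as listed above.

```python
import re

# Services column, one letter per service in this order; '.' means not enabled.
SERVICE_LETTERS = {"S": "SMTP", "I": "IMAP", "P": "POP", "U": "UM", "W": "IIS"}

# Constructed sample: the table from the post (thumbprints truncated as printed there).
SAMPLE = """\
Thumbprint                Services Subject
----------                -------- -------
1B5667CCB803BC4AD13E7E51A .IP.W    CN=mail.example.com....
103F3F32814A48D2416ECC5DB S....    CN=exch-07
43C6A1548782A25ABA425B471 ....W    CN=exch-07.example....
"""

def parse_certificates(text):
    """Return [(thumbprint, {enabled letters}, subject)] for each table row."""
    certs = []
    for line in text.splitlines():
        parts = line.split(None, 2)              # subject may itself contain spaces
        if len(parts) < 3 or not re.fullmatch(r"[.SIPUW]+", parts[1]):
            continue                              # header, separator or blank line
        thumbprint, flags, subject = parts
        certs.append((thumbprint, {c for c in flags if c != "."}, subject))
    return certs

def bindings(certs):
    """Map each service letter to the thumbprints currently enabled for it."""
    by_service = {letter: [] for letter in SERVICE_LETTERS}
    for thumbprint, letters, _subject in certs:
        for letter in letters:
            by_service[letter].append(thumbprint)
    return by_service

def duplicates(certs):
    """Services enabled on more than one certificate (the post's 'multiple certificates' case)."""
    return {SERVICE_LETTERS[l]: t for l, t in bindings(certs).items() if len(t) > 1}

def unbound(certs):
    """Services with no certificate enabled at all."""
    return [SERVICE_LETTERS[l] for l, t in bindings(certs).items() if not t]

def enable_command(thumbprint, letters):
    """Compose the Enable-ExchangeCertificate line for the given service letters."""
    names = ",".join(SERVICE_LETTERS[l] for l in SERVICE_LETTERS if l in letters) or "None"
    return f"Enable-ExchangeCertificate -Thumbprint {thumbprint} -Services {names}"

if __name__ == "__main__":
    found = parse_certificates(SAMPLE)
    print("enabled twice:", duplicates(found))
    print("no certificate:", unbound(found))
    print(enable_command(found[1][0], {"S", "W"}))
```

Paste the real cmdlet output into `parse_certificates` (or read it from a file) and the script prints the services that need untangling; `enable_command(thumbprint, set())` gives the `-Services None` form used above to disable a certificate.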

Aside from using the above to fix obvious problems, the Event Viewer contains very useful error codes and explanatory messages in well-formed English (which is just about a first for any Microsoft product, I think). Combining that with Google will provide fixes for most problems.

One thing I've seen once or twice is a certificate that the customer swears black-and-blue has been installed and it's just not showing up in the Get-ExchangeCertificate output. If you look in (the Certificates snap-in in) MMC, it's there. What's happened? The customer requested the certificate in Exchange, but imported the certificate response in to MMC directly. Ergo, the public and private keys are not matched up and the certificate is not available to Exchange. Delete the certificate from MMC and import it in to Exchange instead.