Jump to content
Not connected, Your IP: 3.129.216.15
OpenSourcerer

[Deprecated] Using AirVPN with Fritz!Box routers [new link inside]

Recommended Posts

Posted ... (edited)

DEPRECATED. USE V2:

https://airvpn.org/topic/14233-how-to-openvpn-on-fritzbox-routers/

 

--

 

In the following I will describe the steps necessary to connect to and route all traffic through AirVPN using modified firmwares for Fritz!Box routers by AVM. AVM is a manufacturer of quite popular (and expensive) routers in German-speaking countries. Unfortunately it has it's restrictions - especially on older models there is absolutely no VPN software preinstalled. So how do we solve this problem?
The solution is called Freetz. Basically it's just a firmware modification kit with which you apply mods and packages to the original firmware. One of those packages is openvpn and this guide shows how to configure it to use with AirVPN.


Be aware that VoIP won't work properly with AirVPN since you'd need to forward more than 32 ports to make it work without issues.

1. Read the FAQ
.
2. Read Freetz for beginners.
3. Read this how-to for an overview of what expects you.
All right? Let's go!

-- BUILDING THE FILESYSTEM --

1. Startup linux on VirtualBox. Checkout the recent freetz-trunk using

svn checkout http://svn.freetz.org/trunk freetz-devel

This is really important, because recent trunks contain OpenVPN v2.3 which fixes serious routing problems on the Fritz!Box. cd to freetz-devel after completion.
2. Build your minimal firmware and flash it.
3. If everything went fine make yourself familiar with the web interface. Then proceed.


I) In Packages/Packages select OpenVPN with version (2.3.3), SSL library (OpenSSL), Enable Management Console, Optimize for size.
II) In Packages/Unstable select Iptables 1.4.11.1 (binary only, unstable) and Iptables-CGI 1.1.
The general Iptables kernel modules and Iptables shared libraries are automatically selected. For full fun consider selecting everything in Select kernel modules (IPv4), Select shared libraries (IPv4) and Select shared libraries (both IPv4 and IPv6).
III) Now build your firmware and flash it.

If everything worked fine proceed to the AirVPN config.


-- OPENVPN CONFIGURATION --

Go to the config generator to generate your configuration files. Choose Router or other, then your preferred server. Check Advanced, your preferred connection mode and then Separate keys/certs from .ovpn file (not necessary, but this one will make it easier to setup the keys/certificates).
Open every generated file with an editor like Notepad++. The config is only necessary to grab information you need, you are not going to upload it.
Look into the .ovpn file and set up everything like this:



Now you have to add the certificates. You can find the menu items I mention in the sidebar.
Copy the whole content from
1) user.crt into the box at Box Cert.
2) ca.crt
into the box at CA Cert.
3) user.key
into the box at Private Key.
4) ta.key into the box at Static Key.

Now start OpenVPN over the web interface. Your internet connection will drop but you will be able to connect to the Fritz!Box.

 

-- 301: INTERNET MOVED PERMANENTLY --

 

Don't worry. iptables will help you to get the internet connection back.

You just need to create one simple rule to nat all traffic to tun0. Now the Iptables-CGI comes into play.
1. Click on Iptables in the sidebar, check Automatic at "start type" and then press the start button.

2. Go to Editor in the sidebar. Check Add and pick from the drop-down menus:
Chain: POSTROUTING
Input-Interface: tun0
NAT: Normal

Click on Submit.

Go back to Iptables and press the restart button. Now check at Rules whether iptables-save has saved your rule. It should have been done so. This might look different for you:

# Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014
*nat
:PREROUTING ACCEPT [75:4106]
:POSTROUTING ACCEPT [27:4097]
-t nat -o tun0 -j MASQUERADE
:OUTPUT ACCEPT [10:3229]
COMMIT
# Completed on Tue Apr 15 23:43:28 2014
# Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014
*filter
:INPUT ACCEPT [461:31565]
:FORWARD ACCEPT [45:2332]
:OUTPUT ACCEPT [457:137328]
COMMIT
# Completed on Tue Apr 15 23:43:28 2014

You're done. The internet connection of ​all the devices in your network is routed through the tunnel.

 

Tested on AVM Fritz!Box Fon WLAN 7141 with firmware 41.04.77, Freetz version: freetz-devel-11941

Edited ... by giganerd

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hello!

 

Thank you gigan3rd!

 

We will probably put the guide in the How-To forums section or in the "Enter" instructions page after some testing, however at the moment the Air staff does not own any Fritz!Box router. Any feedback from Fritz!Box users will be very much appreciated.

 

Kind regards

Share this post


Link to post

​Hi and thank you, sheivoko. Yes, this router is old, but despite of the very honorable age of eight years (latest firmware: Aug 2008) my Fritz!Box is perfectly functioning; never had any problems with it.

To answer your question regarding performance: There were naturally occuring decreases of download speed. In direct comparison the performance results couldn't be compared because they were equal. But if you want, I can give you some absolute numbers.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Even on the top and latest Asus Routers with openVPN via tomato they are still hitting 8-12meg per sec

 

I was thinking while I am ok with it,  in the future what if I upgrade to a faster connection.

 

I think the best idea is to build your own super router with 3ghz+ and 4gig with something like Pfsense live or one of the other free firewall software,  this way once you add OpenVPN support and if your cpu supports AES instructions your cpu wont get much overhead with handling vpn either.  This way I think in theory with your own super router one can get max speeds on your connection,  no need to ever upgrade your router !

 

This also allows no limitiations on bandwith or slow downs with multiple users or when streaming HD even,   your Super Router is king really.

 

This is all in theory mind.... but yeah will be interesting to hear actual numbers

Share this post


Link to post

I confirm: VoIP won't work.

The telephone is connected to a plug called Fon 1. But I wasn't able to find an interface - or at least something with this name. Maybe I have overseen something but it's not working for me right now. Anyway, a good idea if you don't use VoIP like I'm intended to do in the future.

 

Speedport: Didn't get the permission to test...


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Usually I run port scans using SYN, it's less "noisy". I recently ran a port scan using the connect method instead. I found a port I've really overseen: 5060. I didn't forward this port, and that's why SIP wasn't working for me. I'm such a genius, it's the standardized SIP port and I didn't think of forwarding it...
Now the theory is: If I open up the port 5060 (which is unfortunately reserved by another user) VoIP would work perfectly.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Updates on VoIP.

 

To make VoIP aviable you have to remotely forward at least two more ports: TCP&UDP/5060 (SIP) and UDP/7078 (RTP). In connection with AirVPN this is problematic.

  1. Every port can only be forwarded once. You'd need to wait for other users to release those ports.
  2. Fritz!Box too forwards ports UDP/7079-7110 (32 following ports after 7078) internally. Since AirVPN users are allowed to forward 20 ports max, you'll probably never get VoIP running properly with AirVPN. :/

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Guide rewritten to suit recent changes (major system update).


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

-- Update 11.05.2014--

Since I will be able to use a newer Fritz!Box in the near future this guide will be tested with another model and updated accordingly.

The reason for this is because my ISP (Deutsche Telekom AG - Telecom Germany) is changing it's ADSL2+ standards, trying to make Annex J as default instead of Annex B. Since Annex J is using frequencies of both Annex A and B I'd get faster DSL speeds - especially my upload speed will boost up (5-6 times more).


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

2. Read Freetz for beginners.

 

This link forwards back to this topic again. Is there any guide for beginners?

Share this post


Link to post

 

2. Read Freetz for beginners.

 

This link forwards back to this topic again. Is there any guide for beginners?

 

Apparently, all links link to this topic. They perfectly show in what condition this guide is. Fixed it, by the way

This is supposed to be for beginners but I see that it's definitely not the case. I announced some time ago I will work on a new guide once I find some time where nobody needs the router. I thought this would be the case around New Year's Eve but it was not, unfortunately.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...