giganerd

[How-To] OpenVPN on Fritz!Box routers


[[introduction || Preparations]]

 

After several months of waiting I finally present you

 

How to connect to AirVPN with your Fritz!Box router (v2)

 

 

Back in the days when AirVPN offered just one connection at a time, many people were forced to use their routers to connect to AirVPN if they wanted all of their devices to benefit from the VPN connection. I wanted to use my router as a central point for AirVPN access - all devices should go through it. The only drawback: it doesn't have OpenVPN installed. There is a way to add it with Freetz, a replacement firmware for nearly every Fritz!Box router available, which enables you to install additional software (or remove AVM's official components). As a result, I wrote a guide.

 

Contrary to the first one, this guide won't make you read things you don't (want to) understand. Each step will be described in detail and you will be pointed to potential issues or other things worth mentioning. It will be more newbie-friendly - less giga-nerdy.

 

This guide is for Fritz!Box routers with Fritz!OS 4 and older!

Newer versions of Fritz!OS have got a feature called Packet Accelerator which collides with the conntrack iptables module. Forcing it to be included in newer kernels will cause your router to lose network connectivity or even reboot all the time (boot loop). A guide will be written shortly, but don't point the finger at me for messing up your device. You are choosing to make these changes!

 

[software and tools you will need - preparations]

 

  1. VirtualBox. Freetz can be built on any Linux OS (I will think about whether to include a guide for this here), but if you want to avoid installing hundreds of additional packages and configuring them correctly, use VirtualBox with the preconfigured...
  2. Freetz-Linux image.
  3. Do you know what router model you have? If not, log in to your Fritz!Box configuration interface and look it up. Things like Fon and WLAN in the name are important here! There are models with the same number that are different versions.
    As soon as you know it, navigate to AVM's FTP site and download a recovery image for your Fritz!Box model. If you don't want to do that or if you can't reach it, download ruKernelTool (click the second link first for the credentials, then click the first one and enter them), a toolbox for Fritz!Box routers with a large feature set. It's much more complicated, so I recommend downloading the image instead.
  4. I also recommend using an SSH client for much easier access to the console. On Windows, use PuTTY for example.

You've got everything? Good, let's begin! By the way, I strongly recommend using a LAN connection for these steps. WiFi is just too unpredictable. Also, AVM's recovery tool won't allow any other interface to be used for recovery.

 



Four simple things:
There's a guide to AirVPN. Before you ask questions, take 30 minutes of your time to go through it.

Amazon IPs are not dangerous here. It's the fallback DNS.
Running TOR exits is discouraged. They're subject to restrictions on the internet and harm all AirVPN users.

Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, you'll be unique among the mass again.

 

XMPP: gigan3rd@xmpp.airvpn.org or join our lounge@conference.xmpp.airvpn.org


[[steps in Freetz-Linux || Flashing your IMAGE]]

 

[steps in Freetz-Linux]

 

Double-click the downloaded OVA file to import it into VirtualBox. You don't have to change any settings here - just start the VM. At boot it will show some "fatal errors" - don't panic, nothing's broken!

You will be welcomed with a login screen. Log in with username freetz and password freetz. Look at the IP address for eth0 and write it down somewhere. I mean it - write it down. Now launch your SSH client and connect to this IP. Same login screen, same credentials. You can now minimize all VirtualBox windows; you don't need them anymore.

 

The first thing you should do is update the software packages with APT. The -y flag skips the superfluous confirmation prompts.

apt-get -y update && apt-get -y upgrade

Now you will download the most recent development version of Freetz. This is important since the latest stable release does not support the newest firmware images. Furthermore, it doesn't include the most recent versions of OpenVPN and OpenSSL. The command to do so is

svn checkout http://svn.freetz.org/trunk

After this you will find it in the trunk directory, just type cd trunk to go there.

Basically, you can now start configuring your firmware. First you will create a minimal firmware image to see whether your Box is still running smoothly with Freetz. Type make menuconfig to begin.

You will be presented with a more graphical interface; the basic controls are Space, Enter and the arrow keys:

  • Space selects packages.
  • Enter enters menus marked with an arrow -->.
  • To go back one step, hit the right arrow key and press Enter.

  • Navigate to Hardware type and select your model here. Be careful, you are in the Fon WLAN section by default! If you look for a Fon only version of a model for example, scroll up.
  • In Firmware language, choose the language of your firmware. This will not change your interface language!

Exit menuconfig by going back to the main menu and then back once again. Confirm with Yes and type make. (Now type make tea into your inner console to make yourself a cup of tea, building will take some time.) Your finished image will be located in the images directory.

 

 

[Flashing your IMAGE]

 

The easiest way on Windows to copy the IMAGE is to use a mapped network drive - Freetz-Linux comes with a preconfigured Samba instance. How-to:

With Windows Explorer, map a new drive to \\1.2.3.4\freetz (replace 1.2.3.4 with the IP address you wrote down; these are backslashes, by the way). Login credentials are as always freetz/freetz.
The other option is FTP/SFTP.

After that go to your Fritz!Box web interface, login and navigate to the firmware update option. It depends on your model where to find it exactly, but it's always somewhere in the System tab. Additionally, you may need to switch to Expert mode to enable the option to upload an image from your computer. In all cases, you will be asked to backup your current settings (newer routers will force you to do so). I recommend doing so.

Choose the image file and start the upload. You will be notified that the uploaded image is not an official one and that your warranty is void if you continue... I think you know that perfectly well. Note that you will lose your internet connection for a short time.

 

After the update, navigate to http://fritz.box:81 to access Freetz and login with username admin and password freetz. If nothing is red except the default password warning, Freetz is up and running and you can continue. <3

 


[[Meet'n'Greet your FreetzBox || IMAGE with OpenVPN]]

 

[Meet'n'Greet your Freetz!Box]

 

 

Let me guide you a bit around.

  • To the right: the navigation bar. Nearly every piece of software you might install will have its own tab here for configuration.
  • Home of the Freetz interface is Status. Here you will find all technical information about your router including logfile viewing. Services lists all controllable AVM and Freetz services with the ability to start/stop/restart them.
  • System: Backup&Restore, firmware update, create support file. Information, logs and some low-level data will be in this file.
    Also interesting: a rudimentary shell. Not comparable to a real shell but useful to issue some quick commands. Note: B&R and FW update replace AVM's equivalent in the Fritz!Box interface. Use these ones in the future.
  • Freetz: Manage cronjobs, edit the hosts file, execute custom commands at boot and more.
  • AVM services: Same as Status > Services with all Freetz services filtered out.
  • Syslogd. Well, nomen est omen. A lightweight and powerful system event logging service; you should go there right now, click Automatic, save the settings and start the service.
  • (OpenVPN and NHIPT will appear here when installed.)

[IMAGE with OpenVPN]

 

The part you have been waiting for. You will now include OpenVPN and iptables in the image. This is the most difficult step.

Go back to Freetz-Linux and type make kernel-menuconfig. This is an additional menuconfig aimed at customizing the replacement kernel. You are going to demodularize the necessary iptables modules and build them directly into the kernel instead. This way you avoid many errors related to "missing" modules when configuring NHIPT. To do so, navigate to Networking -> Networking options -> Network packet filtering -> IP: Netfilter configuration and change

  • connection tracking
  • IP tables support
  • Full NAT
  • MASQUERADE target support

from [M] to [*] (same as selecting things: press Space). Now exit kernel-menuconfig and type make menuconfig again.

  1. Change the Level of user competence from Beginner to Advanced. This will show some things hidden from Beginner level.
  2. Select Replace kernel. Important.
  3. Navigate to Packages -> Packages. Select OpenVPN with Version (2.3.6), SSL library (OpenSSL), Enable Management Console, Optimize for size, Statically linked binary.
  4. Navigate back to Packages and then to Unstable. Select Iptables, iptables-save / iptables-restore, NHIPT iptables CGI. Under kernel modules (IPv4) and shared libraries, select everything. This too avoids unexplainable errors.
  5. Go back to the main menu and navigate to Shared libraries -> Crypto & SSL. Change the OpenSSL version to 1.x.
  6. From the main menu again navigate to Web interface. Set Security level from 1 to 0. This will for example unlock the rudimentary shell. The other options here are just customizations and completely optional. I didn't change any of them.
  7. Exit menuconfig and type make. It won't be as long as the last time since Freetz is already compiled.

During compilation you could go to the AirVPN config generator. It doesn't really matter which OS you choose because you're not going to upload any of the generated files, you just copy and paste. I chose Linux, but Router for example generated completely identical files.

To simplify the configuration process later, you may check Advanced and then Separate keys/certs from ovpn file.

[screenshot of the build warning]

You may encounter a warning like this. Don't worry, nothing's broken. Your image is just so big that your built-in answering machine has no space left to save recordings. That's only relevant for those who use telephony and AVM's built-in answering machine (AVM DECT or old phones).

If you see an error message telling you the image is too big, your image has not been built and you have to apply removal patches. Type make menuconfig again, navigate to Removal patches and see which AVM features you don't need (a post describing what every entry would remove is planned). For now it's safe to remove VPN - you don't need it.

 

Continue by going to the Freetz interface again. Under System > Firmware Update, select the new image and click Upload. You will see some logfile outputs. Scroll down to the bottom and click Reboot to continue.

 


[[OpenVPN configuration || iptables configuration]]

 

[[OpenVPN configuration]]

 

Leading scientists are sure: Copy&Paste is a skill. The OpenVPN configuration will be a training session for you to practice it.

 

Go to the Freetz web interface. After the update you will see two more tabs in the sidebar: OpenVPN and NHIPT. Since you're going to configure OpenVPN first, go there.

If you want to set up more than one profile, check Client and Advanced settings first. A profile box will appear. Click New profile as many times as you need and configure them separately.

Open your Air-generated OVPN file with a text editor and use it as a reference for what to set up. Let me help you a bit with this screenshot.

[screenshot of the OpenVPN profile form]

Save it, then copy and paste the certificate data into the boxes:

  • user.crt -> Box Cert
  • ca.crt -> CA Cert
  • user.key -> Private Key
  • ta.key -> Static Key

If you don't need your internet connection right now, start the OpenVPN service with the button at the top (your LAN clients won't be able to reach the internet through the tunnel until NAT is set up in the next step).
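The splitting that the generator does when you tick Separate keys/certs can also be done locally on Freetz-Linux. As an added example (not from the guide or from Freetz), this POSIX shell script cuts the inline <ca>, <cert>, <key> and <tls-auth> blocks of an .ovpn file into ca.crt, user.crt, user.key and ta.key, matching the four boxes above, and lists the remaining directives you transfer into the profile form by hand; the sample file, its host name and its PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): split an AirVPN-style .ovpn that carries its
# certificates inline into the four files the Freetz OpenVPN tab asks for, and list
# the remaining directives you copy into the profile form by hand.
set -eu

# Copy the body of one inline <tag>...</tag> block of an .ovpn file into a file.
# Usage: extract_block <ovpn file> <tag> <destination>
extract_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }                      # tolerate CRLF files from Windows
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
    ' "$1" > "$3"
    chmod 600 "$3"   # key material must not be world-readable
}

# Write ca.crt, user.crt, user.key and ta.key into <outdir>; they map to the
# CA Cert, Box Cert, Private Key and Static Key boxes in Freetz.
split_ovpn() {
    ovpn="$1"; outdir="${2:-.}"
    mkdir -p "$outdir"
    extract_block "$ovpn" ca       "$outdir/ca.crt"
    extract_block "$ovpn" cert     "$outdir/user.crt"
    extract_block "$ovpn" key      "$outdir/user.key"
    extract_block "$ovpn" tls-auth "$outdir/ta.key"
}

# Print every directive that lives outside the inline blocks (the remote, proto,
# cipher, key-direction ... lines), skipping comments and blank lines.
ovpn_directives() {
    awk '
        { sub(/\r$/, "") }
        /^<[a-z-]+>$/   { inside = 1; next }
        /^<\/[a-z-]+>$/ { inside = 0; next }
        !inside && NF && $0 !~ /^[#;]/ { print }
    ' "$1"
}

# Constructed sample in the layout AirVPN's generator uses; the host name and the
# PEM bodies are placeholders, not real AirVPN data.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 443
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
DUMMY-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
DUMMY-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
DUMMY-KEY-PLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
DUMMY-TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Usage: sh ovpn_split.sh AirVPN_xxx.ovpn [outdir]
if [ "$#" -ge 1 ]; then
    split_ovpn "$1" "${2:-.}"
    ovpn_directives "$1"
fi
```

Run it against the file the config generator gave you; the four output files are what you paste into the boxes, and the printed directives are what the rest of the form has to match.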

 

[[iptables configuration]]

 

The last step: Setting up NHIPT. Go there.

First, make sure the Admin IP address matches your machine's IP address, otherwise you cannot access NHIPT even if the credentials are right. Then set the status to Running and save. After clicking EDIT FIREWALL RULES and logging in with your Freetz credentials (username admin, password freetz by default), you will see a page with many checkboxes and buttons.

First of all, enable NAT by checking it in the middle box INTERFACE SETTINGS. Click Set and you should see three new chains to edit. In table RULES FOR CHAIN POSTROUTING, set

  • Out IFC to tun0
  • Action to MASQUERADE
  • Click Insert

Now check whether you can access the internet again. Go to ipleak.net, ip-api.com or some other site to check your IP address and whether your traffic is routed through AirVPN. If yes..

 

!Congratulations!

 

If you want your Box to reconnect after reboot, in NHIPT click Persist rules. Then go back to OpenVPN config and change Start type to Automatic.

 


[[FAQs|| Troubleshooting]]

 

This post will contain frequently asked questions and solutions for common problems. It will be filled with every arising complication and asked question. If you want to contribute, please do not hesitate to contact me! You can do this by privately messaging me or asking here in the forums. XMPP is an option, too.

 



 

Based on the Freetz patch list (German), this is a listing of all the things you can remove from the original firmware to free up some space for other packages. The removal patches can be found in menuconfig's main menu. If your model doesn't support all of them, the missing ones will be hidden.

 

(The list is in the making...)



[Reserved for future additions]



Hi giganerd!

 

Thanks for the extensive guide, I'm hoping to be following it shortly. As I'm having trouble getting my current setup (Asus DSL-AC68U + old Fritzbox for VoIP) to work reliably with Telekom VoIP, I'm thinking of buying a newer Fritzbox. Can you tell me which one you are working with and which one was the last to be released with FritzOS <5? There doesn't seem to be any such information on the AVM website.

 

Thanks and regards!


Hi!

 

I currently don't use a freetz'd Fritz!Box.

You could look out for a 7170 or 7270, for both of which support has been dropped. The last OS version is 04.88 and I've heard of good experiences with them used with Freetz. Since there is more than one version of each, let me get home and give you links.

 

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)



Thanks for the speedy reply!

I was afraid you were going to say 7270.. That's the one I'm using for VoIP right now and alas it doesn't support VDSL. I'm afraid none of the pre-FritzOS-5 ones do..
I'm assuming your tutorial won't work with a 7360 or 7390, will it? These are the ones I'm having an eye on right now as they go cheap on eBay. I might just have to keep my Asus and hook that up to the new Fritzbox as it seems to handle OpenVPN quite nicely (unless you're trying to get a SIP client to work behind it).


What's your ISP, if you don't mind being asked?

No, this setup does not use OpenVPN over SSL, but it is possible to do so with stunnel. Didn't test that, though.

 

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)



If you have a Fritz!Box with Fritz!OS 5 and newer, it's no use for you to continue for now. A required prerequisite cannot be included into the update image. If you force it to be included, at runtime it will likely cause your router to reboot itself the whole time (=boot loop).

For the nerds: It's the conntrack iptables module colliding with an AVM feature. This doesn't seem to apply to all v5+ models, so maybe I'll write a guide to force inclusion.. but you've been warned.

Hi, just wondering if you could tell me how to force inclusion. I have a 7490 and would like to see whether it works running 06.30 firmware.

Thanks


Hi!

 

I'm currently extraordinarily busy here but if I find some spare time, I'll test it and fill the gap.



Okay, looks like we really have a need for this guide...



Hi, I have a router/modem/AP Fritzbox 3490. I tried the PureVPN service but it isn't compatible with my router. On flashrouter they told me that VPN services aren't possible with a Fritzbox and that the only thing to do is to manage the VPN connection with a flashrouter under my Fritzbox: internet - fritzbox - flashrouter - my devices. Then some user advised me about this discussion and the possibility of using OpenVPN with my Fritzbox.

My Fritzbox firmware is 6.30, so I can't use OpenVPN. Is that right?


Hi, I have a router/modem/AP Fritzbox 3490. I tried the PureVPN service but it isn't compatible with my router. On flashrouter they told me that VPN services aren't possible with a Fritzbox and that the only thing to do is to manage the VPN connection with a flashrouter under my Fritzbox: internet - fritzbox - flashrouter - my devices. Then some user advised me about this discussion and the possibility of using OpenVPN with my Fritzbox.

My Fritzbox firmware is 6.30, so I can't use OpenVPN. Is that right?

 

I would assume you might run into trouble with your box seeing as it's a fairly new model and these are the ones that are causing trouble with the iptables module. Perhaps giganerd can elaborate on this.

 

Do consider, though, that given the weak processing power of your fritzbox you will be experiencing subpar speeds when using OpenVPN.


Do consider, though, that given the weak processing power of your fritzbox you will be experiencing subpar speeds when using OpenVPN.

 

Always keep this in mind. For example, if you've got a 16/1 MBit line (a common combination in Germany), you might not be able to reach those speeds, simply because the CPU is running at 100%. This is due to the AES encryption and decryption of your traffic, which is a feature of OpenVPN.

 

I would assume you might run into trouble with your box seeing as it's a fairly new model and these are the ones that are causing trouble with the iptables module. Perhaps giganerd can elaborate on this.

 

Correct. Since Fritz!OS 5 nothing has changed. As I wrote a few days earlier, a tutorial is on its way to force menuconfig to include the conntrack module. The current working solution is, as PureVPN noted, an OpenVPN-enabled device behind your Fritz!Box to which your devices connect. Same problem as written above, though.



"Do consider, though, that given the weak processing power of your fritzbox you will be experiencing subpar speeds when using OpenVPN."

 

So isn't it advisable to use a router as a VPN server due to its "weak processing power"? Is this true for all protocols?

Is this connection possible:

1) local devices --- fritzbox --- flashrouter (dd-wrt compatibility, as a client) -- internet -- VPN service server -->

and

2) outside devices --- internet --- flashrouter (dd-wrt compatibility, as a VPN server) -- fritzbox --- local devices (if this configuration is possible, will I have problems due to the weak processing power of the flashrouter?)
