Configuring a VPN Connection between a FRITZ!Box as a VPN Client and a FRITZ!Box as VPN Server
You can configure a VPN connection between two FRITZ!Box home networks so that one of the FRITZ!Boxes is the VPN client and the other the VPN server. Devices in the home network of the FRITZ!Box configured as the VPN server can then be reached from within the home network of the FRITZ!Box configured as a VPN client. It is not possible for devices in the home network of the VPN server to access devices in the VPN client's home network.
Example Scenario in this Guide
You want to connect your FRITZ!Box home network at home with the FRITZ!Box home network at your company's premises via VPN. The FRITZ!Box at home is to be the VPN client. The FRITZ!Box at the company is to be the VPN server. In the instructions below, the FRITZ!Box devices are referred to as "client-box-home" and "server-box-work".
Example Values Used in this Guide
The following example values are used below in this guide.
For your own VPN configuration, replace the example values with the actual values in your scenario.
VPN Parameters | Example Value |
---|---|
MyFRITZ! domain name for server-box-work | pi80ewgfi72d2os42.myfritz.net |
IPv4 network of the server-box-work | 192.168.10.0 (subnet mask: 255.255.255.0) |
User name for the FRITZ!Box user in server-box-work | John Smith |
Password for the FRITZ!Box user in server-box-work | 37o43Har51a |
Shared secret of the FRITZ!Box user in server-box-work | Zj7hPCouK65IrPU4 |
Requirement: Public IPv4 Address
The FRITZ!Box being used as the VPN server must obtain a public IPv4 address from the Internet service provider. Check whether FRITZ!Box deployed as the VPN server obtains a public IPv4 address: Determine the Public IPv4 Address of the FRITZ!Box.
Making FRITZ!Box Accessible with Changing Public IPv4 Address
For VPN connections, it must be possible to reach the server-box-work from the internet at all times. If the server-box-work obtains its public IPv4 address from the internet provider, then the IPv4 address will generally change with each assignment.
With the MyFRITZ! service or another dynamic DNS service, the FRITZ!Box can always be reached from the internet, even when the public IPv4 address changes.
Using MyFRITZ!
server-box-work:
- Open the user interface of server-box-work.
- Click on "Internet" and then on "MyFRITZ! Account".
- Register the server-box-work with a MyFRITZ! account. Create a new MyFRITZ! account or use an existing MyFRITZ! account: Creating a New MyFRITZ! Account And Registering a FRITZ!Box.
- Determine the MyFRITZ! domain name for server-box-work: Determining the MyFRITZ! Domain Name.
Example Value for the MyFRITZ! Domain Name
This guide uses the following example value for the MyFRITZ! domain name. Replace this example value with the MyFRITZ! domain name you determined.
FRITZ!Box Device | Example Value for MyFRITZ! Domain Name |
---|---|
server-box-work | pi80ewgfi72d2os42.myfritz.net |
Using Another Dynamic DNS Service
Instead of MyFRITZ! you can use a different dynamic DNS service.
Adjusting the IPv4 Networks on the Ends of the VPN Connection
Both ends of a VPN connection must have IPv4 addresses in different IPv4 networks. Only then is VPN communication possible.
Note:Upon delivery, every FRITZ!Box uses the IPv4 network 192.168.178.0.
Change the IPv4 address in server-box-work and in client-box-home. The following example values are used below in this guide. You can use these example values or replace them with other values (private IPv4 addresses).
FRITZ!Box Device | Address of the IPv4 Network |
---|---|
server-box-work | 192.168.10.0 (subnet mask: 255.255.255.0) |
client-box-home | 192.168.20.0 (subnet mask: 255.255.255.0) |
server-box-work:
Change the IPv4 address in server-box-work. Enter the value 192.168.10.0. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
client-box-home:
Change the IPv4 address in client-box-home. Enter the value 192.168.20.0. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
Configuring server-box-work
If the client-box-home registers with the server-box-work as a VPN client, then from the perspective of the server-box-work, it is a FRITZ!Box user and must log in as a user with VPN rights. In the server-box-work, configure a user with VPN rights for the client-box-home:
- Click on "System" in the interface of the server-box-work.
- Click on "FRITZ!Box Users" in the "System" menu.
- Click on "Add User".
- Enter the username in the "Username" field. Example value: John Smith
- Enter a password for the user in the "Password" field. Example value: 37o43Har51a
- Enable the "VPN" setting in the "Rights" area.
- The other settings in the "Rights" area specify what the user is allowed to do in the FRITZ!Box user interface. These settings are not relevant for the VPN connection. The "Access from the internet allowed" setting specifies whether the user is allowed to access the user interface of the FRITZ!Box from the internet via a dynamic DNS server. This setting does not apply to the VPN connection.
- Click on "Apply".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
client-box-home: Configuring the VPN Connection
Set up the VPN connection to the server-box-work in the client-box-home.
Opening VPN Settings in server-box-work
- Click on "System" in the interface of the server-box-work.
- Click on "FRITZ!Box Users".
- Select the FRITZ!Box user and click on the button.
- Click on the "Display VPN Settings" link next to the "VPN" setting.
The VPN settings are displayed on a page in a separate browser window. You can print out this page.
Configuring the VPN Connection in client-box-home
- Click on "Internet" in the user interface of the client-box-home and then on "Permit Access".
- Click on the "VPN" tab.
- Click on the "Add VPN Connection" button.
- Select "Connect this FRITZ!Box with a company's VPN" and then click on "Next".
- In the "VPN User name (key ID) field, enter the username of the FRITZ!Box user. This value is displayed under "Username / Account" in the VPN settings. Example value: John Smith
- In the field "VPN password (pre-shared key)", enter the "shared secret" of the FRITZ!Box user. The "shared secret" is displayed under "IPSec key / Shared Secret" in the VPN settings. Example value: Zj7hPCouK65IrPU4
- Enable the option "Use XAUTH".
- In the "XAUTH username" field, enter the username of the FRITZ!Box user. This value is displayed under "Username / Account" in the VPN settings. Example value: John Smith
- In the "XAUTH password" field, enter the password for the FRITZ!Box user. This password is displayed under "Username / Account" in the VPN settings. Example value: 37o43Har51a
- Enter a unique name for the connection in the "Name of the VPN connection" field. Example value: client-box-home
- Enter the MyFRITZ! domain name of server-box-work in the "Web address of the remote site" field. The value is displayed under "Server Address / Server" in the VPN settings. Example value: pi80ewgfi72d2os42.myfritz.net
- Enter the IP network of server-box-work in the "Remote network" field. Example value: 191.168.10.0
- In the "Subnet mask" field, enter the subnet mask that corresponds to the IP network of server-box-work. Example value: 255.255.255.0
- If you want to maintain the VPN connection to the VPN server at all times, then enable the option "Hold VPN connection permanently".
- If file and printer sharing in the home network of client-box-home are to be accessible to the home network of server-box-work, then click on "Advanced Settings for Network Traffic" and enable the setting "Allow NetBIOS over this connection".
- Click on "OK".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
Establishing a VPN Connection
Establishing the VPN connection depends on the "Hold VPN connection permanently" setting in the FRITZ!Box configured as the VPN client:
"Hold VPN connection permanently" Is Enabled
Once configuration of the VPN connection in client-box-home has been concluded, then the VPN connection to server-box-work will be established immediately. The VPN connection will be maintained permanently.
"Hold VPN connection permanently" Is Not Enabled
The VPN connection will be established automatically whenever a query is sent from the home network of the client-box-home to a network device in the home network of the server-box-work. The VPN connection is automatically cleared when no activity has taken place over the connection between the FRITZ!Box home networks for one hour.