
Fritz!Box VPN - Basic Questions

  • 10-10-2019 3:25pm
    #1
    Registered Users Posts: 13,990 ✭✭✭✭


    I have used OpenVPN from my PC to connect to servers, but this is not what I want to get some details about.

    I want to set up a VPN locally so that I can view TV from a local Tvheadend server whenever I travel.

    I have never used a VPN running like this, although I have successfully forwarded a port for this use case. A VPN should be much more secure I believe.

    I have just acquired a Fritz!Box which has the capability of using a Fritz! app which does the VPN thing in the router. I have briefly looked at this but being unsure of things I decided to ask here for clarification.

    Having read a little from the Fritz! help files I am unsure how I can limit that VPN access to say a single port on the Tvheadend server and prevent access to any other local server that might, from time to time, be running on the LAN, or indeed limit any other unwanted ingress.

    Are there any Fritz!Box users here using the Fritz! app for similar purpose that could explain a little to me how it all is supposed to work?

    Thanks.


Comments

  • Registered Users Posts: 740 ✭✭✭z0oT


    If you want to host a VPN server locally, the best way to do it is have your router itself host the VPN server. That way you don't need any port forwarding.

    I'm not familiar with the Fritz box, so I can't offer anything specific about it, but in its VPN settings, what kind of VPN servers can it host?

    Most mid to upper range routers nowadays have the ability to host different types of VPN servers. An OpenVPN server is the best for the heavy security you get thanks to all the encryption it uses.

    For me, I have an OpenVPN server hosted on my router. I can connect to the VPN server from anywhere in the world via the Windows 10 or Android OpenVPN clients such that I can access my home server. It also allows me do it without any port forwarding.


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    Thanks.

    Using port forwarding, and DynDNS, I can reach the local TV server from the internet side.
    I can limit access to and by the TV server, based not only on username and password, but also on originating IP address.

    So I can easily set this up for a, more or less, permanent access from a holiday home with fixed IP address.

    The limitations are that this is not an encrypted connection and does not cover the situation of me staying in other locations such as with friends, hotels etc.

    Hence my thoughts of using a VPN running locally, and giving access only to that TV server, to one username/password, from the internet, but having the connection encrypted.

    I have not yet understood what the Fritz! app does exactly, or in what manner.
    I am uncertain if a different VPN, such as OpenVPN can be installed on it ..... or if it is easy to do.

    I have to do more specific searching and reading.


  • Registered Users Posts: 36,164 ✭✭✭✭ED E


    Did you get the 7590 in the end Johnboy? Either way it's an IPSec endpoint.
    I am uncertain if a different VPN, such as OpenVPN can be installed on it ..... or if it is easy to do.

    Looks like it's just IPSec. But that's fine as it's not PPTP.
    Hence my thoughts of using a VPN running locally, and giving access only to that TV server, to one username/password, from the internet, but having the connection encrypted.

    You're thinking about it in a strange way. Normally with a VPN to home like this scenario you treat the remote device as trusted. Be that your phone, laptop, whatever. Thus giving them access to the entire LAN isn't an issue. If somebody other than you can access the VPN you've already lost the war.



    Layer 3 bridging is a thing but becomes complicated. So to avoid this IMO you should set your LAN subnet to something strange.

    eg: 192.168.90.0/24 etc

    Otherwise if the relative's CPE is on .1.0/24 and so is your LAN at the far end of the tunnel you'll have a conflict on your hands when trying to connect to TVH.
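
The subnet conflict described in the post above, as an added example that is not part of the original thread: a check of whether a home LAN range collides with networks a travelling VPN client is likely to sit on. The list of remote subnets and the `.50` server addresses are constructed for illustration, and the routing rule is a simplified model.

```python
import ipaddress

# Constructed sample of subnets a guest network might use (an assumption
# for illustration, not an exhaustive or vendor-verified list).
COMMON_REMOTE_LANS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.178.0/24", "10.0.0.0/24", "172.16.0.0/24",
]

def conflicts(home_lan, remote_lans=COMMON_REMOTE_LANS):
    """Return the remote LANs whose address range overlaps the home LAN."""
    home = ipaddress.ip_network(home_lan, strict=True)
    return [r for r in remote_lans
            if home.overlaps(ipaddress.ip_network(r))]

def enters_tunnel(server_ip, remote_lan):
    """Simplified model: a client treats addresses inside the network it is
    physically attached to as local, so a home server address that falls in
    that range is looked for locally instead of being sent into the tunnel."""
    return ipaddress.ip_address(server_ip) not in ipaddress.ip_network(remote_lan)

def report(home_lan, server_ip):
    """Summarise how many of the sample remote networks would break access."""
    broken = [r for r in COMMON_REMOTE_LANS if not enters_tunnel(server_ip, r)]
    return {"home_lan": home_lan,
            "overlapping": conflicts(home_lan),
            "server_unreachable_from": broken}

if __name__ == "__main__":
    # Home LAN on a typical default range versus the unusual range
    # suggested in the post (192.168.90.0/24).
    for lan, server in [("192.168.1.0/24", "192.168.1.50"),
                        ("192.168.90.0/24", "192.168.90.50")]:
        print(report(lan, server))
```
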


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    ED E, yes I got the 7590 ...... wanted the extra analogue tel port. I have had a fine time readjusting my thinking to the Fritz! method from my old Draytek. :D I seem to have that sufficiently well done at this time with a lot of help.

    My thinking was to make any share out from one device (TVH server) to be as secure as possible.
    Sure I can port forward to the server, and limit the connection there per username and password and in addition by foreign IP address, for a fixed share.
    I thought maybe some form of VPN running on the router would be more secure ....... but would it? I have no experience of such.

    So really what I wanted was to give myself (and maybe anyone I trusted) access to ONLY the tv server - single port - from any IP address, in the most secure way possible given the hardware limitations at present.


  • Registered Users Posts: 36,164 ✭✭✭✭ED E


    Setup the VPN, don't worry about locking it down. About 100x more secure than your port forward config.


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    It seems that it might be possible, but not simple, to set up a VPN on the Fritz!.

    I found this, which is old, but I need to read it carefully to see how comfortable I might be with it ...

    https://www.64k-tec.de/2010/02/fritzbox-tuning-part-2-access-your-home-network-with-openvpn/

    Let me know what you think ..... allowing for age of article.


  • Closed Accounts Posts: 5,017 ✭✭✭tsue921i8wljb3


    It seems that it might be possible, but not simple, to set up a VPN on the Fritz!.

    I found this, which is old, but I need to read it carefully to see how comfortable I might be with it ...

    https://www.64k-tec.de/2010/02/fritzbox-tuning-part-2-access-your-home-network-with-openvpn/

    Let me know what you think ..... allowing for age of article.

    I would not be attempting that unless you are comfortable with the risk of bricking the router and replacing it.

    There are lots of guides here for various operating systems to use the built in VPN functionality. Seems less risky IMO.

    https://en.avm.de/service/vpn/overview/


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    I would not be attempting that unless you are comfortable with the risk of bricking the router and replacing it.

    There are lots of guides here for various operating systems to use the built in VPN functionality. Seems less risky IMO.

    https://en.avm.de/service/vpn/overview/

    Anything I previously came across was for setting up a VPN client, not a server, on the router.

    The only exception I found was that Fritz! VPN app which after reading about it I would much prefer to avoid it.

    I continue to live in the hope that I can find something more recent than what I previously linked to.


  • Closed Accounts Posts: 5,017 ✭✭✭tsue921i8wljb3


    Anything I previously came across was for setting up a VPN client, not a server, on the router.

    The only exception I found was that Fritz! VPN app which after reading about it I would much prefer to avoid it.

    I continue to live in the hope that I can find something more recent than what I previously linked to.

    You're reading it wrong. This is a guide for what you want to do using Android as a client

    https://en.avm.de/service/vpn/tips-tricks/setting-up-a-vpn-connection-to-fritzbox-in-android/

    This is using iOS as the client

    https://en.avm.de/service/vpn/tips-tricks/setting-up-vpn-connection-to-fritzbox-in-apple-os-ios-eg-iphone/

    This is using Windows as the client

    https://en.avm.de/service/vpn/how-to-tips/setting-up-a-vpn-connection-to-fritzbox-in-windows-fritzvpn/

    The Fritz router is the VPN server in all of the above.


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951



    ShrewSoft seems to be very old from what I found - latest version 2013?

    As I posted earlier I was hoping to avoid using the Fritz! app.


  • Closed Accounts Posts: 5,017 ✭✭✭tsue921i8wljb3


    ShrewSoft seems to be very old from what I found - latest version 2013? I would have concerns about security.

    As I posted earlier I was hoping to avoid using the Fritz! app.

    Fair enough. I can't offer any more advice. Best of luck with it.


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    Fair enough. I can't offer any more advice. Best of luck with it.

    I had already looked at those two ..... the only ones I found other than that link from 2010 which itself is scary to contemplate :)

    Maybe there is somewhere an updated version of that 2010 article, which is a bit less scary ;)


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    Would you be interested in a Mikrotik? I have an RB951 in the van that was used for 2 years as a hotel WiFi hotspot. Don't want anything for it, just say you'll play with it and I'll post it to you :D

    https://mikrotik.com/product/RB951Ui-2HnD

    I'm running IPsec VPN on a Mikrotik here myself, can assist


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    Would you be interested in a Mikrotik? I have an RB951 in the van that was used for 2 years as a hotel WiFi hotspot. Don't want anything for it, just say you'll play with it and I'll post it to you :D

    https://mikrotik.com/product/RB951Ui-2HnD

    I'm running IPsec VPN on a Mikrotik here myself, can assist

    Thank you! A kind and generous offer!

    I do so like to play with new (to me) hardware :D

    I am trying to get my head around how best I could use this for my need .....

    This VPN stuff is all new to me so am not sure I understand it sufficiently well.

    I would need to set up an OpenVPN gateway on the Mikrotik with its own DNS resolver, and point my Tvheadend server to that, and just connect it to the LAN with ethernet cable?

    If I do this then all WAN side queries for the Tvheadend server should go through the Mikrotik? (port forward in Fritz! to Mikrotik?) Also all outgoing queries to the WAN from the server would also go through the Mikrotik?

    Am I on the right track? or close I hope? :)


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    Thank you! A kind and generous offer!

    I do so like to play with new (to me) hardware :D

    I am trying to get my head around how best I could use this for my need .....

    This VPN stuff is all new to me so am not sure I understand it sufficiently well.

    I would need to set up an OpenVPN gateway on the Mikrotik with its own DNS resolver, and point my Tvheadend server to that, and just connect it to the LAN with ethernet cable?

    If I do this then all WAN side queries for the Tvheadend server should go through the Mikrotik? (port forward in Fritz! to Mikrotik?) Also all outgoing queries to the WAN from the server would also go through the Mikrotik?

    Am I on the right track? or close I hope? :)

    I love to see someone willing to get their hands dirty ^_^

    I don't think Mikrotik will do openVPN (not sure on that), I'm using L2TP/IPsec which is very secure. You would be better to use the Mikrotik as your gateway router. Connecting your remote device to the VPN would have your remote device as a local device on your LAN, getting a local IP and DNS from your router DHCP server. In effect it would be an encrypted layer 2 tunnel from your remote device to the LAN bridge on the router. You do not need to forward anything. Of course you can lock it down in the firewall once you have it working.
    https://torguard.net/article/243/mikrotik-l2tpipsec.html

    PM me parcel motel details and I'll send it on to you. Be ready for a huge learning curve with Mikrotik. It's Linux based so is right up your street


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    I love to see someone willing to get their hands dirty ^_^

    I don't think Mikrotik will do openVPN (not sure on that), I'm using L2TP/IPsec which is very secure. You would be better to use the Mikrotik as your gateway router. Connecting your remote device to the VPN would have your remote device as a local device on your LAN, getting a local IP and DNS from your router DHCP server. In effect it would be an encrypted layer 2 tunnel from your remote device to the LAN bridge on the router. You do not need to forward anything. Of course you can lock it down in the firewall once you have it working.
    https://torguard.net/article/243/mikrotik-l2tpipsec.html

    PM me parcel motel details and I'll send it on to you. Be ready for a huge learning curve with Mikrotik. It's Linux based so is right up your street

    Apologies THHB, but I do not think I follow that properly.
    Physically how would the Mikrotik fit in ..... replace the Fritz!?
    At present the Fritz! 7590 is the main router, which also handles VOIP and DECT phones and issues LAN IPs (most fixed) to LAN devices.
    It is also 1Gb/s capable whereas I think the Mikrotik is 100Mb/s, which is fine for the Tvheadend server but a bit limiting for the rest of the network.

    It seems every article I find that mentions VOIP gateway or server is concerned only with connecting to one on the WAN, and not creating one locally for connections inwards.
    Because of this I have not really got 'a handle' on things as I would like.
    If you have any suggested reading, that is not MS or is Linux centric, I would love to receive the links, thanks.


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    Apologies THHB, but I do not think I follow that properly.
    Physically how would the Mikrotik fit in ..... replace the Fritz!?
    At present the Fritz! 7590 is the main router, which also handles VOIP and DECT phones and issues LAN IPs (most fixed) to LAN devices.
    It is also 1Gb/s capable whereas I think the Mikrotik is 100Mb/s, which is fine for the Tvheadend server but a bit limiting for the rest of the network.

    It seems every article I find that mentions VOIP gateway or server is concerned only with connecting to one on the WAN, and not creating one locally for connections inwards.
    Because of this I have not really got 'a handle' on things as I would like.
    If you have any suggested reading, that is not MS or is Linux centric, I would love to receive the links.

    Ah, apologies, I didn't realise you were using DECT and VoIP, my plan was to use the Mikrotik as your gateway router.

    You can still use the Mikrotik, it just makes it a little more tricky to port forward to for the VPN server. The best place for your VPN server is on the router itself so you may be better to stick with the Fritz and try get it working.


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    Ah, apologies, I didn't realise you were using DECT and VoIP, my plan was to use the Mikrotik as your gateway router.

    You can still use the Mikrotik, it just makes it a little more tricky to port forward to for the VPN server. The best place for your VPN server is on the router itself so you may be better to stick with the Fritz and try get it working.

    Hehehehe ...... and that wee word explains it all :D

    I am having great difficulty in finding a recent article on how to do it.

    I have not given up though, and I guess I can always go the way I considered for the Mikrotik ..... maybe a R-Pi running OpenVPN and DNS resolver, and point the Tvheadend server at it for its gateway.
    In that way all the rest of the LAN would be separated going through the Fritz! (I think :))
    Musings from me at present ...... until I find a good solution.

    Thank you again for the offer of the Mikrotik ...... but yes it is best I stick with the Fritz! as the main router. ;)


  • Registered Users Posts: 13,990 ✭✭✭✭Johnboy1951


    I will drop a link here for future reference, as I think this seems to be the most likely means of generally securing the LAN as well as providing a VPN server for my needs.

    https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/

    I might look into putting this set up on something with a little more grunt than my old R-Pi.2
    I doubt I would buy a R-Pi.3 just for this.

