How to make WireGuard work on Fritzbox
Bitahoy makes internet connections smarter by giving our customers full control and insights on their network, without any technical knowledge required. For easy deployment on broadband routers, we utilize VPN connections to reroute network traffic to our cloud-based platform. We are therefore glad about the news that AVM is integrating WireGuard into their routers, which enhances our compatibility with these devices. We gave the current beta versions a try and ran into some problems. In this blog post, we summarize our experience and share some tips to get your WireGuard config running on a fritzbox. At the end of the post, we also provide a tool to check your WireGuard config in the browser.
What is WireGuard and why did we choose it?
Our technology is developed with high reliability and easy deployment in mind. Therefore, it is crucial for us to utilize only the latest and best-maintained software available. The heart of this technology is our cloudjet platform that allows controlling traffic in a highly efficient way using eBPF. On top of this platform, we develop addons that are tied to specific use-cases, for example, ML-based intrusion detection or content blocking.
One of the biggest challenges of our platform is to tunnel network traffic through it in the fastest and most stable way possible. In our opinion, the best-suited way to do that is a VPN. The minimalistic approach of WireGuard looked the most convincing to us. As a startup in cybersecurity, we need to focus on security, and generally speaking, less code means less attack surface. Another reason was the performance of WireGuard and its integration into the Linux kernel. WireGuard is open-source, works on layer 3 traffic (IP traffic) and tunnels over UDP.
High-level overview of our VPN server architecture
However, WireGuard does not come without drawbacks. One main downside of WireGuard is the static configuration file, so we cannot change a key or a port afterward without distributing new configuration files. But we can work around that by using a wrapper script on the CPE that updates the WireGuard config.
What is a WireGuard config?
Starting a WireGuard client or server is very uncomplicated. You just need to have the configuration file and pass it to wg-quick on Linux or to the respective tools of each platform (Linux, Windows, macOS, Android, iOS, …). For more detailed information on installation and quick start on typical endpoints, check out the official WireGuard website. In this blog post, we will focus on AVM’s Fritzbox.
Similar to all other WireGuard clients, you can provide a normal WireGuard config to the Fritzbox.
Such a WireGuard config contains all required information in a human-readable format and looks like this:

```ini
[Interface]
Address = 192.168.178.1/24
PrivateKey = UF7CZMQsEow53V8YkiY0uAEaXBrLax2WFDuNbSQf60E=

[Peer]
PublicKey = rsLariGkyRWNlDuweznRiDt9fdR6QWR/1gkSr5RWGkw=
AllowedIPs = 10.10.10.0/24
Endpoint = 22.214.171.124:51825
```
There are two types of sections, Interface and Peer, which are written in brackets. Below the section header, the parameters for that section are set line by line. It is also possible to add comments using a
Interface section
Contains all required and optional parameters to spin up the WireGuard interface, which is the virtual network interface that belongs to this WireGuard tunnel. A typical name for the network interface is wg0. There should only be one Interface section per config file.
- Address: The IP address of the WireGuard interface. The device that applies this config will use this local IP address inside the VPN. The address also needs the netmask in CIDR notation (e.g. /24) to set up the routing.
- PrivateKey: The private key of this node. Can be generated on the command line with
- ListenPort (optional): The UDP port WireGuard will listen on for new connections. As there are no servers and clients in WireGuard, each peer opens a UDP port to listen for incoming connections.
- DNS (optional): defines DNS servers to use. Does not work on all clients. For example, wg-quick only supports resolvd, which is not always installed. And the Fritzbox ignores this option completely.
Peer section
Contains all the information about a specific peer. The config can contain arbitrarily many peers. The main purpose of the Peer section is to create a mapping between public keys and IPs. In that way, the WireGuard node can use the other node’s public key to know which IP range this peer is allowed to use.
- PublicKey: The public key of the peer. Can be derived from the private key by using wg pubkey on the Linux command line. In contrast to the PrivateKey, the PublicKey can (and has to) be shared with the nodes we want to connect to.
- AllowedIPs: Defines which IP range the node with this PublicKey is allowed to use. For a typical VPN client that should tunnel all traffic through the VPN server, we want to have 0.0.0.0/32 as AllowedIPs for the VPN server. In a site-to-site VPN setting, each peer would typically have its own local subnet as AllowedIPs.
- Endpoint (optional): Defines the public IP address of the peer we want to connect to. At least one of the peers has to set the Endpoint parameter, because otherwise both peers would wait for each other to connect. In a typical client-server VPN setup, the client would use the VPN server’s IP for this parameter, while the server would leave it empty and just wait for a connection from the client.
- PresharedKey (optional): Can be used to define a pre-shared key between two peers, which should improve post-quantum resistance. This is used on top of the public key cryptography, so it does not replace PublicKey and PrivateKey. Details can be found here.
Connect to WireGuard using your fritzbox
The Fritzbox offers to create configs through its own dynamic DNS service, which is more user friendly but also limited in its capabilities. Here, we will focus on the purest and most powerful way to connect to WireGuard, which is importing a WireGuard configuration file.
Just log in to your Fritzbox web interface (typically https://fritz.box/ or https://192.168.178.1) and then click through the web interface until you reach “Import a WireGuard connection” (Internet → Permit Access → VPN → Add VPN Connection → Import a WireGuard connection). There you have a text field into which you can paste your config.
If everything went right, it should look like this in the VPN list and on the web interface dashboard respectively:
This sounds easy, right? Well, in reality, chances are high that this will not work. This is because the Fritzbox has its own constraints and limitations that differ a bit from the official WireGuard tools. The next section might help you debug.
Why does my fritzbox fail to connect to WireGuard?
Right now, WireGuard on the Fritzbox is quite new and still in beta. As with all beta-state software, you should expect bugs and a bad user experience in general. The main drawback in the user experience of the Fritzbox with regard to WireGuard is the missing error messages. There is very little information you can get from the Fritzbox in case your WireGuard connection is not working. Maybe they will improve that before the release. But until then, you can use our list of known limitations to debug your WireGuard configuration.
Multiple connections or multiple peers
As of right now, the Fritzbox supports neither multiple connections nor multiple peers. This means you can only have one WireGuard configuration activated at a time, even if the user interface shows ticks on both connections. Furthermore, this WireGuard configuration must not have more than one Peer section.
Full tunneling or clashing IP ranges
For some reason, the Fritzbox does not support full tunneling yet. This means that if you set AllowedIPs to 0.0.0.0/0, your connection will fail. The same seems to apply to IP ranges that conflict with your LAN or WAN network.
Interface Address does not match fritzbox IP and range
The Address parameter of the Interface section has to match the IP of the Fritzbox and its subnet. For a default Fritzbox, this would be
Have you tried turning it on and off again?
Nobody likes to hear this line, but it’s often the simplest solution for many problems. The same applies here. While playing around with different WireGuard configs in our lab, the Fritzbox sometimes got into a weird state that makes further connections impossible or in which the routing is broken. Performing a power cycle and rebooting the Fritzbox helps in that case.
Does the remote peer expect the correct IPs?
The WireGuard implementation on the Fritzbox is built as a site-to-site VPN, so NAT is not used for the tunneled traffic. This means all packets will use the local source IP of the sender (e.g. 192.168.178.100) instead of the router IP. Take this into account when setting up the other WireGuard peer.
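As an added example (not the browser tool described in this post and not Bitahoy code), a small Python checker that parses a WireGuard config in the format shown above and applies the Fritzbox limitations listed in this section: exactly one Peer section, no 0.0.0.0/0 full tunneling, no AllowedIPs clashing with the LAN, an Address matching the Fritzbox IP and subnet, and a warning for the ignored DNS option. The Fritzbox IP/LAN (192.168.178.1/24, the default used in the example config above) and the sample config are assumptions.

```python
import ipaddress

# Constructed sample (not from the post): a full-tunnel client config that the Fritzbox rejects.
SAMPLE = """[Interface]
Address = 192.168.178.1/24
PrivateKey = <private key placeholder>
DNS = 1.1.1.1

[Peer]
PublicKey = <public key placeholder>
AllowedIPs = 0.0.0.0/0
"""
FRITZBOX_IP = ipaddress.ip_address("192.168.178.1")  # assumption: default Fritzbox LAN (post's example Address)
FRITZBOX_LAN = ipaddress.ip_network("192.168.178.0/24")

def parse(text):
    """Parse an INI-style WireGuard config into a list of (section name, {key: value}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))  # split once: base64 keys end in '='
            sections[-1][1][key] = value
    return sections

def check(text):
    """Return the Fritzbox-compatibility problems found in the config (empty list = looks fine)."""
    sections = parse(text)
    ifaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]
    problems = []
    if len(peers) != 1:
        problems.append("the Fritzbox supports exactly one [Peer] section")
    for iface in ifaces:
        if "Address" in iface:
            addr = ipaddress.ip_interface(iface["Address"])
            if addr.ip != FRITZBOX_IP or addr.network != FRITZBOX_LAN:
                problems.append(f"Address {addr} must be the Fritzbox IP and LAN range")
        if "DNS" in iface:
            problems.append("DNS is ignored by the Fritzbox")
    for peer in peers:
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                problems.append(f"AllowedIPs {cidr}: full tunneling is not supported")
            elif net.overlaps(FRITZBOX_LAN):
                problems.append(f"AllowedIPs {cidr} clashes with the LAN range")
    return problems
```

Running check(SAMPLE) reports the ignored DNS line and the unsupported 0.0.0.0/0 range; replacing AllowedIPs with a remote subnet such as 10.10.10.0/24 and dropping DNS yields an empty list.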
Tool: check your WireGuard configuration for fritzbox compatibility
To help you with your WireGuard configs and to give you the feedback the Fritzbox won’t give you, we developed a little tool that checks your WireGuard config in your browser. It checks for most of the constraints explained above and warns you in case there is a problem in your configuration. The tool runs completely in your browser and no data is sent back to us, so your private key stays safe 😉
Check your wireguard config for fritzbox compatibility
“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.