VPN between two fritzboxes

Ok, this one is not really purely openHAB related. But over Christmas I installed a remote openHAB at my mountain cottage. Unfortunately, the mobile internet connection doesn’t allow for a public IP-address, but only a private (carrier) IP-address. So I couldn’t establish the VPN as planned from my home to the remote FritzBox! - which I learned only later after being home again.
So - this weekend I’m again at the cottage and just to be sure: I have a public IP-address at my home FritzBox, so if I establish a (then permanent) VPN between the cottage Fritzbox and my home Fritzbox - this should work, right?
https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/5_Setting-up-a-VPN-connection-between-two-FRITZ-Box-networks/ says this:

Requirements / Restrictions
At least one of the two FRITZ!Boxes must obtain a public IPv4 address from the internet service provider.

So, the Fritzbox on a private IP-address can indeed establish the VPN to my Fritzbox at home. I have to test if this one is stable - as the LTE is not really fast up there… But basically this one should work? Or do I have to configure something beforehand?

You need a dynamic DNS service, either through DynDNS or you could use MyFritz, a service run by AVM.


Yeah, I regularly connect myself to my home Fritzbox through MyFritz - that works. So I assume it should also work with the cottage Fritzbox with a private IP-address… But I’m no expert, that’s why I’m careful - my intended solution obviously didn’t work out…

I have connected 4 Fritz!Boxes at different locations via VPN.
Every box gets a dyndns entry xxxx.homedns.org which is configured in the box and used in the VPN config.

Does one of the boxes have a private IP-address? (I learned it’s called Carrier grade NAT)

All boxes get new IPs every night, our provider does a disconnect every 24 hours.
Configuring dyndns service in the box gives you the correct mapping for VPN usage.
Furthermore, all boxes run different internal network ranges (192.168.0.0, 192.168.1.0, 192.168.2.0 …)

Oh. Sorry for not being specific enough…

I also had to learn the hard way:

  • my boxes have internal network range addresses for the internal network (192.168.xxx.xxx, two different ones to not interfere)
  • they both function as routers to the internet, but (and here’s the difference):
    • my home box gets a public IP-address from the external network range offered by my ISP
    • my cottage box gets a private IP-address from the Carrier grade NAT range

That means you can’t access the cottage box at all via the Internet, because it basically NATs via the ISP - and the box won’t get a public IP-address unless I pay a monthly fee for it. I guess that’s partly because IPv4 addresses are rare and for “normal mobile phones” it suffices to just have a NATted internet access.

What’s on a totally different page is whether those assigned IP-addresses are dynamic (changing at reconnects) or static (staying even after reconnects). That one is covered by MyFritz… (at home, I don’t have a static public, but a dynamic public IP-address, which my cottage box can connect to.)

So, I guess all your boxes get dynamic public IP-addresses… :wink:

Indeed they have

I guess I’ll simply try on the weekend - I’ll report back if it works. What I thought, and what I tried, is to insert the MyFritz configuration, including the secret and all, into the cottage box, and the VPN just won’t connect. Perhaps I have to try to connect from the Pi directly then… I hope that I can then access my cottage Pi via the VPN “in reverse” :wink: (ok, it’s getting complicated now)…

Found this tip for you
https://www.computerbase.de/forum/showthread.php?t=1679109


Yeah, that’s basically my information: requesting a public IP-address from the ISP (which costs a monthly fee).

But what’s new for me is the “portmapper”-provider - at least it’s way cheaper! :wink: I’ll give it a try - thanks for the help!

I think you can connect from CGN to the Public IPv4…

This is the Paper for you… The Public IP Fritzbox must be the VPN Server!

German:
https://avm.de/service/vpn/praxis-tipps/fritzbox-als-vpn-client-mit-anderer-fritzbox-verbinden/
English:
https://en.avm.de/service/vpn/how-to-tips/connecting-a-fritzbox-set-up-as-a-vpn-client-to-another-fritzbox/

Do both have IPv6?

This can be your Solution :slight_smile:

https://www.strongswan.org/testing/testresults/ipv6/net2net-ikev2/


I’ll have to take a look for the cottage box, at home I do have one. Thanks!

I ended up getting a dynamic public IP address from the provider (which was free, contrary to previous statements…) - now I have a “normal” VPN between two Fritz!Boxes and it has been stable for two weeks now.

Just in case someone has similar specs: there should be a workaround for one box having a public IP and one having a CGN NAT one - but I didn’t test it, as I was fed up and just ordered the public IP! :wink:
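
Added example (not part of the original thread, not AVM code): a small Python check that combines the three points raised above. It classifies each box's WAN IPv4 address as public, private or carrier-grade NAT, verifies that the two LAN ranges differ, and picks the box with the public address as the VPN server side. The function names and the sample addresses are assumptions constructed for illustration; 203.0.113.10 is a documentation address standing in for a real public one.

```python
import ipaddress

# Address ranges that cannot be reached from the internet.
UNREACHABLE = {
    "cgn": [ipaddress.ip_network("100.64.0.0/10")],  # RFC 6598 carrier-grade NAT
    "private": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],  # RFC 1918
}

def classify_wan(addr):
    """Return 'cgn', 'private' or 'public' for a box's WAN IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    for kind, nets in UNREACHABLE.items():
        if any(ip in net for net in nets):
            return kind
    return "public"

def plan_vpn(sites):
    """sites: {name: {"wan": str, "lan": str}} for exactly two boxes.
    Returns (server, client, problems); server/client are None if no box is reachable."""
    (a, sa), (b, sb) = sites.items()
    problems = []
    # Both LANs must use different ranges, otherwise routing through the tunnel fails.
    if ipaddress.ip_network(sa["lan"]).overlaps(ipaddress.ip_network(sb["lan"])):
        problems.append("LAN ranges overlap; give each box its own subnet")
    reachable = [n for n, s in sites.items() if classify_wan(s["wan"]) == "public"]
    if not reachable:
        problems.append("neither box has a public IPv4 address")
        return None, None, problems
    # The box with the public address accepts the connection; the other one dials out.
    server = reachable[0]
    client = b if server == a else a
    return server, client, problems

# Constructed sample data resembling the setup in this thread.
SITES = {
    "cottage": {"wan": "100.72.13.5", "lan": "192.168.1.0/24"},
    "home": {"wan": "203.0.113.10", "lan": "192.168.0.0/24"},
}

if __name__ == "__main__":
    for name, site in SITES.items():
        print(name, classify_wan(site["wan"]))
    print(plan_vpn(SITES))
```

The WAN address to feed in is the one the box itself reports for its internet connection, not the one a "what is my IP" website shows, since behind carrier-grade NAT the two differ.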