Fritzbox VPN configuration with OPNSense
// This configuration is not mine: it was found on a German forum and adapted to my needs. I am sharing it because all the original information is in German.
// Comments on a more secure VPN configuration are welcome; this is largely cut-and-paste because testing is slow.
//
// On the OPNsense side, configure the IPsec tunnel as follows.
// Tunnel settings:
//
// - Connection method: "Respond only", because the OPNsense runs on a server with a stable address and the FRITZ!Box (dynamic IP) initiates
// - Key Exchange version: V1 (the vpncfg file below is an IKEv1 configuration)
// - Internet Protocol: IPv4
// - Interface: WAN
// - Remote gateway: XXXXX.myfritz.net - the MyFRITZ! hostname of the router
// - Dynamic gateway: Yes - the FRITZ!Box sits on a dynamic IP address
// - Authentication method: "Mutual PSK" - use a long random pre-shared key (32+ characters); it is the only authentication of this tunnel
// - Negotiation mode: Main - do not use aggressive mode with a PSK: it sends the identity hash in the clear, which allows offline dictionary attacks on the key. Main mode works with this configuration.
// - My identifier: Distinguished Name : FQDN of the OPNsense (must match "remoteid" in the file below)
// - Peer identifier: Distinguished Name : XXXXX.myfritz.net - the MyFRITZ! hostname of the router (must match "localid" in the file below)
//
// Phase 1 proposal (algorithms)
// - Encryption algorithm: AES256
// - Hash algorithm: SHA1 - used as HMAC-SHA1 for IKE integrity; prefer SHA256 if your FRITZ!OS version negotiates it
// - DH key group: 1, 2, 5, 14, 15, 16, 17, 18 - groups 1, 2 and 5 (768/1024/1536-bit MODP) are too weak by today's standards; list only 14 and above if the FRITZ!Box accepts them. Because the file below offers "all/all/all", this list on the OPNsense side is what decides which group is actually used.
//
// Phase 2:
// - Mode: Tunnel IPv4
// Local network
// - Type: LAN subnet
// Remote network
// - Type: Network
// - Address: a.a.a.0 / 24 - the CIDR of the FRITZ!Box LAN (same network as "phase2localid" in the file below)
//
// Phase 2 proposal (SA/Key Exchange)
// - Protocol: ESP
// - Encryption algorithms: AES (Auto) - keep AES only; the file below also offers 3DES in "phase2ss", and not selecting it here is what keeps it out of the negotiation
// - Hash algorithms: SHA1 - prefer SHA256 if the FRITZ!Box negotiates it
// - PFS key group: 2 - 1024-bit MODP; use 14 (or the group chosen in Phase 1) if the FRITZ!Box accepts it
//
// Then save the text below to a file on your computer and import it on the FRITZ!Box as a VPN configuration.
// Before importing, replace "sharedKey", the placeholder hostnames and the a.a.a.0 / b.b.b.0 networks, and delete everything above the "vpncfg {" line (including this header).
// DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE
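vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Description of the VPN"; // Display name of the VPN on the FRITZ!Box
        always_renew = yes; // Re-establish the tunnel whenever it drops (the FRITZ!Box is the initiator, OPNsense is "Respond only")
        // NOTE(review): "no" appears to let packets for the remote net leave unencrypted while the tunnel
        // is down; "yes" should drop them instead (fail closed) - verify against AVM's vpncfg docs for your FRITZ!OS.
        reject_not_encrypted = no;
        // NOTE(review): passes NetBIOS through the tunnel; set to "no" unless Windows name resolution
        // across the VPN is actually needed.
        dont_filter_netbios = yes;
        localip = 0.0.0.0; // The FRITZ!Box has a dynamic public IP, so no fixed address here
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0; // Static public IP of the OPNsense, or 0.0.0.0 to use remotehostname below
        remotehostname = "hostname.domain.org"; // FQDN of the OPNsense WAN side
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "XXXX.myfritz.net"; // MyFRITZ! hostname of this FRITZ!Box; must match "Peer identifier" on OPNsense
        }
        remoteid {
            fqdn = "hostname.domain.org"; // FQDN of the OPNsense; must match "My identifier" on OPNsense
        }
        mode = phase1_mode_idp; // IKEv1 main mode (identity protection) - keep it; aggressive mode exposes the PSK to offline cracking
        // The FRITZ!Box offers every IKEv1 Phase 1 proposal it has; the OPNsense Phase 1 proposal decides
        // what is actually negotiated, so drop weak DH groups (1, 2, 5) and SHA1 on the OPNsense side where possible.
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        // Replace with a long random secret (32+ characters): the PSK is the only authentication of this tunnel
        // and the same value goes into "Pre-Shared Key" on OPNsense. Never publish this file with the real key in it.
        key = "sharedKey";
        cert_do_server_auth = no;
        use_nat_t = no; // NAT traversal off: assumes the FRITZ!Box itself holds the public IP (not behind DS-Lite/CGNAT)
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = a.a.a.0; // FRITZ!Box LAN network
                mask = 255.255.255.0; // FRITZ!Box LAN netmask
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = b.b.b.0; // OPNsense LAN network
                mask = 255.255.255.0; // OPNsense LAN netmask
            }
        }
        // ESP with AES-256 or 3DES and SHA1, no AH, no compression, PFS on. 3DES is legacy (64-bit block size);
        // it stays out of the negotiation only because the OPNsense Phase 2 proposal offers AES alone - keep it that way.
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        // Sends all IP traffic for the OPNsense LAN into the tunnel. Narrow "any" to the FRITZ!Box LAN or to
        // specific hosts if not every local device needs reach; OPNsense's own IPsec firewall rules must allow it too.
        accesslist = "permit ip any b.b.b.0 255.255.255.0";
    }
    // IKE on UDP 500 and NAT-T on UDP 4500
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}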