VPN over Fritzbox to IPFire

Hello community,

I have the configuration shown in the image. Is it possible to access the Blue Network from outside via a VPN connection to the Fritzbox?
I can access the Fritzbox via a VPN connection, and it works.

If you want to connect to a host on the blue network, you should establish a VPN connection directly to the IPfire.
This can be OpenVPN, Wireguard, or IPsec.
It’s not a good idea to open communication on the IPfire Red interface.
Of course, you can do as you described; for this to work, you’ll need to configure the Fritzbox with a static route to the blue network via the IPfire Red interface.
Additionally, you need to create a rule on IPFire that will accept such communication.

Which connection do you need - Net to Net or Roadwarrior ?

Which VPN do you want to use - Wireguard, OpenVPN, IPsec ?

Is IPFire in the DMZ of Fritzbox?

I don’t really care which VPN I use. I want to access the blue network from an external Windows computer.
But how do I do that? I think the Fritzbox is also connected in between, or do I need to change something there as well?

You need a port forward on your Fritzbox.

e.g.

for OpenVPN RoadWarrior

for WireGuard

Okay, thanks for the info.
Which port do I need to open on the Fritzbox? Should I forward the port to the red or blue network on the IPFire box?
Do you have any good instructions for setting up the VPN connection? Perhaps in German?

Regards

The Fritzbox needs a port forward from WAN to the red IP of IPFire.
The port for OpenVPN is 1194 by default, as found in the WUI.
This rule is to be set in the Fritzbox;
no rule should be needed in IPFire.
Some routers have a DMZ that will forward all ports to one PC.
This can be used to send traffic to IPFire.
IPFire’s DMZ is not like that.


Thanks for helping me this far. I’ve now created the following configuration.
WireGuard:

Opened port 51820 in the Fritzbox for the Red interface

In the IPFire box:
Wireguard:
Endpoint (I have a DynDNS address here)
Client Pool 10.0.0.0/24
DNS 192.168.2.1
Host-to-Network Peer Connection
Name: client2blue
Remarks - empty
Allowed subnets: 192.168.2.0/24

I installed this configuration on my iPhone, and the VPN connection is established.
BUT in the WireGuard on the IPFire box, the status of the established connection is “disconnected.”

On the iPhone, the address is 10.0.0.1, and the server address is 127.0.0.1.

What did I do wrong?

Thanks for writing

I don’t think the status is working on the WUI, so that is not a good indicator.
I would check the logs.

It has always worked for me in all my tests and evaluations.

Your DynDNS address will resolve to the public IP that goes to your fritzbox. Your endpoint address in your situation is the private IP address that the fritzbox gives to your IPFire red interface. Just insert the IP address that your IPFire red interface gets from the fritzbox.

Bear in mind that as the WireGuard protocol in the kernel has been made a very secure but simple one, there are no logs related to WireGuard.
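Since the WUI status is unreliable and the kernel module writes no logs, the practical way to see whether a road warrior peer has actually completed a handshake is the `latest-handshake` column of `wg show <interface> dump`. The following is an added example, not code from the thread or from IPFire: it classifies each peer in a dump as active (handshake within the last 180 seconds, the interval after which WireGuard treats a session as stale), stale, or never handshaked. The interface name `wg0`, the keys, and the endpoint addresses in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `wg show wg0 dump` output (tab-separated), NOT taken
# from the thread. Line 1 is the interface: private-key, public-key,
# listen-port, fwmark. Each further line is a peer: public-key, preshared-key,
# endpoint, allowed-ips, latest-handshake (unix time, 0 = never), rx, tx,
# persistent-keepalive. Keys and IPs are placeholders.
sample_wg_dump() {
    printf '%s\t%s\t%s\t%s\n' \
        'SERVER_PRIVATE_KEY_PLACEHOLDER=' 'SERVER_PUBLIC_KEY_PLACEHOLDER=' '51820' 'off'
    # Peer that completed a handshake 100 s before "now" (see test value below)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER1_PUBKEY_PLACEHOLDER=' '(none)' '203.0.113.7:41842' '10.0.0.2/32' \
        '1700000000' '1234' '5678' 'off'
    # Peer whose configuration was installed but which never handshaked
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER2_PUBKEY_PLACEHOLDER=' '(none)' '(none)' '10.0.0.3/32' \
        '0' '0' '0' 'off'
}

# wg_peer_state DUMPFILE NOW WINDOW
# Prints "<pubkey> <allowed-ips> <state>" per peer, where state is
# active (handshake within WINDOW seconds of NOW), stale, or never.
wg_peer_state() {
    awk -F'\t' -v now="$2" -v win="$3" '
        NF >= 8 {
            hs = $5 + 0
            if (hs == 0)              state = "never"
            else if (now - hs <= win) state = "active"
            else                      state = "stale"
            printf "%s %s %s\n", $1, $4, state
        }' "$1"
}

# count_active DUMPFILE NOW WINDOW -> number of peers with a fresh handshake
count_active() {
    wg_peer_state "$1" "$2" "$3" | grep -c ' active$'
}

# Stand-alone usage on a real system (uncomment on the IPFire box):
#   wg show wg0 dump > /tmp/wg.dump
#   wg_peer_state /tmp/wg.dump "$(date +%s)" 180
```

On a live box replace the sample with the real dump and pass the current time; a peer that stays at `never` has not even reached the handshake, which points at the port forward or the endpoint address in the client profile rather than at routing behind the tunnel.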

I have not used WireGuard.
I have seen nuances with it from other forum posts.
Does the disconnected status show because the connection is inactive,
and active only when being used in active transfer of data?

Thanks for writing.

I only found this in the log:
Addresses Declined:
192.168.3.74 → 9c:20:7b:f3:a1:39 [abandoned] (blue0): 2339 Time(s)
192.168.3.75 → 76:bb:e6:6e:dc:00 [abandoned] (blue0): 1 Time(s)

The Fritzbox doesn’t assign any addresses; they’re all fixed. Should I add the Fritzbox’s external public IP address there?

It shows when the connection has been made, whether data is being transferred or not.

WireGuard gives no information on whether data is being transferred or not. It just indicates that a connection has been made.

The way I have tested it (also with OpenVPN) is to use ping (doesn’t always work as expected with mobile phones like Android) or by testing to access the IPFire WUI page via the browser on the WireGuard roadwarrior client. That has worked for me with Android when the ping did not.

If the IP for your IPFire is fixed from the Fritzbox then use that fixed private IP address.

You can confirm it by looking at your IPFire WUI main page. The box labelled INTERNET on a red background will have an IP address specified at the next column. That is the endpoint address that you should use.
With the Fritzbox between your IPFire and the internet then I believe that IP address will be a private range IP address most likely starting with 192.168.xxx.yyy and not a public IP.

You should not use the Fritzbox’s public IP address as that is not the endpoint of the WireGuard tunnel. Your IPFire system is the endpoint.
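The thread’s symptom is a client profile whose server address is 127.0.0.1, which can never reach the tunnel endpoint from outside. The following added sanity check, not code from the thread or from IPFire, extracts the `Endpoint` host from a WireGuard client `.conf` and classifies it as loopback, RFC 1918 private, or public/hostname, so a profile can be checked before it is installed on the phone. IPv4 and hostname endpoints are assumed; the sample profiles, keys and the DynDNS name `example.dyndns.invalid` are constructed placeholders.

```shell
#!/bin/sh
# Constructed WireGuard client profile with the loopback endpoint seen in the
# thread. Keys are placeholders, not real material.
sample_bad_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.1/32
DNS = 192.168.2.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.2.0/24
Endpoint = 127.0.0.1:51820
EOF
}

# endpoint_host CONFFILE -> host part of the first "Endpoint = host:port" line
endpoint_host() {
    awk -F'=' '/^[[:space:]]*Endpoint[[:space:]]*=/ {
        v = $2
        gsub(/[[:space:]]/, "", v)   # strip surrounding whitespace
        sub(/:[0-9]+$/, "", v)       # drop the :port suffix
        print v
        exit
    }' "$1"
}

# classify_endpoint HOST -> loopback | private | public-or-hostname
# A road warrior connecting from the internet needs the last category:
# the public IP the Fritzbox holds, or a DynDNS name resolving to it.
classify_endpoint() {
    case "$1" in
        127.*|localhost)                                      echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo private ;;
        *)                                                    echo public-or-hostname ;;
    esac
}

# check_conf CONFFILE -> "ok" or a short reason why the profile cannot work
check_conf() {
    host=$(endpoint_host "$1")
    [ -n "$host" ] || { echo "no Endpoint line"; return 1; }
    case "$(classify_endpoint "$host")" in
        loopback) echo "endpoint $host is loopback: the phone would connect to itself"; return 1 ;;
        private)  echo "endpoint $host is private: unreachable from outside the LAN"; return 1 ;;
        *)        echo ok ;;
    esac
}

# Stand-alone usage (uncomment): check_conf /path/to/client2blue.conf
```

The `private` result is the case the thread keeps circling: the red interface’s 192.168.x.y address is what IPFire uses as its own endpoint, but a profile exported with that address cannot be reached from the mobile network, so the exported profile must carry the DynDNS name or public address that the Fritzbox forwards to port 51820.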

I’ve tried everything, but it won’t connect.

What’s puzzling me is the server address 127.0.0.1.

I don’t know what else I can do to get a VPN connection.

That IP is localhost, so your client on the iPhone would be trying to make the OpenVPN connection only on the phone.

You need to change that IP to your IP that your Fritzbox has as its public IP.

But where should I change the IP address? I have no idea where this 127.0.0.1 comes from. I also know it’s a local one, but that doesn’t seem to help me.

That I can’t help you with as I don’t use any iPhones at all. I just have an old Android phone.

The only iPhone stuff I know is what is written in the wiki documentation
https://www.ipfire.org/docs/configuration/services/openvpn/ios
but I have never ever used it.