Do bazy wiedzy

Setting up a WireGuard VPN between two FRITZ!Box networks

Our step-by-step guide on how to easily and securely connect two FRITZ!Box networks over VPN (WireGuard). ✓

WireGuard allows you to connect two FRITZ!Box networks at different locations over the internet via a secure, encrypted VPN connection (LAN-LAN linkup). This allows you to access all of the devices in the remote network and use all of the IP-based services such as email servers, data banks, and file servers at both locations.

You can find an overview of additional VPN connection options in our guide VPN with FRITZ!.

Example values used in this guide

In this guide we show you how to connect "FRITZ!Box A" in a branch with "FRITZ!Box B" in the headquarters. When setting up the connection, replace the values used in this guide with your actual values.

Requirements / Restrictions

  • FRITZ!Box B (headquarters) must obtain either an IPv6 address or a public IPv4 address from the internet service provider. FRITZ!Box A (branch) must obtain an IP address with the same protocol version (IPv4 or IPv6) from the internet service provider.
  • FRITZ!OS 7.50 or later is installed on both of the FRITZ!Boxes.

1 Preparations

Configuring MyFRITZ!

Register the FRITZ!Boxes with MyFRITZ!Net so that they can always be reached on the internet at fixed MyFRITZ! addresses:

Setting up MyFRITZ!
  1. Click "Internet" in the FRITZ!Box user interface.
  2. Click "MyFRITZ! Account" in the "Internet" menu.
  3. Enter your email address in the "Your email address" field.
  4. Click "Apply". Now MyFRITZ!Net sends you an email with the confirmation link to your FRITZ!Box.

    Important:If you do not receive an email, the email was classified as unsolicited advertising (spam). In this case, check the spam folder of your email inbox.

  5. Open the email you received from MyFRITZ!Net.
  6. Click the "Register Your FRITZ!Box" button in the email.

Adapting the IP networks

VPN communication is not possible if both FRITZ!Boxes use the same IP network. Since all FRITZ!Boxes use the IP network 192.168.178.0 in the factory settings, configure IP addresses from different IP networks in the FRITZ!Boxes:

Example:
In this guide, FRITZ!Box A (branch) has the IP address 192.168.20.1 (subnet mask 255.255.255.0) and FRITZ!Box B (headquarters) the IP address 192.168.10.1 (subnet mask 255.255.255.0).

Changing the FRITZ!Box's IP network
  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click "Network" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. Click "Additional Settings" in the section "LAN Settings" to display all of the settings.
  5. Click the "IPv4 Settings" button.
  6. Enter the desired IP address and subnet mask.

    Important:Do not enter an IP address from the network 192.168.100.x. In compliance with DOCSIS, this network is reserved for the cable provider and may not be used in the FRITZ!Box.

  7. Click "Apply" to save the settings and on the FRITZ!Box, confirm that the procedure may be executed, if you are asked to do so.

2 Downloading WireGuard settings from FRITZ!Box A (branch)

The following steps are only necessary if WireGuard connections are already configured in FRITZ!Box A (branch) (for example for a mobile device):

  1. Click "Internet" in the user interface of FRITZ!Box A (branch).
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN (WireGuard)" tab.
  4. Click the "Display WireGuard Settings" button.
  5. If you are asked to do so, on the FRITZ!Box confirm that the procedure may be executed and click "OK" to complete the procedure.
  6. Click "Download Configuration File" and download the file with the extension ".conf" to the computer.

3 Configuring FRITZ!Box B (headquarters)

  1. Click "Internet" in the user interface of FRITZ!Box B (headquarters).
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN (WireGuard)" tab.
  4. Click the "Add Connection" button.
  5. Click "Connect networks or establish special connections" and then "Next".
  6. By "Has this WireGuard connection already been set up at the remote connection?", click "No".
  7. If no WireGuard connections have been set up in FRITZ!Box A (branch) yet:
    1. By "Should the new WireGuard connection be used used concurrently with an existing connection on the remote site?", click "No".
    2. By "Is the connection to be made with a single device (laptop, smartphone, tablet), or a router that supports WireGuard (such as a FRITZ!Box)?", click "Router with WireGuard support".
    3. Click "Next".
    4. Enter a unique name for the connection (FRITZ!Box branch) in the field "Name of the WireGuard connection".
    5. Enter the IP network of FRITZ!Box A (192.168.20.0) in the "Remote IPv4 network:" field.
    6. In the "Subnet mask" field, enter the subnet mask that corresponds to FRITZ!Box A's IPv4 network (255.255.255.0).
    7. In the "IPv6 address (/64)" field, enter the IPv6 address (Unique Local Address) of FRITZ!Box A (fdfb:a446:9719::b2f2:8ff:fe6a:e378).

      Note:The IPv6 address (Unique Local Address) is displayed in FRITZ!Box A under "Home Network > Network > Network Settings > IPv6 Settings > Unique local address of your FRITZ!Box".

  8. If WireGuard connections have already been set up in FRITZ!Box A (branch):
    1. By "Should the new WireGuard connection be used used concurrently with an existing connection on the remote site?", click "Yes".
    2. Click "Yes" by "Should the settings file of the remote site be imported and the new connection be appended automatically?".
    3. Click "Next".
    4. Enter a unique name for the connection (FRITZ!Box branch) in the field "Name of the WireGuard connection".
    5. Click the "Choose File" or "Browse..." button.
    6. Select the settings file for the WireGuard connection that you downloaded from FRITZ!Box A (Conf file) and click "Open".
    Configuring a WireGuard connection in FRITZ!Box B (headquarters)
  9. If available, enable the option "Allow NetBIOS over this connection".
  10. If only certain devices in the home network of FRITZ!Box B (headquarters) should be reachable via VPN, enable the option "Only certain devices in the home network are to be accessible over this WireGuard connection" and select the corresponding devices.
  11. Click the "Finish" button.
  12. If you are asked to do so, on the FRITZ!Box confirm that the procedure may be executed and click "OK" to complete the procedure.
  13. Click "Download Settings" and download the file with the extension ".conf" to the computer.

4 Configuring FRITZ!Box A (branch)

  1. Click "Internet" in the user interface of FRITZ!Box A (branch).
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN (WireGuard)" tab.
  4. Click the "Add Connection" button.
  5. Click "Connect networks or establish special connections" and then "Next".
  6. By "Has this WireGuard connection already been set up at the remote connection?", click "Yes".
  7. Click "Next".
  8. Enter a unique name for the connection (FRITZ!Box headquarters) in the field "Name of the WireGuard connection".
  9. Click the "Choose File" or "Browse..." button.
  10. Select the settings file for the WireGuard connection that you downloaded from FRITZ!Box B (Conf file) and click "Open".
  11. If you do not only want to use the VPN connection to access the remote network, but also want all web requests to be sent over the VPN connection to FRITZ!Box B (headquarters), enable the option "Send all IPv4 network traffic via the VPN connection".
  12. Enable the option "Allow NetBIOS over this connection" if access to Windows file and printer sharings (SMB shares) in the remote network should be allowed.
  13. If only certain devices in the home network of FRITZ!Box A (branch) should be reachable via VPN, enable the option "Only certain devices in the home network are to be accessible over this WireGuard connection" and select the corresponding devices.
  14. Click the "Finish" button.
  15. If you are asked to do so, on the FRITZ!Box confirm that the procedure may be executed and click "OK" to complete the procedure.

Now the VPN connection between both FRITZ!Boxes is configured and FRITZ!Box A (branch) is permanently connected to FRITZ!Box B (headquarters).