Site-to-site connection of a UTM to a Fritz!Box with WireGuard
Last adaptation to the version: 12.6.0
New:
- Corrections in the Configuration file for the IP address of the Fritz!Box and the AllowedIPs
- Note added for NetBIOS in the Fritz!Box
Last updated:
01.2024
notempty
This article refers to a Resellerpreview
This article includes descriptions of third-party software and is based on the status at the time this page was created.
Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.
Introduction
Introduction
This HowTo describes the configuration of a WireGuard site-to-site VPN connection of a Securepoint UTM with a Fritz!Box.
Add key
Add key
The following keys are necessary to enable communication between the UTM and the Fritz!Box:
- Type x25519 key for the UTM
- x25519 key for the Fritz!Box
From both keys the public and the private part is needed.
| Add key | |||
| Open key management under Button | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnAuhthenticationKeys 
|
|---|---|---|---|
| Name: | x25519_a.vpn | Assign a unique name Here the key name for the UTM | |
| Type: | Select X25519 as type | ||
| Close dialog with Save and close button. | |||
| Fritz!Box-Key | |||
| Repeat the above procedure for a key named x25519_fritzbox-1. | |||
|
UTMuser@firewall.name.fqdnAuhthentication  The finished state of both keys
| ||
| Click the button and import the public part of the Fritz!Box key. | |||
Add WireGuard Connection
Add WireGuard Connection
WireGuard configuration on the UTM
WireGuard configuration on the UTMUnder click on the button
Step 1 -Step 1 - | |||
| notempty Es wird empfohlen die WireGuard-Verbindung über die UTM zu erstellen. Daher sollte der Schritt 1 - Konfiguration importieren übersprungen werden.
| |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnVPNWireGuard  WireGuard Assistent - Schritt 1
|
|---|---|---|---|
| Datei: | Falls die WireGuard-Verbindung über die Fritz!Box erstellt wurde, kann hier die entsprechende Konfigurationsdatei hochgeladen werden. Allgemein trägt die Konfigurationsdatei die Bezeichnung wg_config.conf. Entsprechend wird unter Konfiguration: das Konfigurationsfeld ausgefüllt. | ||
| Konfiguration: | Falls eine WireGuard-Verbindung über die Fritz!Box erstellt wurde, kann die Konfiguration in dieses Konfigurationsfeld kopiert werden. [Interface]
PrivateKey = #privater Schlüsselwert
ListenPort = #Der genutzte Port
Address = #Das entfernte Netzwerk der UTM
DNS = #DNS IP-Adresse
DNS = #DNS FQDN
| ||
Step 2 - InterfaceStep 2 - Interface | |||
| Caption | Value | Description |  |
| Interface: | wg1 | Name of the interface that will be created for the connection (automatic default, cannot be changed) | |
| Name: | wg_s2s_fritzbox | Unique name for the connection | |
| IPv4 address: | 10.0.0.1/24 | IPv4 address for the network interface of the UTM's transfer network | |
| IPv6 address: | fd00:0:0:0::1/64 | IPv6 address for the network interface of the UTM's transfer network (optional) | |
| Listening Port: | 51820 |
Default-Port for WireGuard connections | |
| Private key: | |||
| Private key of the UTM in x25519 format. Only those keys that also have a private key part can be selected. | |||
| Share server networks globally: | Additional networks for the (local) server side, which can be accessed by the WireGuard tunnel of the peers | ||
Step 3 - Peer Step 3 - Peer | |||
| Use AD users as peers: | Off | The use of An AD users as peers is recommended if they are connected to an AD/LDAP server and have the correct attribute settings. Furthermore, a user group on the UTM must be linked to a user group in AD/LDAP and this user group must have WireGuard authorization. Further information can be found in the wiki article AD/LDAP Authentication. |
 |
| Name: | wg_peer_fritzbox-1 | Description of remote terminal for the Fritz!Box | |
| Share peer networks: | » ✕192.168.178.1/24 | The internal network of the Fritz!Box to be accessed | |
| Endpoint: | d-vpn.spdns.org | Public DNS resolvable FQDN of the Fritz!Box | |
| Endpoint port: | 51820 |
The Listening Port of the Fritz!Box | |
| Public key: | |||
| Select the public key part of the Fritz!Box Only keys for which there is not yet a connection on this interface can be selected. The PublicKey must be unique within a connection, as the routing of incoming packets is carried out via it. If the same PublicKey is to be used for a peer, e.g. for a fallback, another WireGuard connection must be created for this. | |||
| Pre-Shared Key (optional): | …8DmBioPyPNqZ7Rk= | Pre-shared key for further securing the connection | |
| Show Hide |
Show / Hide the pre-shared key | ||
| Generate | Generates a very strong pre-shared key | ||
| Copy to clipboard | Copies the PSK to the clipboard | ||
| Keepalive: | Off | Regularly sends a signal. This keeps connections open on NAT routers. On Activation is recommended. | |
| 25 Seconds |
Interval in seconds at which a signal is sent | ||
Step 4 -Step 4 - | |||
| Create routes to the peer's networks: | No | Activation On is recommended. Routes are created to the networks / hosts that were entered in step 3 under Allowed IPs with the interface as gateway that was displayed in step 2. |
 |
| Generate zones: | Yes | Generates a new zone for the WireGuard port | |
| Zone Name: | wireguard-wg0-1 | Enter a name for the zone | |
| Generate network objects for peer: | Yes » ✕wg_peer_fritzbox-1-0 |
Creates Yes button when enabled for network objects (IPv4 and if necessary IPv6) of the remote terminal. Automatic suggestion can also be changed. | |
| Generate rules between peer and internal-networks: | No | Generates autogenerated rules that facilitate implementation. notempty It is essential to replace these rules with your own rules that allow only necessary services with necessary network objects.
| |
| The settings are applied with the button. | |||
| Then the Restart button restarts the WireGuard service. The UTM will not be restarted. | |||
WireGuard configuration on the Fritz!Box
WireGuard configuration on the Fritz!BoxStep 1 - Public key Step 1 - Public key
Export the public part of the key of the UTM x25519_a.vpn in .raw format.
Step 2 - Create configuration file Step 2 - Create configuration file
A configuration file with the following content is created. To do this, open a file in any editor.
[Interface] PrivateKey = $PRIVATE_KEY_FRITZBOX ListenPort = $LISTENPORT_WIREGUARD_FRITZBOX Address = $LOCAL_IP_FRITZBOX/$NETMASK
[Peer] PublicKey = $PUBLIC_KEY_UTM PresharedKey = $PRESHAREDKEY AllowedIPs = $NETWORK_SECUREPOINT/$NETMASK Endpoint = $HOSTNAME_UTM:$LISTENPORT_WIREGUARD_UTM PersistentKeepalive = 1
| Caption | Value | Description |  |
|---|---|---|---|
| PrivateKey = | $PRIVATE_KEY_FRITZBOX | Enter the private key from the downloaded key | |
| ListenPort = | $LISTENPORT_WIREGUARD_FRITZBOX | Enter the ListenPort of the Fritz!Box In the example 51378 | |
Address = |
$LOCAL_IP_FRITZBOX/$NETMASK | Enter the static IP address of the Fritz!Box in the internal network with the netmask In the example 192.168.178.1/24 | |
| PublicKey = | $PUBLIC_KEY_UTM | Enter the downloaded public key of the UTM | |
| PresharedKey = | $PRESHAREDKEY | Enter the preshared key of the UTM | |
AllowedIPs = |
$NETWORK_SECUREPOINT/$NETMASK | Enter internal network / internal networks / transfer network of the Securepoint In the example 10.0.0.1/24 (from step 2 - IPv4 address) Multiple IP addresses must be separated by a comma. Example: IPv4 address: 10.0.0.1/24,10.0.1.1/24 | |
| Endpoint = | $HOSTNAME_UTM:$LISTENPORT_WIREGUARD_UTM | Enter the host name of the UTM and the endpoint of the UTM (from step 2 - interface). Separate both with a colon. | |
| PersistentKeepalive = | 1 | Interval in seconds at which a signal is sent (from step 3 - Peer) In the example 25 | |
Step 3 - Upload configuration fileStep 3 - Upload configuration file
Log into the Fritz!Box interface and go to Internet → Share→ Tab VPN (WireGuard).
Click there.
Fig.1
In the new window, click on Custom Setup and then on Next >.
Fig.2
Click on Yes for the question under Set custom settings and then on Next >.
Fig.3
Enter a name in Name of the WireGuard connection and select the created configuration file via . Then click on Finish.notempty
Enabling the option Allow NetBIOS over this connection may solve problems, e.g. with SMB orTP. .
After the automatic switch to the VPN (WireGuard) dialogue, click Refresh and the WireGuard connection is active.
If, among other things, an error occurs when uploading the configuration file, the corresponding error message is displayed under System → Event Log.
Troubleshooting the port after importing the configuration file
Troubleshooting the port after importing the configuration fileWhen importing the configuration file, it can happen that the Fritz!Box ignores the port entered and assigns its own port independently.
- In Internet → Share→ Tab VPN (WireGuard) the button Edit opens the configuration dialog of the corresponding WireGuard connection
- In the section Used Internet address of the remote terminal and your Fritz!Box you can read which end port (after the colon) is used
- If this port was changed, enter it as listening port in the WireGuard connection of the UTM