FRITZ!Box routers already support WireGuard VPN, and you can try it now

AVM is one of the manufacturers that updates its WiFi routers most often, across all ranges. The popular German manufacturer not only improves what the firmware already has, but also adds really interesting new features. Since last week, FRITZ!Lab, AVM's beta firmware laboratory, has offered a new firmware version for the FRITZ!Box 7590 AX, FRITZ!Box 7590 and FRITZ!Box 7530 routers that incorporates the popular WireGuard VPN, which is much faster than the IPsec VPN the routers currently include.

WireGuard on FRITZ!Box routers

If you have one of the aforementioned routers, you will have to manually install the latest FRITZ!OS 7.39 firmware, which is currently in the testing phase. After updating to this new version, you can use this fast and secure VPN to connect remotely to your local home network. Right now only the following routers are compatible with the FRITZ!OS 7.39 firmware that supports this VPN service:

Keep in mind that WireGuard is a very modern VPN that is easy to set up. Its main features are the security it provides and its download and upload speed: the protocol achieves high transfer rates in the VPN tunnel and is much more efficient than IPsec. Unlike IPsec or OpenVPN, where a large number of cryptographic protocols are available, WireGuard has a single suite of ciphers that have been carefully chosen for the best security and speed. Of course, it is not compatible with IPsec or OpenVPN; it is a completely different VPN protocol. A very important detail is that hardware encryption acceleration will not be available at the moment. However, where WireGuard shines most compared to IPsec or OpenVPN is on hardware without encryption acceleration, where it behaves really well.

Other features are that it works with IPv4 and IPv6 networks without problems and that its architecture is peer-to-peer. The VPN connection is made possible by the exchange of public keys between the remote sites, and all packets are encapsulated in UDP and fully encrypted. Basically, we configure an interface with its own public and private key, and then use the public key on the different peers that want to connect; these peers, in turn, must have their public key in the list of allowed keys on the server. WireGuard has no mechanism for key distribution, so during configuration we must "exchange" the public keys of both peers before they can communicate.

To make this exchange of public keys easier for users, AVM has decided that the keys of both peers are generated on the FRITZ!Box router. We simply ask the router to generate the VPN client keys, and it produces all the data needed for the connection. Once this data is generated, we can export a configuration file or scan a QR code with the WireGuard application for mobile devices. Of course, this configuration file and QR code should only be used by us; we cannot share them, because otherwise someone else could pass themselves off as us.

Right now, when we use the IPsec VPN on the FRITZ!Box, the VPN is tied to a specific user. With WireGuard, however, the connection is tied to a device rather than a user, so there is no user mapping or user-related authentication for WireGuard connections. Internally, however, AVM could still associate a connection with a user, even though that user's username and password are not used, so that the graphical user interface shows that a certain user has connected.

To configure this VPN we must go to «Internet > Allow access > VPN > Add VPN connection». Once there, we will have two options:

  • Configure a WireGuard connection for PC: generates a configuration file that we later import on the target device to make the connection.
  • Set up a WireGuard connection for smartphone: generates a QR code that we must scan.

For security reasons, neither the file nor the QR code is stored in the FRITZ!Box; that is, we can download the file only once or view the QR code only once. If we do not configure the VPN client at that point, we will have to create another peer with new data.