

gocheck

34 posts

Geek


#265535 26-Jan-2020 13:08

A few years ago I set up several VPN users on my FritzBox 7490 for myself and my family members working in China. It’s an IPSec Xauth PSK type VPN. It’s a dynamic IP so myfritz.net was used as the dynamic server. We have been using the VPN almost every day since then without any major issues.

 

However, from around 20th January we could not connect to the VPN anymore. Even on my 2degrees mobile phone, I could only connect to the VPN when the phone connected to my home WIFI. When the phone was on cell data it could not connect to the VPN. And my family members in China could not connect to the VPN at all.

 

A weird thing happened the next day. My FritzBox 7490 was suddenly down with the red Info light on. I called 2degrees and they sent me a new router Fritzbox 7530.

 

I set up a VPN user on the 7530 and tried it out on my mobile phone. The same issue happened again. My phone could only be connected to the VPN when my phone was on the home WIFI. So I called 2degrees again. It seemed that the staff knew what happened. He put me on to a static IP (203.86.206.xx). After that my phone could connect to the VPN through cell data. But there were some website access issues. I could not connect to some websites, even myfritz.net.

 

I had to call 2degrees again. The staff removed the static IP. I could access those websites after that but could not connect to the VPN again. Then I called 2degrees a 4th time. The staff assigned me a new static IP (123.255.55.xx). After that my phone has had no issue connecting to the VPN and visiting any websites.

 

Then I set up several VPN users for my family members in China. They said they could connect to the VPN now. However, they could not visit any restricted websites (by Chinese authorities) through the VPN, i.e. google.com, youtube.com etc. But there was no issue visiting unrestricted websites, i.e. trademe.co.nz etc.

 

I do not know what is happening there. I do not know why a dynamic IP does not work with the VPN now. Considering the timing, it is unlikely the GFW in China has been updated to block the IPSec Xauth PSK type VPN. Has 2degrees changed some setting recently that made it stop working?

 

VPN is a must-have for my family members and me. Could anyone help me to solve this problem please? Many thanks!


  #2407008 26-Jan-2020 13:33

2degrees now uses CG-NAT, so if you don’t have a static IP, your incoming VPN is no longer going to work. You will need a static IP for this.




-- opinions expressed by me are solely my own. ie - personal
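
The CG-NAT point in the reply above can be checked by comparing the router's WAN address with the address the internet sees. This is an added example, not part of the original thread; the function names and all sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_public_ip):
    """Classify the router's WAN address against the externally observed one.

    wan_ip: address shown on the router's WAN interface.
    observed_public_ip: address reported by an external "what is my IP" check.
    Returns "cgnat", "private-nat", "nat-mismatch" or "public".
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_NET:
        return "cgnat"            # ISP shares one public IP among customers
    if any(wan in net for net in RFC1918_NETS):
        return "private-nat"      # router is behind another NAT device
    if wan != seen:
        return "nat-mismatch"     # translated somewhere between router and internet
    return "public"               # router holds the public address itself


def inbound_vpn_possible(wan_ip, observed_public_ip):
    """Inbound IPSec to the router needs the router to own the public IP."""
    return classify_wan(wan_ip, observed_public_ip) == "public"


if __name__ == "__main__":
    # Constructed samples: (router WAN address, externally observed address).
    samples = [
        ("100.72.14.9", "203.0.113.10"),   # dynamic plan behind CG-NAT
        ("203.0.113.10", "203.0.113.10"),  # static public IP assigned
        ("192.168.1.2", "203.0.113.10"),   # double NAT behind another router
    ]
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        print(f"{wan:>15} seen as {seen}: {verdict}, "
              f"inbound VPN possible: {inbound_vpn_possible(wan, seen)}")
```

A "cgnat" or "private-nat" result means a dynamic DNS name will resolve to an address the router does not own, so inbound VPN connections never reach it.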




freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2407054 26-Jan-2020 17:13

Make sure you are using the static IP and they can connect. Then make sure their VPN client is set to use your gateway as the DNS server.

What client are your family using?






gocheck

34 posts

Geek


  #2407170 26-Jan-2020 21:05

freitasm: Make sure you are using the static IP and they can connect. Then make sure their VPN client is set to use your gateway as the DNS server.

What client are your family using?

 

Yes, I am using the static IP now and we can all connect to the VPN. But only I, in NZ, can visit websites without any issue. My family members in China cannot visit any restricted websites banned by the Chinese Government through the VPN, just like not using a VPN at all, even though they are connected. It looks like the VPN is not fully functional.

 

We are not using any 3rd-party clients. Just the default VPN function in Android or Apple phones. Add a new VPN with IPSec Xauth PSK type, which is the only one supported by Fritzbox.




gocheck

34 posts

Geek


  #2407174 26-Jan-2020 21:08

Jiriteach: 2degrees now uses CG-NAT, so if you don’t have a static IP, your incoming VPN is no longer going to work. You will need a static IP for this.

 

Thanks, that makes sense of why I need a static IP now. But even with a static IP the VPN is not as functional as before.


freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2407177 26-Jan-2020 21:11

When creating the VPN on Android there's "Advanced Options" and you can enter DNS servers and Forwarding Routes there. Are you sure there was no DNS entered there (the label has e.g. 8.8.8.8)? It should really be left blank.







gocheck

34 posts

Geek


  #2407178 26-Jan-2020 21:15

freitasm:

 

When creating the VPN on Android there's "Advanced Options" and you can enter DNS servers and Forwarding Routes there. Are you sure there was no DNS entered there (the label has e.g. 8.8.8.8)? It should really be left blank.

 

 

Yes I'm quite sure I didn't tell them to fill in DNS. BTW the Google Public DNS has been banned in China.


freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2407231 26-Jan-2020 22:00

gocheck:

 

freitasm:

 

When creating the VPN on Android there's "Advanced Options" and you can enter DNS servers and Forwarding Routes there. Are you sure there was no DNS entered there (the label has e.g. 8.8.8.8)? It should really be left blank.

 

 

Yes I'm quite sure I didn't tell them to fill in DNS. BTW the Google Public DNS has been banned in China.

 

 

And because it's banned, if by chance that number was entered there the whole thing would stop working despite being connected to your VPN, hence my question.

 

Since you are sure there's no number there, I don't have any other question - someone else?





Oblivian
7304 posts

Uber Geek

ID Verified

  #2407252 26-Jan-2020 22:31

A visual of above.


Either a proxy is set, or your local DNS isn't being passed as the default route.

Or they're not really connected. Give them the router LAN (192.x.x.x) address; if they can't hit that, they sure won't be getting anywhere in NZ.

You should also see a green connected light in the user/vpn area.


  #2407258 26-Jan-2020 23:21

What’s their gateway IP after connecting to the VPN? Get them to Google what’s my IP once they are connected and it should be your static IP.

This is only going to be the case if the setting of send all traffic via VPN is enabled, else the client config is not correct.

DNS servers should be auto pushed with the config but else if Google’s are banned, try Cloudflare’s - 1.1.1.1 and 1.0.0.1.

Sounds to me like not all traffic is being routed via the VPN. Easy check though.




-- opinions expressed by me are solely my own. ie - personal


freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2407259 26-Jan-2020 23:26

I have just created a VPN client on my Android device and you don't have an option to set default gateway. Also the suggestion above (and my previous one) would not make any difference because once the VPN is connected the Google DNS wouldn't be blocked anymore as it would go encrypted through your connection anyway.






  #2407260 26-Jan-2020 23:34

freitasm: I have just created a VPN client on my Android device and you don't have an option to set default gateway. Also the suggestion above (and my previous one) would not make any difference because once the VPN is connected the Google DNS wouldn't be blocked anymore as it would go encrypted through your connection anyway.


Not sure about Android - on iOS, send all traffic via VPN is default. Might have to specify it for certain clients on other platforms. On my Macs, I have to explicitly set this.




-- opinions expressed by me are solely my own. ie - personal


freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2407261 26-Jan-2020 23:35

On Android there is no checkbox for this. All traffic is sent via VPN.






Oblivian
7304 posts

Uber Geek

ID Verified

  #2407273 26-Jan-2020 23:52

It would appear that may be the case for stock, but other releases or apps may be able to toggle the --redirect-gateway options?

I.e. CyanogenMod/OpenVPN, if I read it right.

gocheck

34 posts

Geek


  #2408071 28-Jan-2020 12:47

Jiriteach: What’s their gateway IP after connecting to the VPN? Get them to Google what’s my IP once they are connected and it should be your static IP.

This is only going to be the case if the setting of send all traffic via VPN is enabled, else the client config is not correct.

DNS servers should be auto pushed with the config but else if Google’s are banned, try Cloudflare’s - 1.1.1.1 and 1.0.0.1.

Sounds to me like not all traffic is being routed via the VPN. Easy check though.

 

Their gateway IP was my static IP. I could see they had connected on the Fritzbox event log.


freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2408079 28-Jan-2020 12:54

Interesting. I'd have thought the gateway would've been the router's internal IP, not the external static IP.




