WireGuard support for simple setup of VPN connections

General remarks

Note: Not available for FRITZ!Box 6490 and 6590

WireGuard(R) is a modern and easy to understand VPN solution that aims to be faster, simpler and leaner than IPSec. In contrast to IPSec and OpenVPN, it uses a reduced number of (state-of-the-art) cryptography methods.

WireGuard(R) is usually easier to configure than other solutions and impresses with its fast connection setup.

For most operating systems, there are apps/programs from WireGuard(R) themselves for connecting single devices to a network via VPN.

WireGuard is a registered trademark of Jason A. Donenfeld (https://www.wireguard.com)

WireGuard is not compatible with other VPN protocols. Connections to IPSec or OpenVPN peers (as well as to FRITZ!Box products configured in this way) are therefore not possible.

Like other VPN methods, WireGuard works on layer 3 of the OSI layer model and generally supports IPv4 and IPv6. The concept is based on peer-to-peer architecture. The VPN connection is made possible by the exchange of public keys between the remote sites, with the help of which IP packets are encapsulated in UDP and sent in encrypted form.

Essentially, you configure a WireGuard interface with your own private key and the remote sites' public keys to be used and then send packets over it – and of course you must have done the same thing on the remote site.

WireGuard itself does not contain any mechanisms for key distribution, an often criticized and "complicated" point about IPSec. Both parties therefore require the public keys of the respective remote site and can then "simply" send encrypted packets via the correspondingly set up interface.

The concept for the FRITZ!Box, however, is that both key pairs can be generated on the FRITZ!Box for setting up a connection and all the necessary dial-in data (private and public key of the person dialing in, public key of the FRITZ!Box, address, algorithms...) can be imported on the client side via a file or QR code, e.g. in the WireGuard App. For different connections, even for the same device, a new private key is then generated for the connection each time. Do not let the QR code or configuration file fall into the hands of unauthorized persons, as they may otherwise be able to use the configured VPN connection.

There are no plans to allow both conventional (IPSec) and WireGuard dial-in to a FRITZ!Box user. A WireGuard configuration is assigned to a device, not to a user. This means there is also no user assignment or user-related authentication for WireGuard connections.

Hardware-assisted encryption/decryption is currently not supported for WireGuard.

For your FRITZ!Box to be accessible via WireGuard VPN, you need a MyFRITZ! address your (you'll need to register your FRITZ!Box with MyFRITZ!Net) – or a third-party DynDNS address for your FRITZ!Box.

WireGuard connections for single devices

To connect a single device via WireGuard VPN (roughly comparable to the well-known "user dial-in" via IPSec VPN), you need the corresponding WireGuard app or the WireGuard program for the respective operating system (until WireGuard is potentially also offered with on-board operating system resources). In the simplest and most obvious case, you configure the WireGuard connection on the FRITZ!Box, take a picture of the generated QR code with the WireGuard app (or import the generated file) – and the WireGuard VPN setup is done.

Set up guide

Internet > Permit Access > VPN > Add VPN Connection

  • "Configure a WireGuard connection for a laptop/PC" => Generates a file to import.
  • "Configure a WireGuard connection for a smartphone" => Generates a QR code to photograph

Please note that the connection configuration – QR code or configuration file - is not permanently stored on the FRITZ!Box (for security reasons). It's therefore best to set up the connection completely immediately. Of course, a new WireGuard VPN connection can be generated at any time.

Do not let the QR code or configuration file fall into the hands of unauthorized persons, as they may otherwise be able to use the configured VPN connection.