Recommend:
To the knowledge base

WireGuard cannot establish a VPN connection to the FRITZ!Box

Although the VPN connection was successfully configured, WireGuard cannot establish a VPN connection to the FRITZ!Box. One of the following error messages is displayed:

  • "unknown host"
  • "Error bringing up tunnel: Unable to resolve DNS hostname"
  • "Error bringing up tunnel: Service not authorized by user"
  • "Failed to send handshake initiation [...] no route to host"

Simply proceed as described below. After each measure, check whether the problem is solved.

1 Allowing WireGuard connections on the device

If WireGuard displays the message "Error bringing up tunnel: Service not authorized by user", a different app is preventing the user from establishing a VPN connection.

  1. Check the security apps installed on the device (for example Blokada) and make sure that they do not block WireGuard.

2 Checking accessibility of the FRITZ!Box in the internet

So that WireGuard can establish a connection to the FRITZ!Box, the FRITZ!Box must have an IP address that is accessible on the internet and the device with WireGuard must be able to reach this IP address. WireGuard connections via IPv6 and IPv4 are possible.

IPv6 connections

For IPv6 internet connections, both the FRITZ!Box and the device with WireGuard must be connected to the internet over IPv6. If only one of both sides received an IPv6 address, it is not possible to establish an IPv6 connection and WireGuard tries to establish the connection over IPv4.

You can call up the menu "Internet > Online Monitor" in the FRITZ!Box user interface to check whether the FRITZ!Box is connected to the internet via IPv6.

You can check whether the device is connected to the internet over IPv6 by calling up www.test-ipv6.com or www.ipv6-test.com on the device.

IPv4 connections

If WireGuard cannot reach the FRITZ!Box over IPv6, it tries to establish the connection over IPv4. An IPv4 connection is only possible if the FRITZ!Box receives a public IPv4 address from the internet service provider and the device with WireGuard is connected to the internet over IPv4. If the FRITZ!Box only received a private IPv4 address or the device with WireGuard only received an IPv6 address, an IPv4 connection is not possible.

You can check whether the FRITZ!Box obtained a public or private IPv4 address by following the steps in our guide Identifying the address range of the IPv4 address for the internet connection.

You can check whether the device is connected to the internet over IPv4 by calling up www.test-ipv6.com or www.ipv6-test.com on the device.

Note:In some mobile networks, mobile devices only receive an IPv4 address, in others they only receive an IPv6 address. With some mobile network providers, IPv6 can also only be used if specific wireless access points (APN) are used. Refer to your mobile network provider for information on supported IP protocols and usable wireless access points.

3 Checking the MyFRITZ! status of the FRITZ!Box

If the VPN connection occasionally cannot be established, there may be an issue with the MyFRITZ! service. Therefore, check whether the FRITZ!Box is successfully registered with MyFRITZ! when you try to establish the VPN connection:

  1. Click "Internet" in the FRITZ!Box user interface.
  2. Click on "Online Monitor" in the "Internet" menu.
  3. If MyFRITZ! is active, continue with the next section.
    • If MyFRITZ! is displayed as not active, wait until the technical issues have been resolved and try to establish the VPN connection at a later time. If the error is permanent, reconfigure the MyFRITZ! account.

4 Deleting a VPN connection and reconfiguring it

If the VPN connection cannot be established at all, then an invalid domain name is saved in WireGuard for the FRITZ!Box, for example an incorrect MyFRITZ! address. Therefore, reconfigure the WireGuard connection:

  1. Delete the VPN connection in WireGuard.
  2. Reconfigure the WireGuard connection in the FRITZ!Box. Proceed as described in the corresponding guide: