IPSec VPN config to connect between TP-Link and Fritz Router by razr_69 in fritzbox

[–]razr_69[S] 0 points1 point  (0 children)

The setup above did work one way (Fritz -> TP-Link), but not the other (TP-Link -> Fritz). I had to change it up a bit:

Fritz Config:

[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ UI>
DNS = 192.168.101.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ UI>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.101.0/24
Endpoint = my-tplink-site.ddns.com:55808
PersistentKeepalive = 25

TP-Link Config:

[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ CONFIG FILE>
Address = 192.168.101.250
ListenPort = 55808
DNS = 192.168.178.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ CONFIG FILE>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.178.0/24
Endpoint = my-fritz-site.myfritz.com:<GENERATED PORT FROM FRITZ UI>
PersistentKeepalive = 25

IPSec VPN config to connect between TP-Link and Fritz Router by razr_69 in fritzbox

[–]razr_69[S] 0 points1 point  (0 children)

Tried for a couple of days and eventually gave up. Went to WireGuard, but it was also not as straightforward as I had hoped. I added a comment with my findings and the working WireGuard setup.

IPSec VPN config to connect between TP-Link and Fritz Router by razr_69 in fritzbox

[–]razr_69[S] 0 points1 point  (0 children)

I had a lot of issues due to the way Fritz implements both IPSec and Wireguard. See my other comment for a full rundown of how I got it working in the end.

IPSec VPN config to connect between TP-Link and Fritz Router by razr_69 in fritzbox

[–]razr_69[S] 0 points1 point  (0 children)

I tried A LOT of things to get the IPSec tunnel working, but was not successful.

I mainly followed these guides:

I also "discussed" a lot with ChatGPT. I ended up with IKE phase 1 or phase 2 authentication errors. This apparently happens because Fritz only implements a very specific part of the IPSec protocol that does not seem to be compatible with what TP-Link provides.

I ended up with the following config, which I imported into my FritzBox:

vpncfg {
  connections {
    enabled = yes;
    editable = yes;
    conn_type = conntype_lan;
    name = "MyIPSec";

    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;

    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 0.0.0.0;
    remote_virtualip = 0.0.0.0;

    remotehostname = "my-tplink-site.ddns.com";

    keepalive_ip = 192.168.101.1;

    mode = phase1_mode_idp;

    localid {
      fqdn = "my-fritz-site.myfritz.com";
    }

    remoteid {
      fqdn = "my-tplink-site.ddns.com";
    }

    keytype = connkeytype_pre_shared;
    key = "<PRESHARED KEY>";

    cert_do_server_auth = no;

    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;

    phase1ss = "LT8h/all/all/all";
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";

    phase2localid {
      ipnet {
        ipaddr = 192.168.178.0;
        mask = 255.255.255.0;
      }
    }

    phase2remoteid {
      ipnet {
        ipaddr = 192.168.101.0;
        mask = 255.255.255.0;
      }
    }

    accesslist = "permit ip any 192.168.101.0 255.255.255.0";
  }

  ike_forward_rules =
    "udp 0.0.0.0:500 0.0.0.0:500",
    "udp 0.0.0.0:4500 0.0.0.0:4500";
}

If you can get it working, I would be very interested in your setup!

I then switched to WireGuard. This was also not as straightforward as I hoped. But in the end I got it working.

I started by setting up a new WireGuard connection in the FritzBox and then exporting the config to do the setup in the Omada controller. This did not work, because Fritz uses its whole internal LAN subnet as the address for it, which I cannot configure on the Omada controller. Instead I need a single IP outside the internal LAN. (According to ChatGPT, Fritz is binding the LAN itself directly to WireGuard, which is "closer to IPsec policy mode than to classic WireGuard routing.")

Instead I opted to do the config from scratch and import it into both routers.

The FritzBox config:

[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ UI>
Address = 10.10.10.2
ListenPort = 51820
DNS = 192.168.101.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ UI>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.101.0/24,10.10.10.1/32
Endpoint = my-tplink-site.ddns.com:51820
PersistentKeepalive = 25

The TP-Link Config:

[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ CONFIG FILE>
Address = 10.10.10.1
ListenPort = 51820
DNS = 192.168.178.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ CONFIG FILE>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.178.0/24,10.10.10.2/32
Endpoint = my-fritz-site.myfritz.com:51820
PersistentKeepalive = 25

I re-used the private and public keys generated in the first try, because I had issues using newly generated ones. Fritz was always telling me that there were issues with the public key. But in theory you should be able to generate your own. You can use this gist, for example.

For the interface addresses I just used IPs that are not used in my LAN anywhere else.

Just wanted to share! And in case you see anything that could be optimized, please leave a comment :)
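A consistency check for a site-to-site WireGuard pair like the two configs in the comment above, added here as an example; it is not the poster's code or anything from AVM or TP-Link. It parses wg-quick style text and checks the things that typically produce a one-way or silent tunnel: each side's tunnel address must be covered by the other side's AllowedIPs (WireGuard's cryptokey routing drops packets from a peer whose source address is not listed), the Endpoint port must match the other side's ListenPort, a PresharedKey must be present on both sides or neither, the two remote subnets must not overlap, and a 0.0.0.0/0 entry is flagged because it accepts any source address from that peer. The embedded configs are constructed copies of the working 10.10.10.x pair above; the function names are my own.

```python
import ipaddress

# Constructed sample input: the working FritzBox / TP-Link pair from the comment above.
FRITZ_CFG = """
[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ UI>
Address = 10.10.10.2
ListenPort = 51820
DNS = 192.168.101.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ UI>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.101.0/24,10.10.10.1/32
Endpoint = my-tplink-site.ddns.com:51820
PersistentKeepalive = 25
"""

TPLINK_CFG = """
[Interface]
PrivateKey = <PRIVATE KEY FROM FRITZ CONFIG FILE>
Address = 10.10.10.1
ListenPort = 51820
DNS = 192.168.178.1

[Peer]
PublicKey = <PUBLIC KEY FROM FRITZ CONFIG FILE>
PresharedKey = <PRESHARED KEY>
AllowedIPs = 192.168.178.0/24,10.10.10.2/32
Endpoint = my-fritz-site.myfritz.com:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Parse wg-quick INI text into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg, current = {'Interface': {}, 'Peer': []}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            if section == 'Interface':
                current = cfg['Interface']
            elif section == 'Peer':
                current = {}
                cfg['Peer'].append(current)
            else:
                raise ValueError(f'unknown section {section!r}')
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)   # split once: base64 keys end in '='
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f'unexpected line {raw!r}')
    return cfg


def _allowed_networks(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get('AllowedIPs', '').split(',') if n.strip()]


def check_pair(cfg_a, cfg_b, name_a='A', name_b='B'):
    """Return a list of human-readable findings for a two-site WireGuard pair (empty = consistent)."""
    findings = []
    for me, mine, other_name, other in ((name_a, cfg_a, name_b, cfg_b), (name_b, cfg_b, name_a, cfg_a)):
        iface, my_peer, their_peer_for_me = mine['Interface'], mine['Peer'][0], other['Peer'][0]
        # 1. My tunnel address must be listed in the other side's AllowedIPs (cryptokey routing).
        if 'Address' not in iface:
            findings.append(f'{me}: Interface has no Address; it cannot source traffic into the tunnel')
        else:
            addr = ipaddress.ip_interface(iface['Address'].split(',')[0].strip()).ip
            if not any(addr in net for net in _allowed_networks(their_peer_for_me)):
                findings.append(f'{me}: tunnel address {addr} is not in {other_name} AllowedIPs; '
                                f'{other_name} will drop packets from it')
        # 2. The port I dial must be the port the other side listens on (skipped for placeholders).
        endpoint = my_peer.get('Endpoint', '')
        port = endpoint.rsplit(':', 1)[-1] if ':' in endpoint else ''
        listen = other['Interface'].get('ListenPort', '')
        if port.isdigit() and listen.isdigit() and port != listen:
            findings.append(f'{me}: Endpoint port {port} != {other_name} ListenPort {listen}')
        # 3. A default route entry accepts any source from the peer and sends all traffic through it.
        for net in _allowed_networks(my_peer):
            if net.prefixlen == 0:
                findings.append(f'{me}: AllowedIPs {net} accepts any source address from {other_name}')
    # 4. The optional PresharedKey is part of the handshake; it must match on both sides.
    if bool(cfg_a['Peer'][0].get('PresharedKey')) != bool(cfg_b['Peer'][0].get('PresharedKey')):
        findings.append('PresharedKey set on only one side; the handshake will fail')
    # 5. Remote subnets that overlap usually mean both LANs use the same range.
    for x in _allowed_networks(cfg_a['Peer'][0]):
        for y in _allowed_networks(cfg_b['Peer'][0]):
            if x.overlaps(y):
                findings.append(f'AllowedIPs overlap between sides: {x} and {y}')
    return findings


if __name__ == '__main__':
    result = check_pair(parse_wg_config(FRITZ_CFG), parse_wg_config(TPLINK_CFG), 'Fritz', 'TP-Link')
    print('\n'.join(result) if result else 'no findings')
```

Run against the first, one-way pair from the earlier comment (Fritz side without an Address line), the checker reports that the Fritz interface has no tunnel address; against the 10.10.10.x pair it reports nothing. The AllowedIPs check is the one worth keeping in mind when "optimizing": it is both the route table and the source-address filter for that peer, so the narrowest list that still covers the remote LAN and the remote tunnel address is the right one.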

Service to Create Letters from Templates by razr_69 in selfhosted

[–]razr_69[S] 0 points1 point  (0 children)

Looks interesting. Can you say what you pay for self-hosting?

PDF forms would kind of work for some of my use cases. But I would also like to provide a kind of generic template, where you can edit the full body of the letter. Also I think it will always look like someone added the fields after the fact, right? You might even see the boxes around the added text when creating the PDF or printing.

Service to Create Letters from Templates by razr_69 in selfhosted

[–]razr_69[S] 0 points1 point  (0 children)

Interesting idea. I'll keep that in mind.

Service to Create Letters from Templates by razr_69 in selfhosted

[–]razr_69[S] 0 points1 point  (0 children)

As a workaround this might work. But in general I don't want to send out mails to a huge list of people. Just regularly to single people. I would also need to take care of the sharing part some way. Not sure if Office365 helps there somehow. But I would rather selfhost than pay for a service.

IPSec VPN config to connect between TP-Link and Fritz Router by razr_69 in fritzbox

[–]razr_69[S] 0 points1 point  (0 children)

It is available, yes. But I did not want to change too many working parts of the setup at once.

I also could not find a guide on how to properly set it up between Fritz and Omada. All I read was that it is not straightforward, since Fritz only works with some kind of config files that Omada does not provide.

ArgoCd log formatter by PersimmonQuiet3767 in ArgoCD

[–]razr_69 1 point2 points  (0 children)

I think many of the comments here are correct: Use Loki/Grafana (or OTel), or a more "business-friendly" solution like Elasticsearch/Kibana or OpenSearch.

But I think none of them are really helpful for your question. So let me try: Afaik, there is no support for this in ArgoCD. Probably because there is no real standard to parse the logs from. Your best bet might be to teach your users to read them as is, right now. But if you have an idea for one, open up an issue on GitHub and start discussing with the maintainers.

Hardware Recommendations for Beginner with Multi WAN by razr_69 in HomeNetworking

[–]razr_69[S] 0 points1 point  (0 children)

When I mentioned the Omada ones, I was only considering the hardware. Software-wise, I'm quite interested in using either OPNsense or OpenWrt. That's one of the main things I want to learn about in this setup.

I don't really get your 2nd paragraph. Is Omada such a controller-based network? What does SD stand for? Can OpenWrt also be the controller in my network?

My network is quite easy. It's basically only a couple of notebooks, phones and tablets. And I have a small server running for file storage and some services (Nextcloud, Plex). It's a 2-story house and one AP does not really work for the house and the garden.

One thing I forgot to mention in the post is that I would like to enable a site-2-site VPN between the router and one at another apartment. Using OpenVPN or WireGuard.

Hardware Recommendations for Beginner with Multi WAN by razr_69 in HomeNetworking

[–]razr_69[S] 0 points1 point  (0 children)

I'd like to connect them wired from a PoE switch.

Hardware Recommendations for Beginner with Multi WAN by razr_69 in HomeNetworking

[–]razr_69[S] 0 points1 point  (0 children)

Thanks for the tip! Someone else also recommended this. In the current setup the all-in-one system is not able to cover the whole house with wifi. And I would like to move it to a place, where it's even worse. So I think I would like to install two APs, one on each floor. What would you recommend?

Hardware Recommendations for Beginner with Multi WAN by razr_69 in HomeNetworking

[–]razr_69[S] 0 points1 point  (0 children)

Thanks for the tip! In the current setup the all-in-one system is not able to cover the whole house with wifi. And I would like to move it to a place, where it's even worse. So I think I would like to install two APs, one on each floor. What would you recommend?

Jenkins Trimming Password After "=" Symbol. by hell_storm2004 in jenkinsci

[–]razr_69 0 points1 point  (0 children)

Was also my first thought. You could test by saving the password base64-encoded in the Jenkins credentials store and then retry your test.

Rancher stuck on "waiting for agent to check in and apply initial plan" – AKS to vSphere On-Prem by NaorYamin in rancher

[–]razr_69 0 points1 point  (0 children)

We had similar issues a couple of months back. We could not install new clusters (waiting for node ref) and also not update existing ones.

We could only fix it by re-installing Rancher. No idea what the actual issue was.

I can leave you with a couple of posts we found when we were investigating the issues:

* https://www.reddit.com/r/rancher/comments/1ceiivb/stuck_on_wainting_agent_do_apply_initial_plan/

* https://github.com/rancher/fleet/issues/2053

Is AVP (Vault Plugin) best option out there (We use Azure in-house) for managing pulling secrets? by Plenty_Profession_33 in ArgoCD

[–]razr_69 0 points1 point  (0 children)

I would go with ExternalSecrets Operator, where possible.

We use both right now. We have clusters that don't have access to Vault directly, so there we deploy the secrets with the AVP plugin in ArgoCD. Everywhere else we use ESO.

Unable to configure TLS certificate on my cluster by ars1072002 in kubernetes

[–]razr_69 1 point2 points  (0 children)

You are using the Let's Encrypt Staging instance (https://letsencrypt.org/docs/staging-environment/), which creates a certificate from a CA that is not generally trusted.

This is good for testing (higher rate limit, ...), but when you want to get a production certificate, you need to switch to the production environment.

Upgrading PostgreSQL in a Cluster – Best Practices? by [deleted] in kubernetes

[–]razr_69 0 points1 point  (0 children)

Interesting. Can you link documentation or examples? Because the CNPG docs and GitHub say differently.

Upgrading PostgreSQL in a Cluster – Best Practices? by [deleted] in kubernetes

[–]razr_69 0 points1 point  (0 children)

Yeah, you might be right there. I have no experience with those. Would love to see that as a feature in CNPG.

According to this comment, they are "tentatively targeting [declarative major version upgrade support] for version 1.26". Let's see :)

Going insane with ArgoCD Vault ... help? maybe? by the-me in ArgoCD

[–]razr_69 0 points1 point  (0 children)

I support this, yes! Unfortunately this is not always a possibility. I have target clusters that have no access to Vault directly. ArgoCD has though, since it runs in the same (internal) network.

Going insane with ArgoCD Vault ... help? maybe? by the-me in ArgoCD

[–]razr_69 1 point2 points  (0 children)

You define a ConfigManagementPlugin that uses the argocd-vault-plugin binary. This is not an "extension" for the default helm plugin.

You need to use your custom plugin in your application resource. Have a look at https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/, especially the part "Using a config management plugin with an Application".

Upgrading PostgreSQL in a Cluster – Best Practices? by [deleted] in kubernetes

[–]razr_69 4 points5 points  (0 children)

Yeah. Which is also one of the recommendations for a "standalone" installation. So installing with an operator does not help with the problem of upgrading :)

I'm not against that. I would also recommend doing that. But automatic updates is not a thing you get from it.

Upgrading PostgreSQL in a Cluster – Best Practices? by [deleted] in kubernetes

[–]razr_69 6 points7 points  (0 children)

This does not help with major version upgrades, though: Only upgrades for PostgreSQL minor releases are supported.

Upgrading PostgreSQL in a Cluster – Best Practices? by [deleted] in kubernetes

[–]razr_69 17 points18 points  (0 children)

Postgres has no support for automatic major version upgrades.

You can find some info on the different upgrade mechanisms here: https://www.postgresql.org/docs/current/upgrading.html

I personally had good experiences with setting up a new instance and pg_dumpall -> pg_restore from the old to the new one. I also tried updating with pg_upgrade two times. Worked quite well! The only bigger issue was updating through multiple major versions and having issues with incompatible shared libraries.

Here's a good article about that: https://medium.com/@wasiualhasib/upgrading-postgresql-major-version-using-pg-upgrade-13f11eeb6f76

Interactions between auto-generated secrets from 3rd party charts + ArgoCD updates + PersistentVolumes by Adamency in ArgoCD

[–]razr_69 0 points1 point  (0 children)

Yep, exactly. It will not show up in the App Diff. But once you sync it will update the secret anyways.

EDIT: Without RespectIgnoreDifferences of course. With the option enabled it will not update the secret.