FritzBox LAN 2 LAN VPN with pfSense

In this article I described how to set up a FritzBox LAN 2 LAN VPN with StrongSwan. Meanwhile I have replaced Ubuntu on the server with pfSense, so of course I had to set up my FritzBox VPN connections again. Here is a tutorial on how to set up a FritzBox LAN 2 LAN VPN with pfSense.

The prerequisites remain the same in comparison to the StrongSwan instructions:

  • Register your FritzBox with a DynDNS service (e.g. and find your FritzBox domain name (e.g.
  • Find your FritzBox’ private subnet, typically
  • Find (or define) the subnet on the remote site, e.g.
  • Find the hostname of the remote site, e.g.
  • Define a secret secret, e.g. S3cret123! (no, please do not use that, that’s my secret secret!)

Configure your FritzBox

Last time I presented a large configuration file that had to be imported into the FritzBox to set up the VPN connection. In the meantime I have found which encryption and hashing algorithms the FritzBox uses by default, so that we can simply use the default settings of the FritzBox and therefore the web interface built into FritzOS 7.x:

Configure pfSense

The pfSense configuration is similarly simple:

Screenshot: IPSec Phase 1 Configuration
Screenshot: IPSec Phase 2 Configuration

In my opinion, it’s pretty easy to set up a FritzBox LAN 2 LAN VPN with pfSense. The only hard thing is to figure out the preferred encryption and hashing algorithms supported by the FritzBox.

I have this running now with pfSense 2.4.4 with both a FritzBox 7490 and a FritzBox 7590.

An additional note: sometimes a Dual Stack connection does not seem to be completely stable. In this case it helps to set Internet Protocol to IPv4 in phase 1.
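As an added example that is not part of the original article (nor code from pfSense or AVM), here is a small pre-flight checker for the prerequisites listed above: it verifies that the two LAN subnets are valid, private and disjoint, that the pre-shared key is not a throwaway like the one in the list, that the IKE identifiers match the rule from the comment thread (pfSense "My Identifier" equals the FritzBox "Internet-Adresse" entry, "Peer Identifier" equals the FritzBox's own DynDNS name), and that a peer resolving to both IPv4 and IPv6 gets the phase 1 IPv4 recommendation from the note above. All hostnames, subnets, addresses and keys in it are constructed placeholders, and `SiteConfig` and the `check_*` functions are names chosen for this example.

```python
"""Pre-flight checks for a FritzBox <-> pfSense LAN-to-LAN IPsec setup.

Added example, not code from the article or from pfSense/AVM. Every
hostname, subnet, address and key below is a constructed placeholder.
"""
import ipaddress
import string
from dataclasses import dataclass, field


@dataclass
class SiteConfig:
    fritzbox_dyndns: str            # FritzBox's external (e.g. MyFritz) name
    fritzbox_lan: str               # private subnet behind the FritzBox
    pfsense_hostname: str           # external hostname of the pfSense gateway
    pfsense_lan: str                # subnet behind pfSense
    psk: str                        # pre-shared key used on both sides
    fritzbox_internet_adresse: str  # value typed into the FritzBox VPN dialog
    pfsense_my_identifier: str      # pfSense phase 1 "My Identifier"
    pfsense_peer_identifier: str    # pfSense phase 1 "Peer Identifier"
    peer_addresses: list = field(default_factory=list)  # resolved peer IPs


def check_subnets(lan_a: str, lan_b: str) -> list:
    """Both LANs must be valid, private and disjoint; overlapping subnets
    leave the phase 2 traffic selectors with no unambiguous route."""
    try:
        a = ipaddress.ip_network(lan_a, strict=True)
        b = ipaddress.ip_network(lan_b, strict=True)
    except ValueError as err:
        return [f"invalid subnet: {err}"]
    problems = []
    if a.version != b.version:
        problems.append("LAN subnets use different IP versions")
    elif a.overlaps(b):
        problems.append(f"LAN subnets {a} and {b} overlap")
    for net in (a, b):
        if not net.is_private:
            problems.append(f"{net} is not a private range")
    return problems


def check_identifiers(cfg: SiteConfig) -> list:
    """The comment thread's rule: the identifier strings must be identical
    on both sides, so compare them exactly (no case folding, no trailing dot)."""
    problems = []
    if cfg.pfsense_my_identifier != cfg.fritzbox_internet_adresse:
        problems.append("pfSense 'My Identifier' differs from FritzBox 'Internet-Adresse'")
    if cfg.pfsense_peer_identifier != cfg.fritzbox_dyndns:
        problems.append("pfSense 'Peer Identifier' differs from the FritzBox DynDNS name")
    return problems


def check_psk(psk: str) -> list:
    """Reject short or low-variety pre-shared keys (thresholds are this
    example's own choice: at least 20 characters and 3 character classes)."""
    problems = []
    if len(psk) < 20:
        problems.append("pre-shared key shorter than 20 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in psk) for cls in classes) < 3:
        problems.append("pre-shared key uses fewer than 3 character classes")
    return problems


def check_address_family(addresses: list) -> list:
    """The article notes that dual-stack tunnels can be unstable; if the peer
    has both v4 and v6 addresses, recommend pinning phase 1 to IPv4."""
    versions = {ipaddress.ip_address(a).version for a in addresses}
    if versions == {4, 6}:
        return ["peer has IPv4 and IPv6 addresses; set phase 1 Internet Protocol to IPv4"]
    return []


def preflight(cfg: SiteConfig) -> list:
    """Run every check; an empty list means the configuration is consistent."""
    return (check_subnets(cfg.fritzbox_lan, cfg.pfsense_lan)
            + check_identifiers(cfg)
            + check_psk(cfg.psk)
            + check_address_family(cfg.peer_addresses))


if __name__ == "__main__":
    # Constructed sample with two deliberate mistakes: a stray trailing dot in
    # the peer identifier and the article's throwaway key.
    sample = SiteConfig(
        fritzbox_dyndns="fritzbox-placeholder.myfritz.net",
        fritzbox_lan="192.168.10.0/24",
        pfsense_hostname="pfsense-placeholder.example.net",
        pfsense_lan="192.168.20.0/24",
        psk="S3cret123!",
        fritzbox_internet_adresse="pfsense-placeholder.example.net",
        pfsense_my_identifier="pfsense-placeholder.example.net",
        pfsense_peer_identifier="fritzbox-placeholder.myfritz.net.",
        peer_addresses=["203.0.113.10", "2001:db8::10"],
    )
    for line in preflight(sample):
        print("FAIL:", line)
```

Run it once with your real values before touching either web interface; the three findings the sample prints (peer identifier mismatch, weak key, dual-stack peer) are exactly the ones that otherwise show up only as a phase 1 that never completes or a tunnel that periodically drops.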

12 thoughts to “FritzBox LAN 2 LAN VPN with pfSense”

    1. Actually, it’s quite easy: pfSense’s “My Identifier”/”Distinguished Name” should be the same (host)name you enter in the FritzBox’ “Internet-Adresse”. It’s basically the hostname of your pfSense gateway. I guess entering an IP address should also be possible, but as far as I know it has to be the same value on both sides, so if you use an IP address for “Internet-Adresse”, you should enter this IP address also as “My Identifier”/”Distinguished Name”.

      pfSense’s “Peer Identifier”/”Distinguished Name” has to be the (primary) external hostname of your FritzBox. I’ve only tried it with MyFritz DynDNS service, so the MyFritz name ( is the right one here. With other DynDNS services try its respective hostname.

      Please let me know if you got it working 🙂

      1. …did not manage to get it working. But using OpenVPN site to site is surprisingly easy and sufficient till WireGuard makes it into the BSD kernels…

  1. From my Fritz!Box network I can see LAN PCs on pfSense, but from pfSense I can't see any PC on the Fritz!Box.

      1. PING, BROWSE etc.
        From my Fritz (network) I can connect to servers and computers in the pfSense network, but from the pfSense network I can't connect to the other side (Fritz network).

        1. Could be a routing issue. Please check your Outbound NAT settings/firewall configuration. Or maybe the target system blocks pings. Please notice: I can’t ping my FritzBox from pfSense, but I can access its web interface (no idea why).

  2. Hi Matthias!
    Is your setup still running? I cannot get the tunnel to establish between my 7590 and the pfSense box… I tried everything you said and 1000 other things. No luck.

  3. Hi Matthias,

    it works perfectly with modern FritzBoxes running OS 7, e.g. 7.21.
    It also seems to work basically for my older FritzBox 7390 running on FritzOS 6.86. I had to change both phases to use 3DES and SHA-1.
    But the connection there seems to be reestablished after e.g. around 200 seconds.
    Do you know better parameters? I got it working this far also without a specific config file, just with the parameters set in the FritzBox standard GUI.
