FritzBox 4040, flash OpenWrt, commissioning WireGuard
comprehensive manual
The following manual is based on the knowledge of other users, which I collected over weeks. It is not possible to list all the sources I found.
Please feel free to use, add to and publish this guide.
FritzBox 4040
The 4040 is a router without a modem, so seen from the Internet it always sits in second place, behind a modem or upstream router. Default LAN IP: 192.168.178.1
It is very important to know that the memory of the box is divided into several partitions and that the bootloader lives on a partition that is neither touched nor changed during a reset, nor when the original AVM software is restored with the recovery tool, nor during flashing.
This means that the bootloader normally stays accessible as long as the flash memory is not destroyed and the box boots. In the first seconds of booting you can reach it via a rudimentary FTP server.
For a recovery to the original software this is not important. Download the appropriate recovery tool from AVM and follow AVM's instructions. If the electronics of the box are functional, the installation of the original software runs by itself.
Flash the box with a suitable third-party software, here OpenWrt.
The best way to do this is to set your PC to IP 192.168.178.10 or higher with the default gateway set to 192.168.178.1, connect a switch between PC and FritzBox, and disconnect the box from power. Because of the default gateway the PC immediately looks for the box at this IP, and because of the switch the network interface of the PC is already up, so no valuable seconds are lost.
If you use Linux, open a console and type the command:
ftp -n -v -p 192.168.178.1
but do not send it yet.
Then plug the box into the power cable and count from the moment of plugging in, without haste and without stumbling, i.e. at a completely normal speed:
twenty-one, twenty-two ... twenty-six, and at that moment press the Enter key on the PC to send the prepared ftp command.
If the short time window in which the box is reachable via ftp has been hit, the box answers with:
Connected to 192.168.178.1 (192.168.178.1).
220 ADAM2 FTP Server ready
Continue one after the other with the following commands on the console (always pay attention to the correct spelling):
quote USER adam2
quote PASS adam2
quote MEDIA FLSH
binary
(Now it is very important that you have downloaded the correct binary from the OpenWrt website.
For flashing the box from the original software to OpenWrt you absolutely need the binary
openwrt-*-4040-squashfs-eva.bin (recognizable by the "eva" in the name).
For upgrading the box from one OpenWrt version to the next you use only the
openwrt-*-4040-squashfs-sysupgrade.bin file.)
With the command on the console
put openwrt.bin mtd1
you push the binary to the box with the existing FTP connection.
(openwrt.bin is a placeholder here for the downloaded openwrt-*-eva.bin.
If the binary is stored on Linux under /home/User/, no path is necessary. Otherwise use /path/to/binary/*.bin.)
If everything runs correctly you get the following output on the console:
local: openwrt.bin remote: mtd1
227 Entering Passive Mode (192,168,178,1,12,0)
150 Opening BINARY data connection
226 Transfer complete
5505028 bytes sent in 24,7 secs (223,21 Kbytes/sec)
After that you can check the transfer with the command:
quote check mtd1
and if it worked you will get the message:
150 Flash check 0x9F288C3D
If this or a similar message does not appear, something did not work and you can start again. (Then check whether you really have the right binary for the flash process.)
If everything worked, end the ftp session with the command quit, disconnect the box from power and set your PC to the IP 192.168.1.10 or higher. With OpenWrt the box can be reached under the IP 192.168.1.1.
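The flash procedure above as a script (an added example, not part of the original guide). It assumes the box answers on 192.168.178.1, the PC already has a 192.168.178.x address, and nc and ftp are installed; it polls for the bootloader instead of counting seconds, and refuses anything that is not an eva image.

```shell
#!/bin/sh
# Added example, not from the original guide: the EVA/ADAM2 flash procedure
# as a script. Assumes the box is at 192.168.178.1, the PC already has a
# 192.168.178.x address, and nc and ftp are installed. Start it, then plug in
# the box's power; it polls for the bootloader instead of counting seconds.
BOX=192.168.178.1

# Only an *-eva.bin image may go through the bootloader; a sysupgrade image
# pushed this way leaves the box without a bootable system.
is_eva_image() { case "$1" in openwrt-*-4040-squashfs-eva.bin) return 0;; *) return 1;; esac; }

# Pull the CRC out of the "150 Flash check 0x...." reply; prints nothing if
# the reply is missing, which means the write must not be trusted.
flash_check_value() {
  printf '%s\n' "$1" | sed -n 's/^150 Flash check \(0x[0-9A-Fa-f]*\).*/\1/p'
}

# Poll port 21 for up to 60 s; the bootloader listens only for a few seconds
# right after power-on.
wait_for_eva() {
  n=0
  while [ "$n" -lt 120 ]; do
    nc -z -w 1 "$BOX" 21 2>/dev/null && return 0
    n=$((n + 1)); sleep 0.5
  done
  return 1
}

# Push the image to mtd1 and verify it: exactly the commands from the guide.
flash_image() {
  img=$1
  is_eva_image "$(basename "$img")" || { echo "refusing: not an eva image" >&2; return 2; }
  wait_for_eva || { echo "bootloader window missed; power-cycle and retry" >&2; return 3; }
  out=$(ftp -n -v -p "$BOX" <<EOF
quote USER adam2
quote PASS adam2
quote MEDIA FLSH
binary
put $img mtd1
quote check mtd1
quit
EOF
)
  crc=$(flash_check_value "$out")
  [ -n "$crc" ] || { echo "no flash check reply; do not power off, retry" >&2; return 4; }
  echo "flash check ok: $crc"
}

if [ $# -eq 1 ]; then flash_image "$1"; fi
```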
The 1st boot process after flashing takes a few minutes and when the LAN LED is on you can call the box in the browser via 192.168.1.1.
After the 1st boot there is no password for the new OpenWrt yet. So this is then the 1st task.
Under Network/Interfaces, set up your internal network under "LAN" as you wish (then, of course, move the PC to this network again) and the network to the outside under "WAN". My experience is that at the beginning it is better to set the WAN side to DHCP so that the box gets its IP from the modem or upstream router. Then Internet access usually works immediately.
Done! OpenWrt is installed and working.
Before you continue, please update your box under System/Software.
Select "Updates" and click on "Update lists..." in the upper right corner.
Confirm the window that appears at the bottom and then "install" package by package.
WireGuard
For WireGuard I installed the following packages on version 22.03.3:
wireguard-tools
kmod-wireguard
luci-app-wireguard
luci-proto-wireguard
wg-installer-server
qrencode
Additionally I installed Midnight Commander ("mc") and the editor nano for work via ssh.
No additional packages are required for access via ssh!
Preparation for a WireGuard VPN
Example: the OpenWrt router has the IP 192.168.0.1
First check whether there is an old entry for this IP in /home/USER/.ssh/known_hosts. If so, delete it.
Then on the console
ssh root@192.168.0.1
At the first login via ssh you will be asked whether you accept the host key, and then for the root password. This is the password you set for OpenWrt.
If you are successfully logged in the following screen appears:
BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 OpenWrt 22.03.3, r20028-43d71ad93e
root@OpenWrt:~#
Now you can create the keys for WireGuard right here, without any further preparation:
wg genkey > wg.sec
with:
cat wg.sec
you will see the private key. Copy it to a text document.
wg pubkey < wg.sec > wg.pub
creates the public key of the server
cat wg.pub
shows the public key of the server. Copy it to a text document.
Both keys should be marked accordingly, because they must not be mixed up!
Now we close the ssh connection and log in to the OpenWrt web interface.
Create a new firewall zone via "Network/Firewall" ("Add"). Name it "VPN" and set "Input", "Output" and "Forward" to "accept", "accept" and "reject". Check "Masquerading" and "MSS clamping". Allow "lan" for "Allow forward to destination zones" and confirm with "Save". Switch to the "NAT Rules" tab and add a new rule with the name "VPN". In "Source address" enter the WireGuard network "192.168.20.0/24" in the "Custom" field and press Enter.
(For the WireGuard network you can also use any other network in the private area. It must only not be identical with the network between modem and router or between router and LAN in the home network! Important here is the /24)
If not inserted automatically, set the "Outbound Zone" to "lan". Finally change the "Action" to "Masquerade".
Create WireGuard server
In the OpenWrt web interface, switch to "Network/Interfaces" and create a new interface with "Add new interface". Name this "WG0" and select "WireGuard VPN" as the protocol.
In the following window, copy the "Private Key" from the text file into the corresponding field, set the "Listen Port" to 51902 and add the interface address "192.168.20.1/24".
In the "Firewall Settings" set "VPN" as zone. After that, your WireGuard interface is ready to configure the devices that you want to use to access your network from outside: the clients, called "peers".
To make the WireGuard server reachable from the outside, create a port forward for port 51902 in your home router. Select "UDP" as the protocol and your OpenWrt router as the destination. Be sure to enable the port forward for both IPv4 and IPv6.
For me everything worked only after I created a new rule under Firewall/Port Forwards:
Name: (freely selectable)
Protocol: UDP
Source zone: WAN
External Port: (the port which is used in the whole Wireguard network for servers and peers.)
Destination zone: VPN(WG0)
Internal IP address: (IP of the Wireguard server)
Internal Port: (the port used in the whole Wireguard network for servers and peers).
→ save → save & apply
Bringing clients home
The WireGuard client software is available for all major operating systems such as Windows, macOS, Linux, Android and iOS: while there are visual differences, the required parameters are the same everywhere and are either displayed as a form or have to be entered manually. Open WireGuard on your client and create a new configuration with the following parameters:
[Interface]
PrivateKey=
Address=192.168.20.2/32
MTU=1400
[Peer]
Endpoint=:51902
PublicKey=
AllowedIPs=192.168.20.0/24, 192.168.1.0/24
(Here again enter the network of your choice. It is very important to have /32 and /24 in the right places! In my experience MTU= can be left empty.)
Peers
In the OpenWrt web interface, switch to the configuration of your WireGuard interface ("Edit") in the network overview and then to the "Peers" tab. Create a new configuration with "Add Peer", copy the public key of your client into the corresponding field, enter "192.168.20.2/32" as "Allowed IPs" and check "Route Allowed IPs". Then confirm all settings with "Save" and "Save & Apply".
Then establish an alternative Internet connection on the client - for example, via mobile radio - and activate the WireGuard connection. In OpenWrt under "Status/WireGuard Status", you can see whether the connection has been successfully established using the "Latest Handshake" item. Also check whether you can reach destinations in your home network. If not, check the "AllowedIPs" and the NAT configuration.
Set up additional WireGuard clients like the first one, but increment the "Address" in the client configuration and the "Allowed IPs" in the OpenWrt peer by one, i.e. "192.168.20.3/32", "192.168.20.4/32" and so on. (amo)
When everything is entered, please don't forget to restart the interfaces under Network/Interfaces one by one.
When I rebooted OpenWrt completely once more and really activated the peers, e.g. on the cell phone, I immediately had the connection indication under Status/WireGuard and thus the confirmation of success.
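The server, zone and peer steps above as uci commands plus a helper for the peer addresses and client config (an added example, not from the original guide). It uses the guide's names (wg0, zone VPN, 192.168.20.0/24, port 51902); ENDPOINT and SERVER_PUB are placeholders, and the NAT rule and the port forward on the home router are not included.

```shell
#!/bin/sh
# Added example, not from the original guide: the LuCI clicks above as uci
# commands, plus helpers that derive each peer's address and client config.
# Uses the guide's names (wg0, zone VPN, 192.168.20.0/24, port 51902);
# ENDPOINT and SERVER_PUB are placeholders you fill in.
WG_NET=192.168.20
WG_PORT=51902
ENDPOINT=${ENDPOINT:-"<public address or DDNS name of the home router>"}
SERVER_PUB=${SERVER_PUB:-"<contents of wg.pub from the router>"}

# Peer n is 192.168.20.(n+1)/32: /32 on the peer, /24 only on the interface.
peer_address() { echo "$WG_NET.$(( $1 + 1 ))/32"; }

# Client config for peer n with private key $2; [Peer] is the OpenWrt router.
client_conf() {
  printf '[Interface]\nPrivateKey=%s\nAddress=%s\n\n' "$2" "$(peer_address "$1")"
  printf '[Peer]\nEndpoint=%s:%s\nPublicKey=%s\nAllowedIPs=%s.0/24, 192.168.1.0/24\n' \
    "$ENDPOINT" "$WG_PORT" "$SERVER_PUB" "$WG_NET"
}

# On OpenWrt: the WG0 interface and VPN zone from the guide (server key in $1).
setup_router() {
  uci set network.wg0=interface
  uci set network.wg0.proto='wireguard'
  uci set network.wg0.private_key="$1"
  uci set network.wg0.listen_port="$WG_PORT"
  uci add_list network.wg0.addresses="$WG_NET.1/24"
  uci add firewall zone >/dev/null
  uci set firewall.@zone[-1].name='VPN'
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].output='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].mtu_fix='1'
  uci add_list firewall.@zone[-1].network='wg0'
  uci add firewall forwarding >/dev/null
  uci set firewall.@forwarding[-1].src='VPN'
  uci set firewall.@forwarding[-1].dest='lan'
  uci commit network; uci commit firewall
}

# On OpenWrt: register peer n with public key $2 ("Route Allowed IPs" = 1).
add_peer_on_router() {
  uci add network wireguard_wg0 >/dev/null
  uci set network.@wireguard_wg0[-1].description="peer$1"
  uci set network.@wireguard_wg0[-1].public_key="$2"
  uci add_list network.@wireguard_wg0[-1].allowed_ips="$(peer_address "$1")"
  uci set network.@wireguard_wg0[-1].route_allowed_ips='1'
  uci commit network && ifup wg0
}
```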
Thank you very much to all those I was able to learn from!