FritzBox 4040, flash OpenWrt, commissioning WireGuard

FitzBox 4040, flash OpenWrt, commissioning WireGuard

comprehensive manual

The following manual is based on the knowledge of other users, which I collected over weeks. It is not possible to list all the sources I found.

Please feel free to use, add to and publish this guide.

FritzBox 4040

The 4040 is a router that has no modem and therefore always works on the 2nd place, seen from the Internet. Standard Lan-IP

It is very important to know that the memory of the box is divided into several partitions and the bootloader is located on a partition that is neither touched nor changed during reset, nor recover the original software from AVM with the recovery tool, nor during flashing.

This means that the bootloader is usually accessible as long as the memory is not destroyed and the box boots. In the first seconds of booting you can get access via a rudimentary ftp.

For a recover to the original software this is not important. You have to download the appropriate recovery tool from AVM and follow the instructions from AVM. If the electronics of the box is functional, the installation of the original software runs by itself.

Flash the box with a suitable third-party software, here OpenWrt.

The best way to do this is to set your PC to IP or higher and set the default gateway to, connect a switch between PC and FritzBox and disconnect the box from power. By setting the default gateway, the box immediately searches at this IP and

by the connection to the switch the network interface of the PC is already active and valuable seconds are not lost.

If you use LINUX you open a console and enter the command :

ftp -n -v -p

without sending it.

Then you plug the box to the power cable and count from the moment of plugging in without haste and without stumbling, thus completely normal speed:

twenty-one, twenty-two to sixand at that moment you press the enter key on the PC and send the prepared ftp command.

If the short time window in which the box is reachable via ftp has been hit, the box answers with:

Connected to (

220 ADAM2 FTP Server ready

Continue one after the other with the following command on the console (always pay attention to the correct spelling):

quote USER adam2

quote PASS adam2



(Now it is very important that you have downloaded the correct binary from the OpenWrt website.

For flashing the box from the original software to OpenWrt you absolutely need the binary:

openwrt-*-4040-squashfs-eva.bin is required! (recognizable by the eva in the name)

For upgrading the box from one OpenWrt version to the next, only the openwrt-*-4040-squashfs-sysupgrade.bin


With the command on the console

put openwrt.bin mtd1

you push the binary to the box with the existing FTP connection.

(openwrt.bin is here a placeholder for the downloaded Openwrt-*-eva.bin.

If the binary is stored at LINUX under /home/User/, no path is necessary. Otherwise: /path to binary/*.bin)

If everything runs correctly you get the following output on the console:

local: openwrt.bin remote: mtd1

227 Entering Passive Mode (192,168,178,1,12,0)

150 Opening BINARY data connection

226 Transfer complete

5505028 bytes sent in 24,7 secs (223,21 Kbytes/sec)

After that you can check the transfer with the command:

quote check mtd1

and if it worked you will get the message:

150 Flash check 0x9F288C3D

If this or similar message does not appear, something did not work and you can start again. (Then check if you really have the right binary for the flash process.

If all worked, end the ftp session with the command quite, disconnect the box from power and set your PC to the IP: or greater. The box can be reached with OpenWrt under the IP

The 1st boot process after flashing takes a few minutes and when the LAN LED is on you can call the box in the browser via

After the 1st boot there is no password for the new OpenWrt yet. So this is then the 1st task.

Under: Network/Interfaces you set up your internal network under "LAN" according to your wishes (then of course set the PC again to this network) and under "WAN" the network to the outside. Here I have made the experience that at the beginning it is better if you set the box to DHCP so that it gets the IP from the modem or upstream router. Then it usually works with the access to the Internet immediately.

Done! OpenWrt is installed and working.

Before you continue, please update your box under System/Software.

Select "Updates" and click on "Update lists..." in the upper right corner.

Confirm the window that appears at the bottom and then "install" package by package.


For the function with WireGuard I installed the following packages on version 22.03.3:







Additionally I installed the nightcomander "mc" and the editor nano for access via ssh.

No additional packages are required for access via ssh!

Preparation for a WireGuard VPN

Example: the OpenWrt router has the IP

First check if there is no entry for this IP in /home/USER/.ssh/known_hosts. If yes, please delete it.

Then on the console

ssh root@

At the 1st login via ssh you will be asked if you agree with the procedure and the password for root. This is the password you used for OpenWrt.

If you are successfully logged in the following screen appears:

BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)

| |.-----.-----.-----.| | | |.----.| |_

| - || _ | -__| || | | || _|| _|

|___|| |||||_____||| ||

|__| W I R E L E S S F R E E D O M

OpenWrt 22.03.3, r20028-43d71ad93e


now you can, without any further action, create the keys for WireGuard at this point:

wg genkey > wg.sec


cat wg.sec

you will see the private key. Couple this to a text document.

wg pubkey < wg.sec >

creates the public key of the server


shows the public key of the server. Copy it to a text document.

Both keys should be marked accordingly, because they must not be mixed up!

Now we terminate the ssh connection and log in to the OpenWrt.

Create a new firewall zone via "Network/Firewall" ("Add"). Name it "VPN" and set "Input", "Output" and "Forward" to "accept", "accept" and "reject". Check "Masquerading" and "MSS clamping". Allow "lan" for "Allow forward to destination zones" and confirm with "Save". Switch to the "NAT Rules" tab and add a new rule with the name "VPN". In "Source address" enter the WireGuard network "" in the "Custom" field and press Enter.

(For the WireGuard network you can also use any other network in the private area. It must only not be identical with the network between modem and router or between router and LAN in the home network! Important here is the /24)

If not inserted automatically, set the "Outbound Zone" to "lan". Finally change the "Action" to "Masquerade".

Create WireGuard server

In the OpenWrt web interface, switch to "Network/Interfaces" and create a new interface with "Add new interface". Name this "WG0" and select "WireGuard VPN" as the protocol.

In the following window, copy the "Private Key" from the text file into the corresponding field, set the "Listen Port" to 51902 and add the interface address "".

(for the WireGuard network you can also take any other network in the private area. It must only not be identical with the network between modem and router or between router and LAN in the home network! Important here is the /24)

In the "Firewall Settings" set "VPN" as zone. After that, your WireGuard interface is ready to configure the devices that you want to use to access your network from outside: the clients, called "peers".

To make the WireGuard server accessible from the outside, create a port share for port 51902 in your home router. Select "UDP" as the protocol and your OpenWrt router as the destination. Be sure to enable port sharing for both IPv4 and IPv6.

For me everything worked only after I created a new rule under Firewall/Port Forwards:

Name: (freely selectable)

Protocol: UDP

Source zone: WAN

External Port: (the port which is used in the whole Wireguard network for servers and peers.)

Destination zone: VPN(WG0)

Internal IP address: (IP of the Wireguard server)

Internal Port: (the port used in the whole Wireguard network for servers and peers).

→ save → save & apply

Bringing clients home

The WireGuard client software is available for all major operating systems such as Windows, macOS, Linux, Android and iOS: while there are visual differences, the required parameters are the same everywhere and are either displayed as a form or have to be entered manually. Open WireGuard on your client and create a new configuration with the following parameters:









(Here again enter the network of your choice. Very important is again /32 and /24 at the right places! MTU= can be left empty in my experience)


In the OpenWrt web interface, switch to the configuration of your WireGuard interface ("Edit") in the network overview and then to the "Peers" tab. Create a new configuration with "Add Peer", copy the public key of your client into the corresponding field, enter "" as "Allowed IPs" and check "Route Allowed IPs". Then confirm all settings with "Save" and "Save & Apply".

Then establish an alternative Internet connection on the client - for example, via mobile radio - and activate the WireGuard connection. In OpenWrt under "Status/WireGuard Status", you can see whether the connection has been successfully established using the "Latest Handshake" item. Also check whether you can reach destinations in your home network. If not, check the "AllowedIPs" and the NAT configuration.

Set up additional WireGuard clients like the first one, but increment the "Address" in the client configuration and the "Allowed IPs" in the OpenWrt peer by one, i.e. "", "" and so on. (amo)

When everything is entered, please don't forget to restart the /Network/Interfaces one by one.

When I completely rebooted OpenWrt again and the peers, e.g. on the cell phone were really activated, I immediately had the connection indication under Status/WireGuard and thus the confirmation of success.

Thank you very much to all those I was able to learn from!

BTW, there's a luci-app-wireguard - a lot of your setup could be done via web GUI.

Good guide!

How to flash Fritzbox 4040 with ftp and OpenWRT.

I made another important observation.

I reset a FritzBox 4040 to Fritz OS with the recovery tool from AVM and adjusted the LAN and WAN settings for my network. e.g.:

Later I tried to flash this box with ftp and OpenWRT. Strangely the bootloader did not respond to either or

When I booted the box completely, the FritzOS was still available at

So I started the recovery tool again without letting it finish flashing and looked at what IP the bootloader of the box was responding to.


Immediately the bootloader reacted to ftp -n -v -p and I could flash the box to OpenWRT.

Good success