Your home router is the single device that handles all network traffic for every device you own. Most consumer routers run proprietary firmware that phones home to the manufacturer, rarely gets security patches, and exposes your network through insecure defaults like UPnP. OpenWrt is a Linux-based open-source firmware that replaces all of that with a transparent, fully configurable system.
Is Your Router Supported?
Before anything else, check the OpenWrt Table of Hardware. Search for your router’s exact model and hardware revision (the version number printed on the label). The page will tell you whether a stable build is available, which features are supported (WiFi speeds, USB, etc.), and any installation caveats.
Well-supported routers include:
- TP-Link Archer series (many models)
- Netgear R7800, R9000
- GL.iNet travel routers (ship with OpenWrt pre-installed)
- Linksys WRT3200ACM
Avoid buying an unsupported router specifically for OpenWrt — the hardware support table is your friend before purchase.
Installing OpenWrt
The installation process varies by device. The general steps for routers with a web-based firmware upload:
- Download the correct factory image from the OpenWrt downloads page for your exact model.
- Log into your router’s existing admin panel.
- Navigate to Firmware Update or equivalent.
- Upload the OpenWrt factory image and wait for the reboot.
Do not use a sysupgrade image for initial installation. Factory images are for fresh installs; sysupgrade images are for upgrading existing OpenWrt installations.
After installation, access the OpenWrt admin panel (LuCI) at http://192.168.1.1. Set a root password immediately — the default has no password.
# Via SSH
ssh [email protected]
passwd
Disabling Manufacturer and OpenWrt Telemetry
OpenWrt itself has minimal telemetry, but some packages check for updates in ways that reveal your IP. Disable automatic update checks:
In LuCI: System > Software > Configuration Uncheck Check for updates on startup.
Remove the opkg package check ping if present:
opkg remove attendedsysupgrade-common 2>/dev/null
Also disable the NTP server ping if you are using a local time server:
# /etc/config/system
config timeserver 'ntp'
option enabled '1'
option enable_server '0'
list server 'time.cloudflare.com'
DNS-over-TLS with Stubby or Unbound
By default, OpenWrt uses dnsmasq for DNS, which forwards queries in plaintext to whatever upstream resolver you configure. Add DNS-over-TLS to encrypt these queries.
Install Stubby:
opkg update
opkg install stubby luci-app-stubby
Configure Stubby to use a privacy-respecting upstream:
# /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
- address_data: 194.242.2.2
tls_auth_name: "extended.dns.mullvad.net"
tls_port: 853
listen_addresses:
- 127.0.0.1@5453
Then tell dnsmasq to forward to Stubby:
# /etc/config/dhcp
config dnsmasq
option noresolv '1'
list server '127.0.0.1#5453'
Restart services:
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart
Verify with:
dig @127.0.0.1 -p 5453 example.com
VLAN Isolation for IoT Devices
Smart TVs, cameras, and IoT devices are notoriously insecure and often phone home aggressively. VLAN isolation puts these devices on a separate network segment that cannot communicate with your trusted devices.
Create an IoT VLAN in LuCI:
-
Network > Interfaces > Add New Interface
- Name:
IOT - Protocol: Static address
- Address:
10.20.0.1/24
- Name:
-
Network > Wireless > Add
- Create a new WiFi network (SSID: “IoT-Network”)
- Assign it to the
IOTinterface
-
Network > Firewall > Add Zone
- Name:
iot - Input:
REJECT - Output:
ACCEPT - Forward:
REJECT - Covered networks:
IOT
- Name:
-
Add a forwarding rule: Allow
iotzone to forward towan(so IoT devices can reach the internet), but do NOT allow forwarding fromiottolan.
This ensures your smart speaker cannot communicate with your laptop, even if it is compromised.
Disabling UPnP
Universal Plug and Play (UPnP) allows applications to automatically open ports on your router. Malware and misconfigured apps abuse this to expose your devices to the internet without your knowledge.
Check if UPnP is running:
ps | grep mini
If miniupnpd is running, disable it:
/etc/init.d/miniupnpd stop
/etc/init.d/miniupnpd disable
Or in LuCI: Services > UPnP and toggle off Start UPnP and NAT-PMP service.
If specific applications need port forwarding, configure it manually under Network > Firewall > Port Forwards.
Firewall Zone Hardening
OpenWrt’s default firewall is reasonable but can be tightened.
Ensure the WAN zone rejects all inbound connections:
# /etc/config/firewall
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
Disable IPv6 if you do not use it (reduces attack surface):
opkg remove odhcp6c
# In /etc/config/network, remove or comment out IPv6 sections
Enable SYN flood protection:
# /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
Drop invalid packets:
# Add to /etc/firewall.user
iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP
Additional Hardening Steps
Disable SSH password authentication (use key-based auth):
# /etc/config/dropbear
config dropbear
option PasswordAuth 'off'
option RootPasswordAuth 'off'
Upload your public key:
ssh-copy-id [email protected]
Change the default LAN IP to avoid subnet collision with VPNs:
If you use a VPN that assigns 192.168.1.x addresses, you will have routing conflicts. Change your router’s LAN to 10.0.0.1/24 under Network > Interfaces > LAN.
Enable automatic security updates:
opkg install auc # attended sysupgrade client
OpenWrt with these settings gives you a router that respects your network rather than reporting back to a manufacturer, protects your DNS queries, and isolates untrusted devices from your main network. It is the privacy foundation that every other tool in your stack builds on.