Hello folks. Long-time reader, and I decided to make an account because I find resources like this rather difficult to find. Here is my stack and where I stand at the end of phase 1 of my sudden interest in privacy and security. I started ~2 months ago, but most of this time has been spent learning the CLI and starting projects over multiple times. As such, I might be misunderstanding something completely. If you don't mind taking a look and alerting me to any major flaws or oversights, I'd be absolutely grateful.
The router is a GL-MT3000 from GL.iNet, flashed with stable OpenWrt 25.12.1. I have created a trusted Wi-Fi network on both bands, a guest Wi-Fi network on 5 GHz and an IoT Wi-Fi network on 2.4 GHz. The guest and IoT networks are isolated from one another and from the overall network, but through (masquerading?) I am able to AirPlay from my trusted network to a device on my IoT network. I have measured the optimal channels and set them manually, and I check frequently to reset them.
I have irqbalance installed to take advantage of the two cores in my hardware, and SQM installed with Cake / layer_cake.qos and optimal settings for a cable connection.
I have uHTTPd set up to self-sign a certificate and redirect LuCI to HTTPS. I have SSH moved to port 2222 and keyless sign-on enabled through my main device. My account password is 14+ characters and unique.
I have WireGuard installed to use Mullvad VPN, on the closest server not in my country, which is a rented server, so perhaps I should switch? I have a firewall setting to ensure all network traffic has to go through WireGuard to reach the internet.
On a separate mini-PC I have Technitium DNS running with no forwarder, only allowing authoritative and recursive lookup. I have DNSSEC, QNAME minimization, QNAME capitalization, and additional packages for HTTP/3/QUIC, but it is set to use TLS for now. I have Hagezi Ultimate, Threat Intelligence, Badware, Fake, Abused TLDs, DynDNS and Rebind. I have considered additional ones, but I'm unsure. This device has 8 GB RAM free, so blocklists don't need to be light.
Stats for the DNS over 24 hours are… wild? 7500 queries, 7 server failures, 3553 NXDOMAIN, 2667 recursive, 1320 cached, 3520 blocked, with the one client being my router. The top blocked domains are all Apple. The most frequently connecting devices are Apple and, shockingly, the Switch 2. Phoning home all day long.
So far… I am not sure I am using this right, but the creator assures it's set and forget! I did have to set the SOCKS5 proxy to use Mullvad's to get ANYTHING to resolve, but that's likely due to a firewall rule.
I was setting DNS manually per device before, but I am now letting everything flow through the router for more privacy, as it's all "logged" under one IP.
In the future I'd like to disable the Wi-Fi in the Beryl-AX and use an Eero Pro 6 to broadcast mesh; ideally I would have liked to use both, but that doesn't seem possible.
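For readers wanting to reproduce the zone layout described above (trusted / guest / IoT segments, everything forced through the WireGuard tunnel, one-way AirPlay access from trusted into IoT), here is an added OpenWrt fw4 firewall fragment. It is an illustration written for this thread, not the poster's actual configuration, and it assumes interface names that the post does not give: the WireGuard interface is 'wg0', and the guest and IoT networks are OpenWrt interfaces named 'guest' and 'iot'.

```uci
# /etc/config/firewall (fw4), trimmed to the zones and forwardings that matter.
# Assumed names: WireGuard interface 'wg0', guest/IoT interfaces 'guest' and 'iot'.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted LAN: full access to the router; its only way out is the vpn zone.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Physical WAN. There is deliberately no 'config forwarding' with dest 'wan',
# which is the kill switch: if wg0 is down, client traffic is dropped rather
# than leaking to the ISP. The router's own output (the WireGuard handshake,
# NTP, package downloads) is still allowed, since that is output, not forward.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# VPN tunnel: the only zone clients may be forwarded into.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Guest and IoT: isolated from each other and from lan because no forwarding
# stanza connects them; they reach the router only via the rules further down.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'guest'
	option dest 'vpn'

config forwarding
	option src 'iot'
	option dest 'vpn'

# One-way exception: trusted devices may open connections into the IoT segment
# (AirPlay streams). Replies come back on the established conntrack entry, so
# no iot -> lan forwarding is needed.
config forwarding
	option src 'lan'
	option dest 'iot'

# Guest/IoT clients still need DHCP and DNS from the router itself.
config rule
	option name 'Allow-DHCP-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

Two checks worth running after `/etc/init.d/firewall restart`: `fw4 print` shows the nftables rules fw4 actually generated, so you can confirm there is no forward rule from any client zone into wan; and bringing the tunnel down (`ifdown wg0`) from a LAN client should make internet access fail outright rather than fall back to the ISP path. One caveat on the AirPlay exception: the forwarding above carries the stream itself, but AirPlay discovery uses mDNS, which does not cross subnets on its own, so devices only appear in the picker if an mDNS reflector (for example avahi-daemon with enable-reflector=yes) bridges the lan and iot interfaces.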