How do you decide to trust a router?

Hi.

New to posting but longtime security/privacy nerd.

I’ve been looking at an OSS software+hardware router product. It seems to be a small project at this point without a lot of reputation online. The security features have piqued my interest though. The big and unique one for me: Each networked device gets its own /30 subnet.

If appropriate I can post a link. Seeing that my account is new I don’t want the appearance of shilling anything.

My threat model: malware/viruses/etc.; surveillance capitalism; home LAN. State actor are specifically _not_ part of my model.

As I said, it’s OSS but I’m no network engineer. I could read the code but assessing the quality would be beyond me. Which leaves me with: how do you decide to trust something as important as a router? Right now I’m running a router that is less-than-ideal but a known entity.

1 Like

I find it hard to trust almost any router. I don’t think any of them offer anything resembling secure boot or verified boot and they’re usually running an outdated Linux or bsd kernel. I don’t feel like I could ever be confident that my router isn’t compromised, so I don’t really view it as trusted.

6 Likes

It would have to be administrated, configured, and maintained by me alone.

Protectli Vault (Pro) can utilize Secure or Measured Boot:

Based on an example test result from 3mdeb targeting the Protectli VP6670 for their latest Dasharo Coreboot firmware release on June 6th, 2025, UEFI Secure Boot is supported for both Ubuntu and Windows (#L105 and #L106), while Measured Boot, also known as verified boot, is supported for Ubuntu (#L75):

Related:

1 Like

Would an OpenWrt One be suitable?

If that isn’t enough and you want something more capable (x86-based) you could build your own. Almost any PC equipped with a dual NIC card can be quite easily turned into a Linux router.

5 Likes

This is interesting. Where exactly does it leave you though? Clients would be locked down. Do you bother with VLANs, force redirecting DNS, etc. or just treat everything as compromised and pointless to compartmentalize?

1 Like

It would probably be fine and definitely an upgrade from what I’m on now.

This one particular project I found though enforces microsegmentation. Every device on my network would be assigned its own /30 VLAN (without the overhead of me creating a ton of VLANs myself). Very few devices need to talk to each other and the ones that do, do so over Tailscale.

1 Like

Does your threat model really warrant such thinking when there is open source firmware you can install on routers? You don’t even trust such routers?

2 Likes

Everyone has different threat models, use cases, and workflows, so solutions will differ between individuals.

Yes. I am aware. But there is only so careful you can be with tech in general and installing the right software on the right hardware. If there is still a trust issue, then I have to ask what I asked.

In such a case, I don’t know how one can be online in the first place.

1 Like

Sure, then I can give a few example attack surfaces for your convenience:

  1. Boot firmware (bootloaders and payloads).
  2. CPU microcode and binary blobs.
  3. Supply chain infrastructure.

These are all related to the RoT and CoT concepts referenced by @fria.

I think that fria spoke in general: unless you can prove that there is no tampering with the firmware (even if the software is FOSS), you have no way to trust a router 100%.

Realistically, if you don’t have strangers coming in and out from your place on a daily basis, you should be fine.
Moreover, most people just go on the Internet with the most insecure and default box from their ISP, hence anything with OpenWrt on it will be better than the defaults and a significant jump in security.

Yet nothing will ever be bullet-proof and the hardware can still call home etc.
So yes, depends where you draw the line. :grinning_face_with_smiling_eyes:


I’m fine with fully wiping the default ROM and having OpenWrt on it.
Good enough for me. :+1:t2:
Yet, secure boot sounds quite cool too if enforceable but I am not sure a lot of devices from this list support that.

If you have the money and need, why not enforce that one indeed. :100:
More peace of mind, datacenter kind of security haha! :locked:

3 Likes

I assume you meant “phone home”.

In your hyperlinked post, Protectli is referenced in its own list under the first horizontal rule, which is the same URL referenced in the first onebox I shared earlier in this topic along with the 3mdeb example test results.

1 Like

Typo yes, just fixed. :folded_hands:

Yes. Mostly wanted to bring attention to other potential nice routers.

At the end of the day, best idea is to look on OpenWrt’s forum for secure boot compatible hardware. :+1:
Mostly trying to have a one-stop-shop reference for all the links that I do see available/discussed on this forum in an easy-to-search topic, rather than going over 50 different topics for newcomers; been there, it’s very daunting to do…

1 Like

Just act like the router is already compromised.

If you know Linux networking well or are up for a challenge you can build your own router with a mini PC that has more than one network port or wired and wireless interfaces (if you don’t need wired LAN connectivity and just want a wireless router).

You really just need to enable IP forwarding (sysctl -w net.ipv4.ip_forward=1) and configure nftables rules to do NAT and only allow connectivity from LAN to WAN and not vice versa (which isn’t actually that complex of a ruleset).

Example nftables.conf (relevant chains only; you’d definitely also want input and output chains, but those aren’t related to router functionality directly):

define wanif = "eth0"   # placeholder interface names, adjust to your hardware
define lanif = "eth1"

table inet filter {

...

    chain forward {
        type filter hook forward priority filter; policy drop;
        # new connections are only allowed from the LAN side towards the WAN
        iif $lanif oif $wanif accept
        # replies to connections the LAN side opened may come back
        ct state { established, related } accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # rewrite the source address of outgoing packets to the WAN interface address
        iif $lanif oif $wanif masquerade
    }

...

}

This should allow forwarding traffic from LAN to WAN, SNATed to the WAN interface IP, and allow only return traffic related to connections initiated from the LAN to return from WAN to LAN. This plus a basic DHCP server would give you bare minimum home router functionality.

1 Like
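The bare-minimum router described in the post above, carried through as an added example (this is not the poster’s ruleset or any project’s code): a POSIX shell script that renders a complete nftables.conf, including the input chain the post says you would also want, and applies it together with IP forwarding. The interface names, the LAN prefix and the set of locally offered services (SSH, DNS, DHCP from the LAN side only) are assumptions; adjust them to your hardware.

```shell
#!/bin/sh
# Added example, not code from the post above: renders a complete nftables.conf
# for a two-interface Linux router and applies it with IPv4 forwarding enabled.
# WAN_IF, LAN_IF and LAN_NET are assumptions; set them for your own hardware.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# render_ruleset WAN LAN LAN_NET: print the full ruleset to stdout (no root needed).
render_ruleset() {
    wan="$1"; lan="$2"; lannet="$3"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

define wanif = "$wan"
define lanif = "$lan"
define lannet = $lannet

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state { established, related } accept
        ct state invalid drop
        # services the router itself offers, reachable from the LAN side only;
        # nothing unsolicited is accepted on the WAN interface
        iif \$lanif ip saddr \$lannet tcp dport { 22, 53 } accept
        iif \$lanif udp dport { 53, 67 } accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # new connections may only go LAN -> WAN ...
        iif \$lanif oif \$wanif accept
        # ... and only their replies are allowed back WAN -> LAN
        ct state { established, related } accept
        ct state invalid drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # source NAT everything that leaves through the WAN interface
        oif \$wanif masquerade
    }
}
EOF
}

# ip_forward_enabled: succeeds only if the kernel currently forwards IPv4.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# apply_router: needs root. The ruleset is syntax-checked (nft -c) before it is
# loaded, so a typo cannot leave the box with an empty ruleset and no firewall.
apply_router() {
    sysctl -w net.ipv4.ip_forward=1
    render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" > /etc/nftables.conf
    nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
}

case "${1:-}" in
    render) render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    apply)  apply_router ;;
esac
```

Run it with `render` to inspect the generated file, and with `apply` as root to install it. Note that `sysctl -w` is not persistent across reboots; put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ and enable the distribution’s nftables service so the ruleset is reloaded at boot, otherwise the box comes back up forwarding nothing.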