I’m in the beginning stages of rebuilding my wired and wireless network in my home. I will be using an OpenWRT router and placing wireless access points around the home. I have my eyes set on TP-Link Omada and Ubiquiti UniFi hardware. Will I need to worry about privacy and security concerns since they’re just access points and all data will go through the router? I figure the router with the right configuration and running the latest OpenWRT should mitigate any privacy and security concerns. What do you guys think, and what else do I need to know?
Thank you.
No.
They’re still complete, fully functional computers that have the ability to phone home with telemetry of the connected devices or traffic that passes them at will.
OpenWrt itself has no inherent ability that would mitigate such behavior.
I would argue that OpenWRT can if you put the devices in a no-internet VLAN.
@iluvprivacy I’ve used both with OPNsense and they both work great for home internet. I moved from unifi to omada, but with both they got segmented into their own VLAN that doesn’t have internet access.
Also to note, you have to do the same thing with the controller and keep up to date on firmware updates yourself to manually flash.
That would require the access point to tag the traffic from the supplicants?
Well I can speak specifically to omada, you can assign them a “management VLAN” in the controller and they get placed in whatever VLAN you designate and assigned relevant IPs.
The traffic tagging would presumably be done by OpenWRT.
Then how do I get wireless access with an OPNsense/OpenWRT router?
What do you mean? If you have a router with Wi-Fi, you’ll have access after installing OpenWRT. It’s just a regular setting, like in any other device.
Or do you mean how to connect and set-up access points?
A router doesn’t have to have wireless access. I guess I was wrong that any privacy/security concerns would be mitigated by connecting with the router. So what should I do about the AP?
I don’t quite follow. If you’re using unifi/omada, the APs work as expected. When you put them in a no-internet VLAN you’re just preventing them personally from getting to the internet. They still handle relevant traffic normally.
I’m sorry, but I don’t understand. If I put them in a no-internet VLAN, then how will they still act as an AP and let me use them to access the internet?
This isn’t the right way to think of it. Let’s say you slap a computer that has malware doing network requests on an OpenWrt managed network - the computer will still do those network requests and OpenWrt will send them. OpenWrt can give you confidence in what software is running on the router, not what computers on the network are doing.
Everyone saying use VLANs and special steps are making their lives harder without saying what it is they are securing against.
What are you concerned about? Privacy != security. What is your specific concern here? If you don’t trust the stock firmware of your AP, also make it run OpenWrt (note you may lose some niceties of AP management in the process). I have one AP running OpenWrt as a dumb AP.
If you want the stock firmware and are worried about it phoning home, then I would go back to my above point. If this isn’t a real concern, then maybe it’s not as big of a deal for you.
As for security, keep the firmware up to date and ensure your AP settings are solid. Your router has to protect against the WAN, but your AP likely just needs to be secured for your LAN, which is a different threat model.
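The “no-internet VLAN” setup suggested earlier in the thread (APs and their controller in a management VLAN with no route out, client SSIDs tagged onto a separate VLAN), written out as OpenWrt UCI fragments. This is an added example, not any poster’s own configuration; it assumes a DSA-based OpenWrt release, that `lan1` is the trunk port cabled to the AP, and the default `wan` zone name. VLAN IDs and addresses are constructed placeholders.

```uci
# --- /etc/config/network (constructed fragment; assumes a DSA-based OpenWrt
# --- release and that port lan1 is the trunk cable going to the access point)

config bridge-vlan                       # VLAN 10: AP/controller management only
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'                  # tagged on the trunk toward the AP

config bridge-vlan                       # VLAN 20: the client SSID
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config interface 'mgmt'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'

config interface 'clients'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'

# --- /etc/config/firewall (constructed fragment)

config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'                # AP may still reach the router (DHCP/DNS)
	option output 'ACCEPT'
	option forward 'REJECT'
# Deliberately no 'config forwarding' with src 'mgmt': nothing in VLAN 10 can
# reach wan or the client VLAN, so the AP and controller cannot phone home.

config zone
	option name 'clients'
	list network 'clients'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding                        # client traffic still reaches the internet
	option src 'clients'
	option dest 'wan'
```

On the AP side, set the management VLAN to 10 and the SSID’s VLAN to 20 in the Omada or UniFi controller, so it is the AP that tags client frames onto VLAN 20 before they cross the trunk; you still need `config dhcp` pools for both interfaces in `/etc/config/dhcp`, which are omitted here.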
Which access points use OpenWRT? Are any of the Omada hardware devices compatible with OpenWRT?
I don’t know. In these cases I’d say look at the OpenWrt hardware support page and see if you have a supported model.
But remember I’m not sure how well AP controller software will work in your use case.