OpenWrt secure routers

Hi! I’m looking to buy a router to install OpenWrt on it, and I’d like to understand the security landscape of these devices. Are there any brands that frequently release firmware updates? Any ones that have some special hardware security features? These kinds of things. Thanks.

idk about updates, but there is blue-merle on mudiV2

though it's not vanilla openwrt iirc.

OpenWRT is a firmware replacement for the most part. So the release cadence is based on OpenWRT.

If these are proprietary, OpenWRT may not be able or not willing to utilize them. But this is a blanket statement, if you have specific hardware security features in mind then look at their hardware compatibility table to see if it matches.

Best hardware security feature is to support WPA3 if you plan on using WiFi. That’s most likely the weakest link.

Otherwise, OpenWRT is pretty secure by default, and you can take additional steps to harden it. Remember OpenWRT is consumer grade, and if you have a very intense threat model, I can’t say if it will be sufficient.

When I say firmware, I’m talking about the closed source blobs that ship with the router, such as the CPU code. Like how Android-based OSes like GrapheneOS and CalyxOS need to include updates for these parts, or how you need to update them with fwupd on desktop linux distros, I expected something similar for routers (running OpenWrt or otherwise). Don’t these need updates from the vendor, or do routers do stuff differently than phones and PCs?

Gonna tag @SkewedZeppelin who is our local OpenWRT expert imo, if he is able to assist.

My understanding is that OpenWRT is the firmware, and what you are referring to is either microcode updates or device drivers. I’m not knowledgeable of microcode updates for embedded architecture. However, there are device drivers which may affect the longevity of the platform, specifically if the drivers in OpenWRT support them or if they are proprietary (I’m quite unhappy at the mwlwifi driver for Linksys that we don’t get WPA3 since Linksys won’t open source it).

Context: I run a Linksys 3200 ACM, and bought a U6+ for WiFi to get WPA3 + ax capability.

I’d recommend getting a good grasp on exactly what you want out of your requirements and posting on the Open WRT forum, as they have many more gurus and enthusiasts to help out. But just as posting questions with poor threat models here, I’d also do a little research to hone your questions in.

Just wanted to 2nd this. The OpenWRT forum has a super helpful community. Sometimes it can be a bit hard to get that initial response as there are a lot of topics always being made and you can get lost in the shuffle.

OpenWRT has now its own original hardware:

Sadly, AFAIK, it is only available via AliExpress as a preassembled unit or a router board, and also from one other official seller, Joom (never heard of before).

This link to Software Freedom Conservancy page has other unofficial sellers on Amazon and AliExpress

I’d say the OpenWRT One is likely the best general consumer grade hardware if you don’t have anything specific in mind for requirements. I suspect it’s the best privacy and likely quite good security for OpenWRT, given it’s the most first party support hardware that exists for the project.

OpenWrt Two coming soon as well. They’re partnering with GL.iNet.

OpenWrt does indeed provide the entire kernel and userspace, but depending on device it still will use a proprietary firmware binary for the radio.
For example your Linksys WRT3200ACM hasn’t had a firmware update in ~5 years: History for bin/firmware/88W8964.bin - kaloz/mwlwifi · GitHub
Edit: I just checked the actual file for any potential date and strings shows Nov 25 2019 so even older.

This is definitely something to consider, but I don’t have any particular recommendations for ones that update frequently or work without blobs.

Another edit: y’all it is OpenWrt, not OpenWRT.

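The check described in the post above (running `strings` over the radio firmware blob to find a build date), as an added example that is not part of the original thread. The sample bytes are constructed, and the pattern assumes the blob embeds a C-compiler `__DATE__`-style string ("Mmm dd yyyy"), which not every vendor blob does.

```python
import re
from datetime import date, datetime
from typing import List, Optional

# Printable ASCII runs of 4+ bytes, the same default threshold as `strings`.
_STRINGS = re.compile(rb"[\x20-\x7e]{4,}")
# Assumed layout: C __DATE__ style, "Mmm dd yyyy" (day may be space-padded).
_BUILD_DATE = re.compile(
    r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" +(\d{1,2}) +((?:19|20)\d{2})\b"
)


def build_dates(blob: bytes) -> List[date]:
    """Return every build-date-looking string in a firmware blob, oldest first."""
    found = set()
    for run in _STRINGS.findall(blob):
        for mon, day, year in _BUILD_DATE.findall(run.decode("ascii")):
            try:
                parsed = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y")
            except ValueError:  # e.g. "Feb 31 2019" inside unrelated data
                continue
            found.add(parsed.date())
    return sorted(found)


def blob_age_years(blob: bytes, today: date) -> Optional[float]:
    """Age of the newest embedded build date, or None if the blob has none."""
    dates = build_dates(blob)
    if not dates:
        return None
    return round((today - dates[-1]).days / 365.25, 1)


# Constructed sample: binary padding around two embedded strings.
SAMPLE_BLOB = (
    b"\x00\x01\xff\xfe" + b"fw build Nov 25 2019 10:41:07\x00"
    + b"\x7f\x80\x03" + b"bootstub Mar  4 2018\x00" + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    import sys
    # Pass a blob path as the first argument, or fall back to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(build_dates(data), blob_age_years(data, date.today()))
```

A missing date string says nothing about how current the blob is; the repository history for the file is the other signal the post uses.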

Appears that OpenWrt One is indeed a good choice. They have a detailed guide on how to update its firmware. Not sure this is even possible on other routers since this is not desktop linux with fwupd support.

Not really sure if they meant firmware in the sense I’m thinking of. Still probably the best choice.

good to know, this divested os guy knows the blob shit a little too much haha

Have any recommended routers?

OpenWrt One/Two, or I’d suggest perusing the OpenWrt forums and getting an idea of what you need for your setup.

Without knowing much about your needs I’ll just throw a recommendation. GL.iNet Flint are good home routers. The Flint 2 (GL-MT6000) is their current offering but the Flint 3 is coming soon.

This is the router that I use, can 100% recommend it.

I have the flint. It’s very nice but I wish it had automatic updates or at least a way to get notified when new updates are available. I don’t think vanilla openwrt has automatic updates either though so maybe a moot point.

GL.inet’s OS has been quite behind OpenWrt, at least it used to be. Which is why I would recommend using vanilla OpenWrt and subscribing to their mailing list for updates.

Are there any decent suggestions for an AX router to flash OpenWrt, in a range of $50/50€? Mainly for light usage and to put it after the ISP’s one, which can’t even change DNS options, so other devices can use it.