Can Anyone Setup my Routers for me? I will PAY

So, I installed OpenWRT and love how this software really lets me control every aspect of the router. Can I donate to this project in any way? It is definitely worth paying for.

Now for my issue. I had a friend lose $250,000 of Bitcoin to a hacker. Apparently Bitcoin leaves a public record of every transaction. He thinks that a keylogger was remotely installed and the hacker got the key. This is the reason for my paranoia.

So, I want to build a home network that is as secure as possible using my old hardware. Yes, I understand that no system is secure. Even the NSA gets hacked. Still, I want to make my system like Fort Knox.

My system will be a laptop running coreboot, me_cleaner and SeaBIOS. The OS will be Qubes. From there, I want to install OpenWRT onto my TP-Link Archer C60 and run a LAN cable to that router, which will connect to an Asus RT-N66U also running OpenWRT. I want to connect the TP-Link to my Asus via a small LAN cable so it can have the WAN disabled, but my Asus router should allow my wife and daughter to connect via the WAN, 2.4 or 5 GHz, but I'm not sure which one is better. Furthermore, I want the Asus router to connect directly to ExpressVPN and the TP-Link to connect directly to NordVPN. Since these VPNs only use specific ports (as per the config file), is it possible to restrict access to a single port like that and reject/close all other ports? Somewhere, I read that IPv4 needs port 68.

I installed Wireshark but don't know how to read the data. I see destinations like 239.192.152.143 using the LSD protocol, but when I entered this address into my browser, the website doesn't exist.

I read the forums but just got confused. For example, disabling UPnP: is that done via a config file or the setup web GUI (LuCI)?

So, I am willing to pay someone for telling me how to follow Jeff's advice on setting the firewall properly, which scripts to run, how to disable IPv6 and UPnP, and do whatever it takes to make the router as secure as humanly possible. I read that Suricata and other IDS programs probably won't run on the Asus router, so maybe that needs to run on my old laptop. Speed isn't that important to me; security is.

So, how much would anyone want to help me? Drop me a PM with the cost. I'm not computer savvy enough anymore to figure this out. My last experience with software was writing batch (.bat) files in DOS. Yup, that was before the internet even....

Thanks,
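The single-port question in the post above (let the router talk to the WAN only on the VPN's port and reject everything else, while the WAN interface keeps its DHCP lease) can be expressed in OpenWrt's firewall configuration. What follows is an added, constructed example; it is not from the post or from the OpenWrt project. It assumes the VPN client creates a tunnel interface named `tun0`, and the endpoint address `203.0.113.10`, the protocol `udp` and the port `1194` are placeholders to be replaced with the values from the provider's config file. The `Allow-DHCP-Renew` rule is the one OpenWrt ships by default; `Allow-DHCP-Request` is this example's addition.

```uci
# /etc/config/firewall (fragment), constructed example.
# Policy: the router itself reaches the WAN only at the VPN endpoint;
# LAN clients reach the internet only through the tunnel zone, never
# through the bare WAN (a "kill switch": no lan -> wan forwarding exists).

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: nothing in, nothing out, nothing through, unless a rule below allows it.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'

# Tunnel zone, bound to the VPN client's interface (assumed name: tun0).
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN may be forwarded to the tunnel only. Deliberately no 'lan' -> 'wan' section.
config forwarding
	option src 'lan'
	option dest 'vpn'

# The single hole in the WAN output policy: the router's own VPN client traffic.
# A rule with 'dest' but no 'src' applies to traffic the router originates.
# Address, protocol and port are placeholders; use the provider's config values.
config rule
	option name 'Allow-VPN-Endpoint'
	option dest 'wan'
	option proto 'udp'
	option dest_ip '203.0.113.10'
	option dest_port '1194'
	option target 'ACCEPT'

# The WAN interface still needs its DHCP lease: the ISP's server answers to UDP 68
# (this is the rule OpenWrt ships by default) ...
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# ... and the router's DHCP client must be able to send renewals to UDP 67.
config rule
	option name 'Allow-DHCP-Request'
	option dest 'wan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'
```

Because the endpoint rule matches an IP address, the router cannot resolve a provider hostname before the tunnel is up; either use the endpoint IP from the config file or add an equally narrow rule for DNS. Once the tunnel is established and the VPN client installs the default route through `tun0`, the router's own updates and NTP go through the `vpn` zone, whose output is accepted. UPnP on OpenWrt is the optional `miniupnpd` package, not part of the base firewall; if it is installed, `/etc/init.d/miniupnpd stop` followed by `/etc/init.d/miniupnpd disable` (or removing the package) turns it off, and the corresponding LuCI page only exists while the package is present.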

A good way to provide security is to build it in accordance with threat modeling.
Unfortunately, usually the weakest link is not the router but the human.

You can't guarantee security when multiple users have quasi-administrative privileges and are not limited by strict regulations.
Even if you earnestly follow all safety recommendations and remain vigilant, will every member of your family and your friends do the same?

Imagine that one of your family members' or friends' devices accidentally becomes compromised and connects to your network.
The whole network segment becomes untrusted, and all the devices in that segment are as good as connected to the internet with no router.

But the more isolated segments you have, the more work it requires to maintain, up to the point where it compares to a full-time job.
So, instead of relying too much on private network isolation, better to rely on encrypted protocols and minimize unencrypted traffic as much as possible.

Also you can't configure the system once and be sure it stays secure forever.
Every day there are new vulnerabilities and attack methods including social engineering.
It requires quite some work to keep up and maintain all the devices properly configured and up to date.

It's a good idea to disable unnecessary services such as UPnP if you don't need them.
However, IPv6 is already an essential part of the modern device communication stack, so dropping it would be unwise.
The usefulness and effectiveness of an IDS is very questionable in a home network environment compared to the resources it requires to set up and maintain.

Security always limits your freedom and too much security can make it unbearable, so balance is required.

3 Likes

There is nothing you can do on your network infrastructure that can prevent yourself from "accidentally" downloading some malware that grabs some data from your computer and sends it somewhere else...

4 Likes

IPS software such as Snort can... if it has the signature of such malware and traffic.

Is the concern specifically for Bitcoin or other cryptocoins? Because securing a dedicated Bitcoin vault is much easier than securing everything in your home. Buy a separate computer, put it on a separate physical Ethernet network, configure a firewall on that device, and place a dedicated firewall / VPN device in front of it. Never use the vault for anything other than Bitcoin transactions. Don't even install a browser on it... never plug an external device like a USB key into it, etc.

3 Likes

@dlakelan, My concern is mainly Bitcoin but also privacy. Google, Amazon and just about everyone else keeps track of what I do online so the only way I get some privacy is to protect myself. I thought you had to connect to the internet to use bitcoin but will look into a bitcoin vault.

Well, yes the vault will need internet access, but it doesn't need general purpose internet access, it just needs to do bitcoin transactions. It seems to me a reasonable method to handle this would be to set up a Linux based system using a minimal distribution placed onto a standard high quality SD card with a write-protect tab.

Put the operating system on a hardware write protected SD card (with the little write-protect tab), put the /home directory on a USB key that can be unplugged and stored in a fireproof box. The operating system is incapable of being modified by malicious code because the hardware prevents anyone from writing to the SD card... and the USB key containing the bitcoin wallet is incapable of being modified by malicious software because it's not attached to anything that could have any malicious software on it...

When you want to do a bitcoin transaction, you boot the machine from scratch (guaranteed to be booting the contents of this write-protected SD card, which are known good) and then plug in your USB key with the bitcoin wallet, and run the transaction app to do the transaction... then after the transaction, you shut the whole thing down and move the USB key back to the fireproof box.

I'd recommend keeping a copy of that USB key offsite like in a bank safe deposit box as well.

In addition to this write-protected SD card, you also have the network filter device so it looks like this:

Standard OpenWrt Router for internet access --------> Specialized second OpenWrt based router for protecting the bitcoin vault with its own firewall.
|
|
|
-------------------> Alternate Network for general purpose browsing.

You'd use a VLAN and a separate switch port on the main router for the bitcoin network, and make the second OpenWrt device a bridge using bridge netfilters with no IP address, so it's not reachable unless you walk up to it and plug in a cable to a special management port.

1 Like
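The vault segment described in the two posts above (a separate physical network with its own firewall in front of the Bitcoin machine, carried on a VLAN and a dedicated switch port of the main router, with the second OpenWrt box acting as an address-less bridge reachable only from a management port) can be written down as OpenWrt configuration. These fragments are an added, constructed example, not the posts' own configuration and not from the OpenWrt project. They assume a DSA-based OpenWrt release (21.02 or later) with a `br-lan` bridge and ports named `lan1` to `lan4`; VLAN id 20, the 192.168.20.0/24 and 192.168.250.0/24 ranges, and TCP 8333 (the Bitcoin P2P port) as the vault's only permitted egress are this example's own choices. On an swconfig device the VLAN would be declared with `config switch_vlan` instead.

```uci
# ---- /etc/config/network on the MAIN router (fragment) ----
# Ports lan1-lan3 stay in VLAN 1 (ordinary LAN); lan4 is reserved for the vault.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:u*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'vault'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# ---- /etc/config/firewall on the MAIN router (additions) ----
# No 'forwarding' section for the vault zone: nothing leaves it except what
# the explicit ACCEPT rule below allows, and nothing reaches the LAN zone.
config zone
	option name 'vault'
	list network 'vault'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The vault may ask the router for a DHCP lease and DNS answers, nothing else.
config rule
	option name 'Vault-DHCP-DNS'
	option src 'vault'
	option proto 'udp'
	option dest_port '67 53'
	option target 'ACCEPT'

# Only Bitcoin peer-to-peer traffic (TCP 8333) is forwarded to the internet.
# A wallet that talks to another backend needs its own, equally narrow rule.
config rule
	option name 'Vault-Egress-Bitcoin-P2P'
	option src 'vault'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '8333'
	option target 'ACCEPT'

# ---- /etc/config/network on the SECOND (bridge) device (fragment) ----
# lan1 and lan2 are bridged transparently with no IP address (proto 'none'),
# so the box is invisible to both segments; lan3 is the only management access.
config device
	option name 'br-filter'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'filter'
	option device 'br-filter'
	option proto 'none'

config interface 'mgmt'
	option device 'lan3'
	option proto 'static'
	option ipaddr '192.168.250.1'
	option netmask '255.255.255.0'
```

For the second device to filter frames that cross `br-filter`, the kernel's bridge-netfilter hook has to be present and enabled (the `kmod-br-netfilter` package and the `net.bridge.bridge-nf-call-iptables` sysctl); that part, and the bridge device's own rule set, are deliberately left out here, since they depend on the release in use. The `mgmt` interface should sit in a firewall zone of its own on that box, so that its web interface and SSH are reachable only from the cable plugged into `lan3`.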

great first step in maintaining privacy, revealed all your hw/sw :woozy_face:
unless these are false specs, better consider changing your setup

@psyborg, what's wrong with my specs? How else can I explain what I'm trying to do without listing the HW? A hacker can get this info pretty quick, no?

You explain it in a private conversation with someone that sets up the network for you. On a public site you should refer to the devices under generic names, e.g. PC1, PC2, router 1, etc.

1 Like

@psyborg, DOOH! Now I get it. Thanks for the tip.

BTW, I've been trying all day to get my newly flashed router to work. The WiFi is enabled but no SSID or LED is visible...

Any ideas?

Sounds like you might need to make a new thread for this issue.

If you're talking about OpenWrt, did you enable the WiFi and configure the LEDs?

1 Like

@lleachii, thank you and everyone who replied to me with tips. I love this forum and how professional and polite you all are.

I've spent the last 2 days going through the User Guides, forum, etc. and really understand OpenWRT a lot better. My router has bad b43 support so the WiFi is not really supported. I did turn on the WiFi but there are only 3 configurable LEDs and there are 9 LEDs on the router.

That's OK because I will use R1 just as a LAN router. I need to flash my other TP-Link router but the latest firmware won't allow third-party firmware, so I'm going to remove the BIOS and flash it.

Let's close this thread.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.