Aside from the fact that you are behind on the 19.07 series (latest was 19.07.10), the 19.07 release in general is unsupported and has been EOL for several years already. It has known security vulnerabilities that will never be patched.
I strongly advise that you upgrade. The upgrades will not be compatible with your existing configuration, so you will need to configure again from scratch. This generally shouldn't take all that much time/effort as long as you know what your desired end-result looks like (you can also use a backup of your existing config as a human readable reference). We can help you with that, too.
I am aware of the older version, is it really a security concern if the router is on NAT behind the main one?
What is the upgrade path anyways I have seen various info on places that confuse, I also remember seeing weird wifi performance on some of the newer versions if I remember, are the newer versions stable for this target?
Is anything completely safe though? Even the latest and greatest is susceptible to attacks and if anything it would affect way more users, in my opinion a lot of security comes from the user behaviour itself and all the "in the name of security" is a little overhyped.
But I appreciate the advice and concern, I have solved this and have no other issues currently, but may upgrade the router when I get time and I am really bored out of my mind.
You do have a point about user behavior being a key factor. But let's use a very oversimplified example:
You have a door. In the case of severely outdated security, the door does not have a lock at all. And as a result, you find that things are getting stolen. You upgrade and install a basic lock -- turns out it's easy to pick. It deters some burglars, but the ones who are a just bit more experienced get in without issue because so many know how to defeat the lock... and they continue to steal your stuff. So you install a much more secure lock -- one that has no known ways to pick it as of the time that it was released. Your problem is solved for now, as long as you do your part and lock the door (user behavior).
Yes, over time, some of the most experienced and determined lock-pickers will research the lock and find its weaknesses... and eventually someone will figure it out. At that point, the lock manufacturer will figure out a way to patch the vulnerability and issue an update -- keeping you secure again until a different vulnerability is discovered. It is indeed a cat and mouse game, and it's not perfect, but at least you can sleep a bit easier at night knowing that there aren't any known vulnerabilities.
That door analogy does do make sense, but with software its a little more complicated and a lot of things have to align to even have a chance to "pick at the door". @slh for example mentioned attacks from the wireless side and I am not the slightest concerned about that as I live in a rural area and its extremely unlikely there will be a Joe Schmo near my house who decided to attack this exact wifi, when he would have way more out of his time doing it in the city with hundreds of networks.
I look at it from this perspective, you as a hacker/lock-picker what would you personally choose to exploit, in the case of openwrt, the version that probably the majority is using and theres plenty of it to exploit/profit of or the opposite?
Surely some will also go with older versions especially if theres some publicly available (script kiddies), but as far as I checked the published ones for this version dont affect me.
To clarify I still agree that its probably a good idea that less aware users should upgrade or when its really critically necessary.
You just cant look at upgrading stuff from one direction, it definitely has pros/cons same as older stuff.
I am also writing this from and mainly using win7, I do have a castrated win10 on dual boot for some stuff
Of course, there can be new bugs and such in newer versions. But it is not uncommon for security issues to be the highest risk to a user, so unless there is a serious bug, major security patches will often outweigh minor bugs that creep in later. But in your case, if you're comfortable with the security vulnerabilities as very low risk in your environment, that's fine, of course.
but you wouldn't run windows XP or earlier, right?
What has to be added to the lock analogy, is that on the internet, your 'house' attracts an international crowd of burglars, who can -and do- attack you 24/7 from the within the comfort of their own home. These attacks have become a business, and adding further routers to their botnet is a financial incentive - and there is overlap with state financed/ tolerated hacking (troll/ propaganda armies, finding weaknesses in their potential enemies' infrastructure, extortion, crypto mining, …), for whom it is is beneficial to be able to hide on and behind the router of Joe Sixpack in rural Nowhere County/ Antarctica, right off the information highway. And when it comes to the wireless attack vector, to an attacker with directional antennas, 1.5-2 km can mean 'in range'.
As a potential victim, you are an interesting target because:
it's a numbers' game, one more unwitting participant in a zombie botnet, one more proxy to hide behind
[various uses, ranging from criminal to 'political']
to mine crypto currency, using your electricity
to fish credentials to other services
as a ransomware target
to extort you directly (nice pictures you have on your disk)
to attack others
for the lulz
This is a fallacy, 'known' security issues are a commodity, they are added to the attack framework once and run wild automatically, no knowledge or effort required. It's not surgical, it's shooting a fish in a barrel, with a shotgun. You also miss to account for older -typically ancient- versions of OpenWrt often being used as the base for most commercial routers firmwares, so the numbers you assumed to be in your favour certainly aren't - vendor mutilated and old 'OpenWrt based' firmwares outnumber genuine -contemporary- OpenWrt by a large margin.
To come back to your rural Nowhere County/ Antarctica scenario and the real world, I live in almost such a place, doesn't mean there's no crime either. Copper is getting stolen from stations of the cross (tiny 'roofs', double letter sized, a millimetre tick, so not much to be gained), golden crosses are stolen from the display vaults of small rural village churches by criminal groups coming from hundreds of kilometres away and then held for ransom, shoplifting is going rampant, drugs are smuggled, grown and consumed, violent crimes aren't unheard of. Don't tell me your corner of the world has nothing of that, no bored scriptkiddies searching for unfiltered internet access.
In other words, you've waved it away and ignore the risks, because you can't tell me you've done a security audit worth its name and not upgraded immediately.
But again, on the internet, every router is is sitting right on Times Square/ New York - and there are shady 'services' in all shades of grey searching for, listing, auctioning potential victims and their botnets, as well as strong financial, criminal, political and military incentives to have as many routers, as much network access available as possible. Your only defense is to stay on top of security issues and to remain updated as well as possible.
@psherman right, same as I wouldnt go earlier than 19.07, even though you could also run XP not in its default state and with a modern browser and just not being a complete dumbass
@slh I agree with that, I have run a public server for quite some time and I have seen the constant burglars background noise, but it wouldnt apply in this case as this router is not directly exposed to the internet there is no such noise
Coming back to the rural area, sure theres some crime here too but I gotta say thats pretty bad, worrying about my openwrt version wouldnt be my first thing, I am from the EU and feel pretty safe in this part of it.
When I made the XP statement, I wasn't suggesting that <19.07 is equivalent to win xp and that 19.07 is okay from a security standpoint (it's not). But as the arguments to operate a modern and secure version don't seem to resonate with you, I'll just refer back to a statement that @slh said...