So I've made some significant progress on my "personal-fork" of DivestedWRT and am in a place where i feel like i can boast^H^H^H^H^Hshare a bit.
Some background, i had an OK internet provider (500mb down/50ish up) but when my contract ended they wanted to double the price, and someone else just rolled out fibre in the neighborhood.. so tl;dr - i switched to the new company and got faster speeds/a nice discount
longer version: it seemed the perfect time to dust off the WRT32X that's been sitting in storage since i bought it, once i found out my block got wired for fibre this summer.. while my old ISP had a decent modem and i was using a linux-VM as my auxiliary router (for things like VPN'ing, DHCP/DNS via PiHole, giving IPv6 where my ISP had been falling behind... badly... (almost 150 pages of a forum topic going back to 2010)), i never actually got around to deploying/playing with OpenWRT when i picked the router up on eBay (for cheap) two years ago.. until a month ago... *cue the suspenseful music*
So anyway, the rest was a no brainer. I waited until the existing ISP's contract was up this mid-month and at the beginning of the month signed up for the same speed down, ~500 up, but now symmetric (kinda).. and i was off to the races (e.g. get all the network services i had set up working over the last few years, but on a new network and new router, before my old service got torn down next month)..
Oh and a very pleasant surprise: seems my upload didn't get capped correctly to be the same as my download and i can actually upload almost at gigabit speeds (closer to ~900mbps but way higher than the 500mbps i signed up for i can download at).. hmmm yahhh i don't think i'll be opening a support ticket to get that fixed though
The rest below is a report on the details of my setup, in case anyone was interested in the tweaks i've chosen to make or had questions/needed help on how I did anything:
- tweaked the build-system to be containerized (but using an alpine-based "lightweight" setup, or as lightweight as can be given all the build dependencies needed)
- tracking all changes for the router's configs/customizations using git (this however is a private repo so i can't share it, as it's got security-sensitive information specific to my network - if there's interest around something specific perhaps i can share extracts from it) - essentially i'm patching the DivestedWRT patches; that might sound dirty to you but it seems so far to work surprisingly well (tho trying to understand a git diff of a diff is uhmm.. interesting, to say the least)!
- the rebuild process "bakes-in" the current set of configs, so the whole router can be upgraded with all settings intact, without relying on sysupgrade doing any config preservation of its own (not that there's anything wrong with sysupgrade, but i prefer the immutable-infrastructure approach where i can just blow it all away to an earlier working-config when i inevitably screw up - something i've already had to do a few times).
Then i went and removed (and some reasoning behind those decisions - prove me wrong):
- all other build-targets, except the one for my WRT32X (no need to build the other dozen WRT-flavors or buffalos, etc)
- all localizations (i don't speak the other 30+ languages DivestedWRT bundles, this build is only intended for me... though understandably as DivestedWRT is intended for the masses, others might)
- Bluetooth/SDIO-based junk.. (i mean who really needs that third antenna? it was reported to potentially cause issues (though i admittedly haven't had this device long enough to know if i even experienced them, just seemed like a low-risk tweak that's easy to back-out if needed), and i supposedly could enable 160MHz on 5GHz.. though i haven't quite gotten 160MHz to work yet myself, on the left-TODO list, any guidance appreciated!)
- USB/MMC support from the kernel (c'mon it's just supposed to be a router, not a storage server, for me it's one less attack-vector if someone has physical access and i've no interest in usb-based network adapters either)
- all UPnP traces (it's a security risk and i don't currently need/would make use of its functionality)
- WireGuard, just cuz i don't need it at the moment and to further slim down the build (ya ya this wasn't going to be that-huge a space-saver.. it was more about only leaving packages that i'm aiming to use in the near-future - mainly for security's sake, i say)
  ...ok come to think of it, i may add WG back one day, as it's amazingly-simple to setup but only when/if i need it.. mmm yah could be nice-to-have functionality one-day.
Next I added the following packages:
- rsync (needed for my syncing/building scripts to copy multiple files/dirs off the router for future rebuilds, in lieu of me relying on sysupgrade)
- bash (yahh... perhaps it's gotten a bit bloated for a shell, but i have come to rely on some advanced shell-history tricks and with all the tweaking often need to log in and do things, and busybox just wasn't cutting it)..
- openvpn (incl. LuCI support), as per my recent post
- strongswan, for my road-warrior clients to VPN in (but oh man.. more on this below)
And here's some functionality i now have:
- half a dozen or so networks/separate VLANs for different things (think: layered security, each level can only reach the adjacent one: separate mgmt network, lan network, wifi network, wan-network, guest network, etc), along with 802.1q trunking to a "baby"-core switch.. anyone remember router-on-a-stick?
- locked down access to the router (and switch) that's on my mgmt network, so that it's only accessible from the lan network, not from wifi or home networks (or guest wifi, of course).
- providing NTP for internal hosts (on the TODO: fw redirect outgoing requests to the router), as well as DNS (ditto re FW), and DHCP (via dnsmasq for ipv4/odhcpd for ipv6, but i'm also doing multi-dnsmasq instances so each VLAN has its own sub-domain).. that last one was a quirky one! And came after many struggles and misunderstandings.. ...ugh.. DHCP is a bit of an odd-bird, i think many folks eventually find this invention rather aggravating when it doesn't work (and like magic when it does)! they say, with great power comes.. sorry, wrong story.
- more about the filtered-DNS: using OpenDNS (this seems to work only intermittently for some reason at the moment, if i had kids i'd be more on it to fix, but obviously i spend all my time on tech and seems i am too busy to have kids).. oh and divblock (tho divblock has been a bit of a PITA, i've already found 4 blocked sub-domains i need to make domain-level exceptions for, related to me doing my day-job in the last week and a half.. might disable this or go back to pi-hole for the shiny GUI & graphs).
- able to use WPA3 fully.. yeeehhh NOPE kidding folks - that's still broken on these WRT series with the crappy closed-source marvell wifi drivers :-/
- able to use OpenVPN to get to my colo-servers' private mgmt network
- able to allow "road-warrior" clients to VPN into my home-network via strongswan, using the newish swanctl config support (i have 2 apple-based devices i mainly rely on that need this ability - i'm using TLS for auth, and no extra software needed on the devices themselves as ipsec-support is native)..
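As an added example (not the author's config, which stays private), here is how the mgmt-network lockdown and the "each level only reaches the adjacent one" idea above look as OpenWrt firewall zones in /etc/config/firewall; the zone and network names (lan, mgmt, guest, wan) are assumptions, and the wifi zone is left out to keep it short.

```uci
# /etc/config/firewall (excerpt). Constructed example: zone and network
# names are assumed; the lan -> wan forwarding is omitted for brevity.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# input REJECT: ssh/LuCI on the router are not reachable from guests
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# one-way: there is deliberately no mgmt -> lan forwarding section,
# so only stateful replies to lan-initiated connections come back
config forwarding
	option src 'lan'
	option dest 'mgmt'

config forwarding
	option src 'guest'
	option dest 'wan'

# guests still need DHCP and DNS from the router itself
config rule
	option name 'guest-dhcp-dns'
	option src 'guest'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall reload` applies it; `fw4 print` (or `fw3 print` on older releases) shows the resulting ruleset so the lan-only path into mgmt can be checked before trusting it.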
This last one was the hardest part for me, and i encountered a lot of openwrt-documentation woes (the OpenWRT wiki saying one thing while that approach has not yet been updated for UCI, also other new functionality not being documented on that wiki.. i'll probably roll up my sleeves and have to update the wiki myself) and even a bug, for good measure..
Now I'm still in disbelief this setup works! But yah.. I spent what felt like days on just that, reading all the various "water-bird"-related references and trying to piece it together based on a previous example and my rusty knowledge of ipsec (most of the forum posts just tell people to just use wireguard instead - i KNOW wireguard is way simpler, but it also requires additional software on the clients, which i really wanted to avoid needing - plus i seem to be a bit masochistic and i get to learn quite a few IPSec-ey things along the way).
For more info on the above, see this post where i elaborate on some of the more technical details of my ipsec-journey..
Welp, I still need to do more thorough testing on the functionality of VPN clients, but at least i reached a break-through milestone for VPN services, so that when my old internet service stops working next week, i won't be stranded vpn-less..