Generally recommended packages to install?

Hi all, newbie OpenWRT user here. I got my home network to work thanks to the help of the community. Is there a list of generally recommended packages to install onto the main router? In particular, I am interested in those that enhance privacy and security.

I understand this is a very case-by-case question, but I reckon there are at least a few packages, among the thousands out there on the package page, which are beneficial for most cases.

1 Like

Very much so.

VPN packages could be relevant. But you need another endpoint (typically a commercial VPN service, often paid). So the packages you install depend on what VPN service you plan to use.

You could install things like Adblock to limit advertisements and tracking by those services.

2 Likes

It's rather important to note that commercial VPN services don't magically improve your privacy or security. By using them, you merely shift the insight into what you're doing on the net from your local ISP (working within the regulatory framework and privacy laws of your location) to an unknown entity providing the VPN services somewhere else. Many of these have been caught logging more than they admitted already - and silently handing over logs at their own courtesy. The only thing commercial VPNs may provide is evading geo-ip based blocking and maybe, just maybe, hiding from light cases of copyright enforcement and litigation.

3 Likes

Recommend luci-app-unbound for recursive and encrypted DNS over TLS queries from a supported host.

1 Like

I find all of these generally useful (or at least interesting) on my gateway router:

luci-app-sqm
luci-proto-wireguard luci-app-wireguard
collectd luci-app-statistics
adblock luci-app-adblock tcpdump-mini curl ca-certificates
iperf3 irqbalance htop

I started out with a USB hard drive plugged into a router and installed the packages below, until I realized that, after losing precious files (should that occur - it in fact did not), I would realize I really needed something with redundancy and simple backup so I would actually keep up with it. But for a simple network file storage, convenient file transfer between devices and media server solution, I might install the packages below and attach an ext4-formatted USB hard drive:

luci-app-ksmbd ksmbd-utils ksmbd-avahi-service
minidlna luci-app-minidlna

For shared home file storage, I instead now use a dedicated 2-bay RAID 1 NAS plus a backup drive that stays unplugged in a safe place when it's not making backups. I just can't bring myself to pay for cloud backup and trust a third party with my files, though I probably should just give in on that and ditch the home NAS.

3 Likes

This is absolutely correct! As @slh mentioned, it can be useful for geo-ip and other similar scenarios, or to protect your information when you might be on a public Wi-Fi network (although TLS/SSL encryption is supposed to handle most of this). The other reason a VPN might be useful is if you don't want your ISP to know what you're doing, but your VPN provider would then have that data-collection ability. So pick your poison.

1 Like

This is a great thread and use cases are very important, both the type of role the device is performing AND the amount of space the device has on it. If you're working with limited space then you have to consider which packages are more important, with even possibly stripping out some of the defaults to make room.

I also like: iftop, nano, nut (for the attached UPS although it can be annoying to configure), luci-app-advanced-reboot. Also as listed in various hardening guides these are great too: fwknop, ostiary, fail2ban.

It would be neat to see a wiki page on recommended packages for which configurations. Or even some type of installation planner where you could pick your router, use case, and the available space. Then it could give you a recommended package list of what to keep/remove (I say remove because if the router doesn't have specific features (such as WiFi support) then obviously you don't really need those packages.)

It all depends more or less entirely on your use case and preferences.

For example, there may be a use case for running AdGuard Home on the router. It installs like a package (opkg install adguardhome), but deploys its own administrative interface, independent from LuCI (or you can just edit its YAML configuration file). Is it your use case? I have no idea...

Couple of suggestions for the privacy/security area:
adblock-fast
banIP
dnscrypt
wireguard client
vlan background + example
perform a local vulnerability scan with Nessus Essentials