Help aspiring dev get started - I want to build secure wireguard only router for travel

Hey community

I got a 750S from GL-Inet. I know not much about linux or firewalls but I want to get started and learn. I have a project in mind and hope it can serve as a medium for me to increase my knowledge.

My project objective is this. I want to create a super secure travel router with no bloat or added services that are not absolutely necessary. The router is to perform 3 functions:

  1. Use wireless radio or ethernet to connect to internet source
  2. Encrypt traffic with fail-safe via Wireguard. Ensure proper entropy can be provided for encryption (i.e. USB TRNG).
  3. Rebroadcast encrypted secure AP on wireless radio.

That's it. No file sharing, captive portal detection, or server features; just absolute bare-bones, minimal attack surface, using only essential technology to perform this function. Everything locked down and as secure as possible.

If any devs can give good pointers, tips or information to get me started on my journey, I'd appreciate it. If there are things from your own experience that you can share which might save me a lot of time and hair loss, I'd appreciate that too. Also any considerations I need to give before undertaking the project. It's difficult: I know what I want but not much about the technology, so it feels very daunting right now. I am intimidated but optimistic it can be a good learning experience :slight_smile:

Install, learn, and get comfortable with the OpenWrt build system. Learn git, if you don't know it already. Set up a git repo for your config as well as the source, either with the ./env/ tooling, or manually, by creating symlinks for ./.config and ./files/ to ./env/.config and ./env/files/.

Before you get to what you need to add, figure out what you can remove. Yes, that probably means dumping LuCI and getting used to command-line configuration. Consider replacing dropbear with the OpenSSH tools. (Not straightforward, as you'll find out the first time you boot into failsafe if you haven't thought through that configuration.)

Take a dump of all partitions of the device now. NAND requires nanddump, not dd.

Figure out a logging strategy that persists over reboots and crashes.

Dedicate an adapter to 192.168.1.254/24 (or whatever makes sense for bootloader access). Get comfortable with the basics of wireshark and tcpdump.

Get a serial connection before you need one (see my photo on the AR750S page, as soldering in the headers isn't easy with the huge heatsinks in place.)

Learn how to use the U-Boot boot loader.

When you build your own kernel, consider making the SBL, bootloader, ART, ... partitions read-only.

Once you get it stripped down and running, then is when I'd add wireguard, or the like.

(Ask for links or references, as you need.)

  • Make an image with all the Wireguard packages pre-installed, and rngd
  • Make the configs for rngd
  • Done
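The opening post asks for a "fail-safe" around WireGuard, and the replies say to add WireGuard last, once the image is stripped down. On OpenWrt the fail-safe is a firewall-zone layout rather than a WireGuard option: the LAN zone forwards only into the tunnel zone and never straight to WAN, so clients have no path to the uplink if wg0 goes down. The script below is an added example, not code from OpenWrt or from anyone in this thread; it parses a (constructed) /etc/config/firewall in UCI syntax and reports any leak path, assuming zone names 'lan', 'wan' and 'wg'.

```python
"""Check an OpenWrt /etc/config/firewall for a leak-proof WireGuard layout.
Constructed example for this thread (not OpenWrt's or the posters' code).
Fail-safe here means: LAN forwards only into the tunnel zone, never straight
to WAN, and the tunnel zone masquerades. Zone names lan/wan/wg are assumed.
"""

# Constructed minimal config: a wg zone carrying wg0, masquerading, and one
# forwarding rule from lan into it (other zone options omitted for brevity).
SAFE = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'wg'
    list network 'wg0'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wg'
"""
# Same config plus a direct lan->wan forwarding: fine while the tunnel is up,
# but clients fall through to the plain uplink the moment wg0 goes down.
LEAKY = SAFE + "config forwarding\n    option src 'lan'\n    option dest 'wan'\n"


def parse_uci(text):
    """Minimal UCI parser: returns a list of (section_type, {key: [values]})."""
    sections = []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list") and sections:
            value = " ".join(parts[2:]).strip("'\"")
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections


def check_killswitch(text, lan="lan", wan="wan", vpn="wg"):
    """Return a list of findings; an empty list means no leak path was found."""
    sections = parse_uci(text)
    findings = []
    zones = {s["name"][0]: s for t, s in sections if t == "zone" and "name" in s}
    if vpn not in zones:
        findings.append(f"no zone '{vpn}' for the tunnel interface")
    elif zones[vpn].get("masq", ["0"])[0] != "1":
        findings.append(f"zone '{vpn}' lacks option masq '1'")
    fwd = {(s.get("src", [""])[0], s.get("dest", [""])[0]) for t, s in sections if t == "forwarding"}
    if (lan, wan) in fwd:
        findings.append(f"forwarding {lan}->{wan} exists: traffic bypasses the tunnel when it is down")
    if (lan, vpn) not in fwd:
        findings.append(f"no forwarding {lan}->{vpn}: clients have no route through the tunnel")
    return findings
```

Run it against your own file with `check_killswitch(open("/etc/config/firewall").read())`; it only covers the forwarding layout, so still confirm with tcpdump on the WAN side that nothing but WireGuard UDP leaves the box while wg0 is down.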