How big is the OpenWrt userbase?


are there any numbers how many router running with OpenWRT? Other interesting numbers?

OpenWrt project infrastructure > Services > Statistics

In addition, it is likely not possible to count users who build OpenWrt from source code with kernel modifications, as they are excluded from the package download statistics.
Also, there are OpenWrt-based projects including stock firmware from some vendors.


The OpenWrt help twitter has 238 Followers. I know it's not a lot but.. :slight_smile:


You need a shodan enterprise account to say how many users exist with any kind of certainty. is a search engine for security research, is not a toy, and is a quick way to get yourself on a few NSA watchlists. You need a free account to search for anything at all, and you need a paid account to search for anything useful.
How it works:
All devices connected to the internet have a banner containing metadata. Shodan searches this banner.
For example, if you are on a linux distro, see if you have easy access to a program called bannergrab. Install it, then use bannergrab to see the banner of your router's landing page at or whatever you set it to followed by the port (80/443).
$ bannergrab 80
On a router with openWRT installed you'll see something like this:

[user@home ~]$ bannergrab --verbose 80
    _                                                _
   | |__   __ _ _ __  _ __   ___ _ __ __ _ _ __ __ _| |__
   | '_ \ / _` | '_ \| '_ \ / _ \ '__/ _` | '__/ _` | '_ \
   | |_) | (_| | | | | | | |  __/ | | (_| | | | (_| | |_) |
   |_.__/ \__,_|_| |_|_| |_|\___|_|  \__, |_|  \__,_|_.__/
                         Version 3.5
         Copyright (C) 2007-2008 Ian Ventura-Whiting

HTTP/1.0 200 OK
Connection: close
ETag: "421-20a-5f550c1b"
Last-Modified: Sun, 06 Sep 2020 16:19:39 GMT
Date: Sun, 31 Jan 2021 00:09:47 GMT
Content-Type: text/html
Content-Length: 522

I think the only part of this banner that really identifies anything is the ETag: "421-20a-5f550c1b" part. If I understand it correctly, anyone with the openWRT luci landing page set to port 80 should have this etag. Therefore if the etag were to be searched on shodan, I think it would reveal how many active openWRT users are currently connected to the internet.
If I understand how shodan works, the search is done on recently archived/updated data, and not live like doing an nmap search. Scanning the internet for connected devices without permission with something like nmap is illegal and very conspicuous. Maybe someone on here with a real shodan account could search and share.

1 Like

The forum has up to 27,000 users

1 Like

this redirects to which gives a 404

On GitHub something similar named, but no development activity since very long

brew search bannergrab
Error: No formulae or casks found for "bannergrab".

Is this true?
Can somebody else confirm? If true this is a bug and should be fixed.

I don't like when everybody on the internet knows my router os.

It's not. Neither Luci or SSH are, by default, available from the WAN interface.


...and this estimation falls far too short, as there are many openwrt access points behind other routers because of the HW policy of the internet service providers...

I run a fritz box because my provider delivers coax cable, and I run 2 openwrt access points.

yum install bannergrab
dnf install bannergrab
Those work for me. Other distros may vary.

If I'm not mistaken, "How big is the user base?" has nothing to do with the number of devices each user has. I'm sure there are many ways to mask or alter this.

There is a reason Shodan is considered "the scariest search engine on the internet." There is no way to avoid leaking basic data with anything connected to the internet. Getting upset about this is like getting pissed off because your house is on googlemaps street view. It's just a house. No one knows how to tie it to you just because they see it on GM... Of course google is way worse than Shodan. They know that house is yours, if you're in it, and where you are within a few cm.
I recommend watching this (warning long but worth it IMO):


By default Luci is not available on WAN, estimating the number of OpenWrt routers on the internet this way is like estimating the number of people in a county by how many were arrested yesterday... Not entirely useless if you have in addition a lot more info, but you don't have that info

1 Like

I don't have an openWRT router directly connected to my WAN, and I don't know much about bannergrab or other similar tools. Indeed, attempting the same ultra simple bannergrab on my public IP does nothing. There are probably several options in Kali or Parrot for capturing the wan facing side of the device though. The example of the landing page was mostly intended as a practical illustration of what a banner is. As far as I understand it, all hardware connected to the internet has some kind of metadata to parse. It is far easier to parse open ports, but everything that is connected has a far as I understand it.

Shodan calls the following "openWRT (luci landing page):"
HTTP/1.1 200 OK Connection: Keep-Alive Transfer-Encoding: chunked Keep-Alive: timeout=20 ETag: "17b-1a3-541dd9df" the saved searches list on this page:
I can't see the actual results with my free account, but shodan lists the results as from Feb 26th 2016, so that etag is for an old version of the page. While browsing I saw several similar search queries for specific router model landing pages too. I'm no expert though. I just assume the worst, and hope for the best.

The general technique you're talking about might be called "fingerprinting" but OpenWrt would fingerprint basically as "some kind of linux device"


Jake, I just wanted to point out, that many people run openwrt as accesspoints on devices that are behind firewalls, unreachable for scanning tools. And for lots of them the firewall might not be running openwrt.

I would define an openwrt user as a person running at least one openwrt device. But you could also argue an openwrt user is every person using an openwrt device (e.g. by using a public wifi somewhere, which by chance is ran on an openwrt AP).

1 Like