How to harden security on R7800? AdGuard?


I've just flashed the latest build of @hnyman on to my R7800 router.

So far I've always used DNScrypt to harden security but I've discovered AdGuard which seems to offer an all-in-one solution. DNScrypt seems to be already used out of the box when using AdGuard.

So my question is: what is the best way of hardening the security/privacy on my R7800?

I want to get my build as secure as possible but still want to play online games from time to time.

So which packages would you recommend to install and configure?
Should I go for AdGuard and I will be good or better install DNScrypt and some other packages?

I would really appreciate it if someone who has knowledge in hardening security with OpenWrt could help.

Regarding Wifi: I've turned it completely off for now with the hardware switch.

Thank you.


DNSCrypt and AGH do similar but not same things.

They both allow you to use encrypted DNS lookups.

AGH however also allows filtering/adblocking. This can improve privacy depending on how you configure the adblock/filtering lists. There are privacy based lists out there you could add to AGH which will block trackers etc by blocking their dns lookups.

Crowdsec can be used to harden your router much like it can do for a server. However unless you are running services on your router you should be fairly secure out of the box. There is an opkg version of crowdsec.

In addition to blocklists and encrypted DNS, you can also turn off password auth and only use keys for SSH. Changing the port is also good to thwart the automated casual scans, and add option MaxAuthTries '1' in /etc/config/dropbear.

Thank u both for your replies.

@mercygroundabyss, so you mean that AGH does not encrypt DNS via DNScrypt? ...should I install both DNScrypt AND AGH then?

Will look into Crowdsec ofc too... seems like a very nice tool.

Also I will turn off pw for SSH.
@account4538, which port do you mean exactly should be changed? The one to log into the router?


The SSH port to a random high port #. I might see one scan a month at most but port 22 will see daily scans all day long.

You can also move the standard port 443 or turn off LuCI altogether depending on your threat model or how far you want to take it.

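As an added example (not written by any poster in this thread and not OpenWrt's own code), this script audits a dropbear config for the SSH settings suggested above: password auth off, a port other than 22, and MaxAuthTries '1'. The two sample configs, the port 50022 and the function names are constructed for illustration; RootPasswordAuth is checked on the assumption that key-only login should cover root as well.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dropbear UCI config for the
# SSH settings suggested above. Assumes a single "config dropbear" section.

# Constructed sample: stock-style settings (password logins, port 22).
DEFAULT_CONFIG="config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'"

# Constructed sample: key-only logins, high port (50022 is an arbitrary
# placeholder), one auth attempt per connection.
HARDENED_CONFIG="config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '50022'
	option MaxAuthTries '1'"

# get_opt NAME TEXT: print the last value of "option NAME", quotes stripped.
get_opt() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == "option" && $2 == name { v = $3; gsub("[\"\047]", "", v); val = v }
        END { print val }'
}

# is_off VALUE: true only for an explicit UCI "false"; unset means enabled.
is_off() {
    case "$1" in off|0|no|false|disabled) return 0 ;; *) return 1 ;; esac
}

# audit_dropbear TEXT: print one finding per line, nothing if all checks pass.
audit_dropbear() {
    port=$(get_opt Port "$1")
    is_off "$(get_opt PasswordAuth "$1")" || echo "PasswordAuth: password logins enabled"
    is_off "$(get_opt RootPasswordAuth "$1")" || echo "RootPasswordAuth: root password login enabled"
    # An unset Port means dropbear listens on 22.
    if [ "${port:-22}" = "22" ]; then echo "Port: still on 22"; fi
    if [ "$(get_opt MaxAuthTries "$1")" != "1" ]; then echo "MaxAuthTries: not set to 1"; fi
    return 0
}

# Audit the file given as $1 (e.g. /etc/config/dropbear), else the sample.
if [ -r "${1:-}" ]; then
    audit_dropbear "$(cat "$1")"
else
    audit_dropbear "$DEFAULT_CONFIG"
fi
```

Run it on the router with /etc/config/dropbear as the argument; no output means all four checks passed.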

you don't need dnscrypt if u have AGH. AGH does encrypted dns lookups itself.

Also Luci and ssh for your openwrt shouldn't need locking down too much as it's only exposed to your LAN side. Of course if you require remote access and have done rules to allow WAN side access you need to be far more careful.