Good afternoon, I recently installed OpenWrt on my router and am amazed at what this community has accomplished.
I have some questions regarding the best configuration to have a secure network. I will quote the list of steps I have in mind.
1. Install OpenWrt and configure the local network and Wi-Fi with a WPA3 password.
2. Install WireGuard on OpenWrt and configure clients, together with DDNS, for connecting from outside to my home network.
3. Configure Pi-hole?
4. Hire a public VPN like Mullvad and configure it on my router to improve privacy?
The documentation is very good but also very extensive. Do you recommend the last two points I have indicated? What else do you consider essential to configure in OpenWrt to improve security and privacy?
The objective is that the only service accessible from the Internet will be WireGuard. From what I have documented, it seems to be the best solution.
Yes, it's very convenient. When travelling I can check my cameras to make sure everything's good and that certain processes that need to be running at home are still running.
I dislike dynamic DNS because you attract more hacking attempts -- but those happen all the time anyway. It's the most standard way to reliably discover your current home IP address when you're away; it's just annoying that it's public. I don't need it because I have an always-on connection to a VPN provider, so I can simply find my current home IP address by logging into the client area of their website.
I'm not sure I'd put too much weight on the claim that a dynamic DNS will attract more hacking attempts. Just being online will attract attempts, that's the point of securing your network.
Other recommendations for a secure network: get a managed switch and create VLANs:
- LAN: full access, for trusted devices that basically belong to you and need to access both the internet and local resources.
- DMZ/Guest: for devices that need internet access but have no reason to access any other system or device on your network. This includes streamers unless you also use them to access your local NAS. (My suggestion is that you use a local server to provide access to local media, and only use streamers for remote providers.)
- Private/Local only: no internet access, for devices that you need access to but which will only cause trouble if they access the internet, like printers and cameras -- assuming you're not using cloud storage for them -- and if you are, you have a trojan in your house and essentially have NO privacy or security, and this whole topic is moot. Unless, OTOH, you put them in the DMZ and only access them via the cloud.
Edit: In addition, if you or anyone in your house teleworks, especially if using an employer-provided computer, either create a VLAN for each teleworker, or at minimum put them in the DMZ. Your telework rig should have no connectivity with your home network whatsoever.
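As an added example (not posted by anyone in this thread), here is what the two ideas above look like together in OpenWrt's /etc/config/firewall: the original poster's goal of exposing nothing to the Internet but the WireGuard port, and the LAN / DMZ-guest / private-only zone split. It assumes you have already defined network interfaces named lan, guest, iot and wg0 (VLANs and the WireGuard interface) in /etc/config/network, and that WireGuard listens on UDP 51820; those names and the port are assumptions, not OpenWrt defaults.

```uci
# WAN: nothing inbound is accepted except the WireGuard rule further down
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
# LAN: trusted devices; WireGuard peers (wg0) are treated as trusted LAN clients
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option forward 'REJECT'
# Forwardings are the only inter-zone paths: guest reaches only the internet,
# iot (printers, cameras) is reachable from lan but has no forwarding to wan at all
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'iot'
config rule
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
# guest and iot still need DHCP and DNS from the router itself
config rule
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
config rule
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

Keep the stock `config defaults` section (input and forward REJECT) above these entries, and after `/etc/init.d/firewall restart` check from a guest device that the router's LuCI/SSH ports and any LAN host are unreachable while the internet still works.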