Looking for a 'setup recipe'

The incredible flexibility and power of openwrt is more than a touch intimidating to a noob.

The mentor who encouraged me to run openwrt is sadly now dead so there is no easy connection for me to ask all the dumb or maybe even not dumb questions that I will need to ask to set up a solid secure install of openwrt. IMO this solid secure aspect is most important when one is going to be connecting to high speed fiber lines like I hope to be real soon now.

I have spent some time looking and I can't find something that to me is foundational.
I can't find a complete recipe for openwrt setup.

It would cover things like either on the gui or on the cli version for all the setup options.

My present router - - - well I've used that system for some about 12 or 13 years so I understand a lot of the options. I don't understand the options in openwrt, and I really would like to, but there is no noob checklist or recipe or whatever it could be called to follow to establish a solid connection.

Hopefully not just viewed as a frivolous noob question!

TIA

the info you've provided, doesn't even come close to what would be required, to write any kind of (meaningful) reply ...

I've never looked at an openwrt setup - - - - -

For screen one - - - there are 8 areas to define
areas 1-4 are required
area 5 is useful in these situations
area 6 and 7 are used only rarely
area 8 please don't touch until you have checked out this page or these pages.

Screen 2 covers wireless
blah blah
blah blah

Screen 3 covers WPA
option 1 refer - - name of wireless network
option 2 password (is a pass phrase an available option?)

and on

from the cli it could be like access this config menu (address)
These are the 2 or 3 or 6 or whatever number options
these are the possible parameters for option 1 etc

you know - - - a detailed roadmap on how to set up a solid reliable secure system.

(That is the idea - - - isn't it?)

This 'cheat sheet' would be useful to anyone setting up an openwrt managed router so this is not a one person answer - - - this is an answer for a segment of the community.

The issue with a cheat sheet is that there are so many different devices that can run openwrt, and the setup process will vary depending on the device or filesystem you decide to use.

If you don't mind videos, you should watch OneMarcFifty's OpenWrt 22.03 video to understand the latest changes in the newest release.

https://www.youtube.com/watch?v=l8xQGfsF05Q&t=537s

As long as you understand the basic router knowledge (lan vs wan, ports and device management) you should be able to pick it up pretty quickly.

OpenWrt comes with software called "uci" (Unified Configuration Interface), which is used to configure the system; it is used through the CLI.

https://openwrt.org/docs/guide-user/base-system/uci

The walk through documentation for OpenWrt's gui called "luci" is a good place to start.

https://openwrt.org/docs/guide-quick-start/walkthrough_login

The package documentation for installing packages.

https://openwrt.org/docs/guide-user/additional-software/managing_packages

Security is pretty good out of the box but a few things can be done to improve it.

https://openwrt.org/docs/guide-user/security/secure.access

The website's list of supported devices.

https://openwrt.org/toh/start

The firmware selector is also helpful for finding your device's firmware.

https://firmware-selector.openwrt.org/

If you have high speed internet, it's generally recommended to run OpenWrt on x86 hardware.

Please check out this forum post here:

https://forum.openwrt.org/t/so-you-have-500mbps-1gbps-fiber-and-need-a-router-read-this-first/

Google is very helpful to search for the documentation to use when installing OpenWrt on the router you choose to use.

3 Likes
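One concrete instance of the access hardening mentioned in the post above, as an added example that is not part of the original post: a shell function that audits the SSH server settings through `uci`. The option names are those of OpenWrt's dropbear package; the function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit dropbear (OpenWrt's SSH server)
# settings as printed by `uci show dropbear`.
# On the router:  uci show dropbear | audit_dropbear

# UCI booleans: treat these spellings as "disabled".
is_off() {
    case "$1" in off|0|no|false|disabled) return 0 ;; *) return 1 ;; esac
}

# Reads `uci show dropbear` lines on stdin, prints findings,
# returns the number of findings (0 = nothing to fix).
audit_dropbear() {
    pw=on; rootpw=on; iface=''    # effective values when an option is absent
    while IFS= read -r line; do
        val=${line#*=}; val=${val#\'}; val=${val%\'}
        case "$line" in
            *.PasswordAuth=*)     pw=$val ;;
            *.RootPasswordAuth=*) rootpw=$val ;;
            *.Interface=*)        iface=$val ;;
        esac
    done
    n=0
    is_off "$pw"     || { echo "WARN PasswordAuth: password logins accepted"; n=$((n + 1)); }
    is_off "$rootpw" || { echo "WARN RootPasswordAuth: root can log in with a password"; n=$((n + 1)); }
    [ -n "$iface" ]  || { echo "WARN Interface: unset, SSH listens on every interface"; n=$((n + 1)); }
    [ "$n" -gt 0 ]   || echo "OK key-only SSH, bound to $iface"
    return "$n"
}

# Fix, after adding your public key to /etc/dropbear/authorized_keys:
#   uci set dropbear.@dropbear[0].PasswordAuth='off'
#   uci set dropbear.@dropbear[0].RootPasswordAuth='off'
#   uci set dropbear.@dropbear[0].Interface='lan'
#   uci commit dropbear && service dropbear restart

# Constructed sample: a stock-looking config, then the same after the fix.
STOCK="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'"
HARDENED="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].Interface='lan'"
printf '%s\n' "$STOCK" | audit_dropbear || true
```

Confirm that key-based login works in a second session before restarting dropbear with password authentication off.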

Thank you very much for a very informative post.

I was looking for this - - - but not knowing what to 'search' for - - oh well.
(A noob flailing around trying to figure out what to do!)

First off, the only dumb question is one that is not asked. So ask; that's what the forum is for. The worst thing that can happen is, people won't understand the question. This sometimes happens when the asker finds it difficult to phrase their question in common technical terms (this is not a criticism, but a description of a rather typical communication problem; it's perfectly normal for a non-technical person to have limited command of a technical vocabulary). Which brings us to your question.

You keep saying "setup", but it is not clear whether you refer to installation of OpenWrt on your router or to administration of OpenWrt on your router once it is installed. Those are, to be sure, related tasks, yet they are separate. Getting the minimal (aka core) OpenWrt running on a particular piece of equipment is one thing; making a particular feature of OpenWrt work on that piece of equipment is another. OpenWrt is extensible modular software; there are numerous packages that are not included in the minimal initial installation, but can be downloaded, enabled, and configured IF HARDWARE PERMITS.

OpenWrt in its minimal implementation can work on a bedazzling variety of hardware. Some of that hardware, however, is kinda puny and may or may not be capable of supporting some advanced functionality that requires a lot of processor time or memory.

Next, you say that your current router is over a decade old. You also say that you're planning to upgrade to a fiber connection. This immediately raises a question: will your current router become the bottleneck once you upgrade? Especially since you seem to be concerned about security. Security is based on encryption; encryption is computationally intensive; many old routers simply can't do it at speed due to insufficient processing power.

So here's the plan of action I would suggest in your case.

First, please clarify where you are in the "setup" process. Are you having trouble installing OpenWrt or is your OpenWrt up and running already and you need help with administration?

Second, please be VERY specific in describing your hardware. There's usually a sticker on the bottom or the back of a router that lists the name of manufacturer and the model number. The same model number sometimes has multiple versions or revisions, also noted on the sticker. These are VERY important, especially in the installation phase. Firmware that runs perfectly well on Something-Something v.2 may brick Something-Something v.3 and vice versa (or not; the devil is in the details). If you have OpenWrt up and running already, you may want to take a look at the Overview page in the management interface and include what OpenWrt reports under the following headings:

Model
Architecture
Target Platform
Firmware Version
Kernel Version

Third, please be VERY specific in describing your problem/issue. What do you want your router to do? What does it do instead? What steps have you undertaken to get from here to there and how did the router respond (error messages, etc.)?

Fourth, be mentally prepared for the possibility that what you want is not achievable with the hardware on hand. (See, for example, the discussion of bottlenecking above.)

And finally: if you want a complete recipe, you need to know what you're cooking. A seemingly simple matter: you keep talking about "security", but does your definition of "security" include, for example, parental controls? If you can't state your specific wants, we can't help you figure out if they are even achievable... Again, this is not a criticism, but an invitation to work together and overcome the inevitable difficulties.

With all this in mind, welcome to the forum! :slight_smile:

2 Likes

As a long term Linux user I am quite aware that technical vocabulary is all too often used to obfuscate rather than to clarify. There is an overwhelming reliance on acronyms which are all too often not explained but their meaning is just supposed to be understood.

Likely my use of the word 'setup' links back to my years of working with industrial equipment.
One first 'setup' the equipment and then one 'setup' the process. Same word with different usage - - one of the challenges in a language that doesn't easily allow precise definitions on things - - sorry!

I am aware of OpenWrt's incredible hardware flexibility. If anything it seems that its use on higher powered systems (routers) is lagging behind its longer term support on official 'routers'. In fact almost all the routers for sale through my local 'Staples' store are not supported - - - but that's a different can of worms.

You mention that

> you say that your current router is over a decade old.

Well - - - I said the 'system was over 12 . . . years . . . " which is quite different.
I have used, IIRC, some 3 different routers all running some variant of dd-wrt which means that I'm sorta proficient in software setup re: dd-wrt but a total noob at openwrt - - - they may be related but they are in no way equivalent!!!

My hardware - - (I have two - - one for backup) is a NanoPi R4S 4GB.
This SoC was bought after reading some of the first months worth of posts on

NanoPi R4S rk3399 R6S RK3588S 4G is a great new OpenWrt device

and although my new fiber install (the heavy equipment is some not that many days away from drawing in the piping with cabling to follow) is imminent, I will not be subscribing at the max rate offered.
(Max rate offered looks to be either 1 Gbit or 2.5 Gbit - - - unclear - - - think the 2.5 Gbit is quite new!!) I have had to exist on a 9 Mbit down 2 Mbit up connection for some over 10 years so I'm thinking a 250 Mbit connection is going to feel HUGE for some time.

The suggestion from the nanopi r4s thread is that this machine can handle (barely IIRC) up to a Gbit so I still have a couple steps of head room from 250 MBit that I've subscribed for.

```
# uname -a
Linux Bravo1 5.10.139 #0 SMP PREEMPT Sat Sep 10 02:23:20 2022 aarch64 GNU/Linux
```

and I'm getting complaints like
`* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.144-1-23c3f734f8e38fe957092b233241bf3b) for kmod-usb-core`
already so I already have a kernel issue. Have asked over on the nanopi thread for advice on how to update the kernel so that I can run more software. (Seems like it's a 'snapshots' vs system thing.)
Having 4 GB of memory should make it possible to run more software but I 'am' looking for guidance.

Have some dozen tabs or so open trying to understand setup.
The options are vast and not understanding what I'm doing makes things even worse.

Re - - QoS - - - reading "You can browse the scripts here: qos-scripts. There is direct LuCI-support for qos-scripts called: luci-app-qos. NOTE: luci-app-qos won't start until you enable the qos Initscript within the System–>Startup tab as well as enable qos under Network–>QoS" - - - it seems like I need to install both qos-scripts and luci-app-qos and then I need to enable qos in 2 different places. Further down in the troubleshooting section - - - well that section is current as of how many years ago?
Does that mean that other recommendations on there are also 'old'?

(And that's only the beginning of the questions - - - grin!)

Thank you for the welcome - - - I have been trying to read posts for about 8 or 9 months but now with an install (on less than minimal hardware) am finding that much of that reading hasn't helped my understanding much.

TIA for your assistance.

Since the NanoPi has a release build starting in 22.03, you should run that release build instead of a snapshot. Release builds keep the packages in sync with the kernel so you can install more packages later without having to re-flash an upgrade of the whole OS, which is necessary with snapshot builds.

A luci-app extends the GUI to configure something by translating GUI entries to UCI calls which ultimately end up as lines in an /etc/config file. It is only a configuration interface-- it doesn't add any runtime functionality beyond what is provided by the underlying application package.

Thus, a CLI user can forego everything related to luci. If you only have qos-scripts, QOS/SQM would be configured with the CLI via /etc/config/sqm and enabled with service sqm enable and service sqm start.
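The kernel/package mismatch behind the `pkg_hash_check_unresolved` error quoted earlier in the thread, as an added example that is not part of any post: a shell check that compares the kernel a kmod was built for with the running one. The function names are hypothetical; the sample line and kernel version are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: explain opkg "cannot find dependency
# kernel" errors by comparing the kernel a kmod was built for with the running one.

# Print "<package> <kernel-version>" for one opkg error line, or nothing.
required_kernel() {
    printf '%s\n' "$1" | sed -n \
        's/.*cannot find dependency kernel (= \([0-9][0-9.]*\)-[^)]*) for \([A-Za-z0-9._+-]*\).*/\2 \1/p'
}

# Read opkg output on stdin; $1 is the running kernel (default: uname -r).
# Returns 1 if any kernel dependency was unresolved, 0 otherwise.
check_kmod_errors() {
    running=${1:-$(uname -r)}
    found=0
    while IFS= read -r line; do
        req=$(required_kernel "$line")
        [ -n "$req" ] || continue
        pkg=${req% *}
        want=${req#* }
        found=1
        if [ "$want" = "$running" ]; then
            echo "$pkg: same kernel version $want, but a different build (ABI hash)"
        else
            echo "$pkg: feed built for kernel $want, running $running"
        fi
    done
    return "$found"
}

# Sample input: the error line and kernel version quoted in the thread.
SAMPLE=' * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.144-1-23c3f734f8e38fe957092b233241bf3b) for kmod-usb-core'
printf '%s\n' "$SAMPLE" | check_kmod_errors 5.10.139 || true
```

On the router, pipe the output of a failed `opkg install` into `check_kmod_errors` with no argument; any reported mismatch means the package feed no longer matches the flashed image.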

I'd love to 'run the release build'.

But - - - where do I find the squashfs of such or am I expected to do my own compiling?

(I went with what I could find - - - still learning this stuff.)

(If I'm compiling - - - - where do I get a list of the packages I need to draw in for a complete install?)

TIA

Did you check
https://downloads.openwrt.org/releases/22.03.0/targets/rockchip/armv8/
?

No - - - - the only page that I could find was - - -
(using the search terms openwrt + nanopir4s)

https://openwrt.org/toh/friendlyarm/nanopi_r4s_v1

In the 'Installation' section there is the 'Firmware OpenWrt Install' area.
This turns out to be a snapshot image.

So thank you for the link to a great solution.

Now I have to figure out what in the heck various packages I actually should install.

I would like to run Asterisk and a pihole equivalent would be wonderful.
Really don't know what comprises a solid install that provides high security and greatly reduces the data harvesting indulged in by most commercial entities on the web today.
I have asked for a 'recipe' but so far all that I've gotten is getting pointed at a list of the packages - - - and nothing else. Tough to know without experience what is a great setup.

Thank you for your link - - - if you have any ideas or a similar pointer to where I might find a 'recipe' for a solid secure system - - - please?

TIA

Well - - - digging through https://downloads.openwrt.org/releases/22.03.0/targets/rockchip/armv8/packages/ and https://openwrt.org/packages/table/start?dataflt%5BCategories_pkg-categorys*%7E%5D=usb (using the 'package categories') and then reading the list here 'https://firmware-selector.openwrt.org/ ' (page for the nanopi r4s) well - - - I've spent likely well over 10 hours reading and looking.
I think I'm even more lost than I was before I started.
I don't know what comprises a solid highly secure install (again - - - I just can't find anything except bits and pieces and there are at least 100s of those if not 1000s). It's not clear if the 'firewall 4' on the build page is the same as 'all the necessary bits for a good nf-tables' install - - - I can't find anything listing 'firewall 4' as a 'package' title.
In an install on a distro one selects a main package and the installer drags in all the other relevant bits.
Does that happen here? - - - - (dunno!)
I would like to install Asterisk and WireGuard and QoS and adguard and usb tools so that I can add a usb stick for more storage but even there things are quite confusing. The message on 'Asterisk' is - - - careful you don't want to install too much - - - but what is enough - - - the main location for packages is 'network---telephony' but there are some likely over 200 packages to choose from - - - can I say I'm lost?
WireGuard - - - is it only the two packages listed here 'https://openwrt.org/docs/guide-user/services/vpn/wireguard/basics ' ? Or do I need the server - - - will that be enough?
I suppose that I will be able to get an install setup but I'm thinking that this is going to take me some 2 to 300 hours to achieve.
A very basic question - - - is it better to have the 'packages' in the build or does it make more sense to install something like the previously mentioned list of packages as a 'build' and then to add my other 'would likes' as installs after the build is running - - - please advise.