Make OpenWrt more secure

openrouterman · March 1, 2023, 5:26pm

I just installed openwrt noob here so how can i make my system more secure which are the conf i need to change
And mostly wireless part
802.11w Management Frame Protection
And 802.11r what is this and what i need to change.
Thanks by default
Xiaomi mi4a v1 router

krazeh · March 1, 2023, 5:28pm

By leaving it alone. The defaults are fine. If you don't know what you're doing then you're far more likely to create a problem with your setup than make anything better.

flygarn12 · March 1, 2023, 5:37pm

Set password on router.
Set wifi security to wpa2 (or wpa3 if the clients you have can handle it)
Set your own password for the wifi.
Maybe change the SSID to something more useful than ‘openwrt’ but this has nothing to do with security. But why flash for your neighbors what you are using.

openrouterman · March 1, 2023, 7:20pm

Good it is a advertisement opensource never actually put ads it will be openwrt and it is good. I will keep this name

But can you tell me more about this two.

feliciano · March 1, 2023, 10:52pm

802.11w protects the management frames, difficulting fooling the router by forging connection attempts packets
802.11r allows the client to roam quickly from one AP to another (provided you have more than one)
There is also CRACK attack protection, which "Complicates key reinstallation attacks on the client side by disabling retransmission of EAPOL-Key frames that are used to install keys"

Take into consideration all these security measures may not be totally compatible with all your clients, so you can enable those, try to connect, and if you experience some issues, you may disable one at the time to troubleshoot.

stangri · March 2, 2023, 1:53am

Unplug the cable from WAN port.

shep · March 2, 2023, 2:51am

Security is relative to the native Xiaomi 4a firmware:

In fact, the reason you can install OpenWrt on that router is due to a vulnerability.

I also suggest that strong passwords/encryptation keys, turning off Luci when not in use and keeping your firmware up to date is a sizeable improvement over what you started with.

openrouterman · March 2, 2023, 5:30am

I can't only rely on local network.

darksky · March 2, 2023, 9:50am

Satire... you asked how to make it more secure. Disconnecting from the WAN will do that.

openrouterman · March 2, 2023, 1:45pm

Yes obviously but then why not just unplug it and make most secure system ever.

openrouterman · March 2, 2023, 3:22pm

Can anyone send me a guide to set up firewall

krazeh · March 2, 2023, 4:00pm

It's already set up by default.

openrouterman · March 2, 2023, 4:10pm

I did not install that luci-ssl package but i saw https option is available in router settings should i turn it on or it won't work if i dont have that package.

psherman · March 2, 2023, 4:10pm

As others have stated multiple times, you do not need to change the firewall configuration from the default state since it is already secure. It blocks unsolicited traffic reaching the router itself or attempting to reach your internal network (lan). It only allows traffic that has been initiated by hosts on your side of the network.

Don't touch it if you don't know what you are doing. Below is a link to the firewall documentation. These are not "instructions," but you will find examples of how to work with the firewall using UCI command syntax and the text file eqivalents. Don't run any of the commands or make any changes without fully understanding what you are doing and why. Again, you probably don't need to make any changes... if you have a specific question about how to achieve a certain goal (i.e. "I want to create a road-warrior VPN configuration, how do I open the firewall for that") we can help you.