TL;DR -- OpenWRT is great. Thanks! I donated.
Context: SOHO power-user WAN/LAN/Wifi/VPN network.
Previous setup: Opnsense on APU2E4, with multiple Ubiquiti puck-form WAPs, using Ubiquiti's firmware & a local instance of Ubiquiti's proprietary "controller" WAP-management software.
Previous experience: Ubiquiti's WAP ecosystem is pretty slick and geared toward the medium-size enterprise where it's important to be able to live-monitor and live-update 10s to 100s of WAPs at the same time.
Problem: Over the years I realized that Ubiquiti isn't all that interested in security. Recently I realized that their Controller software still doesn't support ed25519 SSH keys in WAPs, for example, and it's not possible to turn off SSH password authentication on their WAP firmware either, at least not in a convenient, persistent, non-kludgy way. (This goes for many other major network vendors as well. Even CISCO doesn't support ed25519 except in its flagship Catalyst switch/routers that cost >$5,000.)
Research: Since I've recently migrated to ed25519-sk SSH keys, I started hunting around for a FOSS firmware solution. I was pleasantly surprised to learn that OpenWRT supports many of Ubiquiti's current and past WAPs.
Action: Was able to use a pretty-straightforward cross-grade path: ssh to shell followed by dd on the WAP command line, not requiring any physical access to the WAP motherboard.
Result: Migrated my Unifi WAPs to OpenWRT without a hitch. Took a few hours to wrap my head around OpenWRT's VLAN configuration but I got it sorted and now everything's working fine.
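The security point of the post is that the stock firmware would not let password SSH logins be switched off persistently, while OpenWRT's dropbear does. The script below is an added example, not part of the original post and not OpenWRT project code: it installs a public key and then flips `PasswordAuth` and `RootPasswordAuth` to `0` in a UCI-style dropbear config, refusing to disable passwords until a key is actually in place so you cannot lock yourself out. It runs on a constructed copy of the config in a temp directory; on a router the real paths are `/etc/config/dropbear` and `/etc/dropbear/authorized_keys`, and the key string is a placeholder. It assumes the router's dropbear build accepts ed25519 keys, and that the config has a single `config dropbear` section (options that are missing get appended at the end). After editing the real file you would still run `/etc/init.d/dropbear restart`, which is not done here.

```shell
#!/bin/sh
# Added example: key-only SSH hardening for an OpenWRT dropbear config.
# Operates on whatever file paths it is given; nothing here touches /etc.

# Print the value of one option from the first matching line (quotes stripped).
get_dropbear_option() {
  cfg="$1"; name="$2"
  sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$name[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$cfg" | head -n1
}

# Set (or append, if absent) one option in the dropbear config.
set_dropbear_option() {
  cfg="$1"; name="$2"; value="$3"
  if grep -q "^[[:space:]]*option[[:space:]]\{1,\}$name[[:space:]]" "$cfg"; then
    sed "s/^\([[:space:]]*option[[:space:]]\{1,\}$name[[:space:]]\).*/\1'$value'/" "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg"
  else
    printf "\toption %s '%s'\n" "$name" "$value" >> "$cfg"
  fi
}

# Append a public key to an authorized_keys file (idempotent), mode 0600 as dropbear expects.
install_dropbear_key() {
  keyfile="$1"; pubkey="$2"
  grep -qxF "$pubkey" "$keyfile" 2>/dev/null || printf '%s\n' "$pubkey" >> "$keyfile"
  chmod 600 "$keyfile"
}

# Return 0 only when both normal and root password logins are disabled.
dropbear_is_key_only() {
  [ "$(get_dropbear_option "$1" PasswordAuth)" = "0" ] \
    && [ "$(get_dropbear_option "$1" RootPasswordAuth)" = "0" ]
}

# Install the key first; disable password auth only once a key is present.
harden_dropbear() {
  cfg="$1"; keyfile="$2"; pubkey="$3"
  install_dropbear_key "$keyfile" "$pubkey"
  if [ ! -s "$keyfile" ]; then
    echo "refusing to disable password auth: no authorized key installed" >&2
    return 1
  fi
  set_dropbear_option "$cfg" PasswordAuth 0
  set_dropbear_option "$cfg" RootPasswordAuth 0
}

# Demo on a constructed sample config (defaults mirror a fresh OpenWRT install).
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/dropbear"
printf "config dropbear\n\toption PasswordAuth 'on'\n\toption RootPasswordAuth 'on'\n\toption Port '22'\n" > "$demo_cfg"
# PLACEHOLDER key, not a real one; substitute the output of ssh-keygen -t ed25519.
harden_dropbear "$demo_cfg" "$demo_dir/authorized_keys" "ssh-ed25519 AAAA...PLACEHOLDER admin@example"
if dropbear_is_key_only "$demo_cfg"; then
  echo "dropbear config is key-only:"
  cat "$demo_cfg"
fi
```

On the router, run the same functions against `/etc/config/dropbear` and `/etc/dropbear/authorized_keys` from a second session, and only close the original session after a key-based login has succeeded.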
Thank you, OpenWRT team(s). I've written a check to the SF Conservancy ( https://sfconservancy.org/ ) with the funds marked specifically for OpenWRT.
Cheers!