Secure Modern Router Recommendations

Hey guys! I'm looking to buy a new router to install OpenWrt since my current router does not seem to have support (it's also getting pretty old). I have spent hours looking through various recommendations and tutorials, but the suggestions all seem very fragmented. From my research I don't really see like one or two routers that people recommend, probably because everyone has different goals and budgets.

I'm looking for a very fast and secure router for gaming and running some basic home network devices. I'd like something with FOSS firmware as I read about in the Buyers' Guide. I run coreboot on my laptop, I honestly didn't know people used it on routers too, so that would be a really nice addition. I currently have a separate modem+router setup, but I would be interested in replacing it with a two-in-one device as long as it doesn't compromise anything or provide any downsides. I'd prefer to stay away from hardware made in China if possible as I have heard some concerns about potential tampering from their government (not sure if it's true or not, but I don't want to risk it). I would really like if I could get something without hardware security concerns like the Intel Management Engine, AMD Platform Security Processor, but I don't know if such a device even exists. I have never installed OpenWrt before, but I trust my ability to follow directions and I have some friends who have installed it, so I'm not too concerned about the device being easy or hard to set up. My budget is around $500 - $700.

GL finding hw not made in China.

If you don't need a 10/10gbit capable device, you're probably aiming too high.

What are your requirements, except for not made in China?
VPN ?
SQM ?
ISPs speed ?
Ethernet ports ?
Wifi ? AC ? AX ?

2 Likes

Check this out and align to availability in local store:
https://openwrt.org/toh/views/toh_available_16128_ax-wifi
Hundred bucks per floor or so

1 Like

I didn't know Chinese routers were so common, I always heard to avoid Chinese networking equipment, but out of fears for privacy/security which is really my main goal.

My ISP speeds are about 250 mbit down 25 mbit up, not amazing. I'd like a few Ethernet ports to connect some of my devices, maybe 2 or 3 would be fine, more is obviously better. I don't think I would need a VPN directly on my router, but wouldn't that be a software feature and not a hardware feature? I need wifi, I don't know the big differences between wifi5/6 so I'm honestly not sure which I need. And I literally have no idea what SQM is, I just recently heard about the term on the forum as I'm a little bit of a noob when it comes to routers.

I appreciate all the help by the way, sorry if I sound like a noob.

Hey, I appreciate the help but it looks like there's 142 routers on there. My main difficulty is filtering down the list to the best options, specifically for privacy/security with FOSS bootloader and good specs for fast speeds.

For that speed just pick one from "ideal" list, check if you need USB, and one more LAN port than you imagine connecting directly in near future.
Say if you can order > gigabit at home maybe go for 2.5gbit, but on the other hand today's gigabit can serve future 2.5gbit as range extender.

1 Like

EU, USA, Russia or China, what is the difference? They all nowadays have the same official surveillance laws to spy on their people.

To be honest I don’t think Russia and China ever will come up in EU and USA level on this. China has maybe 2 billion wiretaps.

NSA, Microsoft and US Cyber command have together the whole earth wiretapped with backdoors.

1 Like

Yeah, I won't even comment. :joy:

But, to the task at hand. I'd get a x86 minipc with an Intel N100 CPU, the 4-6 x 2.5G Intel 226 ones are like $100-150 bare bones. A 64G SSD and a 4G stick of RAM and you've got an unbrickable, super fast router for under $200.

Add on a nice AP for your wireless needs, I like the Zyxel NWA50AX Pro, "Pro" is the one with the 2.5G backhaul, they're currently $85 (and have been for months) on amazon https://www.amazon.com/gp/product/B0C6MRDNQ6.

Both devices run OpenWrt, configure as full router/firewall on the minipc and as a simple access point on the WAP, off you go...

1 Like

I'd get a Dell Edge 620, they're ~$75 on ebay.
Quad core Atom CPU, 8GB RAM, 128GB SSD + 16GB eMMC, 6 Ethernet ports, 2 SFP+.

Unfortunately not fanless.

2 Likes

Is there any hardware I can buy that is NOT filled with backdoors? lol

Officially built routers I doubt it.
I guess the hardware with least probability of hardware backdoors is computers like raspberry that ain't supposed to be routers to begin with or old equipment before the surveillance laws came creeping.

But the router ain’t really the problem or the meaningful protection against governments, they are tapping the data traffic through the isp or directly from the smartphones or smartpads or computers inside the network instead.

1 Like

Filtering tips (stable release not snapshot, 2.5gbe ports, 2.4ghz is AX, not N)


OpenWrt does not change bootloaders, if you are lucky you can examine their recovery function source, you will need a flash programmer to recover from replacing loader.

1 Like

I assume you don't own any Android based device ?

1 Like

If you want to go through the extra mile and eliminate bootloader + firmware binary blobs then look into https://librecmc.org/ - this is however badly maintained and not suitable for modern hardware...

1 Like

Also worth looking at BSD, which supports up to wifi4 on even modern ath*k and mt76. Obviously you need a mainstream mini-pc amd64 or arm64 to drive it.

1 Like

I do own an Android based device, but I own many different devices. Why do you ask?

because it'll spy on you more than your network ever will.
you're making your network Defcon 5 kind of secure, while the clients are left untouched ?

i believe you're addressing the "spy issue" from the wrong end.

1 Like

I use graphene, so I don't think there's too much spying going on. I also run pihole to block some telemetry from apps I use.

then you're not really using Android ... ?

pihole will only block what doesn't use hardcoded IPs, like the YouTube app, but I'm sure you already knew this.

1 Like

Graphene is still based on AOSP, they actually contribute to AOSP heavily as well. And yeah, I know pihole isn't foolproof as they can do many things like avoid domains entirely or send their telemetry data through the same domain as legitimate traffic needed for their service. Fortunately many services do not do this.

Most of my end devices are already secure and privacy-respecting. I think a good router is my last step for my home network, but from this advice I've been seeing, it seems like the best option would be not using a typical router. It seems like it would be much better to use a NUC like s76's meerkat or purism's librem mini as it will allow for secure firmware as well. Sounds like a lot of money and work that I'm not looking forward to though ;( I really wish there was a better option. Maybe the rpi5 would be a good choice if it's compatible.