Security Focused LEDE Build. 161 Routers supported so far ( TP-Link, Arduino, Archer, Linksys, Netgear, Ubiquity and more )

Hey, after having a bad experience related to router security this year I decided to try to make a security focused LEDE build and share it with everyone. So no one has to go through the same.

Removed:

  • IPv6
  • USB Support
  • Stripped unnecessary exports from the kernel image and unnecessary functions from libraries

Added:

  • Luci SSL
  • Adblock
  • Dnscrypt + Plugins Support. DNScrypt is enabled out of the box. Resolvers by default are ventricle.us and dnscrypt.org-fr because those support DNSSEC. Unfortunately Cisco doesn't and afaik doesn't plan to support it in the near future, or at all.
  • Onbound (Recursive DNS) w/ Luci GUI. DNSSEC is enabled out of the box.

All these include LUCI GUI so the user doesn't need to use Putty or anything else to make it work.

  • By default all ports are stealth and it passes the ShieldsUP! test ( https://www.grc.com/x/ne.dll?rh1dkyd2 ).
  • I also included some iptables with basic and useful features like hiding the modem, forcing everyone to use the router's DNS and a mini firewall that logs certain actions. Also another one to restrict the access to the router administration to one computer/device.
    They are easy to understand for anyone even if they don't have experience with LEDE/OpenWRT and can be edited through the GUI. Looks like this.

181 Router models supported so far,
These are the TP-Link supported models:

TP-Link Routers

tl-mr6400-v1
tl-mr6400-v1-sq
tl-wdr3500-v1
tl-wdr3500-v1-sq
tl-wdr3600-v1
tl-wdr3600-v1-sq
tl-wdr4300-v1-il
tl-wdr4300-v1-il-sq
tl-wdr4300-v1
tl-wdr4300-v1-sq
tl-wdr4310-v1
tl-wdr4310-v1-sq
tl-wdr4900-v2
tl-wdr4900-v2-sq
tl-wdr6500-v2
tl-wdr6500-v2-sq
tl-wdr7500-v3
tl-wdr7500-v3-sq
tl-wpa8630-v1
tl-wpa8630-v1-sq
tl-wr1043nd-v1
tl-wr1043nd-v1-sq
tl-wr1043nd-v2
tl-wr1043nd-v2-sq
tl-wr1043nd-v3
tl-wr1043nd-v3-sq
tl-wr1043nd-v4
tl-wr1043nd-v4-sq
tl-wr2543-v1
tl-wr2543-v1-sq
tl-wr710n-v1
tl-wr710n-v1-sq
tl-wr710n-v2.1
tl-wr710n-v2.1-sq
tl-wr810n-v1
tl-wr810n-v1-sq
tl-wr842n-v1
tl-wr842n-v1-sq
tl-wr842n-v2
tl-wr842n-v2-sq
tl-wr842n-v3
tl-wr842n-v3-sq
tl-wr902ac-v1
tl-wr902ac-v1-sq
tl-wr942n-v1
tl-wr942n-v1-sq

And these are the rest:

Routers

a60
a60-sq
alfa-ap120c-sq
alfa-ap96-sq
alfa-nx
alfa-nx-sq
all0258n-sq
all0305-kernel.bin
all030
all0305-sq
all0315n-sq
antminer-s1
antminer-s1-sq
antminer-s3
antminer-s3-sq
antrouter-r1
antrouter-r1-sq
ap121-16M-sq
ap121-8M-sq
ap121f-sq
ap132-sq
ap135-020-sq
ap136-010-sq
ap136-020-sq
ap143-16M-sq
ap143-8M-sq
ap147-010-sq
ap152-16M-sq
ap531b0-sq
ap90q-sq
ap96-sq
archer-c25-v1
archer-c25-v1-sq
archer-c5-v1
archer-c5-v1-sq
archer-c58-v1
archer-c58-v1-sq
archer-c59-v1
archer-c59-v1-sq
archer-c60-v1
archer-c60-v1-sq
archer-c7-v1
archer-c7-v1-sq
archer-c7-v2-il
archer-c7-v2-il-sq
archer-c7-v2-sq
archer-c7-v2-sq
archer-c7-v2
archer-c7-v2-sq
arduino-yun-sq
bhr-4grv2
bhr-4grv2-sq
bsb-sq
bxu2000n-2-a1-sq
c-55-sq
cap324-nocloud-sq
cap324-sq
cap4200ag-sq
carambola2-sq
cf-e316n-v2-sq
cf-e320n-v2-sq
cf-e380ac-v1-sq
cf-e380ac-v2-sq
cf-e520n-sq
cf-e530n-sq
cpe210-220-v1
cpe210-220-v1-sq
cpe505n-sq
cpe510-520-v1
cpe510-520-v1-sq
cpe830-sq
cpe870-sq
cr3000-nocloud-sq
cr3000-sq
cr5000-nocloud-sq
cr5000-sq
dap-2695-a1-sq
db120-sq
dgl-5500-a1
dgl-5500-a1-sq
dhp-1565-a1
dhp-1565-a1-sq
dir-505-a1
dir-505-a1-sq
dir-825-b1-fat-sq
dir-825-b1-squas
dir-825-b1-sq
dir-825-c1
dir-825-c1-sq
dir-835-a1
dir-835-a1-sq
dir-869-a1
dir-869-a1-sq
dlan-hotspot-sq
dlan-pro-1200-ac-sq
dlan-pro-500-wp-sq
dlrtdev01-fat-sq
dlrtdev01-squas
dlrtdev01-sq
dr344-sq
dr531-sq
dragino2-sq
eap120-v1
eap120-v1-sq
eap300v2
eap300v2-sq
eap7660d-kernel.bin
eap7660
eap7660d-sq
el-m150
el-m150-sq
el-mini
el-mini-sq
ens202ext
ens202ext-sq
epg5000-sq
esr1750-sq
esr900-sq
ew-dorin-16M-sq
f9k1115v2
f9k1115v2-sq
fritz300e-sq
gl-ar150-sq
gl-ar300-sq
gl-ar300m-sq
gl-domino-sq
gl-inet-6408A-v1
gl-inet-6408A-v1-sq
gl-inet-6416A-v1
gl-inet-6416A-v1-sq
gl-mifi-sq
hiwifi-hc6361-sq
hornet-ub
hornet-ub-sq
hornet-ub-x2-sq
ja76pf-kernel.bin
ja76p
ja76pf-sq
ja76pf2-kernel.bin
ja76pf
ja76pf2-sq
jwap003-kernel.bin
jwap00
jwap003-sq
jwap230-sq
lima-sq
mc-mac1200r
mc-mac1200r-sq
minibox-v1
minibox-v1-sq
mr1
mr1
mr12-sq
mr1
mr1
mr16-sq
mr1750
mr1750-sq
mr600
mr600-sq
mr900
mr900-sq
mw4530r-v1
mw4530r-v1-sq
mynet-n600
mynet-n600-sq
mynet-n750
mynet-n750-sq
mynet-rext
mynet-rext-sq
mzk-w04nu
mzk-w04nu-sq
mzk-w300nh
mzk-w300nh-sq
NBG6616-sq
om2p
om2p-sq
om5p
om5p-sq
om5pac
om5pac-sq
omy-g1
omy-g1-sq
omy-x1
omy-x1-sq
onion-omega
onion-omega-sq
oolite
oolite-sq
pb42-kernel.bin
pb4
pb42-sq
pb44-kernel.bin
pb4
pb44-sq
pqi-air-pen-sq
qihoo-c301
qihoo-c301-sq
r602n-sq
re450-v1
re450-v1-sq
rw2458n
rw2458n-sq
sc1750-sq
sc300m-sq
sc450-sq
smart-300
smart-300-sq
som9331
som9331-sq
sr3200-sq
tellstick-znet-lite
tellstick-znet-lite-sq
tew-673gru-fat-sq
tew-673gru-squas
tew-673gru-sq
tew-732br
tew-732br-sq
tew-823dru
tew-823dru-sq
tube2h-16M-sq
tube2h-8M
tube2h-8M-sq
ubdev01
ubdev01-sq
ubnt-air-gateway-pro
ubnt-air-gateway-pro-sq
ubnt-air-gateway
ubnt-air-gateway-sq
ubnt-airrouter
ubnt-airrouter-sq
ubnt-bullet-m
ubnt-bullet-m-sq
ubnt-loco-m-xw
ubnt-loco-m-xw-sq
ubnt-ls-sr71
ubnt-ls-sr71-sq
ubnt-nano-m
ubnt-nano-m-sq
ubnt-nano-m-xw
ubnt-nano-m-xw-sq
ubnt-rocket-m
ubnt-rocket-m-sq
ubnt-rocket-m-ti
ubnt-rocket-m-ti-sq
ubnt-rocket-m-xw
ubnt-rocket-m-xw-sq
ubnt-rs
ubnt-rs-sq
ubnt-rspro
ubnt-rspro-sq
ubnt-uap-pro
ubnt-uap-pro-sq
ubnt-unifi-outdoor-plus
ubnt-unifi-outdoor-plus-sq
ubnt-unifi-outdoor
ubnt-unifi-outdoor-sq
ubnt-unifi
ubnt-unifi-sq
ubnt-unifiac-lite-sq
ubnt-unifiac-mesh-sq
ubnt-unifiac-pro-sq
uImage-lzma.bin
vmlinux.bin
wbs210-v1
wbs210-v1-sq
wbs510-v1
wbs510-v1-sq
weio-sq
wlr8100-sq
wndap360-sq
wndr3700-sq
wndr3700v2-sq
wndr3800-sq
wndr3800ch-sq
wndrmac-sq
wndrmacv2-sq
wnr200
wnr2200-sq
wp543-squash
wp543-squas
wpe72-squash
wpe72-squas
wpj342-sq
wpj344-sq
wpj531-sq
wpj558-sq
wpj563-sq
wrt160nl
wrt160nl-sq
wrt400n
wrt400n-sq
wrtnode2q-sq
wzr-450hp2
wzr-450hp2-sq
wzr-450
wzr-600dhp
wzr-600dhp-sq
wzr-600
wzr-hp-ag300h
wzr-hp-ag300h-sq
wzr-hp-ag3
wzr-hp-g300nh
wzr-hp-g300nh-sq
wzr-hp-g30
wzr-hp-g300nh2
wzr-hp-g300nh2-sq
wzr-hp-g300
wzr-hp-g450h
wzr-hp-g450h-sq
wzr-hp-g4
xd3200-sq
zbt-we1526-sq
zcn-1523h-2-8-sq
zcn-1523h-5-16-sq

Download

Last Update: Sept. 8, 2017:

  • Removed uHTTPd and OpenVPN completely for now.
  • Changed 1st DNS resolver to ventricle.us, was having some issues with the previous one.
  • DNSSEC is enabled by default now.

Click on List View or it's gonna be hard to find the one you are looking for.
Let me know how it works for you, what packages would you like to see in future releases, what models should I consider (please no 4 MB models, I can't do anything with those, already tried). Will try to check comments everyday.
Cheers.

1 Like

Why remove IPV6? Seems a bit like cargo-culting to me.

IPV6 is the future of the internet, full stop - denying its existence and trying to hobble along with IPV4 and associated band-aid solutions is no longer an option.

Also, in the politest possible way, don't defer to GRC on anything, there's plenty out there on Gibson and ShieldsUp! in particular.

1 Like

Because removing IPv6 gives you more space to put other things to. Of course, only if you do not need IPv6. Removing it is a valid way for 4MB devices to free some valuable space.

1 Like

Is there alternative/economical way to run luci/web ui without uhttpd?

What's so insecure about the dnsmasq so that you dropped it?

It's useful from a privacy angle. IIRC, a dns leak test like https://www.dnsleaktest.com/ will show dnsmasq's upstream dns servers as the dns server. On the other hand, for unbound, it shows the dns server as the public IP which the pc and unbound are at.

1 Like

Is there a reason dnsmasq is the default over unbound in LEDE? AFAIK, dnsmasq also does DHCP, but that can also be done by odhcpd, right?

What about adding luci-app-bcp38? and builds for wrt1200 wrt1900 and wrt3200acm

The reason is if it aint broke, don't fix, it due to:

  1. dnsmasq was there almost a decade before unbound, so it is the default
  2. dnsmasq is a dns forwarder, whereas unbound is a resolver, which is more than a dns forwarder, and kinda does what the ISP dns server already does for you.

But for security, privacy and anti-censoring purposes a DNS resolver is the preferred solution, right?