Whoa! Maybe time to back up a bit...
First off, what are you trying to achieve and why?
You don't have to answer here, but what is sooooo valuable about that router or what it is protecting that you're going to such extremes to try to protect a cheap piece of consumer-grade hardware running what is basically a consumer OS? This is coming from someone that was paranoid enough to be running isolated VLANs for IoT devices even before they were called IoT.
Next, there is no such thing as "completely secure". There is only the ability to lengthen the time it takes for someone to achieve the goal. Safes are rated in the number of hours it would likely take for someone to gain access. You either have to make it hard enough that it isn't worth it for them to break into yours, that you'll catch them before they do, or that yours is significantly harder than the next guy's of equivalent value.
Then there's that most people concerned with security know that you can never secure a computer that you can't control physical access to.
If what you're protecting is really that valuable, go buy some commercial gear, locked cages for it, external antennas, and put your cabling into steel conduit.
Oh yeah, you're gluing your Ethernet cables into the router, right?
Want to lock down OpenWRT? There is only so far you can go. No r/w filesystem, remote logging, replace dropbear with OpenSSH, only allow keyed access with 802.11X port-level authentication, no root login, strip out every executable you don't absolutely need,... but it's still not really a secure system. Meh, go with FreeBSD with kern.securelevel cranked up running off optical media or, if you really insist, Linux with SELinux in fully enforcing mode. Better get a couple network sniffers and firewalls to protect it as well, and get an IDS running.
Extreme, perhaps, but I want to get you to laugh yourself back to reality. It's a $100 / 100€ -class consumer router.
What to you really need?