What is the best software to install with OpenWrt?

Hello, I installed OpenWrt and am pretty happy. I'm back to it after some years.

I'm wondering what would be nice stuff to use on it? There is a big bunch of software packages to download and install, and I'm wondering what everybody is using. What do you guys download from the software section?
Also another question: if I upgrade it later, do I need to configure everything again, or is it OK to save my settings?

My device is the Archer C7 AC1750 and I'm using the latest stable version.

Thanks

3 Likes

adblock, banIP, SQM, BCP38 and DNS over HTTPS proxy. Have fun!

5 Likes

DNSSEC (secure DNS) with recursive DNS is a major advance in security, so you should look into it. It will protect you against DNS attacks and false DNS entries ("lying DNS").

The name of the main DNSSEC resolver is Unbound.

opkg install unbound luci-app-unbound

https://openwrt.org/docs/guide-user/services/dns/unbound

3 Likes

If you are using Wi-Fi and need to overcome WPA2/WPA3 design flaws, you might consider using a VPN over your Wi-Fi by installing a VPN server on your router. I leave open the choice of VPN; it could be, IMHO, OpenVPN or IPsec. But others are available.

WPA2 KRACK attack: https://www.krackattacks.com/
WPA3 Dragonblood: https://wpa3.mathyvanhoef.com/

Those are design flaws in WPA 2/3 design, which means these are not bugs. OpenWrt includes fixes but those are only partial.

Consider WEP/WPA/WPA2/WPA3 dead.

The only workable solution until WPA 3.1 is out (supposing it is well-designed in collaboration with the research security community, which I doubt) is to use a VPN over your wireless link. Not a commercial VPN, i.e. your OWN VPN. This kind of configuration is called "roadwarrior" as it will protect your connection over an insecure link, using your own VPN server as a gateway.

A sample configuration for IPsec roadwarrior is available here:
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

I am still in the process of deciding whether to implement it ...

I will switch Internet provider (France) in a few days, for the sole reason that my new Internet provider offers a built-in IPsec server and I probably don't want to bother with configuration. This will be my "lazy" choice, as everything including certificate creation, signing and downloading is implemented in a nice web interface. If you don't have such a choice, mind about your own VPN.

2 Likes

That's a very nice list, thank you so much!
I'm actually already using SQM and Cake, now I will start on the other stuff. Adblock also sounds like a good one, I will install it right now.

I am wondering: what is the advantage of using BCP38 when you have only one WAN behind your ISP router?

1 Like

That's a very good one ffries!

I'm using WireGuard around here, I made one with Lightsail and Ubuntu, works very well!
Thank you for the suggestion, may we get lucky with VPN over wireless!

I was thinking about setting up WireGuard to work for all my connections from my router, but I wonder how much performance I would lose with it, so for now only wireless. Still a lot faster than OpenVPN, I must say.

This is something I never used before, installing now. Great tip!

Thanks.

When your settings are done, test DNSSEC with this tool:
https://dnssec.vs.uni-due.de/

2 Likes
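A scriptable counterpart to the DNSSEC test suggested above, as an added example that is not part of any post in this thread: it reads two `dig +dnssec` responses, one for a correctly signed name and one for a name with a broken signature, and reports whether the resolver validates. The function names `dig_summary` and `dnssec_verdict` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from two dig responses whether a resolver validates DNSSEC.
# On the router the inputs would be captured with something like
#   dig @127.0.0.1 +dnssec <correctly-signed-name>
#   dig @127.0.0.1 +dnssec <name-with-broken-signature>
# The responses below are constructed samples, not real captures.

# Read one dig response on stdin, print "<status> <ad|noad>".
dig_summary() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # flag words run up to the first field ending in ";"
            for (i = 3; i <= NF; i++) {
                f = $i; last = (f ~ /;$/); sub(/;$/, "", f)
                if (f == "ad") ad = 1
                if (last) break
            }
        }
        END {
            if (status == "") status = "NONE"
            print status, (ad ? "ad" : "noad")
        }'
}

# $1: response for the signed name, $2: response for the broken name.
dnssec_verdict() {
    good=$(printf '%s\n' "$1" | dig_summary)
    bad=$(printf '%s\n' "$2" | dig_summary)
    case "$good|$bad" in
        "NOERROR ad|SERVFAIL "*) echo validating ;;      # signed OK, broken rejected
        "NOERROR "*"|NOERROR "*) echo not-validating ;;  # broken signature was accepted
        *) echo inconclusive ;;                          # e.g. timeout or stripped AD bit
    esac
}

GOOD_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
GOOD_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BAD_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
BAD_ANSWERED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_verdict "$GOOD_AD" "$BAD_SERVFAIL"     # validating resolver
dnssec_verdict "$GOOD_NOAD" "$BAD_ANSWERED"   # plain forwarder
```

The `ad` flag only says that the resolver you asked did the validation, so it is meaningful when that resolver is the router's own Unbound instance reached over a trusted path.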

I will have a look at WireGuard. Might be an excellent alternative to IPsec.
Nice exchange.

Thanks.

2 Likes

Worked, I got an OK from the funny guy on the page!

Super nice tip, I never used it before! Thank you very much.

What is the advantage of using BCP38 in short?

I quoted the wrong comment, sorry. I still don't know, BCP38 is new to me, I just installed it to see what's up.

Ok, nice to see you have DNSSEC running.

1 Like

Yes, super great! Very excited with it, hahah

That's quite a bold statement. Got anything more recent than the two articles you posted that demonstrates either vulnerability is still viable in any mainstream systems/devices?

The world-recognized researcher Mathy Vanhoef states in both articles that WPA2/WPA3 have design flaws that are non-fixable. Attacks can be slowed down, not stopped. Please read more carefully.

Feel free to open a separate thread if you would like to discuss that.

1 Like

You must be reading something different to the articles you linked to because he doesn't say that in either of them....

OK, I will start a separate thread. I would be glad to hear that WPA2/WPA3 is fixable.
Here it is: Are WPA2/WPA3 design flaws fixable?

1 Like