I know the wiki and other posts say to go as big as possible. However, right now I'm working on a budget. Is it possible to run things like OpenSSH, OpenVPN or WireGuard, AdGuard & maybe something else on 128 MB?
AdGuard - not on 128 MB. But the other things, yes, no problem.
No need to run OpenSSH - Dropbear is preinstalled.
Aw man, really? Not even AdGuard Light? I was hoping to block a lot of the modern "ad-apocalypse" from the router.
Are the benefits of OpenSSH unnecessary vs. Dropbear in your opinion? Would OpenWrt not function as well if Dropbear was replaced with it?
Certainly not.
Adblocking of any kind is RAM hungry, depending on the size of your blocklists (which make or break your blocking experience). You really have to adapt your expectations (and blocklists) for devices with 128 MB RAM (or even 256 MB RAM, respectively even 512 MB RAM in the case of ipq50xx/ipq60xx/ipq807x!) and native services like luci-app-adblock, adblock-fast or adblock-lean. But AGH is a lot more complex and CPU/RAM hungry than the native solutions referenced above; the bare minimum for that is >>512 MB RAM and ~100 MB flash on removable storage (because it will chew up your storage, so make it cheaply replaceable and/or more sturdy than the internal system flash of your router). AGH just requires considerably more beefy hardware to work.
That doesn't mean you can't do DNS based adblocking on your router, but not with AGH - and only with a rather limited set of blocklists (and accordingly adapted expectations). Blocklists just need RAM (quite a lot of it, especially during corner cases like TCP based DNS queries or blocklist updates); AGH adds extra fluff on top of that.
So what would you suggest for my RAM limitations to use for ad blocking?
Choose between either luci-app-adblock, luci-app-adblock-fast XOR adblock-lean, start with the smallest blocklists and test how far you can go (don't declare victory too quickly; give yourself a couple of days of testing before adding more). Which blocklists to choose depends on your requirements - and what you consider to be 'good enough' (as DNS based blocking can never be perfect, client side browser plugins are always more thorough).
Just be aware that 128 MB of RAM is the bare minimum for running OpenWrt at all; there isn't much headroom for convenience or heavy services (and blocklists are heavy in nature).
Ok, thanks a lot for the advice. I'll keep what you said before in mind while I save up for the GL.iNet GL-MT6000. Also, one last question: is it wise to get rid of Dropbear and replace it with OpenSSH? I know OpenSSH has extra features; would it break anything if I did that, or is it just best to stay with Dropbear?
What features do you need/want, and why?
Dropbear is lightweight and reliable (and secure), so unless you have a specific need for other ssh features that aren't in dropbear, there is usually no reason to change things.
Oh, none in particular, maybe me just being greedy is all, just asking. I had seen the differences between the two and was curious.
If you don't have a specific need, don't mess with it. More than likely, you'll end up breaking things.
Will definitely keep that in mind. Does it matter, under the SSH settings, if I run multiple Dropbear instances with different SSH port numbers?
That's fine... what is the use case, though? (i.e. there may be other approaches that would be preferred, depending on what you're doing)
Eh, just over-cautiousness. I feel using non-standard ports reduces the risk of automated attacks and port scanning. 2200 & 2222 would be less likely to be targeted.
This is mostly a myth. I mean, there is a non-zero reduction to be had, but it's marginal gains.
But...
- Why 2 ports/instances and not just one?
- Why worry about it when SSH is (by default) only exposed to the LAN? The firewall does not allow unsolicited incoming connections.
I figured as much; I just wanted to ask and get opinions. I'm still learning about OpenWrt, so answers like these are helping me out a lot.
The only gain from using non-standard ports is that it forces the attacker to first scan your device to find where the specific service is running. This reduces the attack surface against more generic and less skilled brute force attacks that will not perform any initial scan, skipping your host if the service's standard port is not open (or is filtered).
The real security approach, which not only will outright deny breaches to brute force attacks but also make it extremely difficult (if not impossible) for actual skilled hackers, is to firewall the service's port, allowing communication only to maintenance host(s) via a VLAN. You then combine this with disallowing password authentication, only accepting logins via maintenance encryption keys.
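The setup described in the post above (SSH reachable only from a maintenance VLAN, password logins off, keys only), as an added example that is not part of the original thread. It writes the two OpenWrt UCI stanzas involved and then audits them with POSIX awk, so it runs anywhere a shell is available, not only on the router. Assumptions that are mine and not from the thread: a management interface and firewall zone named `mgmt` on 10.10.99.0/24, and the admin's public key already placed in /etc/dropbear/authorized_keys. The lan REJECT rule is belt-and-braces; binding Dropbear to the mgmt interface already keeps it off the lan.

```shell
#!/bin/sh
# Added example: hardened OpenWrt Dropbear + firewall stanzas and a UCI audit.
# Not the forum's or the OpenWrt project's own code.
# Assumptions: mgmt interface/zone on 10.10.99.0/24 (hypothetical), key in
# /etc/dropbear/authorized_keys. Files are written under WORKDIR, not /etc.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# /etc/config/dropbear: key-only login, bound to the mgmt interface only.
write_dropbear_config() {
    cat > "$1" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'mgmt'
    option GatewayPorts 'off'
EOF
}

# /etc/config/firewall additions: accept SSH only from the mgmt subnet,
# explicitly reject it from lan. WAN stays closed by the default input policy.
write_firewall_config() {
    cat > "$1" <<'EOF'
config rule
    option name 'Allow-SSH-from-mgmt'
    option src 'mgmt'
    option src_ip '10.10.99.0/24'
    option dest_port '22'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option name 'Block-SSH-from-lan'
    option src 'lan'
    option dest_port '22'
    option proto 'tcp'
    option target 'REJECT'
EOF
}

# audit_dropbear FILE: every "config dropbear" instance must have both
# PasswordAuth and RootPasswordAuth set to 'off' (OpenWrt defaults them to on).
# Prints offenders; exit status 1 if any were found.
audit_dropbear() {
    awk -v q="'" '
      function flush() {
        if (insect && (pw != "off" || rpw != "off")) {
          bad++; print "password login enabled: dropbear instance on port " port
        }
      }
      /^config[ \t]+dropbear/ { flush(); insect = 1; pw = "on"; rpw = "on"; port = "22"; next }
      insect && $2 == "PasswordAuth"     { v = $3; gsub(q, "", v); pw = v }
      insect && $2 == "RootPasswordAuth" { v = $3; gsub(q, "", v); rpw = v }
      insect && $2 == "Port"             { v = $3; gsub(q, "", v); port = v }
      END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

# audit_firewall FILE PORT ZONE: any ACCEPT rule for PORT must come from ZONE
# and carry a src_ip restriction. Prints offenders; exit status 1 if any.
audit_firewall() {
    awk -v q="'" -v port="$2" -v zone="$3" '
      function flush() {
        if (insect && dport == port && target == "ACCEPT" && (src != zone || srcip == "")) {
          bad++; print "SSH rule not restricted to zone " zone " + src_ip: " name
        }
      }
      /^config[ \t]+rule/ { flush(); insect = 1; name = src = srcip = dport = target = ""; next }
      /^config/           { flush(); insect = 0; next }
      insect && $2 == "name"      { v = $3; gsub(q, "", v); name = v }
      insect && $2 == "src"       { v = $3; gsub(q, "", v); src = v }
      insect && $2 == "src_ip"    { v = $3; gsub(q, "", v); srcip = v }
      insect && $2 == "dest_port" { v = $3; gsub(q, "", v); dport = v }
      insect && $2 == "target"    { v = $3; gsub(q, "", v); target = v }
      END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

# Demo run: write both files and audit them.
write_dropbear_config "$WORKDIR/dropbear"
write_firewall_config "$WORKDIR/firewall"
audit_dropbear "$WORKDIR/dropbear" && audit_firewall "$WORKDIR/firewall" 22 mgmt \
    && echo "audit passed: key-only SSH, reachable only from mgmt 10.10.99.0/24"
```

On a real router the same stanzas belong in /etc/config/dropbear and /etc/config/firewall, followed by `/etc/init.d/dropbear restart` and `/etc/init.d/firewall restart`; keep the existing SSH session open and confirm a second login from the mgmt VLAN works before closing it, because a typo in the Interface or src_ip line locks you out. Run the two audit functions again after any later change; they catch the common regression of an extra Dropbear instance (say on 2222) added later without PasswordAuth off.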
Interesting, how would I set something like that up? And would it affect me if I want to SSH into, say, something else on my network? I haven't dived into the VLAN portion of OpenWrt yet, but I'll be getting around to it.
lynxthecat/adblock-lean: Lean and powerful adblocking solution for OpenWrt is currently the lightest adblock solution, and it has a 128 MB preset, but I haven't tested it on a 128 MB device personally. There is no LuCI UI or package for it; you will have to SSH in and set it up, but it's fairly easy to do so.
Just use AdGuard's DNS service if your router isn't powerful enough (or in fact any other blocking public DNS service). Not sure about OpenVPN since it requires OpenSSL, but WireGuard is very lean and works fine.
Regular Adblock works without a single OOM event with the adguard, adguard_tracking, disconnect and oisd_small lists enabled.