
Securing an OpenWrt Router


So you’ve decided to change the firmware on your router from the one provided by your hardware manufacturer to the more open and secure OpenWrt firmware. Congratulations!

However, just because you have decided to increase the security of your device does not mean that you can rest on your laurels. Like any software, OpenWrt receives updates from time to time, mainly when security holes are found or bugs are discovered that can make the device unstable.

Like any network device, it requires some initial setup to improve its security.

Root password

By default, our router is administered through the account with the highest privileges in the system: root. Protecting it should be our first priority. On the first login to a freshly installed OpenWrt we will be asked to set its password, but if we skipped that step or chose something like admin, let’s change it to a unique one, known only to us, as soon as possible. A hacker who gets the opportunity to break into your network will first try the most popular and default passwords used on routers.

To change the password, go to System > Administration, where, in the first tab, Router Password, we can set a secure password.

We can also change the password by connecting to our router via SSH and executing the command:

passwd

[Screenshot: OpenWrt System > Administration, Router Password tab]


SSH

While in System > Administration it is also worth taking a look at the SSH Access tab.

By default, our router listens on port 22 on all available interfaces, including the one used to access the Internet. It goes without saying that leaving port 22 reachable from the Internet is not a sensible setup. Although the default firewall rules already block SSH connections to our router from the Internet, it is worth changing the default settings.

First, change Interface to LAN (our local network).

Then change Port (the port on which the router will listen) to e.g. 9922 or any other port of your choice.

[Screenshot: OpenWrt System > Administration, SSH Access tab]

Save and Apply changes.


Administration panel (https)

Our router settings are managed through a user-friendly graphical interface in a web browser. Just open our router’s address (e.g. 192.168.1.1) in the browser and log in to the root account.

That is all well and good, provided that no one on the network is listening to what we type into the browser. By default, the connection to our router’s administration panel is made over unencrypted HTTP, so the password we enter is also sent in the clear. All it takes is Wireshark to easily read what we are entering.

Therefore, it is worth establishing a connection to our router via an HTTPS encrypted connection.

To do this, in System > Software we need to install the luci-ssl package (if it is not already on our system), or from the terminal:

opkg install luci-ssl

If we install from the terminal, afterwards we should restart the web server that serves the administration panel, the uhttpd package:

/etc/init.d/uhttpd restart

On this first restart, a certificate for HTTPS access will be generated.

Of course, the generated certificate is not issued by any trusted certificate authority; it is self-signed by our router. For local purposes this is not a problem at all, but every time we connect to our router via HTTPS we will get a warning about an untrusted certificate.

In Safari we can click Show Details and then the visit this website link.

[Screenshot: Safari, "This connection is not private" warning]

With Edge (Chromium) and Chrome it is not that easy: these browsers will not let us proceed any further, even from the Advanced options, where we would normally expect a link to continue to the page anyway.

[Screenshot: Edge (Chromium), "Your connection isn’t private" warning]

[Screenshot: Edge (Chromium), "Your connection isn’t private" warning, Advanced options]

Here we can use an unusual trick. On the page reporting the certificate problem, with the browser window focused, type the word thisisunsafe (nothing is shown as we type). After a moment the page will refresh and we will be able to continue to our panel.

In Firefox, simply click the Advanced button and at the bottom of the page click Accept the Risk and Continue.

[Screenshot: Firefox, "Warning: Potential Security Risk Ahead"]

[Screenshot: Firefox, "Warning: Potential Security Risk Ahead", Advanced options]

A small inconvenience, but it does protect the password we send to our router.

To force traffic via HTTPS, go to System > Administration and in the HTTP(S) Access tab, select Redirect to HTTPS and save the settings.

If we have installed luci-ssl but it does not serve its purpose, or the certificate issues make it not the solution we were looking for, we can remove it at any time.

To do this, uninstall the luci-ssl, libustream-mbedtls and px5g-mbedtls packages from the SSH terminal:

opkg remove luci-ssl px5g-mbedtls libustream-mbedtls

Then delete the locally generated certificate and key:

rm /etc/uhttpd.crt
rm /etc/uhttpd.key

And restart uhttpd:

/etc/init.d/uhttpd restart

Administration Panel (port)

In addition to using an encrypted HTTPS connection to the administration panel (which is not very convenient because of the certificate warnings), we can also change the port on which the panel listens.

By default, this is port 80 for unencrypted HTTP connections or 443 for encrypted HTTPS.

To change these ports, we can install the luci-app-uhttpd package:

opkg update
opkg install luci-app-uhttpd

This adds a uHTTPd entry under the Services menu for managing the web server.

[Screenshot: OpenWrt Services > uHTTPd]

[Screenshot: OpenWrt Services > uHTTPd, General Settings]

Under HTTP listeners (and likewise under HTTPS listeners) add the new port on which we will connect to the administration panel. For example, to move HTTP from port 80 to 8080, we add the following entries (and remove the existing ones):

0.0.0.0:8080
[::]:8080

We confirm everything by clicking the Save and Apply button.

If we did everything correctly, we go to our panel using the new address:

http://192.168.1.1:8080
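The settings from the SSH, Administration panel (https) and Administration Panel (port) sections above are stored in the UCI files /etc/config/dropbear (Interface, Port) and /etc/config/uhttpd (listen_http, redirect_https). The following audit script is an added example, not part of the original post: it reads those files and reports which of the recommended settings are in place. The sample config contents it falls back to are constructed to resemble stock defaults and a hardened configuration.

```sh
#!/bin/sh
# Added audit script (not from the original post). It reads the UCI files behind the
# LuCI settings above and reports whether the recommended hardening is applied.
# On the router: sh audit.sh /etc/config/dropbear /etc/config/uhttpd
# Without arguments it checks constructed sample files that mimic stock defaults.

# uci_value FILE NAME: print the value of every "option NAME 'x'" / "list NAME 'x'"
uci_value() {
    awk -v key="$2" -v q="'" \
        '($1 == "option" || $1 == "list") && $2 == key { v = $3; gsub(q, "", v); print v }' "$1"
}

# audit_dropbear FILE: SSH should listen on the LAN side only and not on port 22
audit_dropbear() {
    iface=$(uci_value "$1" Interface)
    port=$(uci_value "$1" Port)
    [ "$iface" = "lan" ] && echo "OK   ssh bound to lan" \
        || echo "WARN ssh listens on all interfaces (Interface='${iface:-unset}')"
    [ -n "$port" ] && [ "$port" != "22" ] && echo "OK   ssh on port $port" \
        || echo "WARN ssh on default port 22"
}

# audit_uhttpd FILE: plain HTTP should redirect to HTTPS and not sit on port 80
audit_uhttpd() {
    [ "$(uci_value "$1" redirect_https)" = "1" ] && echo "OK   redirect_https enabled" \
        || echo "WARN redirect_https disabled"
    for l in $(uci_value "$1" listen_http); do
        case "$l" in
            *:80) echo "WARN http listener on default port: $l" ;;
            *)    echo "OK   http listener $l" ;;
        esac
    done
}

# Constructed samples: a stock-looking config and the hardened variant of each
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
printf "config dropbear\n\toption PasswordAuth 'on'\n\toption Port '22'\n" > "$SAMPLES/dropbear.default"
printf "config dropbear\n\toption Interface 'lan'\n\toption Port '9922'\n" > "$SAMPLES/dropbear.hardened"
printf "config uhttpd 'main'\n\tlist listen_http '0.0.0.0:80'\n\tlist listen_http '[::]:80'\n\toption redirect_https '0'\n" > "$SAMPLES/uhttpd.default"
printf "config uhttpd 'main'\n\tlist listen_http '0.0.0.0:8080'\n\tlist listen_http '[::]:8080'\n\toption redirect_https '1'\n" > "$SAMPLES/uhttpd.hardened"

audit_dropbear "${1:-$SAMPLES/dropbear.default}"
audit_uhttpd "${2:-$SAMPLES/uhttpd.default}"
```

Every WARN line corresponds to one of the LuCI changes described above; on the default samples the script reports two SSH findings and three web-panel findings.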

UPnP

If there are devices on your network that need selected ports opened on the router so that they can be reached directly from the Internet, consider an alternative to UPnP.

While OpenWrt does not have UPnP support built in by default, it can be easily added using the miniupnpd and luci-app-upnp packages.

opkg install miniupnpd luci-app-upnp

At the time of writing, the miniupnpd package is not available in the OpenWrt repositories for version 23.05+ (24.10) and therefore could not be installed. If you want to experiment, I recommend checking out the miniupnpd-nftables package.

It is not without reason that the OpenWrt page on UPnP (https://openwrt.org/docs/guide-user/firewall/upnp/start) warns that using UPnP introduces a significant risk to privacy. The reason is that any program or device on the network can open an external port on our router without our consent and let anyone from the Internet into our home network. It is like having a door in your house that anyone can open whenever they please.

It is also not without reason that the official OpenWrt website does not elaborate on how to install this add-on.

If we enabled UPnP in the past, consider removing it:

opkg remove luci-app-upnp miniupnpd

As a replacement, we can always add a firewall rule that forwards only the required port to the specific device on our network:

Network > Firewall > Port Forwards tab


Software

Replacing the manufacturer’s firmware with a more secure one does not mean that everything can stay untouched for ages. We need to keep both OpenWrt itself and the packages installed on the router up to date.

While new releases of the OpenWrt firmware itself are infrequent, the packages used on our router receive updates several times a week.

Therefore, it is worth updating them regularly. To do this, go to System > Software, refresh the list with the Update lists button, and then in the Updates tab click each package to update it.

[Screenshot: OpenWrt System > Software]

The above method is a bit time-consuming. We can also do it from the SSH terminal with a single command: the router refreshes the package lists, determines which installed packages are outdated, and upgrades them automatically:

opkg update; opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade

And that would be all.

Best regards.
