pedrocr
amelius
I love the idea.
I see two problems though. The biggest one is that hardware vendors are starting to add cryptographic signatures to their firmware upgrade process.
And another problem is that the hardware often has very limited memory, which makes it impractical for many things.
Snuupy
> vendors are starting to add cryptographic signatures to their firmware
serial console/TFTP/buy from vendors that don't restrict your choice (ubiquiti, netgear, belkin/linksys, some China vendors come to mind)
RAM is usually fine, just get a decently specced router.
c0l0
This is a pretty significant release - it marks the end of iptables in the main distribution; the OpenWrt-specific translation layer (previously firewall3, now firewall4) for netfilter-related configuration now targets nftables. Also, yet more devices have made the switch from swconfig to DSA for configuring Ethernet switches.
I've been using 22.03 release candidates on all my networking gear (router, switch, access point) for several weeks without problems, and can only recommend giving OpenWrt a chance :)
Zizizizz
If you don't do anything out of the ordinary with your router is there any benefit to this over for example, the Netgear or tplink firmware?
ce4
Optional packages, installable on-the-fly
Such as adblocking (pi-hole like experience without additional gear)
ssh access, printserver, dynamic DNS, VPNs, different routing protocols, vlan support, tunneling protocols, monitoring, home Automation, wireguard, wpa3, OWE (encrypted open wifi), lots of goodies known from other linux distros, etc
Here are some pointers on what's possible: https://openwrt.org/docs/guide-user/start
Edit: added examples. And er, that stuff is ordinary for me :-)
throw0101c
> Optional packages, installable on-the-fly
Possible on Asus hardware using the third-party Merlin firmware as well:
* https://github.com/RMerl/asuswrt-merlin.ng/wiki/Entware
* https://www.asuswrt-merlin.net/features
The default Asus firmware is decent too.
ncmncm
Wireguard, particularly.
c0l0
You get frequent software updates with meaningful changelogs and detailed lists of bugs/vulnerabilities fixed.
Also, you can be quite sure that there are no software components active that serve the interests of the device's manufacturer more than those of its owner and users.
Aaronmacaron
I have two cheap WiFi Access Points. They worked fine when I got them. After a few weeks one of them stopped working and I had to restart it. A few days later the other one had the same problem. This repeated every few weeks. Once I got tired of restarting the APs every now and then, I looked into it and figured it was a memory leak in the firmware. Then I installed OpenWRT and I didn't touch the APs since. It just works. Pretty amazing if you ask me.
HeckFeck
The UI isn't slow.
This is a serious pet peeve of mine with other routers. I don't need a heavy frontend just to configure my router, I want to open port forwarding quickly. Fading effects and fake loading swirls are utterly unnecessary. There's none of it in OpenWRT.
ThatMedicIsASpy
My OpenWRT router takes 10s to reboot. Compared to 5-10min ISP router.
gspr
* Security updates for way longer than the vendor would provide them.
* Privacy (lots of stock firmwares phone home). With OpenWrt your hardware is _yours_.
* When you do have to interact with the router, you don't die from its terrible UI (in fact, OpenWrt has a great one).
Nextgrid
Better security in general. The firmware on consumer-grade routers is an afterthought. They are routinely running 10-year-old versions of services which are sometimes exposed to the internet, and all insist on rolling their own shitty web UIs which often include command injection vulnerabilities.
evv555
Integrating wireguard routes into your local network and overriding DNS with trusted endpoints. These are common enough needs these days to be considered ordinary.
muppetman
It doesn't report home
gspr
Been running 22.03 RCs on the RT3200 for a while myself. Never had a more stable home network experience. Thanks, OpenWrt!
GolDDranks
I've been running OpenWrt on my home router for many years, and it works mostly very well. Definitely a boon for a tinkerer!
jtvjan
I really do miss the alliteration-based naming scheme ("attitude adjustment", "barrier breaker", "chaos calmer"...) they had before the LEDE merge.
neilv
Looks like the OpenWrt `/etc/banner` no longer includes a bartender recipe (which I think they had since before alliteration, including for White Russian).
I once included one of the OpenWrt login banners in a "screenshot" for the Racket community, and neglected to explain why alcohol was involved: https://www.neilvandyke.org/racket-openwrt/
dehrmann
What about the mixed drinks? I think it was only White Russian and Kamikaze.
numpad0
Tangential but on the topic of IP routers - recently my EdgeRouter X died. During autopsy, heat deformations were found on its Flash right next to an inductor for input DC-DC circuit.
So, naturally I hopped onto a train and bought a used NEC UNIVERGE IX2105 to replace with; a compact, fan-less, half A4 sized sheet metal pizza box with blue accent on matte white. Functionally a Cisco ISR 892J or 1941, physically smaller. Current models in its siblings range from ~$750 to $2.5k, however this Model 2105 is no longer officially supported, and are sold cheap in used market($30-50). It still has one GbE and one integral 4-port L3 switch, with up to 440Mbps advertised VPN throughput, an Apr/2022 built firmware, and full support for IPv6, OSPF, BGP, etc(that shamefully I had failed to understand).
I suspect it runs BSD in some shape or form as `show copyright` command shows licensing terms for FreeBSD and BSD library among others, but it won't let me drop into shell, nor does the typical *nix daemon parade on boot. The CLI is basically a Cisco, or like VyOS/Ubiquiti, except there are no obvious telltales of dancing bash contraptions and required facade massaging, unlike with many Linux-based routers. Firmware files for its lineage are also extremely small by modern standards(~8MB), RAM sizes are small too(16~128MB).
It does its things, and does well. A downside is it's proprietary. I used to run OpenWRT in 11b/g days but I suspect that was before it incorporated a unified config file. I was obviously on VyOS/EdgeOS until last week, and while it had served me good, it did trip over stones once in 2-3 years. I've also heard RouterOS is great but stable as Stable build bricking itself. I've used OpenWRT but that was before iPhone and perhaps before it even had a unified CLI configuration. Is OpenWRT better in stability/footprint/simplicity these days?
blutack
I run Openwrt on an Edgerouter-X nowadays and it's rock solid. Has same/better routing perf + stability as the original ubnt firmware, but with native wireguard, full package management, a much better UI, much better configuration and backup system and no phone home stuff.
Just did the upgrade today and it was flawless. Which is much better than I can say for the stock firmware upgrade process!
It's incredible that the openwrt team can produce such a better product in pretty much every way than the original manufacturer can.
Fnoord
That's a known issue on Edgerouter X and Edgerouter Lite. I use an Edgerouter Lite and am on my third flash drive. The flash drives are just cheap USB drives, in contrast to X where they're soldered on. An industrial grade USB drive would cost almost the same as the device itself. I bought a 2 GB one but it refuses to install EdgeOS on less than 4 GB. However the device itself works well, and has three ethernet. As switch I use an EdgeSwitch 16 port, which provides PoE for the Unifi WLAN AP (UAP Pro or whatever). It all runs Linux, and I got root on the devices. Wouldn't want it any other way. Except perhaps a Turris Mox modular router or running the firewall/router on the same server as my NAS (as VM in Proxmox). But it allows less flexibility IMO. Then I would use OPNsense, Turris runs on OpenWrt. I don't want to use a proprietary OS like RouterOS or an out of date OS which is no longer supported.
anotherhue
> daemon parade on boot
Now I can't unsee this.
Thanks for the heads up on the heat issues.
itsphilos
It is worth noting that this release currently breaks the banIP package [1], which relies on the old fw3. So for those relying on it, it might be worth waiting for a short while.
[1] https://forum.openwrt.org/t/banip-support-thread/16985/751
molticrystal
There is a fuller list of broken packages and their status over here:
mtmsr
I do love OpenWrt but the upgrade experience is still a pain because user-installed packages need to be reinstalled manually. More so if your WAN connection relies on these packages (USB modems), then you have to either pre-download them or build a custom image.
c0l0
There is a VERY elegant solution to this problem, called "attended sysupgrade", that is not as widely known as it should be.
It's probably best explained in a video on what may be the best youtube channel on OpenWrt-related things: https://www.youtube.com/watch?v=FFTPA6GkJjg
Or, if you prefer textual information: https://openwrt.org/docs/guide-user/installation/attended.sy... (OpenWrt's infra is kinda slow today for me, must be many people checking out the new release :))
oynqr
Wow, I've been running OpenWRT for years and never heard of this, thanks. Although I suppose it does nothing to resolve config upgrade issues, right?
c0l0
It does exactly as much as using `sysupgrade` with any other suitable image will or would do :) So yes, limitations apply - but for most users with a bunch of custom installed packages, this is enough of a game changer regardless.
josteink
> I do love OpenWrt but the upgrade experience is still a pain because user-installed packages need to be reinstalled manually.
Just use image-builder. Or better, create a script which uses image-builder for you.
For me, upgrading to newer releases for my 7 OpenWRT devices, is mostly just updating a version number and waiting for the build to complete (a few minutes at tops).
It's not really hard.
I may have gone in a bit over-the-top, with makefile and dependencies at all[1], but at the core of things, it's not really hard.
janinge
You could also make the OpenWRT router connect through your phone’s hotspot feature temporarily, while you set up your primary connection. Three clicks in the GUI is all that’s needed to join a wireless network for WAN connectivity.
ur-whale
One question I have is: I would like my wifi router to be 100% "invisible", as in: I want the router to behave exactly as if it was an ethernet switch, where devices connected to the router via wifi would behave exactly as if they were connected to an ethernet switch.
In other words configure my router such that the only difference between it and a switch is the fact that connected devices are not connected via an ethernet cable but via a wifi connection.
I specifically don't want any kind of NAT, firewalling, filtering or any other kind of "smart" features. Just a dumb switch that uses wifi instead of ethernet physical connections.
Does OpenWRT support this mode of operation?
janinge
Yes. If you’ve bought a consumer router, and not an “access point”, it will likely have an Ethernet port labeled WAN. Due to this label, the OpenWRT profile for this model will most likely also set up this port as a WAN port for you by default (where it requests DHCP from somewhere and applies NAT and some basic firewall rules). Just delete this interface, and make the LAN network also span the WAN port. Then disable DHCP and IPv6 RA on the LAN interface. Your router is now a dumb “access point”.
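The steps in the reply above (remove the WAN interface, bridge the WAN port into the LAN, turn off DHCP and IPv6 RA) can be verified after the change. This is an added example, not part of the thread and not OpenWrt's own tooling: a POSIX shell audit of UCI config files. The function names, the constructed sample configs and the DSA port name `wan` are assumptions.

```shell
# Added example: audit UCI files for the dumb-AP state (constructed samples below).

# Print OPTION from section "config TYPE 'NAME'" of a UCI file.
uci_opt() {
    awk -v t="$2" -v n="$3" -v o="$4" -v q="[\"']" '
        { gsub(q, "") }                                   # strip quotes
        $1 == "config" { insec = ($2 == t && $3 == n); next }
        insec && $1 == "option" && $2 == o { print $3; exit }
    ' "$1"
}

# audit_dumb_ap NETWORK_FILE DHCP_FILE [WAN_PORT]; returns 0 when all checks pass.
# WAN_PORT defaults to "wan", an assumed DSA port name; it differs per device.
audit_dumb_ap() {
    net=$1 dhcp=$2 port=${3:-wan} rc=0
    # The WAN interface must be gone.
    if grep -Eq "^config interface ['\"]?wan6?['\"]?[[:space:]]*$" "$net"; then
        echo "FAIL: wan/wan6 interface still defined"; rc=1
    fi
    # The former WAN port must be a member of the LAN bridge.
    if ! grep -Eq "^[[:space:]]*list ports ['\"]?${port}['\"]?[[:space:]]*$" "$net"; then
        echo "FAIL: port '$port' is not bridged into the LAN"; rc=1
    fi
    # DHCP must be off on lan ...
    [ "$(uci_opt "$dhcp" dhcp lan ignore)" = 1 ] || { echo "FAIL: DHCP still served on lan"; rc=1; }
    # ... and so must IPv6 router advertisements (option absent or 'disabled').
    ra=$(uci_opt "$dhcp" dhcp lan ra)
    [ "${ra:-disabled}" = disabled ] || { echo "FAIL: IPv6 RA mode is '$ra'"; rc=1; }
    return $rc
}

# Constructed sample configs: a router-style default and the dumb-AP result.
write_samples() {
    cat > "$1/network.stock" <<'EOF'
config device
    option name 'br-lan'
    list ports 'lan1'
config interface 'wan'
    option proto 'dhcp'
EOF
    cat > "$1/dhcp.stock" <<'EOF'
config dhcp 'lan'
    option ra 'server'
EOF
    cat > "$1/network.ap" <<'EOF'
config device
    option name 'br-lan'
    list ports 'lan1'
    list ports 'wan'
EOF
    cat > "$1/dhcp.ap" <<'EOF'
config dhcp 'lan'
    option ignore '1'
    option ra 'disabled'
EOF
}

d=$(mktemp -d) && write_samples "$d"
audit_dumb_ap "$d/network.stock" "$d/dhcp.stock" || echo "stock sample: still a router"
audit_dumb_ap "$d/network.ap" "$d/dhcp.ap" && echo "AP sample: OK"
```

On a device, the same function can be pointed at `/etc/config/network` and `/etc/config/dhcp`, passing the actual port name as the third argument.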
rpigab
I think you're looking for a secondary router set as a "Wireless Access Point" or "Dumb Access Point". I have the same issue, I have 2 wifi routers, with 2 subnets, and it's a pain for some devices, if I'm connected to wifi on subnet A with my phone, I can't cast Youtube to the TV if the TV is on subnet B, I have to switch networks. https://openwrt.org/docs/guide-user/network/wifi/dumbap
I'm gonna try to set a WAP/DAP soon.
sofixa
Can't you disable DHCP on one of them and connect it physically to the other? Won't that make it work as a dumb AP, basically?
rpigab
They are connected, and default gw is set so you can have internet without problem, but maybe I'm just missing additional routes to specific devices, didn't spend much time looking into it since I usually am connected to the right network when close to my TV. Either way, it's a use case for dumb access points so I should set this up.
runlevel1
EDIT: I missed that you don't want NAT. The device below should be able to run in that mode, but I've only done so with IPv6.
Yes, and if you want auto-updates, check out the Turris Omnia: https://www.turris.com/en/omnia/overview/
It's the best wireless router I've ever owned.
Pros:
- nice simple GUI for your typical stuff
- advanced GUI (that runs in parallel) for advanced stuff
- auto-updates with timely patches
- open source (inc. their additions) -- based on openwrt
- developed by a reputable non-profit that's been around since the 90s (CZ.NIC)
Cons:
- a little pricey
- current model is a few years old, so it's not the fastest option out there
- the current model doesn't support 802.11ax
To turn off the firewall, you just uncheck a box. I think all the other advanced stuff was opt-in.
numpad0
"Router" is a bit of a misnomer, because most products are package deals with routing features and access point features built into a single unit, but there is no recognized word for a "Happy Meal" and the equivalent to "hamburger" is used. The word for "fries" is access point.
e12e
Yes, I recall doing this in a topology where I had:
internet-router > dedicated switch > access point
Where nodes on the switch were on the same lan as the wireless clients.
As others have mentioned, this should be possible also if you use the built-in ethernet switch (I can't recall if I ever did that..).
eointierney
Yes it does, and very well, I just deployed three Flints (GL-AX1800) to do exactly this.
Not affiliated, just a happy customer
jhoelzel
Thank you! I love openwrt and have been using it as a workrouter for years now with vpn integrations, wifi repeater function and some routing magic, I was able to create the perfect business network for my needs.
Thank you OpenWRT. Wifi 6 support is gonna be awesome!
CorrectHorseBat
>Wifi 6 support is gonna be awesome!
Are there any devices with good Wifi (6) support? Last time I bought an expensive router with advertised OpenWRT support and the wifi was horrendous.
Snuupy
Belkin RT3200, goes on sale at Walmart for $60.
bubblethink
Do you have this device, and if so, what's the peak bandwidth you are able to achieve over wifi?
WhyNotHugo
OpenWRT is amazing, it's a regular Linux on consumer-level routing hardware. It kinda feels a bit like a BSD in some design decisions.
A pain point in upgrading the OS is that packages that were previously installed need to be reinstalled. In my case, this includes `dnsmasq-full`, which is dnsmasq with DNSSEC support and a few other features that are enabled in the regular `dnsmasq` package that comes by default. So after an update, there's not even DNS/DHCP in my local network. I need to configure static IPs, SSH into the device, and start reconfiguring it.
I keep very tidy notes on how to reconfigure from scratch, so it's not a big deal, but I really shouldn't need to do this on every OS update. Having to do this leads me to just sticking to a very close-to-default configuration, because any customisation will result in more issues upgrading next time.
It's improving though, this upgrade was smoother. Or maybe I just keep better notes?
josteink
> A pain point in upgrading the OS is that packages that were previously installed need to be reinstalled.
Which when you start having lots of OpenWRT based devices kinda gets a pain. And we hackers we solve pains, don't we? ;)
So when a new OpenWRT release hits the market, I usually just have to update the OpenWRT release-number at the top of my makefile, and Github builds all the images for all my devices, with all the packages and customizations I already have in place.
All devices upgraded in less than 30 minutes.
My setup, for those interested: https://github.com/josteink/openwrt-build/
orev
On the firmware download page, there’s a link you can expand to “customize image”. You can add more packages there and get a single image with everything included. You’ll still want to backup your config beforehand, as sometimes new releases need more space so the config partition is wiped out. But that’s still much easier to restore afterwards.
Or you might also use the “attended sysupgrade” process which takes care of the firmware update directly from the device.
ur-whale
The key thing with OpenWRT is this (the list of supported devices):
https://openwrt.org/toh/views/toh_fwdownload?dataflt%5B0%5D=...
rnhmjoj
I hoped this would fix the squashfs corruption[1][2][3] on the mt7621, but it doesn't seem so. It looks like I'll have to keep playing russian roulette on every boot for another two years, at least.
[1]: https://forum.openwrt.org/t/patch-squashfs-data-probably-cor...
nisa
nasty bug - but there are often .dot releases (https://github.com/openwrt/openwrt/tags) - if this will be fixed you don't have to wait 2 years.
ncmncm
Maybe replace with better hardware, if it is troublesome enough.
oynqr
Thanks for the heads-up, but I suppose I'm fine since my router only reboots for sysupgrades.
rnhmjoj
Unfortunately the issues are not with just the reboot: as files are (re)read from the flash storage the kernel pages become corrupted and files unreadable.
Eventually the programs start crashing as config, shared libraries, etc. are being pulled from under their feet.
OpenWRT is amazing. It's a great distribution that's incredibly well tailored for routers/APs. Not having to deal with whatever the manufacturer slapped together is amazing.
For those that have never tried it it's also worth it just to understand more deeply how amazing these cheap devices are. For ~100$/€ you get a single board computer, plus a managed switch, plus 1 or 2 wifi cards. The managed switch in particular is very interesting. The computer is just another connection to the managed switch and you can configure it in any way you want. Traffic can go directly from one port to another without going through the CPU.
These capabilities together make a network of OpenWRT devices really flexible. I use it to replace the included router from our Internet/TV/Phone provider. The VLANs are needed to access the different IP networks for the different services. That you could do with a normal network card but then I also use VLANs inside the house wiring to take the IPTV network to the TV box. I then use a separate SSID to carry that VLAN in a point-to-point connection to another OpenWRT AP as a client so I don't have to run wire to that place and so the broadcast traffic doesn't swamp other normal Wifi clients. All this can be done with these very cheap devices that already have all the needed hardware. For all the deserved fame RaspberryPI gets these routers are equally amazing hardware for a lot of things.