Picture alt text: Screenshot of OpenWRT running on my home router, displaying one of the generated graphs showing active network connections.

Routers and router administration. They're not just for Cisco or Juniper, or for a corporate networking team!

Linux... on my Router?

Like in my previous eReader post, you might be surprised to know that nearly every consumer router that's on the market is running some form of Linux under the hood. While it may have the kernel, some local utilities like busybox and a dropbear listener for ssh, for the most part these are not always user accessible, and system functions will be handled via the router's web interface. If you're feeling adventerous and have a supported router and a desire to take control over it, you can do so with a third party embedded Linux distribution like OpenWRT and LibreCMC.

What's OpenWRT and LibreCMC?

OpenWRT is a full replacement firmware for routers, supporting ARM, MIPS, and x86 architectures. What that means is while it's meant to be a distro just for embedded devices used as routers, it can be run as a main OS on personal computers. It has its roots in Linksys being forced to release code modifications it made on their WRT54G line of routers, thanks to some members of the Linux Kernel Mailing List discovering that the company was violating the GPL.

It adds advantages like a full package manager allowing you to install any applications you can think that you might want on your router, and since it's running a full embedded Linux environment you can customize it like any computer you own. In college I had an OpenWRT router I kept in my dorm room which I used as a makeshift VPN to connect back to my dorm network when at home, as well as have the router run an IRC client (weechat) that I'd connect to wherever on campus. Take a look at OpenWRT's available packages to get an idea of what you can do.

LibreCMC is a fork of a fork of OpenWRT, designed to not have any unfree software blobs running in its firmware and to exclude the ability of running any nonfree software from running on the platform. You can expect the same features more or less as OpenWRT, along with knowing you don't have any hidden proprietary code running on your router, similar to the "Respects Your Freedom" approved Linux distributions, however as it's a smaller team handling this and due to this there's not as many supported devices. Other distributions like DD-WRT and Tomato also can also trace their roots to the Linksys WRT54G's release of GPL code, but these pieces of software are not entirely free software, closer to what you'd get with a vendor's pre-baked router firmware.

One fun example of OpenWRT being more than just for routers was the Ben NanoNote , one of the first fully open hardware computers. While based on OpenWRT, it featured a full desktop environment (LXDE) and applications you'd typically find on a Linux desktop. Hard to find now, but when I was first getting into Linux this was one thing I always wanted to snag for myself.

What about PFSense and OPNSense?

These are also good, but they run BSD and not Linux , so it's clearly inferior 😉

These are also free software routing distributions, however they do not target embedded devices like OpenWRT and instead (mostly) relies on you recycling an old desktop to turn into a router. Recycling is good, but so is using a lower powered router you may already have in your home!

  • goatman93 [he/him]
    hexagon
    ·
    4 years ago

    Fairly similar!

    For security, OpenBSD is the gold standard for any unix-like system, they've prioritized clean and audited code in their OS, helped create OpenSSH, and have led the effort to clean up OpenSSL with LibreSSL, FreeBSD on the other hand is closer to the average Linux distribution where there's cleanup efforts, but the main project hasn't implemented many security controls that exist in OpenBSD. Shaun Webb has done a lot of work porting many of the improvements OpenBSD has made for security over to FreeBSD with his HardenedBSD project, which I believe OPNSense is based on, but I'm not too familiar with what FreeBSD has brought into the main branch from his project.

    I work in InfoSec professionally so I'll say for the most part the above doesn't matter, to most people, as long as you harden the base install by limiting ssh, not allowing root login, updating the OS and software often, etc. A majority of attacks happen because of insecure defaults or neglected configs. If you have a stricter threat model, then things like OpenBSD or SELinux or grsecurity on Linux might be where you should look.

    For ease of use, I'll take that in two parts. pf, the BSD firewall used in PFSense and OPNSense, as well as the majority of BSD distributions, is easier to work with than iptables and has a much cleaner syntax. If you're used to mostly Linux which uses the GNU coreutils in userspace, the BSD coreutils might be a bit off-putting as there's features and flags that are missing and are different respectively, but the same can be said for the BusyBox coreutils as well in OpenWRT. If you use OpenWRT or OPNSense and mostly use the web interface for both, most of this doesn't matter since you'll be using an abstraction for these.

    The network stacks are pretty close in terms of performance now, however BSD (depending on the distro) doesn't have the same amount of driver support that Linux has, so hardware choices will be more limited if you pick an embedded board, and if you go the x86 router route you'll just need to pay a bit more mind as to what NICs you're using. Historically the differences were a bit wider. At work when our network stack was being designed, Linux was chosen because the TCP/IP stack and iptables (circa ~2000) was a lot more mature. Now they're similar enough that it's effectively the same thing.

    Unrelated, but OpenBSD is also a victim of the Bush Administration and US Military, they got a bunch of DARPA funding cut from them after Theo de Raadt, the lead developer spoke out against the Iraq war, which is cool.