Feb. 15, 2014

Open-WRT on a new TP-Link router

Routers are funny things. Sitting there in your house, usually bundled by your ISP. Mine is a Technicolor 582n from PlusNet. It emits a high-pitched whistle and gets hot alarmingly quickly.

It’s in the ISP’s interest to supply them as cheaply as possible, so most are just rebadged commodity systems. The Technicolor is similar to a lot of UK ISP routers; it’s really a rebadged Thomson box, running… well, who knows?

This Bruce Schneier essay voiced a lot of the worries I’ve been having about my router. I’ve no real idea what’s going on in there, in the most important gateway to my house (or actually outside my house, since there’s wifi). Its logging is terrible, and so is its configuration software. Many routers are based on an ancient Linux backend (the one I checked was from 2003). Maybe it has an unpatched vulnerability too…

So, it was time to take a bit of control! The good news is that there are free, open router firmwares available, so you have a good degree of confidence you can trust your box.

I found 3 main alternatives currently being maintained:

  • Open-WRT is the granddaddy of the projects. It’s under constant development and features hundreds of downloadable packages and options. It also supports more platforms and router devices than the others. Here’s the bad news: the documentation is pretty awful. Most of it assumes you’re developing the router software, rather than using it. It took me 2 weeks of reading before I got a grasp of what to do. Given that I’m reasonably technically competent, that’s quite a high barrier to entry.
  • DD-Wrt supports fewer devices, but is a little more polished and “professional”. It sells commercial versions pre-bundled with some routers.
  • Gargoyle is a variant with a nice simplified UI and a decent list of supported machines.

Given that my main reason for changing was for the transparency of knowing what was running on my network, I went for Open-WRT.

One important point is that the open firmware variants rarely support the internal ADSL modem bit of an all-in-one router. So I needed to split the job in two: one dedicated router device, connected by an Ethernet cable to a dedicated modem. This sounds expensive but often you can convert your ISP-supplied router into the dedicated modem, with that box set to “bridge mode”.

The whole project now breaks into 3 steps:

  • Either find an old compatible router box or buy some new router hardware, and get it running the Open-WRT firmware;
  • Log into the new router and set up the passwords, wifi and firewall rules;
  • Switch your old ISP modem-router to bridge mode.

Sourcing new router hardware was surprisingly hard. You generally need a box with specific hardware components, namely the wireless chipset, for an open solution to work, and enough RAM to run comfortably. I wanted to use an old Netgear, but that wasn’t supported. Trawling the Open-WRT compatibility lists is a nightmare, but eventually it became obvious that the TP-Link options were excellent value for money, so I plumped for the snappily titled TL-WDR3600. Checking the specs, you get a lot of hardware for your money, and it runs quietly.

All Open-WRT builds are specific to a hardware revision, so once you’ve made your choice, you need the right build of the firmware. Here are all the builds of version 12.09 to pore through (categorised by hardware, stupidly), and this is the TL-WDR3600 build.

Then connect to the router using a standard Ethernet cable direct from your PC to the router. Disconnect from your normal home network. Armed with the right file, you can then log into the original router’s configuration web site at 192.168.1.1 and “update” the firmware. Reboot, and bing, you have a nice secure open-source router to use!
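A check worth running on the downloaded file before the “update” step above, written as an added example rather than anything from the Open-WRT project: it refuses an image built for another model or hardware revision and compares the file’s SHA-256 with a published checksum list. The function name `verify_firmware`, a checksum list in `sha256sum` output format, and an image file name containing `<model>-<hwrev>-` are all assumptions.

```shell
#!/bin/sh
# Added example (not project code): pre-flash checks for a firmware image.
# Usage: verify_firmware IMAGE SUMS_FILE MODEL HWREV
#   MODEL is e.g. tl-wdr3600; HWREV is the revision printed on the device label.
#   SUMS_FILE is assumed to hold `sha256sum` output: "<hash>  <name>" or "<hash> *<name>".
# Returns 0 only when the file name matches the model and revision AND the
# image's SHA-256 equals the entry listed for that exact file name.
verify_firmware() {
    image=$1; sums=$2; model=$3; hwrev=$4
    name=${image##*/}                      # file name without directories

    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }
    [ -r "$sums" ]  || { echo "cannot read $sums" >&2; return 2; }

    # Builds are specific to a hardware revision: reject anything else.
    case $name in
        *"$model"-"$hwrev"-*) ;;
        *) echo "$name is not a $model $hwrev image" >&2; return 3 ;;
    esac

    # Find the expected hash by exact file name; binary-mode entries
    # carry a leading '*' in front of the name, which is stripped here.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || { echo "$name is not listed in $sums" >&2; return 4; }

    # Hash from stdin so an odd file name cannot be read as an option.
    actual=$(sha256sum < "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 5
    fi
    echo "OK: $name matches $sums"
}
```

A matching checksum only shows the download arrived intact; it says nothing about the origin of the list itself if both came over the same unauthenticated connection.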

Your router isn’t ready for prime-time yet though. You’ll need to log in and feed it some proper settings. I’ll do that next time.