last update: 2016.08.21.
HW: 1043ND v1.1 or any other from the shelf with enough built-in storage.
No wifi needed - a bigger & better router does that
This one is used for connecting to the ISP, forwarding the internet connection to other routers and running a few custom scripts.
Make it ~secure
Have a good config
Use ad/malware domain filtering via the /etc/hosts file
Have good physical security
xxxxx -> the non-default port for SSHD
y.y.y.y -> the IP for the router, use a non-default one, ex.: 192.168.26.1, etc.
Don't connect the router to the internet until the step that says 'Connect the router to the internet'.
========================================================================
https://downloads.openwrt.org/
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-tl-wr1043nd-v1-squashfs-factory.bin
But always use the newest, this URL could be old!
Upload using webgui
Modify the root password to something simple.
telnet 192.168.1.1
Modify the password to a good one (63 characters long, fully random), use a password manager (start SSH - Dropbear via the webgui if needed):
ssh root@192.168.1.1
Copy your SSH key from your secure desktop.
scp ~/.ssh/id_rsa.pub root@192.168.1.1:/etc/dropbear/authorized_keys
ssh root@192.168.1.1
Modify the router's default IP.
vi /etc/config/network
config interface 'lan'
option ipaddr 'y.y.y.y'
Update the hostname.
vi /etc/config/system
config system
option hostname 'NEW-HOSTNAME-HERE'
Reboot router.
Bad guys don't follow the RFC either, so drop packets silently instead of rejecting them with a reply.
sed -i 's/REJECT/DROP/g' /etc/config/firewall
Modify ACCEPT to DROP where you want to block, ex.:
vi /etc/config/firewall
Allow-DHCPv6
Allow-MLD
Allow-ICMPv6-Input
Allow-ICMPv6-Forward
Disable IPv6 if you are not using it.
sysctl -a | grep -i ipv6 | grep -i disable | sed 's/ //g; s/0$/1/g' >> /etc/sysctl.conf
SSHD should only allow pubkey login, and should only be reachable from internal networks. Use a non-default port for it.
vi /etc/config/dropbear
config dropbear
option PasswordAuth 'off'
option Port 'xxxxx'
option Interface 'lan'
Only allow SSHD via iptables.
vi /etc/firewall.user
/usr/sbin/iptables -I INPUT -p tcp --dport xxxxx -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
Download your hosts file for the adblock function.
scp hosts root@y.y.y.y:/etc/hosts
dnsmasq should only listen on internal networks.
vi /etc/dnsmasq.conf
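Before a downloaded hosts list replaces /etc/hosts it is worth checking what is in it: a third-party list can map any name to any address, not just to a sinkhole. The script below is an added example, not part of the original notes, that keeps only 0.0.0.0 / 127.0.0.1 entries with plausible hostnames, normalises them to 0.0.0.0, drops comments, junk and duplicates, and prepends the router's own loopback entries. The function names and the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: sanitise a downloaded adblock
# hosts list before it replaces /etc/hosts on the router. Only sinkhole
# entries (0.0.0.0 or 127.0.0.1 followed by a plausible hostname) survive;
# comments, other target addresses, malformed names and duplicates are
# dropped, surviving names are normalised to 0.0.0.0 (which, unlike
# 127.0.0.1, never hits a local listener), and the router's own loopback
# entries come first.
#
# Usage: sanitize_hosts < downloaded-hosts.txt > hosts ; then scp hosts over.

sanitize_hosts() {
    printf '127.0.0.1 localhost\n::1 localhost\n'
    awk '
        # drop comments; sub() on $0 re-splits the line, so NF is current
        { sub(/#.*/, ""); if (NF < 2) next }
        # only sinkhole targets are acceptable in a block list
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # plain DNS label characters only, no leading/trailing dot or dash
                if (h !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/) continue
                # some lists carry "0.0.0.0 0.0.0.0" or localhost lines; skip them
                if (h ~ /^[0-9.]+$/ || h == "localhost" || h == "localhost.localdomain") continue
                if (!(h in seen)) { seen[h] = 1; print "0.0.0.0 " h }
            }
        }'
}

# number of sinkholed names in a produced hosts file (read from stdin)
count_sinkholed() { grep -c '^0\.0\.0\.0 '; }

# Constructed download: comment, trailing comment, mixed case, an entry that
# would redirect a real site to a non-sinkhole address, junk, a duplicate.
demo_input() {
    cat <<'EOF'
# sample block list (constructed)
0.0.0.0 ads.example.com   # trailing comment
127.0.0.1 Tracker.Example.NET
10.0.0.5 bank.example.com
0.0.0.0 bad;name
0.0.0.0 ads.example.com
0.0.0.0 0.0.0.0
EOF
}

demo_input | sanitize_hosts
```

Run it on the real download instead of demo_input, diff the result against the raw file, and look at what was thrown away: a list that loses many lines to the non-sinkhole rule is not an adblock list and should not go anywhere near the router.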
listen-address=y.y.y.y
bind-interfaces
uhttpd should only listen on internal networks, and if it is not used, disable it.
vi /etc/config/uhttpd
list listen_http 'y.y.y.y:80'
#list listen_http '[::]:80'
list listen_https 'y.y.y.y:443'
#list listen_https '[::]:443'
/etc/init.d/uhttpd disable
Update the DNS IPs to whatever you want to use (for the custom scripts, if there are any on the router).
rm /etc/resolv.conf
echo 'nameserver 1.1.1.1' > /etc/resolv.conf
Reboot the router. You should only see the following services, listening only on the internal network address, nothing else.
netstat -tulpn | grep LISTEN
tcp 0 0 y.y.y.y:53 0.0.0.0:* LISTEN 1184/dnsmasq
tcp 0 0 y.y.y.y:xxxxx 0.0.0.0:* LISTEN 920/dropbear
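The netstat check above is the one step that proves the earlier edits took effect, so it pays to make it mechanical. The script below is an added example, not part of the original notes: it audits netstat -tulpn output and reports every socket that is not bound to the internal address and an expected port, and it goes slightly beyond the grep LISTEN line by also covering UDP listeners (netstat prints those without a state, so grep LISTEN misses dnsmasq on udp/53). The address 192.168.26.1 and port 2222 stand in for y.y.y.y and xxxxx and are assumptions for the example; the netstat lines in the sample functions are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the output of
# "netstat -tulpn" after the reboot step. Every listening socket (TCP in
# LISTEN state, plus UDP, which netstat shows without a state) must be bound
# to the router's internal address and to one of the expected ports.
# 0.0.0.0 / :: / any other address, or an unexpected port, is reported.
# 192.168.26.1 and 2222 stand in for the notes' y.y.y.y and xxxxx
# (assumed values for this example).

# audit_listeners LAN_IP "PORT PORT ..."  reads netstat output on stdin,
# prints one UNEXPECTED line per offending socket, exit status 1 if any.
audit_listeners() {
    awk -v ip="$1" -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1; bad = 0 }
        /LISTEN/ || $1 ~ /^udp/ {
            # column 4 is the local address, e.g. 192.168.26.1:53 or :::22;
            # the port is whatever follows the last colon
            m = split($4, a, ":")
            port = a[m]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != ip || !(port in ok)) {
                printf("UNEXPECTED %s %s %s\n", $1, $4, $NF)
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed netstat output: the state the notes expect after hardening.
sample_clean() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.26.1:53         0.0.0.0:*               LISTEN      1184/dnsmasq
tcp        0      0 192.168.26.1:2222       0.0.0.0:*               LISTEN      920/dropbear
udp        0      0 192.168.26.1:53         0.0.0.0:*                           1184/dnsmasq
EOF
}

# Constructed netstat output: uhttpd left enabled and dropbear still on all
# interfaces, the two mistakes the audit should catch.
sample_leaky() {
    sample_clean
    cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1300/uhttpd
tcp        0      0 :::22                   :::*                    LISTEN      920/dropbear
EOF
}

# Demo; on the router you would run:  netstat -tulpn | audit_listeners 192.168.26.1 "53 2222"
echo "clean sample:"
sample_clean | audit_listeners 192.168.26.1 "53 2222" && echo "  ok, nothing unexpected"
echo "leaky sample:"
sample_leaky | audit_listeners 192.168.26.1 "53 2222" || echo "  audit failed"
```

Because the function exits non-zero on any unexpected socket, it can be dropped into a cron job or run after every opkg install to catch a package that quietly started a daemon on all interfaces.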
Connect the router to the internet and configure it (temporarily start uhttpd if needed for PPPoE, date/time, etc., but don't forget to disable/stop uhttpd afterwards!).
Install a few packages, but only if really needed. Remove the ones not needed.
opkg update
opkg remove wpad-mini odhcpd odhcp6c
opkg install wpad git perl openssh-client
I needed elinks for a custom script, but it wasn't in OpenWrt 15.
wget https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/elinks_0.11.7-1_ar71xx.ipk
scp -P xxxxx elinks_0.11.7-1_ar71xx.ipk root@y.y.y.y:/root/
opkg install elinks_0.11.7-1_ar71xx.ipk
Power OFF the router, wait 5-10 seconds (so the capacitors can discharge too), power it ON.
The first reboot may not work because of the removal of odhcpd and odhcp6c. Power OFF then ON again if this happens.
Done, https://www.speedtest.net/
========================================================================
UPC Wi-Free CA (needed by OpenWrt ~14 and older): https://drive.google.com/file/d/0B5VtkM4DE9qwVld4TTYtcHo1WjQ/view?usp=sharing
$ cksum LGI_Root_CA.cer
1118461604 1494 LGI_Root_CA.cer
$