How does everyone feel about the security of OpenWRT? vs Tomato?
What about say configuring my own OpenBSD server to act as a router? I am out of my intellectual depth here but I feel like that would be more secure than Linux in general if we are going for max security.
As governments and private equity groups continue to buy out whatever hosting provider, VPN, Registrar, etc they can find...I feel like Open Source is a pretty soft target in the grand scheme of things. I am trying to become somewhat ruthless in analyzing my dependencies when it comes to software.
NOTE: another commenter mentioned a TP-Link product. Those devices are absolutely insecure to the core of their firmware for the time being. 7 days ago I discovered their completely open production Elasticsearch API server for their entire camera and IOT platform in the United States. It has now been remediated but that event puts under suspicion anything else the company deals with via the TP-Link brand out of Shenzhen.
I can recommend building your own OpenBSD router. Installing OpenBSD is easy, and once you have it installed the base system contains everything you need to set up a router along with excellent documentation for everything. OpenBSD people also take security seriously, so if you stick with the base system, you'll be fine. That said, you'd be fine on Linux too, depending on the distribution; it's not like Linux-based systems are somehow fundamentally insecure.
I really can't stress enough how good the documentation is; in the Linux world I'm used to googling and wikis and whatnot because most man pages for the components of a distro are either nonexistent or incomplete, but with OpenBSD, you'll do fine with just man and apropos. It's considered a bug if the documentation is missing something.
OpenBSD is a fantastic OS for learning about all kinds of UNIX and networking stuff if you're not opposed to spending some time reading good quality documentation.
Any recommendations for hardware to run an OpenBSD router on? Support for ARM and MIPS devices seems pretty limited, leaving x86 stuff like Protectli or PC-Engines (which are both pretty expensive for what you get).
The price wasn't my primary concern; I got the APU because I wanted a system that's as close to fully open as you can get. Any x86 machine with decent NICs should work, however.
The non-x86 alternatives I don't have much experience in save for an Ubiquiti EdgeRouter Lite, which works fine, but is a bit of a pain to operate because there's no syspatch support.
If you just want a secure router at a low price, OpenWRT on a well-supported platform probably gets closest to that; I have an old TP-Link router in the closet somewhere that's over 10 years old now and could still run the latest version of OpenWRT.
NetBSD seems similar. You could try [1] https://www.invisible.ca/arm/ to get a feeling for what will be supported by the (soon to be?) next release from there.
I'm unaware of someone having put that together for OpenBSD, but think it should run on similar hardware. If so, then their website is buggy for listing long obsolete devkits/boards only.
My current home OpenBSD gateway runs on one of the small Atom-based (Z3700-series maybe?) NUC-alikes (I forget who made it) I picked up 2 years ago. I think I spent less than US$200 on Amazon for it. Very low power and I doubt the CPU has ever hit 5% utilization. If you go this way, make sure you can load an alternative OS on it; apparently some of these things refuse to load anything but Windows 10.
I'd imagine it's plenty enough for a home internet router, but it stings a bit to pay ~$150 for a system with a 2013 CPU (and a very low end one, at that).
OpenBSD will run fine in this role on sub-US$50 refurb Core 2 PC or a sub-$100 Atom box if power is an issue. Even a P2/P3 can keep up with anything but the highest end broadband.
security of OpenWRT vs Tomato?
OpenWrt has an up-to-date kernel.
We try and be as safe as we can from first boot.
We make you set your password to get up and running, so no crappy passwords from the start.
Wi-Fi is turned off on boot so you don't get an unsafe Wi-Fi network with no security.
The firewall is set up with a small rule set to be as safe as it can.
The web interface can be installed with HTTPS.
We have lots of packages to be even safer:
BCP38, adblock, banip, dnscrypt, several proxy servers and DNS over HTTPS.
I would not run Tomato on a router in 2020; it runs with old kernels and old packages.
Disclaimer: I am not an OpenWrt dev, I just help out around the place, like on Twitter and the forums.
PS: if anyone needs help, please come to the forums; we will help out as best as we can. Some people think that OpenWrt has devs that are not very tolerant. I can tell you that this is not true. There was a bug in LuCI (the web interface) that made it hard to use with my screen reader; I asked about it on IRC and it was fixed in 3 hours.
I'm using DD-WRT at home. I understand that the embedded Linux that it runs can become more of a full featured version by adding and properly formatting a hard drive to the router. I haven't been able to do this yet and I think it would be great if there were an image available that could be written to the disk for this purpose.
I've been using straight OpenBSD as a router/FW for years. It has served well, has been particularly stable & easy to maintain and runs well on relatively modest hardware. A couple of notes:
- It's so much easier if you keep it simple as possible. If it's your router/FW, don't run your web server, file server, streaming media server, etc. on it. I mean, you can, but that's just a lot of things that can go wrong.
- PF, the firewall in OpenBSD, is usually configured via CLI + conf txt files. The syntax is, shall we say, terse, but it's well documented and there are lots of examples. Yes, I know there are some 'PF GUIs' out there; I've never tried them on OpenBSD and don't know anyone who has. If that's a deal-breaker, then maybe look at pfSense (FreeBSD based).
- Pay close attention to the hardware compatibility list; not all WLAN chipsets are well supported.
- Read the documentation. Seriously. The community is at best 'difficult'; if you drop into their world asking questions that are in the doco expect active hostility. And OpenBSD is not Linux despite the superficial similarities. Don't expect everything to work like it does on Linux.
I have a TP-Link device and am glad to see an alternative to the stock firmware since all of the consumer brands have been found to have gaping security issues over the years - at these price points and because consumers don't know/care about it, security is not a priority for most vendors.
All that said, I'm not sure how misconfigured TP-Link infrastructure would lead one to declare all their device firmware is bad.
I'm curious what attack surface typical "wifi-router" has?
From the internet, nothing should be exposed - or maybe OpenVPN port or ssh?
From outside, usually you would see WPA2-PSK network. I know there are some attacks on WPA2, but I don't know if they're practical. I also know that WPS (that PIN thing) is very insecure, but that is hopefully disabled on most networks.
From inside the network, things get more difficult, because the router has to have a lot of services exposed - DNS, DHCP, whatever the thing that supports UPnP is, the admin web interface, ssh, etc.
This makes me think that, unless the manufacturer sneaks in a backdoor, things should be relatively secure from outside (both internet and physically). Am I missing something?
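As an added example (not code from anyone in this thread), here is a minimal OpenBSD PF ruleset of the kind the "straight OpenBSD as a router/FW" comment above refers to, written so that it also answers the attack-surface question just asked: nothing on the router is reachable from the WAN side, inbound traffic with spoofed or non-routable source addresses is dropped at the edge (the BCP38 idea mentioned elsewhere in the thread), LAN clients can only reach the services the router actually offers them (DNS, DHCP, ICMP) plus the internet, and the admin service (ssh) is reachable from a single management host. The interface names (em0 WAN, em1 LAN), the LAN prefix 192.168.1.0/24 and the management host 192.168.1.10 are assumptions; adjust them to your hardware.

```pf
# Added example pf.conf for a small OpenBSD home router; not from the original thread.
# Assumed interface names and addresses: em0 = WAN, em1 = LAN, 192.168.1.0/24 = LAN prefix.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
admin_host = "192.168.1.10"   # the one LAN host allowed to ssh into the router (assumption)

# Non-routable / reserved source ranges that have no business arriving on the WAN side.
table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                         172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3 }

set skip on lo
set block-policy drop          # silently drop rather than send RSTs/ICMP unreachables

# Normalise incoming packets (reassemble fragments, randomise IP IDs, clamp MSS for PPPoE-ish links).
match in all scrub (no-df random-id max-mss 1440)

# NAT everything from the LAN out of the WAN interface.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; 'log' makes drops visible on pflog0.
block log all

# Edge filtering: drop martians arriving from the internet and anything whose source
# address does not belong on the interface it came in on.
block in quick on $ext_if inet from <martians> to any
antispoof quick for { $int_if $ext_if }

# DHCP discovers come from 0.0.0.0, so they are allowed explicitly before the LAN
# source-address check below.
pass in quick on $int_if inet proto udp from any port 68 to any port 67
block in quick on $int_if inet from ! $lan_net to any

# Router's own outbound traffic (package updates, syspatch, DNS forwarding) and replies to it.
pass out on $ext_if inet

# Services the router offers to the LAN: DNS and ping. Nothing else on the router is
# reachable from the LAN except the admin rule at the bottom.
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port 53
pass in on $int_if inet proto icmp from $lan_net to self icmp-type echoreq

# LAN clients may reach anything that is not the router itself (i.e. the internet).
pass in on $int_if inet from $lan_net to ! self

# Admin access: ssh only from the single management host.
pass in on $int_if inet proto tcp from $admin_host to ($int_if) port 22
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without activating it, `pfctl -f /etc/pf.conf` loads it, and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rules are dropping, which is the quickest way to confirm that nothing from the WAN side gets past the default deny. Because PF uses last-match semantics unless a rule says `quick`, the ordering above matters: the early `quick` blocks and the DHCP pass short-circuit evaluation, and every later `pass` overrides the initial `block log all` only for the traffic it names.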
TP-Link is not alone in this. Pretty much any consumer-grade network equipment is built down to a price, with zero budget remaining for the actual firmware.
If you can't use OpenWrt then buy enterprise-grade equipment. Personally I'm using a combination of a Mikrotik router at the edge and then consumer-grade powerline access points with OpenWrt (not strictly needed for security as they're behind the firewall already, this was more for functionality to support 802.11r for Wi-Fi).
Interesting idea. I briefly searched for Ansible + OpenBSD + router and found some interesting links. Need to look into it. I was thinking to do this with Linux but for this purpose, OpenBSD could be better? But it was very long ago I last used OpenBSD.
Any of the major distributions focused on simplicity and routing that also receive regular security updates should meet your needs.
A Google Wifi setup (with its automatic updates) is probably better for privacy and security than the TP-Link. Better still would be pfSense, Vyatta. Personally, I use an ER-X running a minor Vyatta fork and it's rock solid.