This is the configuration for our Linksys WRT3200ACM WiFi router.
We replaced the Linksys firmware with LEDE firmware. LEDE is the main-line OpenWRT fork.
The WRT3200ACM is well-supported, as the model is specifically sold as "Open Source Ready", supporting OpenWRT and DD-WRT. It's also got a powerful 1.8 GHz dual-core CPU and a very healthy amount of flash (256 MB) and RAM (512 MB).
We installed LEDE 17.01.4. Since we were going from the system firmware, we downloaded the IMG-format image.
The firmware came with HTTP interfaces and SSH enabled. I believe it reset to use a 192.168.1.0/24 network with the router itself at the 192.168.1.1 address.
We did the initial configuration via the web UI.
First, we set the admin password, as prompted.
We then set SSH to only be available on the LAN, so any random hacker on the Internet couldn't try to get in.
Then we changed our network address. There's just too much on 192.168.0.0/16, especially the 0, 1, and 100 networks; we prefer to use something from the larger 10.0.0.0/8 address space.
We like to use OpenDNS as our upstream DNS resolver.
We found that the "rebind protection" caused some problems when VPNed into a client, where they had a public DNS address that resolved to a private IP address. So we had to add their domain to the Domain whitelist field.
Finally, we configured the WiFi.
The rest of the configuration was done primarily via SSH.
# Set some variables that we'll use later in this script.
export GITHUB_USER='booch'
export PREFERRED_SHELL='bash' # Must be bash, zsh, tcsh, mksh, or ash.

# Update the list of packages.
opkg update

# Upgrade any packages that have updates.
opkg upgrade $(opkg list-upgradable | awk '{print $1}')

# Install our preferred shell, and set it as the login shell.
opkg install $PREFERRED_SHELL
sed -i -e "/^root:/ s|/bin/ash|/bin/${PREFERRED_SHELL}|" /etc/passwd
# exec replaces the running shell, so paste these commands into an interactive
# SSH session; run from a script file, nothing after this line would execute.
exec $PREFERRED_SHELL

# Install OpenSSL and everything it needs.
opkg install ca-certificates ca-bundle libopenssl openssl-util libustream-openssl

# Restart the HTTP server. It should pick up the OpenSSL, enabling HTTPS and HTTP redirecting to HTTPS.
/etc/init.d/uhttpd restart

# Set up SSH public keys, so we don't need to type the root password every time.
wget "https://github.com/${GITHUB_USER}.keys" -O /etc/dropbear/authorized_keys

# Install ad blocking via DNS (and its HTTP UI).
opkg install adblock luci-app-adblock

# Set up whitelist for ad blocking.
cat > /etc/adblock/adblock.whitelist <<WHITELIST
## Google
googleadservices.com
google-analytics.com
## URL Shorteners
ow.ly
bit.ly
# Work-related
newrelic.com
highcharts.com
# Games
zynga.com
app.adjust.com
mopub.com
crashlytics.com
zyngasupport.helpshift.com
zyngawithfriends.com
WHITELIST

# Enable all the blocklist sources.
sed -i -e "s/option enabled '0'/option enabled '1'/" /etc/config/adblock

# Reload the ad blocker.
/etc/init.d/adblock restart

# Ensure the adblock blocklists are updated every day.
grep -sq 'adblock reload' /etc/crontabs/root || cat >> /etc/crontabs/root <<CRONTAB_ADBLOCK
47 03 * * * /etc/init.d/adblock reload
CRONTAB_ADBLOCK

# Install the *real* Less, instead of using the one in BusyBox, which has no search feature.
opkg install less

# Install Vim, and reset the aliases.
opkg install vim
source /etc/profile

# Install GNU findutils.
opkg install --force-overwrite findutils-find findutils-locate findutils-xargs

# Install GNU diffutils.
opkg install diffutils
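
The script above writes the wget output straight into /etc/dropbear/authorized_keys. The following added example, which is not part of the original page, checks the downloaded list before it replaces the working file; the function names, the list of allowed key types and the sample key are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# valid_keys_file FILE: succeed only if FILE is non-empty and every line that is
# not blank or a comment reads "<allowed-type> <base64> [comment]". Lines with
# options (from=, command=, ...) or HTML fail. Shape check only; the allowed
# types are an assumption to trim to what your Dropbear build accepts.
valid_keys_file() {
    [ -s "$1" ] || return 1
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1 }
        $2 !~ "^[A-Za-z0-9+/]+=*$" { bad = 1 }
        { n++ }
        END { exit (bad || n == 0) }
    ' "$1"
}

# install_keys SRC DEST: validate SRC, then replace DEST with an atomic rename.
install_keys() {
    valid_keys_file "$1" || { echo "rejected key list: $1" >&2; return 1; }
    ( umask 077 && rm -f "$2.new" && cp "$1" "$2.new" && mv "$2.new" "$2" )
}

# update_keys USER DEST: download to a scratch file first, so a failed or
# unexpected response never touches the working DEST.
update_keys() {
    tmp=$(mktemp) || return 1
    wget -q "https://github.com/$1.keys" -O "$tmp" && install_keys "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on constructed input (not real keys); it never touches /etc/dropbear.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAConstructedSampleOnly laptop\n' > "$demo/good"
printf '<html>Too many requests</html>\n' > "$demo/bad"
for f in good bad; do
    if install_keys "$demo/$f" "$demo/authorized_keys" 2>/dev/null
    then echo "$f: installed"
    else echo "$f: rejected, existing file kept"
    fi
done
rm -rf "$demo"
# On the router: update_keys "$GITHUB_USER" /etc/dropbear/authorized_keys
```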