|Router Security||Suggested secure routers||
Website by |
Configuring a router for security can only take you so far. You also need to chose the right router initially.
Many people use the device given them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure, would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device or perhaps a pro-sumer model.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200 which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself, by kicking the tires of a much higher end Peplink router here. My description of the router, with its pros and cons is quite long. The Surf SOHO may not be a fit for you, but after reading about it, you should have no doubt if it meets your needs or not. My only relationship with Peplink is that of a customer.
My second choices would be OPNsense, pcWRT and DrayTek, with the proviso that I have not used any of them.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE:Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely, that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance the someone from the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network and they are forming partnerships with ISPs.
Then too there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it and Synology can not be bothered documenting what data is being transferred or why. For details, in my Synology review see the section Spying On The Router. In March 2020, I confirmed my earlier tests that Peplink routers do not spy on you at all. You also do not need to have an account with Peplink to use their routers.
Cisco is perhaps the poster boy for Point 1, it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem) that makes the danger even worse. In the US, we can not update the firmware on our cable modems, our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, that I recommend, does support outbound firewall rules and configuring it to block modem access looks like this. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
Then too, consider the many stories about how apps are spying on us by sending data to huge number of third party marketing companies. Here is one such report from January 2020. The report lists some of the common tracker domains used by the apps they examined: ads.mopub.com, sdk-android.ad.smaato.net, googleads.g.doubleclick.net, api.pubnative.net, my.mobfox.com and more. The only way to block apps from spying on you, at least at home, is to have a router than can block domains like this. The Pepwave Surf SOHO can block all access to one sub-domain, by setting DNS to an invalid IP address, or, block web access to an entire domain (all sub-domains) with its Content Blocking feature. Or, both.
Some people only trust Open Source router firmware. For example, at PrivacyTools.io, they recommend OpenWrt, pfSense and LibreCMC. However, they offer no explanation for why these three systems are more secure than anything else. I do not think that all open source is good and all closed source is bad.
Secure defaults are needed because most routers are owned by people with no understanding of networking and these people should be secure by default. UPnP is an excellent example, it is insecure and enabled by default on every consumer router. WPS should be disabled by default, or better yet, not even available. Wi-Fi encryption should default to WPA2-AES. Etc. etc.
On a related point, if you need to open a port, perhaps to allow for remote control, a router than can limit access to said port by source IP address is almost a necessity.
I wrote the below having not used a pcWRT router. See updates at the end of this topic.
The pcWRT router was initially sold for its Parental Controls rather than security. That said, it has had many security features added since it was first released back in 2015. The system is based on OpenWrt and there is an online demo of the router interface.
Right off the bat, I like the fact that you do not need to have an account with pcWRT to use the router. You also do not need a mobile app, the router is configured with a web interface.
There is currently (January 2022) a single model that sells for $129. An older model with less horsepower has been discontinued. It has dual band Wifi AC (aka Wi-Fi 5) with 4 GB Ethernet LAN ports. The software is also supported on a handful of other routers such as the TP-Link Archer C7 (v2) and the Linksys WRT1900ACS. A LITE version of the firmware for use on other routers is free, the full featured firmware, (referred to as pcWRT Premium) for use on other routers, sells for $49 with a 90 day money back guarantee.
pcWRT can create four Wi-Fi networks and there is an option to "Enable WiFi client isolation" which prevents wireless devices on an ssid from communicating with each other which should be a great defense against many insecure IoT devices. The availability of WiFi networks can be scheduled. Privacy is great, no account is needed with the vendor and they say the router does not phone home at all. Support for VPNs is excellent. As per this blog post, A router that talks three VPN protocols, pcWRT supports OpenVPN, IKEv2 and WireGuard, both as a server and a client. It can even configure multiple VLANs and send different VLANs through different VPN connections (or no VPN). Just amazing.
It also does ad blocking using the same technology as Pi-hole. To enable ad-blocking network-wide, just check "Enable Ad Block". You can enable it for some or all profiles. There is a white listing feature for the inevitable over-rides, such as when a website will not load without ads being displayed.
A number of DNS providers are pre-set, you can easily chose amongst them or specify anything of your choice. You have a lot of flexibility in controlling traffic: you can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol. More here: How to allow or block web sites on the router. Devices using the router can be assigned to profiles and each profile can use different DNS servers and have a custom black or white list of domains. It seems that you could define a profile for a child with a white list that only allows them access to a small number of approved domains. It can even block just a section of one website. They example they give is
It logs the blocked domains and also has a summary report of blockage.
The router lets you create a backup of the current configuration to a file. You can either be emailed when new firmware is available or the pcWRT can automatically update itself. Interesting blog from the company, How to use your router to block smart TV snooping talks aboutthe VLAN feature and watching the domains a smart TV talks to and then limiting the domains it is allowed to communicate with. The routers offer their own, free DDNS service that provides you with a hostname on the pcwrt.net domain.
Like many other routers, it can block Pings from the WAN side. It also has a stealth mode and I am not clear what that is/does.
The website says nothing about who created the router, and there is no Contact Us page either. All communication is via a Forum. Documentation is mostly in the blog on the website. There is also a 5 page pcWRT Parental Control Router User's Guide. One Parental Control feature is the ability to block YouTube videos that are not child-safe. They have good release notes and a history of firmware releases.
Update: November 2021. I am starting to test a pcWRT router. So far, I have verified that it does not phone home to the router manufacturer. Firmware updating is very flexible, there are two flavors of manual updates and it supports automatic updating too. For those of us that prefer manual updating, you can subscribe to their firmware updates mailing list and the company will email you when an update is available.
Another company to consider is GL.iNet. I have not used their products, but they are cheap and the company has a focus on security.
Their routers run OpenWRT and include an OpenVPN client, a WireGuard client, Tor and encrypted DNS from either Cloudflare or NextDNS. The Slate (GL-AR750S-Ext) was released in 2019 and sells for about $55 (as of Feb. 2021). The Beryl (GL-MT1300) is newer and sells for about $70. They have many other models too.
GL.iNet routers, on Android, are configured with the GL.iNet app. The app was analyzed by Exodus on Feb 13, 2020 (app version 1.0.17) and found to contain no trackers. Also, it only requested 3 Android permissions. As of March 2021, the latest version of the app is 1.0.23, released January 2021.
At these prices, we can't expect great speeds or for the routers to handle too many attached devices. As for VPN speeds, when running the OpenVPN client, the company says to expect about 20Mbps with each model. When running the WireGuard client, expect roughly 70Mbps with the Slate and 90Mbps with the Beryl. Rather than your main router, they may be a better fit for a secondary router.
I have no hands-on experience using routers from DrayTek, but the company seems to be similar to Peplink, in that their products are clearly a step up from common consumer drek. That they care about security was shown by their publishing a 24-page router security best practices paper. Not only do they support WPA2 Enterprise, but most DrayTek routers have a built-in RADIUS server which makes implementing WPA2 Enterprise simple and realistic for consumers and small businesses. See a list of the features on their routers. As they say, they don't do entry level. They offer single WAN, dual WAN and multi-WAN models, just like Peplink.
This July 2018 article calls the Vigor 2862Lac router a perfect router for SMBs. SmallNetBuilder.com has reviewed DrayTek routers, but the most recent review was back in 2011. You can judge the user interface for yourself, DrayTek offers online emulators for all their routers.
DrayTek offers many different router models, finding the right one for you is not simple. According to their website, their cheapest routers are the Vigor 2133 series. Routers are only sold through partners, not directly by the company, and their US partners do not have much for sale. A sampling of US resellers, done in Feb. 2020, found these low end models for sale: Vigor-2760n for $130, 2133ac for $170, Vigor2926ac for $296 and a Vigor2926 for $200.
I do not know how long DrayTek supports the software in their routers, but someone who bought a new Vigor 2860 in 2013 wrote to tell me that it is still getting bug fixes in June 2020. You can judge how long firmware support is provided at their Downloads and Resources page. This person also reports that firmware updates are free.
As for tech support, this same person reports that it is free and in their words "fairly responsive and helpful" However, I do not know how long they provide tech support for.
As for the company itself, this experienced DrayTek owner confirms that they are much like Peplink, writing: "Draytek Vigor routers are business-grade routers, and as such have vastly more capability than the average consumer needs or would even understand, and so the configuration is a matter of selecting just those few items you need from a considerable array of options ... they are regarded as one of the more secure routers available (in the UK, at least)..."
In September 2020, Turris released a new device, the Turris Shield. As I write this, very little is known about it, there are no reviews of the Shield and even the documentation page on the Turris website is skimpy. It is sold as a firewall rather than a router and is meant to sit between the modem and the router. People who have a single Internet device (a combination modem and router), can place the Shield behind it, rather than in front. This, however, will only protect Ethernet devices as the Shield does not do Wi-Fi. If nothing else, the Shield deserves a look because it is made in the Czech Republic rather than China.
On the upside, the software (TurrisOS based on OpenWRT) is open source and Turris says it self-updates, both the OS itself and updates to defend against new attacks. I am confused about the term "attack". Any router purchased at retail should have a firewall with no open WAN side ports and thus defend the LAN behind it. So the purpose of the Shield firewall is unclear to me. The Shield is described as a "unique firewall" and a "unique security system" but there is no explanation of what makes it unique. Turris says it respond to threats within seconds, but it is not clear to me what types of threats it is responding to or how it is responding.
Turris says that it can be used by non-technical of people, that all you need to do is pick a password and the device does everything else on its own. Too good to be true? Time will tell. It is administered via a web interface.
The Shield can be both an OpenVPN server and client. VPN servers in routers serve two purposes. One allows you to login to the device when you are traveling and use it as a free VPN to avoid paying for a commercial service such as ProtonVPN, Mullvad or TunnelBear. The available documentation does not say it can do this. The other purpose is to provide access to files and devices on the LAN when you are traveling. I would expect this to be blocked by any router as the router firewall would see this as an unsolicited incoming connection. Using the Shield as a VPN client puts all your eggs in one basket and gives you no flexibility. Individual devices can not be excluded from the VPN tunnel and if there is a problem with the VPN connection, all your devices are knocked off-line. If the VPN is slow, all your devices are slow. My personal preference is for a VPN box that connects to the LAN side of a router rather than the WAN side.
Some missing information: what is its maximum throughput with and without a VPN? Does it support inbound or outbound firewall rules? If it does support rules then not mentioning this is negligent documentation. If it does not support firewall rules, then, again, just what does it do?
As of early September 2020, the Shield was available for purchase in Germany, Great Britain, Spain, France, Italy and the Czech Republic. Alza was selling it for 104 British pounds, which was roughly equal to $138 US dollars.
The Firewalla Gold router first shipped to customers in November 2020. It costs $438 (as of October 2021) and does not do Wi-Fi. It is listed here as an FYI, I have no experience with it. The first two generations of Firewalla (Gold is their third) were add-on devices that plugged into a LAN port of your router. The Gold model can function that way too, but it is included here because it can also be a stand-alone router. There is more information on the two older devices (Red and Blue) on the Resources page.
Firewalla Gold is based on Ubuntu Linux and offers full access to the operating system via SSH. A mobile app is required to configure it. There is a (very?) limited web interface. You can install your own "packages" including Pi Hole for ad/tracker blocking.
Features: It supports VLANs for network segmentation. It can be both an OpenVPN client and an OpenVPN server and supports site-to-site VPN connections (as does the Pepwave Surf SOHO). WireGuard support is planned (as of April 2021). It supports multiple Ethernet WAN connections, though I am not sure if it load balances or only offers fail-over. It supports GEO-IP filtering which lets you block entire countries. It does ad blocking and can notify you of a spike in bandwidth usage. It does encrypted DNS using DNS over HTTPS (DoH). It runs vulnerability scans and automatically blocks malicious web sites. It does Intrusion Prevention and when that fails, it does Intrusion Detection. It is not clear if it offers outbound firewall rules. It does offer Parental Controls. There are no ongoing subscription fees.
My concerns: The software and hardware are both new, so bugs are likely. How quickly does the company respond? Only time can tell. It is not clear what, if any data, the device sends to the company. Also, you have to have an account with Firewalla to use the thing, which is a privacy risk. And, it is not clear if you are at all dependent on a cloud service of theirs. The device has a console port. Why? They don't say. The speed is a concern. They promote it as having 3Gbps speed which I am sure is not true. I suspect they are adding up the speed from three gigabit Ethernet ports. Fudging the numbers like this does not promote trust. Still, it is likely to support Internet speeds around 900Mbps.
Wi-Fi is perhaps my biggest concern; the company goes out of its way to avoid any mention of Wi-Fi in promoting the thing. Why? One issue is that any Access Point that you add to it has its own user interface which means that owners of the Firewalla Gold have to learn to deal with both it and the AP. Then too, there is the chance that devices connected to the AP may not be individually governable by Firewalla. The user manual is a mish-mash of all three Firewall devices. They do not offer a manual dedicated to the Gold model. There is also a FAQ.
In September 2020, Kevin C. Tofel liked it. He points out that it can run Docker containers, can block devices from the network at the touch of a button and can block social networking apps. It also notifies when a new device joins the network. He says it can show minute details of network traffic but does not explain this in detail.
Dong Ngo reviewed it in Jan. 2021 and said " ... it's best used as a souped-up version of the Firewalla Blue Plus ... you should consider it an add-on firewall / online-protection device of an existing network, rather than a router that hosts a network of its own, where it makes things a bit too complicated for home users.". Full review: Firewalla Gold Review: An Expensive but Totally-a-Keeper Add-on Firewall.
Vilfo is a router ($400 US) offered by VPN provider OVPN. Vilfo OS is their router firmware without their hardware. It should run on any computer with an x64 based motherboard and a minimum of 1 GB RAM, 4 GB hard disk and 2 Ethernet ports.
Like pcWRT, the firmware is not free. There are two plans: $100/year and $60/year (roughly). This may well be the price of security, tech support and ongoing software development, pfSense not withstanding. Unlike pcWRT, the focus is not fully on security. The big bragging point is that it can concurrently connect to multiple VPN servers from multiple VPN providers. Then, you assign devices on your network to each VPN connection, or, to not use any VPN. I saw nothing about Wireguard, so I would assume it only supports OpenVPN.
As of January 2022, it does not support VLANs, but the feature is planned for the more expensive plan. There do not seem to be outbound firewall rules. It offers notifications, both by email and pushed to a mobile device. There is an Event log and it is big on bandwidth usage reporting as you might expect from a VPN company. It offers parental controls, but they are limited to setting times when devices can get online. You can force a website to only be accessed through a VPN, however, this is not done in the router, it is a feature of their browser extension. See their documentation for more.
These routers are being marketed as secure. Are they really? Time will tell.
September 10, 2021: Okyo™ Garde: Enterprise-Grade Cybersecurity With Consumer Simplicity by Palo Alto Networks. They claim their new Okyo product offers unparalleled protection from malware, ransomware, phishing attacks and more, yet with consumer simplicity. You don't pay once, you pay every year, between $350 and $450 for the year. If you stop paying, is the router useless? They don't say. They also say that it is mesh-enabled, but all the pictures show a single device. The cost for extra devices to make a mesh network is none of your business. The router is controlled by a mobile app and is expected to start shipping in Fall 2021.
September 13, 2021: Fortinet, Linksys joint venture aims to bring enterprise security to home offices by ZDNet. The hardware is a pair of Linksys Velop routers. The product is aimed at large companies, not consumers or small businesses. As such, there are no prices. The selling point is exactly the same as for the Okyo (above): "This is the first-ever enterprise solution for remote and hybrid workers to have secure access to corporate and personal networks at home. The system comes with top cybersecurity features to protect your organization and a comprehensive solution for hardware, software, and services your employees need." To me, consumer routers and security are like oil and water, they don't mix. It is planned to be released later in 2021 in US. Website: Linksys HomeWRK.