|Router Security||pcWRT Router||
Website by |
NOTE: Feb 7, 2022: This page is a work-in-progress and is not yet complete. The big omission is Parental Controls
|Table of Contents|
|Who,What,Why,Where||Initial Setup||Initial Wi-Fi Tweaks|
|ET Phone Home||Restricting Access to the Router||Firmware|
|Other Features||Web Interface||Random Observations|
WHO WHAT WHY WHERE
What is pcWRT and why should you care?
In November 2023, they introduced a new model, the PW-AX1800. The article below was written in January 2022 using their Newifi-D2, that has since been discontinued. The Newifi-D2 sold for $129 US, the PW-AX1800 sells for $149, and is available both at their website and on Amazon. The older model did Wi-Fi ac (aka WiFi 5), the newer one supports Wi-Fi ax (aka WiFi 6). Both models are dual band, the new one has 3 LAN ports and supports 4 SSIDs on each Wi-Fi frequency band. The new model has more computing horsepower and thus better VPN performance.
When pcWRT was first released in 2015, it was initially sold for its Parental Controls rather than security (the "pc" in the name is for Parental Control). That said, it has had many security features, such as VLANs and VPNs, added to it since then. The system is based on OpenWRT and the interface for many of the advanced features has been simplified. On the one hand, this makes advanced features available to a wider audience. On the other hand, it cuts down on some of the flexibility offered by the advanced features.
To me, security is not just about bug fixes and advanced features. Right off the bat, I liked the fact that you do not need to have an account with pcWRT to use the router. They offer an optional, free account that adds some features, but again, it is optional. You also do not need a mobile app, the router is configured with a web interface. I have verified that the router does not phone home to the company to spy on you.
The hardware is dual band Wi-Fi ac (aka Wi-Fi 5) with 4 gigabit LAN ports. It has 4 Wi-Fi antennas. In my testing, it never got warm, let alone hot.
Support for VPNs is excellent. As per this blog post, A router that talks three VPN protocols, pcWRT supports OpenVPN, IKEv2 and WireGuard, both as a server and a client. There is a whole section on VPNs below.
pcWRT comes with 5 pre-configured VLANs. Each VLAN can be assigned to one or more LAN ports and one or two wireless networks. You have full control over the inter-VLAN communication. A VPN connection can be assigned to one or more VLANs which means that one SSID can go through the VPN while another SSID does not. This is great.
The availability of WiFi networks can be scheduled.
The router lets you create a backup of the current configuration to a file. You can be emailed when new firmware is available. They maintain a history of firmware releases. If a new firmware release causes a problem, the router has a built-in function that will roll itself back to the prior release. The company has offered customers to send them their config file so that the company can try to re-create a problem.
Interesting blog from the company, How to use your router to block smart TV snooping talks about the VLAN feature and watching the domains a smart TV talks to, and then limiting the domains it is allowed to communicate with.
The website says nothing about who created the router, and there is no Contact Us page either. Communication is via a Forum and email. There is no manual, documentation is half in the blog on the website and half in the Forum on the website. One exception is this 5 page pcWRT Parental Control Router User's Guide. I have not yet used the Parental Control features. That said, you first define assorted profiles for the various devices on your network. Then you assign each device to a profile. One Parental Control feature is the ability to block YouTube videos that are not child-safe.
Another big selling point is ad blocking using the same technology as Pi-hole. To enable ad-blocking network-wide, just check "Enable Ad Block". You can enable it for some or all profiles. There is a white listing feature for the inevitable over-rides, such as when a website will not load without ads being displayed.
A number of DNS providers are pre-set, you can easily chose amongst them or specify anything of your choice. You have a lot of flexibility in controlling traffic: you can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol. More here: How to allow or block web sites on the router. Each profile can use different DNS servers and have a different black or white list of domains. You could define a profile for a child with a white list that only allows them access to a small number of approved domains. It can even block just a section of a website. They example they give is
It logs the blocked domains and also has a summary report of blockage.
For DNS, pcWRT supports secure DNS.
The pcWRT software is also supported on a handful of other routers such as the TP-Link Archer C7 (v2) and the Linksys WRT1900ACS. A LITE version of the pcWRT firmware, for use on other routers, is free; the full featured firmware, (referred to as pcWRT Premium) for use on other routers, sells for $49 with a 90 day money back guarantee. Download their firmware at pcwrt.com/downloads.
If a picture is worth a thousand words, then an online demo of the router firmware even more useful.
The maximum speed of the pcWRT router varies depending on the options being used. According to March 2022 Forum post the speed should be close to gigabit out of the box.
One option that will slow things down is "Enforce Access Control". If you find that this option makes a large speed difference, you can configure the router so that only some attached devices are subject to Access Control. As with every router that offers VPN client software, speed is reduced when connected to a VPN. Here too, you can limit the devices that go through the VPN (using the VLAN feature of pcWRT).
As to specifics, the Forum post says that the maximum speed will be about 100Mbps when connected to an IKEv2 or WireGuard VPN and about 50Mbps when connected to an OpenVPN server.
I ran two sets of speed tests. Both were done with a Chromebook running in Guest Mode to limit the software running on the device doing the testing. Guest Mode does not allow Android apps, so all tests were done using the Chrome browser.
The first set was done with pcWRT connected to a Pepwave Surf SOHO whose maximum speed is about 100Mbps. The pcWRT was not directly connected to the Internet, it was plugged into a LAN port on the Surf SOHO router. I was mostly interested in the speed difference between different types of VPNs. I tested using both fast.com and speed.cloudflare.com. An OpenVPN connection speed tested at 14 and 17 Mbps. Another OpenVPN connection, to a different VPN company, speed tested at 12 and 13 Mbps. A WireGuard connection tested at 89 and 104 Mbps. A little math shows that WireGuard was seven times faster than OpenVPN.
My second set of speed tests were done with pcWRT directly connected to a cable modem. Prior to testing pcWRT, I ran speed tests with the Chromebook directly connected to the modem and the speed was about 240Mbps. In pcWRT, Access Control and Bandwidth Monitoring were disabled for all tests. Initially, there was no VPN connection either. I tested using three websites: fast.com, speed.cloudflare.com and speedtest.net. With no VPN connection, the speeds were 220Mbps from Fast.com, 231 from Cloudflare and 234 from Speedtest.net. This confirmed what the Forum posting said, that with everything off, the router should be able to go as fast as the net connection.
Then I ran three sets of VPN tests, all using WireGuard.
The official documentation is here: Router Initial Setup. Finding these instructions was harder than it should have been. I got it from this PDF file that came with the router. The company calls this a User Guide. It is unlike any User Guide I have seen before. Be forewarned, much of the documentation on pcwrt.com is in the Forum. The rest is in the blog.
Setup if via a web interface, no mobile app needed. As with any router, setup can be done via either a Wi-Fi or Ethernet connection to the router. Ethernet is far better as the initial setup involves making Wi-Fi changes. If using Ethernet, plug into a yellow LAN port, not the blue WAN port.
If using Wi-Fi, the router creates two SSIDs the first time it is powered on: pcwrt and pcwrt-5g. The setup instructions do not mention the 5G network. These two SSIDs do not require a password, so it is safer to do the initial configuration with the router off-line, something I recommend for all new routers.
After connecting to the router, start a web browser and go to http://192.168.10.1. You may also be able to use http://pcwrt/, but this will fail if your web browser is using Secure DNS. It may also fail if you leave off the slash at the end.
The interface at this point has different sections with different tabs. Do not click on the tabs to go from one section to the next (lesson learned the hard way). Instead click on the green NEXT button.
The first thing to do is pick a router (not Wi-Fi) password. How long can it be? It doesn't say. The company told me they store the password as a hash (as everyone storing passwords should) so there is, technically, no limit on how big it can be. My advice on router passwords is here.
Next, you have to pick a Timezone. The company told me the timezone is used both for both Access Control and WiFi calendars.
Next up are the Wi-Fi network name(s) (SSID), the type of encryption and the Wi-Fi password(s). My advice regarding network names is here. My Wi-Fi password advice is here. It is not clear from the instructions, but the router lets you use the same SSID on both Wi-Fi frequency bands (2.4GHz and 5GHz). Or different, your choice. See Same SSID for 2.4 and 5ghz in the Forum. For encryption, chose WPA2-PSK. For the Cipher, choose CCMP (AES). You only enter the Wi-Fi password once and it is hidden by default. To make sure you typed what you intended to type, see the setup instructions (link above) for the secret handshake that makes the password visible. The Wi-Fi password may be called a key. "Key" means "password" in the nerd world. I am told that "key" will be replaced with "password" in the near future.
You can also disable one of the frequency bands, if desired. If you use two different SSIDs, they can share the same password. Guest networks are not configured initially.
The final step of the initial setup asks for an optional email address. If you provide one, the company says it will email you when there are updates to the firmware. I think that is a great way to handle updates. It is not clear if you omit an email address at this point, if you can provide one later.
After clicking the blue FINISH button, it took only a couple seconds until I saw the message that the initial setup was completed.
Before connecting the router to the Internet, I would change a few more things.
To log back in to the router you can use either HTTP or HTTPS (see Router Login). Each option uses the standard ports (80 and 443) which can not be changed.
I suggest reviewing the Wi-Fi settings first. They can be found at Settings -> Wireless. One thing that does not need to be reviewed is WPS. The router does not support it, which, for security, is a very good thing.
In my home, the router chose channel 9 on the 2.4GHz band. The only channels that should be used on this band are 1, 6 and 11. Figure out the least used channel in your area and set the router to always use that channel. Do not use the default of Auto for the channel. If necessary, make a guess and if performance is bad, go back and make another guess. In fairness, others routers do the same thing. Near me is a Netgear router using channel 8, a Linksys19160 using channel 9 and a TP-Link Archer C6 using channel 10.
The router made another poor choice on the 2.4GHz frequency band - the Channel Width was 40MHz. The Channel Width should always be 20MHz on this frequency band. The only exception is when there are no other detected Wi-Fi networks using the 2.4GHz band at all, which is pretty unlikely. Here too, other routers make the same mistake. A Wi-Fi scan in my living room found Eero, Arcadyan, TP-Link, Netgear and Arris routers also using 40Mhz wide channels on the 2.4GHz band.
On the 5GHz band, the router used an 80MHz wide channel. If you have no Wi-Fi anywhere near you, this is fine. If you live in an area with many Wi-Fi networks, you might be better off with 40MHz.
This is also where you can set the Transmission Power. In general a high power is fine, unless you have bad neighbors.
The Wi-Fi client isolation feature lets you prevent devices connected to the WiFi network from seeing each other.
The Wi-Fi calendar feature was a bit of a disappointment. For one thing, there is no documentation on the feature in the User Interface and I could not find any in the Forum. Turns out, it's here: Turn off WiFi router automatically at night (July 2018). The explanation leaves a lot to be desired. Note that the scheduling applies to Wi-Fi as a whole, you can not schedule individual SSIDs (Peplink can, by the way). There is an Extend time option when editing the Calendar/Schedule. This suspends the calendar/schedule for the amount of time selected. It does not change the existing calendar rules.
FYI: On the Status page, Wi-Fi on each frequency band is reported to be Master mode. That is normal.
A big question, for me, is whether a router is spying on me.
This starts with the issue of vendor accounts; many routers require you to have an account with the hardware manufacturer. pcWRT is great in this regard, you can use the router without an account. So, even if it spied on you, it does not know who you are.
The harder aspect of this is whether it is spying. This was the first thing I tested with the router. In my home, it was not directly connected to the Internet, instead the WAN port of the pcWRT router was connected to a LAN port of a Peplink router. Peplink supports all sorts of monitoring of attached client devices. I carefully watched every transmission leaving the pcWRT router for quite a while. It phones home when it is powered on for reasons the company explained. It checks the time of day using NTP frequently, as do millions of other devices. Other than that, nothing. It got a clean bill of health, and I watched it for a long time.
This, by the way, is the total opposite of my experience with a Synology router. Synology knows what you had for breakfast :-) On the other hand, Synology has a nice graph of CPU usage.
Update: The above is true while using the router, but configuring the router is different. I entered my email address into the router to be notified of new firmware. The router can notify you of other things too, which I had not yet gotten up to speed on. Thus, it sent an email to me with the information below.
Router configuration was updated.
01/15/2022 07:54:23 PM: Changed system notification settings
01/15/2022 07:54:44 PM: Disabled SSH access
Is this phoning home? Yes and no. Peplink routers can also send email, but they have to be configured with the technical details of an email account (SMTP server name and a valid userid and password on that server). The email from the router is sent through the SMTP (email sending) server you provide. Peplink does not see the email. In contrast, this email came from pcWRT (from a Digital Ocean server through Gmail) and was much easier to configure (no need to know the techie details of an SMTP server). Again, this is an optional feature. If nothing else, it is a reason to make sure the router knows your timezone.
Like every router, access requires knowing a password. However, most routers require both a userid/password, pcWRT only requires a password. Many other routers have extra restrictions that block devices even when the password is known. The only extra restriction offered by pcWRT is the name of a connected device. You configure this at Settings -> System -> checkbox for "Restrict router access". To me, the missing feature here is that access can not be restricted by VLAN.Note that router access only goes by name, not by MAC address. With the fairly new MAC address randomization feature in a few operating systems, a single device can have multiple MAC addresses. And, for decades. a laptop computer would have one MAC address for Wi-Fi and a different MAC for Ethernet. It does not matter if a given device has been seen with multiple MAC addresses, pcWRT only keys off the name.
Like other routers, connected devices have a default name detected by pcWRT. You can change that name (click on it on the Status page) to something that makes more sense to you. Router access is keyed off the name regardless of whether it is the default name or one you set. Multiple devices can be given router access. If you have two devices that you want to have access to the router, you could give them the same name (not a good idea, just illustrating a point). If you rename a device that has access to the router, and the new name is not in the allowed list, then the device will lose router access.
A minor problem is with remote access, without going through the pcWRT website (poking a hole in the router firewall). A remotely logged in user does not appear in the list of connected devices. So, no device name. So, restricting router access blocks this type of remote access. I have not yet tested remote access through the pcWRT website.
The firmware version is displayed in a tiny font in the bottom right corner of every page of the admin website. This writeup was done using firmware version 2.47 initially. The Release Notes for the assorted firmware updates are posted in the Announcements forum. The last documented firmware release is 2.46, there is nothing about 2.47. Turns out that there is a comment on the 2.46 release that says 2.47 includes just one bug fix.
The router does not self-update. If you want, pcWRT will email you about the availability of an update, but the router will never update itself. I mention this because at Settings -> System, in the Flash New Firmware section, there is an "Auto update" radio button that is on by default. This is misleading. Even with it on, you need to click the "Check for Updates" button to update the firmware.
If there is an available update, you then need to click another button (Proceed) to download it from pcWRT. When I upgraded from 2.4.7 to 2.4.8, the notice that there was an available update, linked to the release notes for the new firmware and reminded me to make a backup of the current configuration settings after installing the new firmware. Great.
If you are running the latest firmware, it tells you the prior version, and ... offers to rollback to the prior version! This is great. By comparison, a Synology NAS never allows you to fall back to older firmware.
When I upgraded to version v2.5.2, I noticed a nice thing about the process. While many routers offer some type of status display about the firmware update, this display it typically cut off at the knees when the router restarts to activate the new firmware. Peplink routers, for example, never display an installation status greater than 75% complete before the router re-boots and leaves the status display unchanged, seemingly forever. pcWRT said it was installing the new firmware and, after a while, took me back to the router login screen. No confusion as to where things stand. Nice touch.
With a manual update, you download the firmware and then point the router to the file on your computer that you have downloaded. The advantage to Manual Mode is that you can install any version of the firmware. The company says you can even switch to plain OpenWRT.
The company said they run an integrity check on the downloaded firmware before installing it.
For an introduction to the concept of VLANs, see the VLAN page on this site. From a security point of view, VLANs (Virtual LANs) are a great feature and quite rare in a router that costs as little as pcWRT. They are virtually non-existent in any router targeted at consumers.
That said, the implementation of VLANs in pcWRT has been greatly simplified when compared to a professional level router such as those from Peplink. This simplification has its pros/cons.
On the one hand, pcWRT comes with five pre-existing VLANs. A higher end router would ship with none and require the router administrator to create and define their desired VLANs. But, a high end router will support more than just five. For many people, however, five should be sufficient. A high end router lets you name each VLAN which can be quite useful. With pcWRT the VLAN names are fixed: LAN, Guest, X1, X2 and X3. It is up to you to remember which one has the security cameras in it.
Every VLAN lives in its own subnet. To simplify things, pcWRT does not let you chose the subnet for the five pre-existing VLANs. The two VLANs that I tested initially used 10.159.156.x and 10.159.159.x, but I am told these are not fixed. Along with this, pcWRT does not let you chose the subnet mask for the VLANs, they all use 255.255.255.0 which means each VLAN can have, at most 255 devices. Another restriction is DHCP, you can not chose the DHCP range for a VLAN with pcWRT. And, the IP address of the router in each VLAN is always dot 1 (for example, 10.159.159.1). With a high end router, you can change this. Also, DHCP and DNS in each VLAN is fixed and set at the router itself.
Even when hiding and simplifying these details is the right thing to do, I think pcWRT goes too far, as it does not even display this information in the web interface of the router. Some of it you can figure out on your own, other info above I only know because the company was kind enough to tell me.
For each of the five VLANs, you can (optionally) create one 2.4GHz SSID and one 5GHz SSID. Thus, the pcWRT router can create a maximum of 10 wireless networks.
Each LAN port can be assigned to one of the VLANs. By default, they are assigned to the LAN. Whether LAN is technically a VLAN or not, seems unimportant. It differs from the others, however, in that you can change both the subnet and IP address of the router in that subnet. It's easy to do.
For maximum security, every VLAN should be totally isolated from the others. There are many ways to define this isolation, it is not a simple ON/OFF thing. With pcWRT the isolation is not total.
For example, the company says that all connected devices have access to the router on TCP ports 80 and 443 so that ad blocking can be paused when it is suspected of causing a problem. All other ports are blocked (except 53 for DNS). I can certainly see the need for this, as any system that blocks ads will eventually cause something to break. On the other hand, Guest, X1, X2 and X3 devices can login to the router, if they know the password. They can access the router both by its LAN IP address (192.168.10.1 by default) and by its VLAN IP address (10.159.159.1 for example). It would be more secure if we could block Guest devices from ever seeing the web interface of the router. That said, there are controls that govern which devices can login to the router, even if they know the password.
On a professional class router, a VLAN can consist of one or more Ethernet LAN ports and one or more wireless networks (SSID). With pcWRT, a single VLAN is limited to one 2.4GHz SSID and one 5GHz SSID. Probably not a big limitation. As you see in the screen show below, assigning a LAN port to a VLAN is trivially easy and multiple LAN ports can be assigned to the same VLAN. By default, all LAN ports are in the LAN VLAN.
VLANs were initially created for performance, not for isolating groups of devices. Thus, VLANs are allowed to communicate with each other. Below is a screen shot of the way pcWRT lets you configure which VLANs can communicate with other VLANs. Its a checkerboard (my term). This is perhaps where you will most feel the pcWRT limitation that you can not change the name of the pre-defined VLANs.
In the checkerboard below, devices on the LAN VLAN, can also see devices on the GUEST VLAN (first row, second column). However, devices on the GUEST VLAN can not see devices in the LAN VLAN (second row, first column). The GUEST, X1, X2 and X2 VLANs can not communicate with any other VLANs. To repeat myself (from above), all devices on all VLANs can see the router itself, regardless of how the checkerboard is configured.
The VPN support is one of the major selling points of pcWRT. It supports three types of VPN server and three types of VPN client: WireGuard, OpenVPN and IPsec.
As for the VPN servers: The ports for IPsec are fixed (UDP 500 and 4500) but WireGuard and OpenVPN can run on any port you prefer. Interesting tidbit: The company tells me that the UDP ports opened for a WireGuard or OpenVPN server are not detectable by port scans. WireGuard will only respond when an incoming message is encrypted with the right key. Similarly, OpenVPN will drop an incoming UDP packet that does not have the right HMAC signature.
FYI: The Complete Guide to Setting up a WireGuard® VPN Server at Home with pcWRT by pcwrt January 2021. One interesting point in this article is that two pcWRT routers can use WireGuard to form a site to site VPN. Pretty advanced stuff for a consumer-targeted router.
FYI: VPN services compatible with the pcWRT router (July 2020). Not included in the list is ovpn.com which works with the OpenVPN and WireGuard clients in pcWRT.
As for the VPN clients: One common feature for all three are small colored dots that indicate the state of the connection. Green means a connection has been established. Yellow means that a connection is in progress. Sometimes, when connections have failed on me, they stay Yellow forever. You will have to get a feel for how long any type of VPN stays yellow before checking the log for errors. WireGuard is quick to make a connection, OpenVPN and IKEv2 are slow. Finally, Red means the connection has failed or that you manually stopped it.
Every VPN connection reduces the speed of the Internet connection. Sometimes the speed reduction is trivial, sometimes not. For more on this see the section on SPEED in the Who,What,Why,Where section above.
The big advantage of WireGuard is that it requires much less computing horsepower, so VPN connections will be faster than they would be with OpenVPN. Another advantage is that it can be configured to use any UDP port making it hard to block.
A downside is that not many VPN companies support a WireGuard client running on a router. Mullvad supports it, but only from OpenWRT and the setup and configuration is long, ugly and complicated. On the other hand, there are WireGuard configuration files and since the software is new and not yet fractured, it is likely that WireGuard from pcWRT will work with any VPN provider that creates a WireGuard config file, not just those that specifically support WireGuard from routers.
Initially, I tested with Sweden-based VPN provider OVPN and the setup was very easy. OVPN customers can generate WireGuard config files at the ovpn.com website. It was a very simple thing to import these config files into pcWRT (APPS tab -> WireGuard button -> ADD button). Then, I tested with Windscribe, which also generates WireGuard configuration files (look in the Download section of their website). Both tests worked great.
Below are sample WireGuard configuration files from OVPN and from Windscribe. You do not need to know, or even see, any of this, I just found it interesting that they differ in a number of ways.
|A sample OVPN WireGuard config file|
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 172.x.x.x/32, xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
DNS = 126.96.36.199, 188.8.131.52
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = some.thing.ovpn.com:9929
|A sample Windscribe WireGuard config file|
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 100.x.x.x/32
DNS = 10.x.x.x
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = some.thing.whiskergalaxy.com:443
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Where they Agree: The Endpoint is the name and the UDP port number of the WireGuard VPN server. Windscribe gives you a choice of about five different ports when you generate the config file. The AllowedIPs of all zeros means that all data will be sent through the VPN tunnel. For Windscribe this is IPv4 only, OVPN includes IPv6.
Where they disagree: Address is your IP address on the internal network of the VPN provider. Windscribe uses an IP v4 address that starts with 100, a somewhat obscure bogon group of IPs. OVPN uses an IP address starts with 172, a standard internal-use-only group. OVPN uses two IP address, one is IPV4, the other is IPv6. I don't know if we are better off, or not, with the additional IPv6 address. Personally, I want nothing to do with IPv6. I asked OVPN about this and they said, that I could remove the two references to IPv6.
DNS is the DNS server(s) used for the VPN tunnel. Windscribe provides a single DNS server whose internal IP address starts with 10 dot. OVPN is the opposite, they provide two DNS server addresses and they provide public, not private IP addresses. Certainly having two DNS servers is better than one. In addition, the two DNS server IP addresses are very different, so bonus points to OVPN for that (more resistant to routing failures). I don't know the pros/cons of specifying this with an internal vs. a public IP address.
Finally, Windscribe includes a PresharedKey that OVPN does not use. This provides a second layer of data encryption. I don't know if this is considered overkill. I also don't know if the computing horsepower for this second layer of encryption is trivial or significant. I asked the company and they said "The pre-shared key should not have any significant impact on the connection itself, only if the router is really underpowered but in that case, it's not so much the pre-shared key that would cause slowdowns but just using the VPN in general."
In the past, I have seen VPN companies that used the same key (not a WireGuard key) for all their customers. I asked Windscribe if the WireGuard pre-shared key was the same for all their customers or if it is unique to each customer. They said it is unique to each user. Great.
In the Windscribe example above, the VPN server name ends with whiskergalaxy.com, not with windscribe.com. They verified to me that they own the whiskergalaxy.com domain. I had to ask because the Registrant name is redacted on Whois. Why they use it, I don't know. It seems sloppy.
IVPN is particularly interesting for WireGuard from a router because of their multi-hop feature which works with both OpenVPN and WireGuard. While many VPN providers offer the multi-hop feature, IVPN has a nifty way of modifying the WireGuard configuration file that lets you specify both the entry and exit servers. Thus, you do not need software from IVPN to use their multi-hop. The only restriction is that the first/entry and second/exit servers must be in different countries. If this interests you, you can test it for yourself, for a week, for $2 US. I have not tried it.
As for a log, there really isn't one. The router feature to display the log show mostly just the configuration parameters. The extra things are bandwidth totals for data coming and going, how long ago the last handshake occurred and the persistent keepalive interval.
My testing revealed another good thing about WireGuard running on pcWRT - the VPN tunnel did not break. Because pcWRT was connected to another router, and not directly connected to the Internet, the other router (from Peplink) was able to audit outgoing requests from pcWRT. After the WireGuard VPN tunnel was created, the Peplink router watched for any data leaving the pcWRT router that did not go through the VPN tunnel. WireGuard was the only VPN being used at the time and it was assigned to the LAN, GUEST and X1 VLANs, which were the only VLANs in use at the time. As with many devices, the one allowed exception was NTP requests that the router itself makes so that it knows the current time of day. I watched for multiple days, and no data left the router without going through the WireGuard VPN tunnel. In contrast, similar testing with the IKEv2 client had very different results. For the record, the WireGuard server was run by OVPN. I have never seen any VPN review even touch on this issue.
When the Internet connection was functional the WireGuard VPN tunnel remained connected over the span of many days. However, when the Internet connection failed, due to a problem with the ISP, the WireGuard connection did not restart itself. I had to log in to the pcWRT router, stop the VPN connection and start it again.
The instructions for configuring an OpenVPN client connection to a server are poor: How to set up an OpenVPN client connection on the pcWRT router (Dec 2019). Despite that, the process is simple and fairly standard. The first step, with any VPN provider, is to download OpenVPN configuration files (.ovpn files). Look to generate/download files customized for routers, assuming the VPN provider supports access from a router. Then, in pcWRT, do: Apps -> OpenVPN button -> ADD button -> and point the router at an ovpn configuration file. You can name the connection anything, but a name like "ProtonVPN Spain" would be a great name for a ProtonVPN connection to Spain.
Next, you need a userid/password provided by your VPN company. Both ProtonVPN and Windscribe have multiple userids/passwords, so be sure to use the right one.
ProtonVPN calls the credentials needed here the "OpenVPN/IKEv2 credentials" and you can find them at their website using: Account -> OpenVPN/IKEv2 username. Interestingly, by changing the ProtonVPN userid, you can enable/disable their ad blocking service. A nifty hack from the company for people who are not using their software. At the Windscribe website, the same page that generates the OpenVPN config files also displays the necessary userid/password. Note that Windscribe used to ask you what cipher you wanted to use before creating a config file, now it asks for the release of OpenVPN that your client software is running. For pcWRT, the company said to select "2.4.6 or newer".
One advantage of OpenVPN is that can be configured to run on any UDP or TCP port, making it hard to block.
One drawback to pcWRT is the log display for the OpenVPN client - it is limited to 8 lines of text. I am no expert on this, but an OpenVPN connection generates a fairly long log file and being limited to the most recent 8 lines makes it all but impossible to debug any problem that might arise. Specifically, I saw a number of errors like the one below: (184.108.40.206 is the VPN server IP address)
TLS Error: local/remote TLS keys are out of sync: [AF_INET]220.127.116.11:443 
Is this important? What exactly does it mean? Any VPN provider would need access to the full log to answer these questions, but it is not available with pcWRT.
That said, when shown some samples of these errors Windscribe provided me a slightly modified .ovpn config file that had a different server name and a change to the ncp-ciphers.
The first step in configuring IKEV2 is setting up an Authorization Configuration. Whatever it is, its not needed with WireGuard or OpenVPN. One of the parameters in an Auth Config is the VPN Type. The default is IKEv2 RSA and the company told me that you can leave it at the default. Another parameter is the IPsec Certificate File Type and the default is PEM. According to the company, this default is for connecting to commercial VPN providers such as ProtonVPN and NordVPN. The other type of Certificate, PKCS12, is only used when connecting to another pcWRT which is configured to be an IKEv2 server.
I tried to make an IKEv2 connection to ProtonVPN and it did not go well.
The first problem was the ProtonVPN server name. Where do you get server names from ProtonVPN? You don't (I complained to them about this ....). They use names like CA#4 and NL#44 but there are at least two formulas for converting this shorthand to the actual server name that is required when configuring an IKEV2 connection. Then too, which ProtonVPN servers support IKEV2? They don't say. Their huge list of servers says nothing about IKEV2 (I complained about this too...). In multiple places, their documentationsays that server names "can be found in the Downloads category in your account, under Server Configs section." This is not true. There is no Server Configs section. The only configs are "OpenVPN configuration files". There is, in fact, no mention of IKEV2 anywhere in the Downloads section of their website. Their introduction to IKEv2 (What is IKEv2/IPSec?) does not say what ports it uses and makes no mention of TCP or UDP. It's as if this was a homework assigned for a child in third grade. And, no mention that IKEv2 can be used from a router. In their instructions for configuring IKEv2 on Windows, they say that their free servers do not support IKEV2. Yet, in tests run by pcWRT, and in the example in the pcWRT blog, a free server did make an IKEv2 connection. Very disappointed with ProtonVPN.
When I tried connecting to two different ProtonVPN servers (ca-38.protonvpn.com and us-fl-46.protonvpn.com), both attempts failed. The connection attempt to the Canadian server caused the router to make multiple UDP requests from/to port 500 to IP address 18.104.22.168.
These failures, pointed up a problem with pcWRT: just as with OpenVPN, the router only shows a small part of the log file, making it much harder to debug a connection problem.
Next, I tried to connect to 22.214.171.124, the IP address of one of their free servers. It worked. I had a UDP connection/socket from port 4500 on the pcWRT router to port 4500 on the ProtonVPN server. However, after a few minutes the connection terminated on its own. A detailed trace showed that the router, in the same second, made two outbound UDP requests, one to/from port 500 and the other to/from port 4500.
Then, I tried IP address 126.96.36.199 which is a Canadian server that I got from using their Windows app. This failed. But, enough of the log is displayed so that I may have detected a pattern. When the router tries to send data to and from UDP port 500, it fails. When it uses UDP port 4500, it works. At first, this made no sense because there is no configuration option for the port number. It turns out I was the proverbial blind man with the elephant because I did not have access to the full log file.
According to ProtonVPN, IKEv2 uses UDP port 500 for an initial key exchange and then uses UDP port 4500 for subsequent data transmission. The down side to this is that IKEv2 is easier to block than other VPN protocols. The upside, is that I now understand the failures better. When I see failed transmissions to UDP port 500, I know that the server does not support IKEv2. When I see the good connection on port 4500, it means the initial handshake on port 500 has completed and scrolled out of the small part of the log that pcWRT displays. A different type of buffer overflow.
ProtonVPN has a number of instructions on their website for manually configuring IKEv2 with different operating systems (Android and iOS for example). These instructions use us-nj-01.protonvpn.com as the server name. So, I tried that too. This failed for a new reason, the router was unable to translate the name us-nj-01.protonvpn.com into an IP address. I tried to ping it on a couple computers and they had the same problem. Even a computer connected to ProtonVPN could not resolve the name.
If there were a Olympic competition for useless documentation, ProtonVPN would be on the medal stand. Waiting to hear back from their tech support ...
Which servers at ProtonVPN support IKEv2?
You can not tell from their Windows app as it does not offer IKEv2, it is limited to OpenVPN and WireGuard. However, their iOS app does offer IKEv2 and I used to connect to 188.8.131.52 in France. Sort of. As sometimes happens with a VPN connection, the entry and exit servers were different. You would not know this at first as the public IP address is the same as the IP address shown in the iOS app. But, a review of the log showed that the public IP address was the exit server and that 184.108.40.206 was the entry server. A technical explanation for this is beyond me. I tried both IP addresses with pcWRT. The entry IP address worked, the exit/public IP address did not. Finally.
Then, I confirmed this with an IKEv2 connection from the iOS app to Spain. In this case the public/exit IP address was 220.127.116.11 while the entry IP address was 18.104.22.168. As with France, I could make an IKEv2 connection to the entry IP address using pcWRT, but not to the public one. And, so I did.
Then, after making the IKEV2 connection to 22.214.171.124, I audited it. That is, I looked for any outbound connections from the pcWRT router that were not going through the existing VPN tunnel to UDP port 4500. During the course of two days, I found four cases where the router made an outbound request to UDP port 500 of the IKEV2 server (126.96.36.199). I can only guess that the VPN tunnel was being re-established. Do existing VPN tunnels normally get re-created? I don't know. It could be a bug. Again, with only a trivial portion of the log available, there is no way to be sure. Not sure I want to bother with ProtonVPN tech support again.
As to server names with IKEv2, I am still confused after multiple emails with ProtonVPN tech support. They explained that "...all of our servers support the IKEv2 protocol (along with the OpenVPN and the WireGuard protocols), and these ports are open on all of the servers." Not my experience. They pointed out that customers should use an entry IP address not an exit one. What the difference is, they did not say. Quoting: I "... should be using the entry IP address (or the server's hostname) that is stated within the configuration file, and use a specific suffix for the specific exit that you intend on using." I'm totally lost. They don't have IKEv2 config files. No wonder this is not documented anywhere. And, assuming you can figure out a server name, you have to append "+b:1 suffix to your OpenVPN username when connecting. " I give up.
Next, I tried IKEv2 using Windscribe as per these instructions from pcWRT. It worked the first time.
The first step involved downloading two plain text files (Certificates from Lets Encrypt) and combining them into a single file named lets-encrypt-chain.pem. Unlike ProtonVPN, Windscribe does generate configuration information for IKEv2 on their website. You do not need to download a file, the information is displayed on a web page from where you can copy/paste it. Also unlike ProtonVPN, the IKEv2 server names are quite simple. For example fr.windscribe.com is France and es.windscribe.com is Spain. Windscribe also generates a userid/password for you to use with IKEv2.
On the pcWRT router, you first upload the .pem file you created, then you enter the IKEv2 server name, userid and password. Fairly simple. There was an error
[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
but the connection was established.
However, when I went to audit the connection, I noticed that pcWRT had create two sockets/threads/connections. Both were to and from UDP port 4500. Both were to Windscribe servers. Beats me what is going on. Never saw that with ProtonVPN. Eventually one died. I may be done testing IKEv2.
I saved the best for last. You get to assign a VPN connection to one or more VLANs.
This is an optional feature that can be ignored. That is, pcWRT can function in the same simplistic manner as other VPN client routers, where all the connected devices use the VPN connection initiated by the router. However, assigning the VPN connection to one or more VLANs, means that you can have one or more SSIDs that use the VPN and one or more that do not. Likewise, you can have some Ethernet LAN ports that use the VPN and some that do not. As noted above, pcWRT ships with five pre-configured VLANs (LAN, Guest, X1, X2 and X3 - yes miserable names).
And ... still more. In my testing, I was able to create an OpenVPN connection assigned to one VLAN and then create a WireGuard connection and assign that to a different VLAN. Thus, I had one SSID that did not use a VLAN, another SSID using the OpenVPN connection and a third SSID using the WireGuard connection. Wow! When I asked the company about it, they said that you can actually have three concurrent VPN connections, one of each type.
And ... even more VPN flexibility. Each VPN connection, regardless of how many VLANs it is assigned to, also offers Split Tunneling. The default behavior is what you would expect, all data goes through the VPN. Split Tunneling lets you make exceptions to this rule. Exceptions can be either an IP address or a domain name. The list of exceptions can either be the list of things that do go through the VPN or the list of things that do not go through the VPN. Your choice. One use for this would be to insure that a handful of websites always use the VPN while the rest do not. Or, if there are some websites that fail when accessed from a VPN, you could put them into an exclude list while everything else uses the VPN.
Exactly how you specify this is not explained on the VPN web pages, but the company explained it to me. If you specify a domain to block, it is done generically, which is what I think most people will prefer. Specifically, if you block "abc.com" it blocks anything that ends with abc.com. That is, it would block def.abc.com and x.y.z.abc.com. IP addresses also offer generic blocking, where it referred to as blocking a network or blocking a subnet. If you specify a full IPv4 address (188.8.131.52 for example), that is all that gets blocked. But you can also block anything that starts with 1.2.3 by specifying 184.108.40.206/24. This is a very standard (CIDR) notation in networking.
Concerned that a VPN connection from a router is missing a kill switch? Don't be. This pcWRT blog says that the router blocks the Internet connection when the VPN connection goes down.
There is also an always-on feature for each VPN. Look for the auto-start checkbox. Only one VPN of each type can be flagged as auto-started. It is not clear if this only applies when the router is booted or if it also means the connection will be restarted, should it fail.
Another interesting VPN point: while connected to an SSID that was using a VPN, I had no problem making another VPN connection on an Android device. In effect, that tunnels one VPN through another.
One VPN annoyance is that the main page, the Status page, does not show any information at all about VPNs.
As noted earlier, on a 110Mbps Internet connection my OpenVPN speeds were about 15Mbps. A WireGuard connection tested at 89 and 104 Mbps. A little math shows that WireGuard was seven times faster than OpenVPN.
The combination of a truncated log file and CPU overhead makes OpenVPN a poor choice on the pcWRT router.
There are multiple approaches for remotely accessing a router with a web interface (that is, no mobile app).
A very common approach, is to open a port in the firewall and let anyone on the Internet connect to the router. One upside of this approach is that hardware vendor is not involved, so they can not spy on you. A downside is that when you poke a hole in the firewall, you never know who is going to walk through it. Peplink offers this mode but they also let you limit the source IP address(es) than can connect to the router, a very important security feature.
Another problem with this approach is remotely addressing the router. Even if you make a note of the public IP address ahead of time, most consumers do not have a constant public IP address. The work-around for this is Dynamic DNS (DDNS) which is a service that the router must support. DDNS assigns a fixed name to the router and when the router detects that it has a new public IP address, it updates the DDNS service to point the fixed name to the new IP address. There are companies, such as No-IP, that offer DDNS service. Some are free, some are not.
pcWRT offers their own, free DDNS service that provides you with a name in the pcwrt.net domain. To use it, do Settings -> System and turn on the checkbox for "Enable DDNS with pcwrt.net". This makes a new "DDNS Name" field visible. It defaults to a random name (something like 123xy.pcwrt.net) but you can pick your own name, as long as no one else is using it. Chances are michael.pcwrt.net has been taken. For more, see their Dynamic DNS Explained blog. DDNS is also an important issue when running a VPN server on the router. For that, see The Complete Guide to Setting up a WireGuard® VPN Server at Home with pcWRT.
pcWRT offers this classic mode of remote control but it is not obvious in the user interface (there is no dedicated section for this). To use this approach, you need to port forward (Settings -> Network) a TCP port to the LAN side IP address of the router (which defaults to 192.168.10.1). To be clear, pcWRT supports five VLANs and the router is assigned a different local IP address in each VLAN (each VLAN gets its own subnet). You need to forward to the port to the router IP address in the LAN VLAN. One nice thing about pcWRT is that you can forward any port. For HTTPS pick an external TCP port and forward it to internal port 443. For HTTP, pick an external TCP port and forward it to internal port 80. On the downside, pcWRT does not let you limit the source IP addresses that are allowed to connect to the router using this approach.
NOTE: this port forwarding did not work in firmware version 2.4.7 due to a bug that was fixed in version 2.4.8 (released in January 2022).
- - - - - - - - - -
Another approach is for the remote router administrator to connect to the website of the hardware vendor, which, in turn, talks to the router. Cloud Management is perhaps the best term for this scheme. The advantage to this approach is that all the ports on the router firewall remain closed. My experience with this approach has been that the router phones home to the hardware vendor and keeps a constant connection.
Peplink calls their cloud management system InControl2. Linksys calls their system Linksys Cloud. TP-Link calls theirs Omada Cloud. pcWRT uses the term Remote Management (Settings -> Cloud). It is an optional feature that is disabled out-of-the-box.
The setup process is poorly explained, what follows is the procedure that worked for me.
pcWRT has a single userid/password for their customers and it is used both for Remote Management of a router, for the Forum on their website and for the Login feature on their website. You can Register here. You have to login to the pcwrt.com website, before you can see, let alone invoke, the Remote Management feature there. After registering at pcwrt.com, go to the Manage tab to see your Remote Management Key. The final step is to enable Remote Management in the router, which you do at Settings -> Cloud. Here you enter your userid, the Remote Management Key (it worked for me with the dashes included), turn on a checkbox for remote management and pick a "Router Display Name" The remote management system can work with multiple pcWRT routers, the Display Name is how you distinguish one from another. You do not need to enter your pcWRT password, just your userid.
NOTE: There is also a Bind port field that can be ignored when the pcWRT router is directly connected to the Internet.
This only comes into play when the pcWRT router is an inner or secondary router.
Finally, go back to the pcwrt.com website, login and click the Manage link at the top.
The remote interface on pcwrt.com is pretty much a clone of the local interface, but a few Settings (Cloud and Internet) and Apps (all the VPNs) are not available. The available apps are Access Control, Bandwidth Monitor, Dynamic DNS and UPnP. The available settings are Wireless, System and Network.
When remotely controlled, the pcWRT router calls out to the cloud system using TCP on port 443 (HTTPS). When Remote Management is enabled, but not in use, the router will send periodic heartbeats to the cloud system to keep the connection active. The heartbeats are UDP requests to port 38082. One is sent every 2 or 3 minutes, and they do not go through any active VPN connections. The heartbeats use very little bandwidth. I checked a few hours and the amount of data sent and received varied from a total of 24KB to 50KB per hour.
To disable Remote Management, log in to the router, do Settings -> Cloud and turn off the "Enable Remote Management" checkbox. I verified that doing so, stops the heartbeat data transmissions.
The router has many features, and I have not yet tried them all. That said, here is what I know so far.
BANDWIDTH MONITORING: Enable this at Apps -> Bandwidth Monitor. It is off by default.
The initial report shows total download and upload amounts for the last 2 hours. Other reporting intervals are the last 4 hours, 8 hours, 12 hours or 24 hours. There are no weekly or monthly roll-ups, 24 hours is as far back as the bandwidth reports go.
Within each reporting interval, there is a bar chart by hour that include all devices. Next to this is a pie chart for upload usage and another for download usage. These pie charts make it very easy to pinpoint the device(s) that used the most bandwidth in the reporting interval. There is also a link for each connected device that will show a bandwidth usage bar chart, just for that one device.
DNS: Not only does pcWRT support Secure DNS (DoH/DoT) it also works with NextDNS and even supports individual NextDNS profiles (which requires you to have a NextDNS account). NextDNS profiles/configurations can be assigned to individual pcWRT Access Control profiles. See the pcWRT blog: Set Up Multiple NextDNS Configurations for Encrypted DNS on the pcWRT Router. Rather than configuring individual devices to use certain NextDNS profiles/configurations, this can be configured on the router.
The router supports access via SSH. If you do not use this, and most people will not, turn it off at Settings -> System. I am not sure what the default setting is.
I do not have much experience with the OpenWRT user interface, but from what I have seen, I hate it. It is both ugly as sin (no colors, all white/gray) and more confusing than necessary. The confusion stems from assorted poor design choices such as the lack of easily discernible section headings, the use of nerd terminology and not always making it clear which items form a group. pcWRT is based on OpenWRT, so it inherits much of the ugly. As noted above, there is an online demo so you an judge for yourself.
The web interface has a hidden danger - it might throw away your changes without telling you. If you make a settings change on one page and then go to another page without first saving the change, your setting(s) is lost. This is the sort of thing that separates the men from the boys, the professionals from the amateurs. It is, frankly, disgraceful programming. Another aspect of this, is that the green SAVE buttons are always green, even when there is nothing to save. If the user interface is this shamefully amateurish, it makes me wonder how professionally coded is the stuff that is not visible.
Half the configuration options are in a Settings section and another half are in an Apps section. I could care less about the difference between these sections and would have preferred all the controls in one place.
The user interface is very responsive. That said, while some settings take only a second to save, others require the router to reboot and that takes a while. You are not warned about the ones that require a reboot.
There is no CPU usage/busy monitor, something Asus and Peplink have. Instead it reports a "Load Average" on the Status page which only Unix techies will understand.
In Settings -> Wireless there is a highlighted message that the "Wireless network is enabled" (or disabled). This message is miserably worded. It is not a wireless network (SSID) that is enabled or disabled, it is a radio frequency band, specifically, the one currently being displayed. pcWRT does not allow you to enable/disable individual SSIDs.
After creating an SSID for either the Guest or X1 or X2 or X2 VLANs, I wanted to delete it (there is no such thing as disabling an SSID) and could not figure out how. It turns out there is an X next to the SSID name (Settings -> Wireless -> WiFi Networks). I thought it was a smudge on my screen.
The user interface does not show the MAC address for an SSID.
CONNECTED DEVICES: For all connected devices, the Status page shows the Host name (computer/device name), IP address and MAC address. Clicking on the hostname lets you change it. For wireless devices, it also shows the SSID and the signal strength. Signal strength is great to know. For Ethernet devices, it just says "wired". What is not shown is current bandwidth usage (nowhere does pcWRT report current bandwidth usage) and the VLAN that a device belongs to. For Ethernet devices you would have to figure out the VLAN on your own, based on the IP address. For Wi-Fi devices you might want to include the VLAN name in the SSID to make this easier.
When logged in remotely, the web interface sometimes hangs at "Applying updates...." and never returns. No big deal, as a simple refresh of the browser page is all that is needed to get you back in. The company has confirmed that this only happens when logged in remotely. Really not important.
The Logout button is on every page in the same place, which is good.
I tested the WAN port with nmap and found no open ports. In my experience, this is par for the course with routers purchased at retail.
For a router that is selling security, there are some insecure default values. When creating a new SSID, for example, the encryption defaults to NONE. It should default to the most secure available option which is WPA2 PSK. Also, when showing the available options for Wi-Fi encryption, WPA2 PSK is not flagged as the recommended option.
The router does not get warm at all. The blue LED lights on the top are very dim, even in a dark room you will hardly notice them.
You can backup the current system configuration to a file (Settings -> System) and, of course, restore a previous backup. The backup file has a name like backup-YOURHOSTNAME-yyyy-mm-dd.tar.gz where YOURHOSTNAME is from Settings -> System. After you update the firmware, the system reminds you to make a new backup of the configuration. If you are emailed about the release of new firmware, the email message also reminds you to make a configuration backup. When restoring from a backup, there is an option to only restore "access control configuration". A brief look at the Forum on pcwrt.com shows that customers with problems can email pcWRT their backup config file and the company will use it in debugging the problem. Great.
Watching it boot: when first powered on, the blue LED light is solid, then for a bit, it blinks, then it goes back to solid. When the Wi-Fi light(s) go on (solid), it seems to be fully booted.
It does not support WPA2 Enterprise. That said, very few consumer routers do. It also does not support the newest encryption standard, WPA3. And, it still supports an old standard, WPA, which I could do without as it is not very secure. That said, WPA2 PSK, which every router supports, and is the most common flavor, is secure enough as long as the password is over 15 characters long. For more on the various flavors of Wi-Fi over-the air encryption, see the WiFi Encryption page at RouterSecurity.org.
The router has no log files. You can't, for example, see every time a device connects and disconnects from the router.
The default subnet is 192.168.10.x. The router is 192.168.10.1 and DHCP ranges from 100 to 250. Change this in Settings -> Networks
When handing out IP address via DHCP, it seems to do so randomly, which is good.
The router supports UPnP but unlike all consumer routers, it is OFF by default, which is better for security.
A Wi-Fi scanner app on an Android device identified the manufacturer of the router (based on the MAC address) as Lenovo. That said, this only applied to the LAN VLAN where the MAC address starts with 20:76:93. On other VLANs (Guest, X1, X2, X3) a Wi-Fi scanner found that the MAC address started with 22:76:93 which is not in the official Master File.
When upgrading to a new router from the same company, the vendor may not allow a configuration backup from the old model to be restored to the new model. That is certainly the case with Peplink when changing models. When restoring a config backup with pcWRT there is a checkbox for "access control configuration only" designed for just this case. The company told me that restoring a backup from their old TORONTO-N model to the newer Newifi-D2 would break the router. To minimize the pain, this option lets a customer restore just the Access Control part of the config backup.
RESET: Just as important as the initial setup is being able to undo everything and start again. To that end, the router has a RESET button on the back, next to the power connector. With the router powered on and fully booted, press and hold the the RESET button for 10 seconds. Then let go. In a few seconds, all the LED lights will flash once, then the router will reboot. Do not disconnect the power. While booting, the blue power LED blinks. The best way to know that it has finished booting is by scanning for the two Wi-Fi networks (SSIDs) that it creates when it has not been configured: pcwrt and pcwrt-5g.
At pcwrt.com there is a website login and a forum login. They are the same thing.
- - - - - - - - - - -
NOTE: I am not affiliated with pcWRT in any way. I just like what they are doing.
They offer a 30 day risk-free trial.
Their blog is one way you can judge the company. I find it useful.