Security Advisories from router vendors
Emulators - kick the tires on a router's web interface
- Web interface for a Peplink Balance 710, a high end model with 7 Ethernet WAN ports and an AP controller. Peplink also has a live demo of the web interface to their MAX cellular routers.
- TRENDnet Product emulators. One example, the
- TP-LINK emulators
- Asus RT-AC66U
- DrayTek has online demos of their entire product line
- Linksys has a text based index of the routers available to demo. Some examples: the WRT610N running firmware v2, the WRT1200AC running firmware 220.127.116.11464 and the EA8500 running firmware 18.104.22.168984.
- Cisco Small Business Online Device Emulators
- MikroTik software, RouterOS, has multiple interfaces. One is Telnet, another is a Windows application, WinBox 3.0. A demo of the web UI is at demo.mt.lv. It's v6.38 as of Jan. 2017. You can also download an ISO for free, burn it to a CD, boot from the CD and run RouterOS for 24 hours.
- D-Link does not have one comprehensive list of their available emulators. To see if one is available for a particular router, search for the model number in the tech support section of the D-Link site. That said, some D-Link emulators are listed here and others are here. Examples: DIR 825 rev. B, DIR 818 LW, DIR 615 rev. C.
- There don't seem to be any Netgear emulators
- This list of Router UI Emulators has links to Asus, Belkin, Cisco, D-Link, DrayTek, Linksys, Mikrotik, Netgear, Peplink, TP-Link, TRENDnet, DD-WRT, Gargoyle, OpenWRT Luci and Tomato.
More stuff from me
- Testing an AmpliFi mesh point as a Wi-Fi extender. Initial setup mostly. August 7, 2017
- 7 mistakes Google made updating my Google Wifi router May 8, 2017
- Asus router warnings on privacy and security May 5, 2017
- How seven mesh routers deal with WPS April 28, 2017. Updated Aug 12, 2017 to note that AmpliFi now does WPS and can't turn it off.
- The Netgear router flaw post mortem -- plenty of blame to go around December 24, 2016
- Updates and more on the Netgear router vulnerability December 17, 2016
- exploited Netgear router flaw discovered December 10, 2016
- Blame the ISPs rather than the routers December 3, 2016
- Getting started with the Ubiquiti AmpliFi mesh router November 23, 2016
- Another HNAP flaw in D-Link routers November 11, 2016
- Kim Komando offers flawed advice on router security October 8, 2016
- What the Ubiquiti AmpliFi mesh router is missing October 1, 2016
- A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers September 18, 2016
- A router security cheat sheet August 16, 2016
- TP-LINK lost control of two domains used to configure routers and Wi-Fi extenders July 4, 2016
- Router Security done wrong February 29, 2016
- Poor Wi-Fi security - my visit to the dentist February 3, 2016
- To share or not to share - a look at Guest Wi-Fi networks December 13, 2015
- The D-Link DIR860L router - how secure can it get? November 20, 2015
- How secure can your router get? November 10, 2015
- Wi-Fi at DEF CON - dealing with the world's most dangerous network August 23, 2015
- A look at the security of Wi-Fi on a plane August 6, 2015
- Linksys Smart WiFi makes a stupid Guest network June 25, 2015. Guest networks are a great security feature, but (at least some) Linksys Smart Wi-Fi routers implement Guest networks poorly. They use a captive portal, for no obvious reason, and do not offer over-the-air encryption (WEP, WPA or WPA2).
- In June 2015 I blogged twice about the NetUSB router flaw: What most people don't know about the NetUSB router flaw - Part 1 and The NetUSB router flaw Part 2 - Detection and Mitigation.
- Using a router to block a modem. This was a follow-up to a previous blog about how some modems can be attacked. February 23, 2015
- Wi-Fi security vs. government spies November 3, 2014
- A router firmware update goes bad (and, what to do about it) October 6, 2014
- I blogged, in September 2013, that Google knows nearly every Wi-Fi password in the world. Soon thereafter, Leo Laporte discussed this on his radio show, The Tech Guy. I would bet that Apple also knows your WiFi password, just my opinion.
- I spoke on Securing a Home Router at the HOPE conference back in July 2014. A PDF of the presentation is available at box.net (last updated Oct. 4, 2014). Audio is available at x.hope.net (thanks to 2600). An article about my talk appeared in Tom's Guide.
- I blogged on how to find the IP address of your home router
- I hope to review some routers ...
Self-updating Routers
Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. It doesn't solve every problem, but one less problem is one less problem. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.
- Google Wifi and their previous OnHub line. Beware though, Google Wifi likes to reboot itself in the middle of the afternoon.
- The Eero mesh router system
- The Luma mesh router system. See their pledge.
- Both Synology routers are probably king of this hill. I say probably because I have not used them personally, but a demo indicated they update like Synology NAS devices. The first was the RT1900ac. The second, released Dec. 2016, is the RT2600ac. Synology claims "SRM can automatically perform upgrades on a schedule for maximum convenience." Release notes for the RT1900ac and RT2600ac are reasonably detailed.
- The Linksys Velop mesh router system. See SNB review.
- Based on my reading, the Linksys EA7500, EA8500 and EA6900 can update their firmware automatically. So too can the Linksys WRT1900ACS according to page 67 of its manual. In addition, I am told by someone at Linksys that all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT.
- On the Plume mesh Wi-Fi router system, software updates are managed automatically for you.
- The Starry Station
- The Almond3 by Securify
- The Sense router from F-Secure claims to be "Always up-to-date" which implies that it self-updates.
- FRITZ!Box home routers, popular in Germany and Australia, can not only self-update but they (or the ISP or the manufacturer, it's not clear) can send email notification of newly updated firmware.
- Avira Safe Things is router firmware. Its website says: "It will constantly be up to date. Avira SafeThings™ is self-updatable, and it always benefits from last-minute threat protection techniques from the SafeThings Protection Cloud."
- If you build your own router, as per this article The Ars guide to building a Linux router from scratch by Jim Salter (April 2016), then Ubuntu server can be configured to self-update.
- Expected to ship in Oct. 2016, the InvizBox Go is a portable router that will offer both a single VPN service and TOR.
- The Turris Omnia is fully open source, both the hardware and software. As of Oct. 2017, it was available in Europe, but not in the U.S.
- Untangle, which is high end router software, can self-update
- According to this article the Motorola devices used by AT&T UVERSE automatically update whenever the AT&T management platform rolls out an upgrade.
- Netgear Orbi router system was initially on this list. I have not used it and I didn't make a note of where I had read that it self-updates. It does not. In Nov. 2017, I reviewed the Orbi WiFi System User Manual dated March 2017. The manual is full of instructions for manually updating firmware and says nothing about automatic self updating.
Consumer Router Alternatives
- My recommended router is the $200 Peplink/Pepwave Surf SOHO. It's a huge step up from consumer routers. See the vendor's page. My only relationship with Peplink is as a customer.
- pfSense is recommended by many, but I have no personal experience with it. The software, based on FreeBSD, can be downloaded for free and installed on an old computer as long as it has two Ethernet adapters. It is also sold as a hardware appliance. The cheapest model, the SG-2220, is $299 without Wi-Fi and with a single LAN side Ethernet port (so you have to add your own switch). On the Oct. 20, 2015 episode of the Security Now podcast, Steve Gibson, a pfSense user, described why he likes it: there are lots of features, very flexible NAT translation including dynamic mapping, great flow control, and it includes both an OpenVPN client and server. He used a box from SOEKRIS to build his. On a later podcast, Gibson also recommended pcengines.ch for buying hardware that supports pfSense. See also: should be running a pfSense firewall in InfoWorld, Dec. 2014.
- MikroTik routers have been recommended by techies. I have no experience with them. They run a Linux system called RouterOS which is available for free and runs on many computers. They offer a number of routers for under $100 but the majority of their line is high end. Their hardware is sold at routerboard.com. The $50 MikroTik RB750GR3 hEX Router was reviewed by Doug Reid at SmallNetBuilder September 25, 2017. He found it a very powerful, cheap router that may drive you crazy trying to configure it.
- Ubiquiti Networks normally deals with techies, but in May 2016 they announced a new line, AmpliFi, targeted at consumers. The first AmpliFi product is a router sold with two pre-matched Wi-Fi extenders (not a mesh). It is expected to ship in the summer of 2016. There will be three models, priced at $200, $300 and $350. No idea yet about router security but at least the company has a long history making router firmware. It will allow a single guest network with a maximum number of guests, each of which can be time limited. First look.
- Ubiquiti has a whole line of Edge Routers and the bottom-of-the-line model, the EdgeRouterX, sells for only $50. It doesn't do Wi-Fi. The User Guide is online. Steve Gibson raved about it on his Security Now podcast in July 2016. It can function as a PPTP VPN server and supports IPsec VPNs for site-to-site use. Setting up an OpenVPN server requires the command line.
- While I have no personal experience with it, many have also spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of which are dedicated. It does not do WiFi. The user interface may be too difficult for anyone that is not a networking techie. Some have said that the documentation is almost non-existent. Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that: the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.
- DNSthingy is a service ($8/month as of July 2017) for controlling everything about DNS for devices on a LAN. Parental control on steroids, if you will, with adblocking thrown in too. For Asus routers, it is customized firmware with the addition of the DNSthingy service. Or, they will sell you a few Asus routers with their firmware pre-installed. For pfSense, it installs as a service. Or, they will sell you a pfSense box with their service pre-installed. ClearOS is also supported. For their Asus firmware, my big question would be if they mirror Asus bug fixes into their firmware. Are they trustworthy? I have no experience with it, but their FAQ says "DNSthingy provides all of the security of a VPN connection" which is clearly not true. Their site offers no details about the company offering the service.
- I have no personal experience with DrayTek but they seem to be a business class vendor that sells a number of routers for under $300. Their cheapest model seems to be the VigorFly 210 which I saw sold in the US for $83 in May 2016.
- Cradlepoint makes business routers and they have a couple of low end models priced around $200 or so. They seem to specialize in 3G/4G Internet access. The specs of one router say it supports WiFi as WAN but someone at Amazon said they do not support it. I have been very successful with WiFi as WAN on my Pepwave Surf SOHO when my wired Internet access failed, so I consider it an important feature. The cost of tech support is also a concern. I have no first-hand experience with this but people at Amazon have said that you have to pay for tech support even with a new router (here and
The Cradlepoint website does not show the cost of tech support. According to 3G Store it's about $28/year for their
- OPNsense is a fork of pfSense based on FreeBSD.
- Security Router from Halon Security is based on OpenBSD, with the main differentiator being the single, revision-managed, clear-text configuration file with soft re-configuration and documented security architecture. It competes with Cisco IOS and Juniper Junos. It's free and runs from a USB flash drive or as a virtual machine.
- While I suggest stepping up from consumer routers, you can step too high. Examples of this would be either a device or software billed as UTM (Unified Threat Management) or NGF (Next Generation Firewall). Sophos offers NGF both as a hardware device and a software download. For their explanation of what it does see Firewall for dummies - or, what do we mean by a next-generation firewall? CheckPoint, Sonicwall, Fortinet and Watchguard offer UTM devices. Both UTM and NGF do a lot, require a techie to set up and maintain, are expensive to buy and require ongoing paid software maintenance.
- Darren Kitchen of Hak5 recommends making your own router using a spare PC and Untangle. You can buy a Firewall Appliance with Untangle pre-installed starting at $400. He also recommended Monowall (since discontinued) and Smoothwall. Smoothwall is also used at home by Lee Hutchinson of Ars Technica.
- Jim Salter, writing for Ars Technica, argued in Jan. 2016 that you should build your own router, assuming you are very familiar with Linux and iptables. In April 2016, he followed this up: The Ars guide to building a Linux router from scratch. In June 2016, he pointed out the limitations:
"... setting up your own router from a generic server distro isn't a project for everyone. It certainly isn't user-friendly, both during the build process and once it's finished ... it's definitely arcane, with absolutely no hand holding along the way. If you aren't already very experienced with Linux, you'll likely do a lot of puzzled head scratching (and maybe a little cursing). You won't get a super feature-rich build once you're done, either ... you won't have fancy quality of service features, usage graphs, or much of anything else...".
- SmallWall bills itself as a small and lean firewall. It is an outgrowth of m0n0wall, it's based on FreeBSD and runs on low end x86 hardware. You can download it for free (the ISO is only 23MB) or buy it pre-installed in a box for as low as $250. At that price, Wi-Fi is not included, but a supported Wi-Fi card can be installed into the box.
- IPFire is an Open Source Linux Firewall available both as software only or as a hardware appliance. IPFire was designed to be modular and flexible. The primary objective of IPFire is security. Updates are digitally signed and encrypted and can be automatically installed by Pakfire. Users are notified by mail of updates. IPFire is not based on any other Linux distribution, it is compiled from the sources of every included package.
- Just for the sake of completeness, I mention the BSD Router Project. BSDRP is only available as software. It is a free open source router distribution based on FreeBSD with Quagga and Bird. The main goal of BSDRP is not firewalling but routing. If you are looking for a firewall, or for sharing Internet access, the developers of BSDRP suggest m0n0wall or pfSense instead. BSDRP does not have a Web interface, it is configured from a command line. BSDRP is not intended for home use.
- Article: Review: 5 open-source alternatives for routers/firewalls By Eric Geier Sept. 2016. A review of ClearOS, DD-WRT, pfSense, Untangle and ZeroShell.
- Another UTM version of Linux is ClearOS. The website says "ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality." There is a free community edition, a rented home edition, a rented Business edition and a virtual version. It is also available on hardware devices starting at $1,200 without WiFi.
- Slightly off topic are the Xclaim access points from Ruckus Wireless. I say off-topic because they are not routers, just access points (they have a single Ethernet port). That said, if you need great WiFi, Ruckus should be on the short list. I have owned a Ruckus router (I don't think they make routers any more) and was impressed with its WiFi. Introduced in November 2014, Xclaim is a new product line for Ruckus. It's their cheapest line. For $90 you get a single band N device, concurrent dual-band N is $200 (see a review). Stepping up to ac WiFi (see a review) costs $250. They are configured either via the cloud or a smartphone app, there is no web interface.
Third Party Firmware
One way to avoid consumer router firmware is to install alternate, third-party firmware.
- myopenrouter.com is devoted to open source router firmware on Netgear devices. According to Jim Salter, writing in Ars Technica in May 2017:
"Netgear directly runs myopenrouter.com, where they actually collaborate with open source developers who are adapting builds of open source firmware for installation on Netgear routers. This is extremely cool, not least because it means that you can install firmware from myopenrouter directly onto a supported Netgear router using the router's own Web-based interface. It's certainly possible to install DD-WRT or OpenWRT on a non-Netgear consumer router, but it's generally a giant pain in the ass and a good way to potentially brick your router."
- In The Router rumble: Ars DIY build faces better tests, tougher competition (Sept. 2016) Jim Salter wanted to test the x86 build of DD-WRT, but found that it hasn't had a stable release for 8 years, the last stable version wouldn't boot and the newest beta was mind-blowingly awful, both in terms of performance and bugs. He also tested DD-WRT on a Netgear Nighthawk X6 where someone named Kong curates the builds. The Kong builds were good, the raw beta builds were buggy as heck. The Kong builds also install easily and safely and did well in performance tests. But, Salter notes "you're depending on some semi-anonymous person named after a movie gorilla to keep up with vulnerabilities, comb the bugs out of your firmware, and resist the urge to sell you out to the NSA."
- How to Choose the Best Firmware to Supercharge Your Wi-Fi Router offers an overview of available firmwares. By Alan Henry April 1, 2015. There are two approaches to using alternate firmware: install it yourself or buy a router with it pre-installed. The article notes that Buffalo sells routers with DD-WRT pre-installed. So too, some VPN providers sell routers with open firmware and client software for their VPN.
- Note, however, that the title of the article above refers to supercharging a router, not making it more secure. Craig Young of Tripwire, an expert on the subject, said in April 2015:
"... alternative open firmware ... is not necessarily ... any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater."
- In a December 2012 article at SmallNetBuilder, ASUSWRT-Merlin Reviewed, Scott DeLeeuw wrote: "The dirty little secret of alternative firmware is that the open source drivers it must use aren't always the best. This is particularly true of wireless drivers, where chip manufacturers work closely with their customers to squash bugs and tweak performance ... DD-WRT and Tomato add a wealth of features, they usually introduce problems of their own along with potentially lower performance." For ASUS routers, he much preferred ASUSWRT-Merlin firmware by Eric Sauvageau.
- Tomato was replacement firmware for the Linksys WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. The last release was in June 2010. See Wikipedia.
- Tomato by Shibby is from Michal Rupental
- AdvancedTomato adds a new user interface to Tomato by Shibby. It supports 26 routers as of Feb. 2016.
- OpenWRT is a Linux distribution for embedded devices such as routers. It offers a writable filesystem with package management.
- In May 2016, the LEDE project formed as a spin-off of OpenWRT. It too, is an embedded Linux distribution that makes it easy to build and customize software for wireless routers. LEDE stands for Linux Embedded Development Environment. See Router hackers reach for the fork: LEDE splits from
TOR and VPN Client Routers
- InvizBox is a Tor router based on OpenWRT that was released in March 2015 for $39. As of January 2016, it costs $49. This was a first generation product that used Ethernet for Internet access. The second generation, called InvizBox Go, will do both VPN and TOR. Both models are open source. See InvizBox review: Tor anonymity in a box by Daniel Aleksandersen, originally published Feb. 2016, last updated May 2017. As of Aug. 14, 2016, the newer model is not yet available, so it's listed below in the Coming Soon, Maybe section.
- The original Anonabox was a Tor router. Its security was shown to be an inexcusable disgrace in April 2015. See Anonabox Recalls 350 'Privacy' Routers for Security Flaws and Anonabox Analysis. According to the Ars article below, it has no user interface at all, you can never change the password and you can not update the firmware. As of April 2015, it sold for $99.
Anonabox or InvizBox, which Tor router better anonymizes online life? Ars Technica April 8, 2015. I would rule out the first Anonabox as per the articles linked to above. Take this as a review of InvizBox.
- April 2016: There are now four models of Anonabox. The high end model is the Anonabox Pro and it sells for $100 on Amazon. It uses 2.4GHz Wi-Fi for both input and output (5GHz is not supported). It also has a WAN Ethernet port and a single LAN Ethernet port. It runs, or is based, on OpenWRT (not clear). It can be powered from a USB port, it's not clear if it has an internal battery. The included VPN service is HideMyAss which has been shown, multiple times, to do logging.
(almost) anonymous on the Internet with Anonabox by Roger A. Grimes April 19, 2016. The initial setup described here is very insecure, which is troubling for a device selling security. In addition to being a TOR client, you can also set yourself up as a TOR exit node or even run your own .onion website.
Review: Anonabox Pro Tor And VPN Router Review by Josh Norem. April 29, 2016. He tested the top of the line Pro model. "...all of the issues we've seen brought up in other reviews have been fixed or addressed in the most current form of the Anonabox." The VPN service is free for 30 days. It can be used as a secondary router by plugging an Ethernet cable into a LAN port on your router and the WAN port on the Anonabox. Then, use the LAN port on the Anonabox for a computer. Anonabox also does WiFi N. The instructions may not be completely clear to users with minimal networking experience. Local administration is HTTP. A single click connects to TOR. The user interface is for techies. Tech support is good.
- The Tiny Hardware Firewall was endorsed by Leo Laporte, a.k.a. The Tech Guy. There are three models, sold by the vendor for $30 or $35. The smallest model has no Ethernet ports (it's too small), the other two models have an Ethernet WAN port and an Ethernet LAN port. A big limitation is that it works with only one VPN provider, HotSpotVPN. Purchases come with one year of VPN service. Expect to pay about $91 for the second year of service. Laporte warns that it can take 5 minutes to boot up. He also claims that it can engage both the VPN and TOR at the same time. These are low end devices, Ethernet is 100Mbps, WiFi is G and N.
VPN Client Routers
When most consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. Much more interesting, to me, are the very few routers that can function as VPN clients. That is, the software necessary to connect to a VPN server is built into the firmware. Very few routers, running the software they shipped with, can function as a VPN client. However, alternate firmware, such as DD-WRT and Tomato, does include VPN client software. Complicating things, however, are the multiple types of VPN. The most popular seem to be OpenVPN, L2TP/IPsec and PPTP, with PPTP being the worst option as it is the least secure. HowToGeek wrote about this in
- Both Synology routers can function as VPN clients for PPTP, OpenVPN and L2TP/IPsec. You would never know it from their miserable documentation though. It only mentions a VPN client for WebVPN, Synology SSL VPN, and SSTP and it's not clear if that's referring to the router being the server or the client.
- Running Asus firmware, many Asus routers can function as a VPN client. Asus supports the three most popular VPN flavors: PPTP, L2TP and OpenVPN.
- FlashRouters.com sells many standard consumer routers that have been flashed to run either DD-WRT or Tomato. You pay a premium for this service. They have documentation on configuring their routers to work with many VPN providers such as HideMyAss, IPVanish, PureVPN, VyprVPN and PrivateInternetAccess and they offer "3 months of basic Internet and VPN setup support from our knowledgeable staff" for free. They support all three popular types of VPNs and non-techies can provide their VPN provider username and password and the router should be ready to use out of the box.
- RouterSource.com is much like FlashRouters in that they offer consumer routers flashed to run DD-WRT. In addition, they offer their own router firmware called SABAI OS which was derived from Tomato. They claim SABAI is simple enough for non-techies (I have never used it). Both of their firmwares support PPTP and OpenVPN, they do not seem to support L2TP/IPsec. Their free tech support is for one year. They have a working relationship with 15 VPN providers and 11 others are known to be compatible with their routers.
- ThinkPenguin sells TPE-R1100 Wireless-N Mini VPN Router for $49 as of July 2016. It has a single LAN side Ethernet port and the Wi-Fi tops out at N. It runs LibreCMC which is based on the Linux-libre kernel and a stripped down version of OpenWRT without the non-free bits.
- Easy VPN Router sells two TP-Link routers flashed with OpenWRT and configured to work with Private Internet Access. As of April 2017, the TP-Link N300 is $60 and the TP-Link AC1750 is $150. Plans are to support another VPN provider in the future.
- The OVPNbox is a VPN router from VPN provider OVPN.se. It is based on pfSense, runs FreeBSD and has a single LAN port. As of April 2017, they only ship to Europe.
- According to the vendor specs, the Synology RT1900ac Router can function as a VPN client for PPTP, OpenVPN and L2TP/IPSec. In a Feb. 2016 review, Lester Chan reported that it worked fine with VyprVPN.
- ExpressVPN offers tutorials on configuring their VPN service to work with many routers such as: Asus OpenVPN, D-Link L2TP, FlashRouters DD-WRT, FlashRouters Tomato, DD-WRT OpenVPN, Tomato OpenVPN, Sabai OpenVPN and more. They also offer their own routers and an app that can be installed on some routers. An Oct. 2016 review of a Linksys router with ExpressVPN pre-installed noted that you can disable the VPN per device but individual devices cannot use different servers.
- VPN provider Witopia sells a CloakBox VPN Router that works with their service.
- VPN provider BlackVPN also sells routers that work with their service.
- VPN provider TorGuard also sells DD-WRT routers pre-configured to work with their service.
- VPN provider StrongVPN sells routers that work with their service.
- VPN provider VyprVPN has their own app that can be installed on routers running Tomato.
- VPN provider Hide My Ass! has instructions for configuring many routers to work with their service.
TOR Routers
A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."
- Asus routers, running the Merlin firmware can connect to Tor. According to Matt Casperson, they can route some connected devices through Tor while ignoring others.
- Onion Pi is a Raspberry Pi-based TOR router that sells for about $70. You have to install TOR yourself.
- Article: How to Anonymize Your Browsing with a Tor-Powered Raspberry Pi Hotspot by Thorin Klosowski March 2017. First you turn a Raspberry Pi running Raspbian into a Wi-Fi hotspot, then you install Tor on it so all the traffic that goes through the Pi is anonymized.
- Privacy On Top is based on OpenWRT and from a company called Open Netware. It creates two Wi-Fi networks, one of which goes through Tor. It can be purchased pre-installed on a handful of routers.
- The Personal Onion Router To Assure Liberty (PORTAL) is a build it yourself TOR router. It is not a hardware product that you can buy, rather, it is software that needs to be installed on a limited number of supported routers. See A portable router that conceals your Internet traffic at Ars Technica Aug. 2014. An updated product release was expected at the end of April 2015 but as of the end of May 2015, there has been no sign of it.
- The PogoPlug Safeplug is also a TOR router. Consumer Reports liked it, but a more trustworthy source (which I have lost track of) said the security it uses stinks.
- The Cloak router was to be a cheap router with two networks: one that is normal and one that sends all traffic through the TOR network. It will run a modified version of OpenWrt. This could be a great solution, but the website (as of May 26, 2015) says nothing about whether it is now available or when it may become available. Update Oct 22, 2015: the website has not been updated in months, it seems the project has been abandoned.
Just Released Routers
Hot off the router presses.
- F-Secure is working on a product called Sense but their website explanation of what the product does is miserable.
It does every good thing you could imagine, curing Cancer and world peace included. Eventually, they called it a secure router and app. In fairness, here is their lead: "Secure your smart home with one device, now and in the future. Sense creates a secure network for all of your connected devices to monitor and protect them through one simple interface. With privacy and security both at home and on the go, you have the freedom to unleash your smart lifestyle." Beats me what the product does. Here's more: "Sense creates a secured Wi-Fi network in your home. Traffic in the network is analyzed by Sense with the help of F-Secure security cloud, where threat definitions are updated in real time. The cloud leverages next generation security features such as machine learning and behavior based threat analysis to give you corporate-level security in your own home, and block attacks before they even happen. Sense also blocks unwanted tracking attempts ..."
Eventually they got clearer: "F-Secure SENSE is the combination of a smart security router, an advanced security app and industry-leading cloud protection." Sense does not use a VPN or Tor, but they plan to integrate their VPN service in the future. There is no web interface. As of Aug. 2017 it does not support a Guest network, but that is planned. It does include software for Windows and Macs. See the Quick Guide PDF and their Twitter account.
As of Nov. 2015 they were taking pre-orders with an estimated ship date of Spring 2016.
As of Oct 2016, they were still taking pre-orders for 200 Euros, which includes a one-year subscription but there was no estimated ship date.
As of May 2017 it was available in Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden and United Kingdom.
As of July 2017, it was available in the US for $199 which includes the first year of an ongoing subscription that will cost $119 after the first year. The router is said to be usable without the subscription.
Your Questions On F-Secure SENSE, Answered: videos from F-Secure. No author, undated.
Reddit AMA August 2017
- The Turris Omnia router is fully open source, both the hardware and software. The OS is called TurrisOS and it's based on OpenWRT. It is from CZ.NIC, a non-profit organization that runs the .CZ top level domain of the Czech Republic. It will self-update its firmware and includes NAS and assorted server apps. It is said to analyze the data traffic and identify suspicious data flows. It then alerts the home office of a possible attack. Data from other Turris routers is collected to assess the security status of the detected traffic. If it's something bad, updates are sent to all the routers. It is also multi-WAN. Read more here and here. Shipments were initially expected to start in April 2016. Then, the expected ship date was Oct. 2016 and then it was Dec. 2016. By May 2017 it was for sale in roughly 25 countries, including Germany, Ireland, Greece, Austria, Switzerland, Spain, Belgium, Denmark, France, Finland, Italy, Poland, and England. In June 2017 the company said they were working on FCC certification for the US. Their guess is that the Omnia router will go on sale in the US in the Fall of 2017. The hardware needs to be slightly modified.
- The Portal router is hard to classify. Its main claim to fame is improved use of the 5GHz frequency band. By adding new hardware and software, the router will offer additional channels in the 5GHz band, which should come in very handy in areas with many Wi-Fi networks. I mention it here because this new device was also touted as having some interesting security features: intrusion detection (not explained anywhere yet), two-factor authentication for the web GUI, and a new take on Guest network security. Later documentation on the security is incomprehensible to me:
-- Portal combines the security and privacy capabilities of iOS or Android devices with those of WiFi
-- Portal protects your family’s privacy with things like continual intrusion detection, geo-fencing and ID obfuscation
-- Cloud-based authentication provides Portal users with improved security, including dynamic, adaptive guest virtual access.
-- It creates virtual networks for individual guest users
Too soon to tell if this is miserable documentation or if they are selling snake oil. As of Oct 14, 2016, the page on their website that is supposed to explain how it works is non-existent. The firmware for this router is very new; from their website it seems that the ability to create a Guest Network was rolled out Oct 1, 2016. The firmware is based on OpenWRT and setup is done via a mobile app and Bluetooth. Any early review appears to be a press release in disguise. It says the router is pretty and that it creates a mesh network, despite being a single device. Now that's a trick! Photos show that the LAN ports don't have LED lights, which I take as a bad sign. The antennas are internal (to make it pretty). It was expected to ship in late summer 2016 but actually shipped in early Oct. 2016. As of Oct 14, 2016, it cost $200 at the only available outlet, Amazon.com, which said it usually ships in 1 to 2 months. portalwifi.com
- Most of the press around Luma has to do with its mesh network, but the company is also touting security. They claim to constantly monitor "for viruses that try to infiltrate your network". Another security claim is: "Luma alerts on unknown devices that attempt to join your network and can be configured to block them". No details, however, are provided. It should also have parental control that can monitor network devices in "real time" and set per-user Internet use limits and content level policies. Finally, it claims to: "identify if there are devices on your network with weak passwords and can alert you if it detects that a computer is infected with malicious software". We'll see. There is no web interface, just a smartphone app (iOS, Android). As of March 13, 2016 it was scheduled to ship in Spring 2016. It actually shipped around July 2016. As of Aug. 2016 a set of three is $350 and a single one is $150. The SNB review at the end of July 2016 said the price for a three-pack was $400. Early reviews say it's not fully baked. When doing initial setup from a smartphone app, they require location services to be enabled on the phone. Not good. If the router is offline it cannot be configured. As of late July 2016 the router does not report its own firmware release number. WPS is not supported. The only supported WiFi encryption is WPA2-AES PSK.
- NetSequre (formerly Genie) is a router from Open Netware focused on security. For example, it creates two WiFi networks, one for adults and one for children. It also offers phishing and malware site protection, Online Child Safety, ad blocking and anti-tracking. And, it self-updates. Initially, it was a single WiFi N router sold in India. Now, the firmware is available for over 200 routers including models from TP-Link, D-Link, Netgear, Linksys, Belkin, Asus and more. There are two versions, one for low end hardware with fewer features and one for faster hardware with more features. Downloading and installing the firmware is free. The yearly cost of ownership is $18/year and $23/year with a free trial of 3 months.
Coming soon. Maybe.
A number of security devices are planned. Some are routers, others sit between your router and modem, and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Bicchierai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.
- A device called Dojo plugs into your router and watches your network for security issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard.
On Oct 15, 2016, Amazon.com said it was unavailable. By May 2017, that page had disappeared, replaced with this one. In January 2017 it was reported that Dojo would be available in the US in mid-April 2017.
On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). Amazon, however, said it ships in 1 to 2 months. The ongoing charge, after the first year, will be $99/year. On June 1, 2017, TechCrunch wrote: "All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."
- The Flter router plans on offering Tor, its own VPN service and VPN client software for use with any VPN provider. It is a Kickstarter project that was launched in February 2017 and is expected to be released in June 2017. It will also block malicious ads. Its VPN client will support OpenVPN, OpenConnect and L2TP/IPsec. Flter is a 4-person company founded in 2015.
- Expected to ship in Jan. 2017, initially, the Betterspot router was supposed to support Tor and a single VPN provider. It is from a Canadian VPN provider, Betternet. It is designed to be a second router, that is, to plug into a LAN port on an existing router. It will only work with their VPN as it uses a proprietary protocol. The VPN service is $5/month or $30/year. The box is $100. They claim it will self-update. A prototype was reviewed Sept. 19, 2016 by Simon Hill of Digital Trends. It can only be configured with an iOS app, but Android and web interfaces are planned. Note that the Betternet VPN service was dinged for miserable security in January 2017. See here. As of early August 2017, it had moved from KickStarter to IndieGoGo and the expected ship date was August
- The InvizBox Go router will offer both TOR and VPN. Initially it will be limited to one unspecified VPN service, but plans are to open it up later to other OpenVPN based services (no IPSec). The only input and output seems to be WiFi, no Ethernet. The software is open source. It is portable and runs on an internal battery; it's not clear how it's recharged or if it can run on mains power. It promises to block a known list of ad providers, but what list is not specified. It will self-update its firmware. It's not clear which WiFi frequency band(s) are supported, either for input or output.
As of Jan. 2016 it was $99 with a year of VPN service and was expected to ship Feb. 2016.
As of April 19, 2016, the price was $139 with 12 months of VPN service and it was to ship in April 2016.
As of May 8, 2016 it was expected to ship in May 2016.
As of Aug. 14, 2016 the price was $109 with a full year of the still-mystery VPN service and it was expected to ship in early July 2016. More than a month after the latest ship date passed, they had still not updated the expected ship date.
As of Sept 16, 2017 they are selling both a Tor-only Invizbox for $49 and an Invizbox Go which does both VPN and Tor. The Go model is $139 with one year of VPN service from IP Vanish. The Go seems to be Wi-Fi only and battery powered. Techie documentation on both is very scant.
There is a Kickstarter for the third generation, called InvizBox 2 and InvizBox 2 Pro, that ends Oct 17, 2017. Estimated delivery is April 2018. This generation works by being plugged into an existing router via Ethernet.
- German made eBlocker offers ad blocking and tracker blocking. Quoting their website: "eBlocker is a smart device that anonymizes your online behavior. It blocks all ads, stops all trackers, hides your IP - and lets you surf truly anonymously - on ALL your devices." It is not clear how they hide your public IP address. They mention TOR in their FAQ, but the description makes no sense to me. Initially it only worked with HTTP websites; now it also supports HTTPS, which may be a bad thing, as I could not find a detailed explanation of how they intercept TLS. Rather than putting eBlocker in front of your router, you plug it into a LAN port. This means it must be doing ARP spoofing on your LAN to pretend to be your router. There are two versions of the product, Pro and Family. Pro is the simpler version; the Family version supports parental controls and different users, each with their own profile. This requires each person to log on to the eBlocker using a personal PIN. It self-updates its list of bad stuff daily. It started as a Kickstarter project. In Jan. 2016, the product was estimated to ship in the second quarter of 2016. In Aug. 2016 the Pro version without Wi-Fi was available for $179 and the Family version was $199. Wi-Fi enabled versions of each were expected at the end of Aug. 2016. It came to the U.S. in 2017 and may now only protect Wi-Fi devices (not clear). As of July 2017, the Pro is $219, the Family is $249. After a year, updates are $59/year for Pro, $99/year for Family. You can also download the software for free and install it on a Raspberry Pi or Banana Pi.
- ArmorVPN is a Kickstarter project that ends Sept 20, 2017. It is both a VPN and Tor box that sits between a modem and router. There are two Ethernet ports, but it is also portable, with an internal battery that is claimed to last 8 hours. You can buy it without any VPN service, or it has deals with TorGuard and PureVPN. Any OpenVPN VPN provider should be compatible. Some configuration can be done with a touchscreen. It is expected to cost $70 with an estimated ship date of Jan. 2018. The software that runs on this device is planned to be released as open source once a patent is secured on the hardware. See This VPN box makes privacy and security a doddle from Sept 8, 2017.
- Another company front-ending your router is ITUS Networks. In August 2014 they were planning on releasing a product called iGuardian by Feb. 2015. Now (Nov. 2015) there is no more iGuardian. The idea was to run Snort, an Intrusion Prevention System (IPS), on top of OpenWRT. It, too, did every good thing in the world, protecting against: viruses, phishing scams, malicious websites, Java, browser, and file exploits. It would also block drive-by downloads, watering-hole attacks, botnets, data theft, remote access Trojans, and key-loggers. And, if a computer on the LAN tried to contact a known bad server, that too would be blocked. The current product line has 4 devices; only the WiFi Shield is shipping (as of Nov. 29, 2015). There is no date for when the Shield Pro will ship. The Shield Mobile is coming soon. The ITUS Pro is scheduled for release in early 2016.
- Keezel is a portable VPN device. The output is a secure WiFi network that your devices talk to. The input is another WiFi network, perhaps a public one, perhaps your home WiFi. The device makes a VPN connection over the input WiFi network, giving attached devices access to the VPN. There is no Ethernet port, but they claim you can use a USB-to-Ethernet adapter. It is powered either by its internal battery or a USB port. Keezel says they use three different VPN providers but they refuse to identify them. They claim their VPN usage is more secure than normal because their mystery VPN providers don't know the identity of Keezel customers. In turn, since Keezel does not run the VPN, they state that they can't spy on their users. The original design was WiFi G; now it also does WiFi N on the 5 GHz band. For $99 you have to use your own VPN. With one year of VPN service, it costs $129, for two years $169. Shipping was initially scheduled for March 2016. As of April 2016, it had been pushed back to June 2016. As of Sept 1, 2016, an article said October 2016 but their website said Sept. 2016. As of Oct 15, 2016, the estimated ship date on their website was Sept. 2016.
- On Aug. 1, 2017, Karma Mobility announced a new product, Karma Black, that they say will provide "anonymous browsing through Tor, an integrated VPN, black listing, and ad blocking." The announcement said nothing else; nothing on pricing or which VPNs it will support. Availability is planned for September 2017.
- Gryphon is a 17-employee startup in San Diego working on "Safe, Secured, and Fast WiFi for Whole House". Routers are said to offer parental controls, Intrusion Detection via machine learning and Whole House Malware Protection in partnership with Kaspersky. It claims to block DDoS attacks and monitor IoT devices for unusual network traffic. It also claims to prevent users from clicking on websites with malware and to scan network traffic with antivirus tools. It's mesh too. They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016. Shipping was initially planned for June 2017. As of early August 2017, shipping was expected in October 2017.
Default Router Passwords
Other Router Security Advice
This topic was moved on January 1, 2018 to the new Other Router Security Advice page.
Adding a router to a gateway
Add-on Security Devices
Many devices are sold that claim to add security to an existing network. This section was added Sept. 26, 2017 and is incomplete, to say the least.
The Fingbox does every good thing in the world. Plug it into your router, and get security. Typical marketing. I could not find any technical discussion of what the thing does, just stuff pitched at non techies. Fingbox costs $129 as of Dec. 2017. It first became available in October 2017.
It connects via Ethernet to a LAN port of a router. For it to babysit all the devices connected to the router, it has to be futzing with ARP and making itself the default gateway. If you use VLANs, you need one Fingbox for each VLAN. Some routers block some features. It collects data about your network activity and sends it to Fing. So, people who want security get more surveillance. See the User Guide version 1.4, Fing app v6.4.x from November 24, 2017. Features: block kids from using the Internet during dinner time; notify you of new devices on your network; block any device from accessing the Internet; detect any nearby WiFi device, even those not on your network (is Billie home yet?); bandwidth analysis; Wi-Fi signal strength analysis; test Wi-Fi and wired speeds; detect KRACK attacks and evil twin networks; report on open ports.
Perhaps the first such device was the Bitdefender Box, a home network security appliance. David Strom reviewed it in June 2015: Bitdefender Box Review: Pandora Had Fewer Problems. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router.
Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. The thing also scans the LAN for devices with security flaws. The box does not detect DoS attacks, either incoming or outgoing. At the time, it sold for $130.
Like Dojo, the Cujo also sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. Bridge mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company: "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. As of April 19, 2016, the expected ship date was end of May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud CUJO keeps track of bad IP addresses. It is also aware of normal device behavior.
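The eBlocker, Fingbox, Bitdefender Box and Cujo (in Bridge mode) all hang off a LAN port yet claim to see every device's traffic, which, as noted above, means they answer ARP for the router's address with their own MAC. The same evidence lets the owner of the network confirm the takeover. Below is an added example, not code from this page or from any of those vendors, that pins the router's MAC and reports when a different hardware address starts answering for the gateway IP, first from a stream of ARP replies, then from the neighbor table of a LAN host (`ip neigh show` output). The router and box addresses, the ARP replies and the neighbor table lines are all constructed for the example.

```python
"""Spot gateway impersonation on a LAN from ARP evidence.

A box on a LAN port can only inspect every host's traffic by answering ARP
for the router's IP with its own MAC. Two symptoms give it away: the
gateway IP changes hardware address, and one MAC ends up owning two IPs
(the box's own address plus the router's). All sample data is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # capture time in seconds (constructed)
    ip: str     # sender protocol address the reply claims
    mac: str    # sender hardware address


ROUTER_IP = "192.168.1.1"          # assumed LAN gateway address
ROUTER_MAC = "aa:aa:aa:aa:aa:01"   # assumed MAC pinned from the router's label

# Constructed ARP replies: the real router answers first; from t=1200 on,
# another host answers for the router's IP.
SAMPLE_REPLIES = [
    ArpReply(0.0, ROUTER_IP, ROUTER_MAC),
    ArpReply(5.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(60.0, ROUTER_IP, ROUTER_MAC),
    ArpReply(1200.0, ROUTER_IP, "de:ad:be:ef:00:42"),
    ArpReply(1260.0, ROUTER_IP, "de:ad:be:ef:00:42"),
]

# Constructed `ip neigh show` output from a LAN host after the takeover.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.42 dev eth0 lladdr de:ad:be:ef:00:42 STALE
192.168.1.20 dev eth0 lladdr aa:aa:aa:aa:aa:20 REACHABLE
192.168.1.50 dev eth0 FAILED
"""

IP_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def find_mac_changes(replies, watched_ips):
    """Return (ts, ip, old_mac, new_mac) each time a watched IP's MAC changes."""
    seen = {}
    changes = []
    for r in sorted(replies, key=lambda reply: reply.ts):
        if r.ip not in watched_ips:
            continue
        mac = r.mac.lower()
        prev = seen.get(r.ip)
        if prev is not None and prev != mac:
            changes.append((r.ts, r.ip, prev, mac))
        seen[r.ip] = mac
    return changes


def parse_ip_neigh(text):
    """Map IP -> MAC from `ip neigh show` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = IP_NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def gateway_mac_mismatch(table, gateway_ip, pinned_mac):
    """Return the MAC now answering for the gateway if it is not the pinned one, else None."""
    current = table.get(gateway_ip)
    if current is None or current == pinned_mac.lower():
        return None
    return current


def ips_sharing_mac(table):
    """MACs that own more than one IP, the signature of a host answering for the router."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def main():
    for ts, ip, old, new in find_mac_changes(SAMPLE_REPLIES, {ROUTER_IP}):
        print(f"t={ts:.0f}: {ip} moved from {old} to {new}")
    table = parse_ip_neigh(SAMPLE_IP_NEIGH)
    rogue = gateway_mac_mismatch(table, ROUTER_IP, ROUTER_MAC)
    if rogue:
        print(f"gateway {ROUTER_IP} is answered by {rogue}, not pinned {ROUTER_MAC}")
    for mac, ips in ips_sharing_mac(table).items():
        print(f"{mac} claims {', '.join(ips)}")


if __name__ == "__main__":
    main()
```

On a real LAN the neighbor table is read with `ip neigh show` on Linux (or `arp -a` elsewhere, which needs its own parser), and the pinned MAC comes from the router's label or its own status page, read before any add-on box is plugged in. A gateway whose MAC flips, or a single MAC holding both its own address and the router's, is exactly what these products produce by design; the same check also catches an ARP spoofer that was never invited.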
Add-on Security via Router Firmware
In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There will be a 90 day free trial; thereafter it will cost $70/year. Sometime in the first quarter of 2018 it will be available for the Nighthawk AC2300. When it will become available for other Netgear routers is not known. The list of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. As I write this, no one has kicked the tires on it; all this info comes from a press release. Note that a similar service from Trend Micro used inside Asus routers had been found to spy on you.
Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more.
It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year the same price as the VPN service by itself (assuming unlimited bandwidth).
Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices, January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitor the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.
Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.
Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech, Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. It also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. It can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, price will be from $4 to $10/month.
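The "new device joined your network" alert sold by Fingbox, Netgear Armor and the Securifi service above is something a router already has the data for: any firmware built on OpenWRT runs dnsmasq, which writes every DHCP client to a lease file. The following is an added example, not code from this page or from any of those vendors, that parses dnsmasq lease lines, compares them against an allow list of household MACs, and diffs two snapshots to name devices that appeared between them, so the notification is produced on the LAN without a vendor cloud holding the device list. The lease lines, the allow list and the MAC addresses are constructed; the five-field layout (expiry epoch, MAC, IP, hostname, client-id) is dnsmasq's own.

```python
"""Raise a 'new device on the LAN' alert from dnsmasq's DHCP lease file.

The lease file, /tmp/dhcp.leases on OpenWRT, has one line per client:
<expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>.
The allow list and both lease snapshots are constructed for this example.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    expires: int      # lease expiry as Unix epoch seconds
    mac: str
    ip: str
    hostname: str     # "*" when the client sent no hostname
    client_id: str    # "*" when the client sent no client identifier


# Assumed allow list: the MACs the household knows about.
KNOWN_MACS = {"aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:21"}

# Constructed lease file contents before and after an unknown box joins.
LEASES_BEFORE = """\
1516000000 aa:aa:aa:aa:aa:20 192.168.1.20 laptop 01:aa:aa:aa:aa:aa:20
1516000300 aa:aa:aa:aa:aa:21 192.168.1.21 phone *
"""
LEASES_AFTER = LEASES_BEFORE + "1516000600 de:ad:be:ef:00:42 192.168.1.42 * *\n"


def parse_dnsmasq_leases(text):
    """Parse lease lines; malformed lines (including a DHCPv6 'duid' line) are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            expires = int(parts[0])
        except ValueError:
            continue
        leases.append(Lease(expires, parts[1].lower(), parts[2], parts[3], parts[4]))
    return leases


def unknown_devices(leases, known_macs, now=None):
    """Unexpired leases held by MACs that are not on the allow list."""
    now = time.time() if now is None else now
    known = {m.lower() for m in known_macs}
    return [lease for lease in leases if lease.mac not in known and lease.expires > now]


def newly_seen(before, after):
    """MACs present in the later snapshot but absent from the earlier one."""
    seen = {lease.mac for lease in before}
    return sorted(lease.mac for lease in after if lease.mac not in seen)


def main():
    before = parse_dnsmasq_leases(LEASES_BEFORE)
    after = parse_dnsmasq_leases(LEASES_AFTER)
    for mac in newly_seen(before, after):
        print("new device:", mac)
    for lease in unknown_devices(after, KNOWN_MACS, now=1516000000):
        name = lease.hostname if lease.hostname != "*" else "(no hostname)"
        print(f"unknown device {lease.mac} at {lease.ip} {name}")


if __name__ == "__main__":
    main()
```

Run from cron on the router, with the previous snapshot kept in a file, this gives the same notification the subscriptions charge for. The caveat the vendors share applies here too: a lease only proves a device asked for an address, so a host with a static IP never shows up, and a MAC is trivially changed, which is why the ARP-based check is the better companion for anything that claims to be the router.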
Assorted Resources