OpenWRT Setup Guide

What OpenWRT Actually Is

OpenWrt is a Linux distribution that replaces the manufacturer firmware on consumer routers. You get a real package manager (opkg), SSH access, and configuration that goes way beyond anything the stock web interface offers. It runs on a surprising number of devices, but you need to verify yours is supported before you do anything.

What stock firmware won't let you do that OpenWrt will:

• Run a WireGuard or OpenVPN server directly on the router
• Create VLANs to isolate IoT devices from your main network
• SQM — actual queue management that eliminates bufferbloat
• Install adblock, bandwidth monitoring, dynamic DNS, and dozens of other packages
• Keep getting security patches years after the manufacturer stops caring

Is Your Router Supported?

Go to the Table of Hardware on openwrt.org and search your exact model number. Not the product line — the specific model and hardware revision. My bricked TP-Link was a v1; the v2 of the same model needed a completely different image.

What to check on the device page:

• Support status — needs to say "Supported" for current releases, not just "WIP" or "partial"
• Flash size — 8MB minimum. 4MB devices technically work but you can barely install LuCI
• RAM — 64MB minimum, 128MB+ if you want to run adblock or VPN

Routers I've had good results with:

• Linksys WRT-series (3200ACM, 32X) — big flash, lots of RAM, well-documented
• TP-Link Archer series (verify your specific model and revision)
• GL.iNet travel routers — ship with OpenWrt pre-installed, good for testing

Installation Process

Warning: This can brick your router if done wrong. Have a backup router ready — even a cheap one you can swap in while you troubleshoot.

The flashing process itself is straightforward, but the ways it can go wrong are device-specific. Some routers need you to use the stock firmware's upgrade page. Others require TFTP. A few need you to interrupt the boot process over serial. The OpenWrt wiki page for your device will tell you which method applies. Do not skip reading it.

General Steps

1. Download the correct firmware from openwrt.org — use the "factory" image for first-time installs, not "sysupgrade"
2. Connect to the router over Ethernet (never flash over WiFi)
3. Log into the stock firmware admin page
4. Find the firmware upgrade section
5. Upload the OpenWrt image
6. Wait for the reboot — this can take 3-5 minutes, do not power cycle during this

Exact steps vary by manufacturer. Always check the device-specific page on the OpenWrt wiki.

First Login

Once it reboots, connect over Ethernet and SSH in:

ssh [email protected]

Or open http://192.168.1.1 in a browser for LuCI. There's no password set by default, which means anyone on the network has root access.

Set a root password immediately:

passwd

LuCI Web Interface

LuCI is the web UI for OpenWrt. Most things can be configured through it. LuCI is functional but ugly. If you're expecting OPNsense-level polish, lower your expectations. It looks like it was designed in 2008 because it was. But it works, and it exposes nearly every setting you'd otherwise have to edit via UCI on the command line.

Initial Setup

1. System → Administration: Set the password if you haven't already via SSH
2. Network → Interfaces: Configure the WAN interface (DHCP for most ISPs, PPPoE if your ISP requires it)
3. Network → Wireless: WiFi is disabled by default — enable it here and set your SSID and password
4. System → Software: Run "Update lists" before trying to install anything

Installing Packages

OpenWrt uses opkg, which works like apt but for your router. Package lists aren't persisted across reboots on devices with limited flash, so you need to run update first every time:

# Update package lists first
opkg update

# Install useful packages
opkg install luci-app-statistics # Bandwidth monitoring
opkg install luci-app-sqm # Smart Queue Management (reduces bufferbloat)
opkg install luci-app-ddns # Dynamic DNS

You can also install packages through LuCI under System → Software, but the CLI is faster.

VLANs for Network Segmentation

This is where OpenWrt really earns its keep. Stock firmware on a $60 router doesn't support VLANs at all. OpenWrt does.

Under Network → Interfaces → Devices:

1. Add a bridge-vlan device
2. Create a new interface for each VLAN
3. Assign each interface to its own firewall zone
4. Configure a separate DHCP range per interface

I run three VLANs at home: trusted devices, IoT junk (smart bulbs, cameras), and a guest network. The IoT VLAN can reach the internet but not my LAN. Took about 20 minutes to set up.

VPN Client/Server

WireGuard (Recommended)

opkg update
opkg install luci-proto-wireguard

Configure under Network → Interfaces → Add new interface. WireGuard is lightweight enough to run on even low-end routers without noticeable performance impact.

OpenVPN

opkg install luci-app-openvpn

Heavier on the CPU and more annoying to configure, but it works through restrictive firewalls where WireGuard's UDP traffic gets blocked.

Smart Queue Management (SQM)

SQM is the single biggest quality-of-life improvement you'll get from OpenWrt. If your video calls stutter when someone else starts a download, that's bufferbloat. SQM fixes it by managing the queue so no single flow can hog the pipe.

opkg install luci-app-sqm

Network → SQM QoS:

• Enable on the WAN interface
• Set download and upload to about 85-90% of your actual measured speed
• Queue discipline: cake (the default fq_codel works too, but cake is better)

Run dslreports.com/speedtest before and after. My bufferbloat went from a C rating to A+. The difference during video calls is night and day.

Firewall Basics

Network → Firewall. OpenWrt uses a zone-based firewall similar to what OPNsense and pfSense do:

• lan: Your internal network — traffic from here is allowed out to WAN by default
• wan: The internet side — inbound traffic is blocked unless you create explicit rules

Port forwarding lives under Firewall → Port Forwards. If you're running services you need reachable from outside, this is where you set it up.

Adblock

DNS-level ad blocking, right on the router:

opkg install luci-app-adblock

Configure under Services → Adblock.

It's not Pi-hole — no fancy dashboard, no per-client stats. But it blocks ads for every device on the network without running a separate Raspberry Pi. Good enough for most people.

Updates

Individual packages can be updated through opkg:

opkg update
opkg list-upgradable
opkg upgrade PACKAGE_NAME

Major version upgrades (like going from 23.05 to 24.x) require flashing a new sysupgrade image. Back up your config first — you'll need to restore it after the flash.

Backup Configuration

System → Backup / Flash Firmware → Generate archive.

Download this after every significant change. If you ever need to reflash or if something breaks, restoring from a backup is the difference between 5 minutes and an hour of reconfiguration.

If Things Go Wrong

Most OpenWrt-supported routers have a failsafe mode. The exact procedure varies by device (again, check the wiki), but the general pattern is:

1. Power off the router
2. Hold the reset button
3. Power on while still holding reset
4. Watch the LEDs — there's usually a specific blink pattern that means failsafe is active
5. Connect via Ethernet and browse to 192.168.1.1

From failsafe you can reflash firmware via TFTP or SSH. If failsafe doesn't work, some devices support serial console recovery — but that means opening the case and soldering headers. Worth knowing about, not worth panicking over.

Before you flash anything:

• Check the hardware table on openwrt.org. Search your exact model number and hardware revision. If it's not listed as "Supported," stop here.
• Read YOUR device's specific wiki page. Not the general install guide — the page for your exact router. The flash method, the recovery procedure, and the gotchas are all device-specific.
• Have a backup router ready. Even a terrible old one. If the flash goes sideways, you need internet access to look up recovery procedures.

Once it's running: VLANs, SQM (actually working QoS), WireGuard, ad blocking, guest networks — all on a $60 router. The stock firmware couldn't do half of this.