Tl;dr
Very new to home networking, but planning to get some hardware to run OPNsense bare metal to replace my ISP all-in-one.
Requirements: AES-NI support, Intel NICs, supports coreboot, can handle Wireguard both to connect out to my VPN provider and also to allow me to connect back to services at home
Nice to haves: 2.5+ Gbps NICs, resources to support an IPS like Snort or Suricata.
Questions:
- Are people still using cheap AliExpress hardware despite potential security risks?
- If so, do you reflash your firmware? Are you comfortable counting on a script like Flashli, or do you use something like SPI?
- Would you still reflash your firmware even from a more trusted vendor, like Protectli or Deciso?
- What is a reasonable amount to spend on reasonable router hardware?
Some Options I’ve Seen Recommended/Am Considering:
- Protectli Vault Pro VP2420-4 (but open to other Protectli suggestions)
- AliExpress N100/N305 machines (though of course with the aforementioned security concerns)
- Used Thinkcenter M720q (though not sure how the power efficiency compares)
Thanks so much to anyone who takes the time to post your thoughts, I’m extremely grateful!
Hi everyone,
Thanks so much again to those of you who left your thoughts on my thread a month or so ago. Progress on my NAS still continues at a glacial pace (mostly because I want ECC support and an iGPU that supports AV1 decoding on the same machine, but building around the W680 is a little pricey; in fact, might end up considering adding an A380 for AV1 support instead to open up some other options, but that’s a story for a different thread). But I am reaching out now because in the interim I’ve been trying to make progress on some more fundamental network infrastructure while I am figuring out plans for the bigger systems. Of course, even that turned into a bigger project than planned, which is why I am back to get some of your insights.
Just for folks who didn’t see my other thread, I am definitely a home networking noob generally, but am trying to build out my whole home network. In terms of the router hardware I am hoping to get, at minimum it would need AES-NI support and Intel NICs vs. Realtek, as well as support for coreboot for peace of mind (in an ideal world, even libreboot, but my understanding is basically no hardware released within a decade or more would allow that to run). At least 2.5 Gbps throughput would be nice, but not essential. Likely will be paired with a switch, so I’m also not overly concerned about port count (though maybe just for starting out 4 ports would be ideal and I can add in a PoE switch later).
In terms of planned use, I want to use Wireguard both to connect out to my VPN provider and also to allow me to connect back to services at home, as well as a few VLANs. Support for IPS like Snort or Suricata would be a plus, but it seems they can be resource intensive and I’m not currently thinking of them as a necessity.
A lot of resources I’ve seen suggested just grabbing a cheap machine off Amazon or AliExpress is the most cost-effective way to go, but it seems like there are some legitimate security concerns going that route. Are people still buying some of the cheaper AliExpress (e.g. Qotom, Topton, Cwwk) N100/N305 machines for their routers, even with concerns about backdoors (like Horse Shell in TP-Link firmware)? Are you reflashing firmware if you do so (and if you are, are you doing it through SPI vs. a script like Flashli)?
I’m the furthest thing from an expert, but just from a bit of poking around it seemed like if one wanted to reflash firmware in a 0 trust way, it looks like you’d need to either use SPI or JTAG vs. trying to do it through a script (and of course you’d need to take into account whether Boot Guard is enabled).
Would you reserve this treatment just for no-name router brands or would you reflash firmware the same way if you bought from a more trustworthy source like Protectli or even Deciso? Personally, my threat model (just trying to take back some privacy and control over my tech and not trying to stand single-handedly against the NSA) and current (low) skill level make me think I should just opt for a Protectli box that I know will work with coreboot (like the VP2420-4) and then move on with my life, but spending $300-$400 on a router seems like a lot (and perhaps I am robbing myself of the joy of having to figure out how SPI works).
Thanks so much for your thoughts! I remain extremely grateful to have the opportunity to tap into all of your collective wisdom (and hopefully at least save myself a few lessons learned the hard way). As long as its not obnoxious, I am also happy to share my progress and learning as I go in case it can save some time for other folks just starting out. Thanks again!
You must log in or register to comment.
If you read this you will never trust anything again. If you aee not familiar with him that is Ken Thompson one of the father’s of Unix.
Thanks so much for sharing this! I think reading through it helps refocus the question I guess I should have asked, which is “Which vendors do people trust more in practice, recognizing that at some point recursive paranoia has to end unless one has the time and skill to try to build literally everything on their own?” And as a question of probabilities, it feels a bit more manageable to try to make a call and move on. I’m sort of thinking of this thread as a way for me to calibrate my current probability estimates with people who know more than I do and have likely thought about this question more than I have. But the reminder that there isn’t really going to be any certainty regardless of what I decide is well-taken.
Your welcome but that’s the point he was making even if you build everything on your own. The backdoor would be in the compiler. So even if you built /bin/login for example he would just inject it at compile time when compiling your code. But then you asked I will just compile the compiler but you have to compile it at some point and he can inject the code back into the compiler at that point.
Sorry, imprecise wording on my part, I meant build as in build/code from scratch, not build from source!
No worries , but i think I’m not being clear if you build it from scratch. how are you going you going to compile it ?
In the end you would build your compiler directly in assembler, so no compiling would be needed.
But if you run your compiler on compromised hardware it would still be possible to insert a backdoor in your programs without you knowing.
To mitigate this vector you would be required to build your own chips… with self developed and assembled machines all the way down starting at growing your own silicon crystals.No I think we’re aligned! I am not trying to say the “build literally everything” from scratch is a viable alternative. You could go all the way down the rabbit hole of building a compiler, your own programming language, a smelter to refine the metals you need to try to cobble together your own hardware. But of course that is not realistic, which was what I was trying to get at in my comment. Basically, given that it is not feasible to do everything by yourself, at some point it seems you have to decide to trust something to be a functional human and not devolve into solipsism. So the question I am asking is, what are your own evaluations of what is trustworthy? Do you trust coreboot more than AMI? Protectli versus Qotom? It seems to me that we have to make these sorts of evaluations, versus believing that because there is some risk to everything that those risks are all equal. Apologies if I am not being clear though.
Yeah that is his point he is trying to make at some point you just have to come to terms with that trust since you are right it’s not feasible to build your own hardware.
The key is defense in depth. Don’t trust anything more then you need to. Even if your router is compromised the hosts should be hardened, the traffic should be encrypted, etc
Thanks for this! It’s a good impetus for me to think a little more holistically about my network security versus overfocusing on the router. I’ll have to do some more reading on overall networking best practices.
Zero trust. Assume everything is compromised and mitigate the risk from each thing that is compromised.
ISP spying on you? VPN, encryption, spoof a metadata trail to throw off any potential correlation attacks.
Compromised modem? Air gap stuff, use wired LAN, some other stuff idk.
And so on. Just keep in mind that sometimes, your data just isn’t that valuable, and plan accordingly
At first I read the title as
How much pareidolia is too much?
And I was bracing for a fun thread, but then my brain caught up and now I’m disappointed.
Do you really need OPNsense? Buying a OpenWrt capable router would save your money, place and silence.
I went with mikrotik. It’s not too expensive, has way more features than I’ll ever need, and it’s rock solid. I used openwrt before that, which also did the job.
Keep in mind that OpenWRT isn’t really optimized for particular hardware. It is designed to run on anything which means it doesn’t have a lot of recovery options for bad updates and configurations. It isn’t terrible but if you interrupt power during a flash you can bork the system.
Openwrt One is the official hardware. It is optimized for it.
The hardware is built to have good compatibly with OpenWRT. That doesn’t mean it has the same brick resistance as something like OPNsense.
Software is software. I can reflash all day regardless if openwrt or opnsense.
You are totally missing the point. OpenWRT doesn’t have a dual partition layout. If you bork the system do to a power loss or bad image you need a rescue cable or drive. I use a lot of OpenWRT but that is something to keep in mind.
Ah I was not aware of that. Guess never cared because I have all the tools to reflash/reinstall ready to go with off-site config backups. But isnt this why you should have HA If it’s that critical? Guess more recovery options the better.
If I am relying on it, I buy from brands I trust. No brand is going to be perfect but some are clearly going to be lower risk than randoms from aliexpress. Its as much to do with reliability, achievable duty cycle (rather than promises of duty cycle), support (especially how easy it is to get a replacement under warranty), how long they will push firmware updates for, than just security trustworthiness.
Pretty much any device is going to have a vulnerability or potential for a back door at some point but the company being transparent about the issue and fixing it promptly is worth a lot. Its the same reason I would have a Google or (premium) Samsung phone, I trust that they will support the phone for the time period they say they will, something I would not do with say Oneplus based on my past experience of them.
I buy electronics from aliexpress all the time, but nothing I rely on day to day like a router, simply because I am shit out of luck getting it replaced quickly if it goes wrong, even if I want to get a replacement. I have a cheap mikrotik hex I keep as a backup of a backup (my APs are my primary backup for my router), and this is fine for a week or so but I would not want to be out a month or more with it.
I guess you could plan in proper redundancy as I have, or may be you can afford a an outage, so may be you don’t need that. If I cannot work, I cannot earn, so I have backup internet, routers, wifi etc. planned into my install.
I think what someone else wrote about defense is depth is the real key here. I have my network divided into separate VLANs that are firewalled off from each other, so one for IoT, one for cameras, one for my TVs and other screens, one for my devices. This means if something is compromised they still have to get across the network and it simplifies my firewall rules as I am applying them to subnets rather than individual devices in a self maintained group. It makes it easier to say block external DNS queries and redirect to my pihole for my IoT and TVs but not my personal devices as I would have a good reason to go external.
May be you do not have a lot of devices, I realize I am nearer the upper end of a home network with over 50 active devices and it will be over kill if you only have a laptop and a phone on your network.
If it gets in the way of you being able to do things, it’s too much.
From your requirements, coreboot is probably the most limiting factor, so I would start there.
Thanks for this! Agree that coreboot is definitely the requirement that, if dropped, would open up the most other options. So far it sounds like folks are mostly willing to have some faith in stock firmware, which is great as a sanity check for me. Appreciate your response!
Im using CN hardwares for my opnsense router. Are you from US? For me (not US/CN citizens), hardware from both countries have potential security risks.
Yes, I’m US-based, and you make a great point that it’s not as though US brands are inherently trustworthy either. That’s why I’m leaning towards an open source (or as open source as possible) firmware, with the understanding that we’re stuck with some proprietary blobs at the moment. I suppose I am thinking about it more from a harm reduction lens versus trying to find a bullet-proof solution.
Right now all we can do is reduce dependencies on proprietary blobs.
It’s extremely difficult, if not impossible, to buy hardware without proprietary blobs here.
(But if you don’t mind my asking, what machine did you end up with from CN? How did you approach firmware?)
Firmware wise? Both are on stock firmware.
Im using hunsn 1u as primary router, i bought it almost two years ago (late apr23). It is running opnsense on proxmox. I initially had problems with opnsense crashing every day. It is stable now ever since i unchecked the memory ballooning option.
Backup is anyrevo mini pc with same count of LAN ports. If i want to make significant changes i do the changes here.
Thanks so much! I’d seen Hunsn mentioned in a few places as well, so glad to hear that it’s working well (and thanks especially for the memory ballooning tip, I’ll try to remember that when I inevitably run into issues later).
@libretech hardware is Intel. Think micropc from China. Software is Debian.
Thanks for sharing! Did you end up staying with the stock firmware?
