A secure router for home usage

Hi there!

I have just joined the forum but I am a long-time listener of the podcast. I think it is the best privacy podcast out there and I love the long and in-depth format! So thanks Simon 🙂

But introductions aside, I am here to ask your advice on routers.

I recently decided to up my security game due to recent (unfortunate) events, and decided to start by upgrading my router.

I want to set up a router with the following characteristics:

  1. Uses as little proprietary software as possible. Fully open source would be great, but I am not sure whether that’s possible.
  2. Allows Secure Boot. This is probably the most important thing for me. I think it is of paramount importance to have the guarantee that the router OS has not been tampered with. However, from what I understood, most advanced router distros such as OPNsense / pfSense do not provide Secure Boot.
  3. Allows me to segment my network in several virtual LANs, therefore compartmentalizing different groups of devices.
  4. Is powerful enough to run IDS/IPS and other advanced security features.
  5. 4 LAN ports ideally, but already 2 would probably be enough.

Do you have any ideas on what could satisfy most of these criteria? I know I am asking a lot ahah… As I said, secure boot is actually the most important thing for me (even though it doesn’t seem that much of a priority for software manufacturers, so maybe I am missing something?).

So far the best I have found are the Protectli products. But I am wondering if any of you know / own something better.

I would also be willing to build my own router by just buying an “empty” mini-PC, however I don’t mind spending a couple bucks more for the convenience of something pre-made (if done in the right way).

Cheers!

Could look into any model OpenWrt supports as a good potential first lead, imo.

There are A LOT of supported devices for OpenWrt. However, I think that most of them do not have enough horsepower to run IPS/IDS and other advanced security features. However, I do plan to use OpenWrt as an Access Point, connected to my OPNsense box.

The recommended HW specs to run OPNsense are:

Processor: 1.5 GHz multi-core CPU
RAM: 8 GB
Storage: 120 GB SSD

Ref: Hardware sizing & setup — OPNsense documentation

Here are the best options I found that could fit the requirements:

  • Protectli Vault V1410 - 4 Port Intel® N5105 - Protectli EU US, ~ 330 euros with 250 GB NVMe SSD and 8 GB RAM included. Big plus here is that it comes pre-installed with coreboot and selected OS.
  • VP2420 - 4x 2.5G Port Intel ® Celeron J6412 - Protectli EU, ~ 460 euros with similar specs to the previous one. The advantage here is more flexibility in eventually upgrading the hardware, Intel ME disabled and the possibility of having a hardware TPM on it (still in the process of figuring out whether having a TPM is worth it, as it enables Measured Boot but not Secure Boot. So it is not really clear to me how to make use of it. ref: coreboot Security Features – Protectli Knowledge Base)
  • Getting a mini-PC off of Aliexpress, from brands like Topton, Qotom or Yanglin. Now these mini-PCs offer similar specs at much lower prices (around 130 euros of savings). However, it means either attempting to flash coreboot on it (if even possible) OR risking not having any firmware updates ever (or at least that’s what I read online… but if someone owns one and has a different experience please let me know). Moreover, I would rather have as much open source firmware as possible, rather than a proprietary blob with potential vulnerabilities / backdoors in it.
  • I had a quick look at Fitlet and the price range is similar to Protectli, but the devices seem to have reduced focus on security (no mentions of coreboot and Intel ME) and a more “industrial/rugged” vibe.

I am still pondering options but I am heavily leaning towards the Protectli Vault V1410. It seems like a very good device and I don’t mind paying some extra bucks for the added security and convenience of having Coreboot pre-installed. Moreover they seem to be a respectable and serious company (see replies of the CEO here), which deserves support.

1 Like
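On the Measured Boot question raised in the post above, here is an added example (not from any poster, and not coreboot or Protectli code) that simulates how a TPM PCR is extended and how a verifier uses it: tampering is recorded rather than blocked. The stage names, their contents and the single SHA-256 PCR are constructed assumptions, and the signed TPM quote that would carry the PCR value to the verifier is left out.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: a PCR can only be folded forward, never written directly.
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages):
    """Measure every stage before running it; nothing is refused.
    Returns (final PCR value, event log of (name, digest))."""
    pcr, log = bytes(32), []      # a SHA-256 PCR is 32 zero bytes after reset
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log):
    """Verifier side: recompute the PCR that an event log implies."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def verify(reported_pcr, log, golden_log):
    """Return 'ok', 'log-forged', 'length-mismatch', or the name of the
    first stage whose digest differs from the known-good log."""
    if replay(log) != reported_pcr:
        return "log-forged"       # the log does not explain the PCR value
    for (name, digest), (_, good) in zip(log, golden_log):
        if digest != good:
            return name
    return "ok" if len(log) == len(golden_log) else "length-mismatch"

# Constructed sample boot chain (names and contents are placeholders).
GOOD = [("bootblock", b"bootblock v1"), ("payload", b"payload v1"),
        ("kernel", b"kernel v1")]
TAMPERED = [GOOD[0], ("payload", b"payload v1 + modification"), GOOD[2]]

GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD)

if __name__ == "__main__":
    pcr, log = measured_boot(TAMPERED)          # the modified chain still boots
    print(verify(pcr, log, GOLDEN_LOG))         # verifier names the changed stage
    print(verify(pcr, GOLDEN_LOG, GOLDEN_LOG))  # presenting the clean log fails replay
```

In practice the PCR value is what a secret (for example a disk-encryption key) is sealed against, or what a remote verifier checks, so a modified boot chain runs but cannot unlock the secret or pass attestation.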