🔐 Hardening OpenWrt

---

Published: Tue, Jul 08, 25

OpenWrt Hardening Tips

---

Overview

Learn how to harden OpenWrt for maximum privacy and security. This step-by-step guide walks you through securing access, encrypting DNS, firewall tweaks, and advanced privacy configurations for a safer network.

OpenWrt

OpenWrt System Configuration and Firewall Hardening Commands Explained

---

Configure uHTTPd to Listen on a Specific IP

root💀NullOrigin:~# uci set uhttpd.main.listen_http='192.168.66.6:80'
root💀NullOrigin:~# uci set uhttpd.main.listen_https='192.168.66.6:443'
root💀NullOrigin:~# uci commit uhttpd
root💀NullOrigin:~# /etc/init.d/uhttpd restart

---

Description

Limits the uHTTPd web server to listen only on a specific local IP address (192.168.66.6) for HTTP and HTTPS traffic.

Effect

Restricts LuCI/web interface access to the specific IP/interface, increasing security.

_______________________________________________________

Remove HTTP Listen Directive

root💀NullOrigin:~# uci -q delete uhttpd.main.listen_http
root💀NullOrigin:~# uci commit uhttpd
root💀NullOrigin:~# /etc/init.d/uhttpd restart

---

Description

Deletes the HTTP listen configuration to possibly disable unencrypted HTTP access.

Effect

HTTP access might be disabled, forcing HTTPS only.

_______________________________________________________

Add Firewall Rule to Block LuCI Access from WAN

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Block-LuCI-From-WAN'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='wan'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='80 443'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='REJECT'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Blocks WAN (external) access to ports 80 and 443, which are typically used by LuCI (web UI).

Effect

Prevents remote access to the router’s web interface for security.

_______________________________________________________

Disable IPv6 on Interfaces

root💀NullOrigin:~# uci set network.lan.ipv6='0'
root💀NullOrigin:~# uci set network.wan.ipv6='0'
root💀NullOrigin:~# uci set network.wan6.disabled='1'
root💀NullOrigin:~# uci commit network
root💀NullOrigin:~# /etc/init.d/network restart

---

Description

Disables IPv6 support on LAN and WAN interfaces.

Effect

Prevents IPv6 traffic to avoid possible IPv6 attack vectors or misconfigurations.

_______________________________________________________

Disable IPv6 Features in DHCP and DNS

root💀NullOrigin:~# uci set dhcp.@dnsmasq[0].filter_aaaa='1'   # Blocks AAAA DNS requests
root💀NullOrigin:~# uci set dhcp.lan.dhcpv6='disabled'
root💀NullOrigin:~# uci set dhcp.lan.ra='disabled'
root💀NullOrigin:~# uci set dhcp.lan.ndp='disabled'
root💀NullOrigin:~# uci commit dhcp
root💀NullOrigin:~# /etc/init.d/dnsmasq restart

---

Description

Stops devices from receiving IPv6 addresses via DHCPv6, router advertisements, and disables Neighbor Discovery Protocol.

Effect

Further ensures IPv6 is fully disabled on the local network.

_______________________________________________________

Disable IPv6 in Firewall Defaults

root💀NullOrigin:~# uci set firewall.@defaults[0].disable_ipv6='1'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Disables IPv6 support in the firewall’s default configuration

Effect

Prevents firewall from handling IPv6 packets.

_______________________________________________________

Add Firewall Rule to Drop All IPv6 Traffic

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Drop-IPv6'
root💀NullOrigin:~# uci set firewall.@rule[-1].family='ipv6'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='DROP'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='all'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='*'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Drops all IPv6 packets regardless of source.

Effect

Fully blocks IPv6 traffic on the device for security or simplicity

_______________________________________________________

Disable IPv6 Modules

root💀NullOrigin:~# # Create a sysctl config file:
root💀NullOrigin:~# echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/disable-ipv6.conf
root💀NullOrigin:~# echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/disable-ipv6.conf
root💀NullOrigin:~# echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.d/disable-ipv6.conf
root💀NullOrigin:~# 
root💀NullOrigin:~# # Apply the changes immediately:
root💀NullOrigin:~# sysctl -p /etc/sysctl.d/disable-ipv6.conf
root💀NullOrigin:~# netstat -lpn | grep :::       # Look for any IPv6 listeners

---

Description

This disables IPv6 support at the kernel level for all interfaces, including lo (loopback), ensuring that no IPv6 functionality is exposed — even if some services or configs attempt to re-enable it.

Effect

To prevent IPv6 modules from loading (if your system supports it)

_______________________________________________________

TTY Login on Console

root💀NullOrigin:~# uci set system.@system[0].ttylogin="1" 
root💀NullOrigin:~# uci commit system
root💀NullOrigin:~# service system restart

---

Description

Ensures that a login prompt appears on the device’s serial or physical console (TTY). This setting is enabled by default on OpenWrt, and the system’s inittab already points to /usr/libexec/login.sh, which enforces password-based login if a password is set for the root account.

Effect

With a root password set, console access requires authentication. If the root account has no password, the login prompt will allow immediate access — so ensure a password is set

_______________________________________________________

Firewall Rules for SSH Access on Port 666

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Allow-SSH-LAN'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='lan'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='666'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='ACCEPT'
root💀NullOrigin:~# 
root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Deny-SSH-WAN'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='wan'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='666'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='REJECT'
root💀NullOrigin:~# 
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Allows SSH connections only on LAN interface at port 666, while rejecting any SSH attempts on WAN

Effect

Restricts SSH access to internal network and non-standard port for better security.

_______________________________________________________

Enable SYN Flood Protection

root💀NullOrigin:~# uci set firewall.@defaults[0].syn_flood='1'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Enables protection against SYN flood Denial-of-Service attacks.

Effect

Helps mitigate some types of DoS attacks.

_______________________________________________________

Allow LuCI Access from Specific LAN IP Addresses Only

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Allow-LuCI-From-MyIP'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='lan'
root💀NullOrigin:~# uci set firewall.@rule[-1].src_ip='192.168.6.66'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='443'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='ACCEPT'
root💀NullOrigin:~#
root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Allow-LuCI-From-MyIP'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='lan'
root💀NullOrigin:~# uci set firewall.@rule[-1].src_ip='192.168.66.107'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='443'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='ACCEPT'
root💀NullOrigin:~#
root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Drop-LuCI-From-Other-LAN'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='lan'
root💀NullOrigin:~# uci set firewall.@rule[-1].dest_port='443'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='tcp'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='REJECT'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Only allows HTTPS LuCI access from specified LAN IP addresses, rejects all others.

Effect

Strict control of who can access the router’s web UI locally

_______________________________________________________

Disable and Remove UPnP

root💀NullOrigin:~# /etc/init.d/miniupnpd stop
root💀NullOrigin:~# /etc/init.d/miniupnpd disable
root💀NullOrigin:~# opkg remove miniupnpd luci-app-upnp

---

Description

Stops, disables, and removes Universal Plug and Play service and its LuCI interface.

Effect

Eliminates UPnP vulnerabilities that could open ports automatically.

_______________________________________________________

Tune uHTTPd Max Requests and Connections

root💀NullOrigin:~# uci set uhttpd.main.max_requests='10'
root💀NullOrigin:~# uci set uhttpd.main.max_connections='20'
root💀NullOrigin:~# uci commit uhttpd
root💀NullOrigin:~# /etc/init.d/uhttpd restart

---

Description

Limits the maximum HTTP requests per connection and maximum simultaneous connections.

Effect

Helps mitigate DoS by limiting server resource usage.

_______________________________________________________

Drop Invalid Packets Firewall Rule [WARNING]

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Drop Invalid Packets'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='*'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='all'
root💀NullOrigin:~# uci set firewall.@rule[-1].extra='-m conntrack --ctstate INVALID'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='DROP'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

Drops all invalid network packets detected by connection tracking.

Effect

Prevents malformed or suspicious packets from passing through.

NOTE: You may lock yourself out even with white listing practices

_______________________________________________________

Drop Invalid Packets from WAN Only

root💀NullOrigin:~# uci add firewall rule
root💀NullOrigin:~# uci set firewall.@rule[-1].name='Drop Invalid from WAN Only'
root💀NullOrigin:~# uci set firewall.@rule[-1].src='wan'
root💀NullOrigin:~# uci set firewall.@rule[-1].proto='all'
root💀NullOrigin:~# uci set firewall.@rule[-1].extra='-m conntrack --ctstate INVALID'
root💀NullOrigin:~# uci set firewall.@rule[-1].target='DROP'
root💀NullOrigin:~# uci commit firewall
root💀NullOrigin:~# /etc/init.d/firewall restart

---

Description

This rule targets only invalid connection states on the WAN interface, dropping suspicious packets without affecting internal (LAN) services like LuCI.

Effect

Prevents malformed or spoofed packets from entering via WAN without impacting local services, unlike global rules which may cause issues on LAN.

_______________________________________________________

Encrypted DNS via DNSCrypt-Proxy (Recommended)

root💀NullOrigin:~# opkg update
root💀NullOrigin:~# opkg install dnscrypt-proxy2
root💀NullOrigin:~# 
root💀NullOrigin:~# uci set dhcp.@dnsmasq[0].noresolv='1'
root💀NullOrigin:~# uci set dhcp.@dnsmasq[0].server='127.0.0.1#5053'
root💀NullOrigin:~# uci commit dhcp
root💀NullOrigin:~# /etc/init.d/dnsmasq restart
root💀NullOrigin:~# /etc/init.d/dnscrypt-proxy restart
root💀NullOrigin:~# /etc/init.d/dnscrypt-proxy enable
root💀NullOrigin:~# # Verification
root💀NullOrigin:~# dig +short openwrt.org @127.0.0.1 -p 5053

---

Description

Installs and configures DNSCrypt-Proxy v2, allowing DNS queries to be sent over encrypted channels. Offers provider customization, IP filtering, and anonymization.

Effect

Prevents DNS leaks and improves privacy by replacing system DNS resolution with secure queries to trusted upstream servers over encrypted channels.

_______________________________________________________

Encrypted DNS via DoH (HTTPS DNS Proxy)

 
root💀NullOrigin:~# opkg update
root💀NullOrigin:~# opkg install https-dns-proxy luci-app-https-dns-proxy</span>

---

Description

Installs https-dns-proxy and its LuCI frontend, enabling DNS-over-HTTPS (DoH) with Cloudflare or Quad9 as resolvers.

Effect

Automatically encrypts DNS queries using HTTPS, protecting against DNS spoofing and surveillance without requiring manual config of upstream resolvers.