OpenWrt OS: How It Works, Challenges, Security Concerns and Alternatives

7 min read | 20/03/2023

Igal Zeifman
Bruno Rossi

What Is OpenWrt?

OpenWrt is a free and open-source operating system for embedded devices, from business and consumer network devices to IoT appliances. It is based on Linux and is designed to be lightweight and highly customizable, making it well-suited for devices with limited resources. The project was founded in 2004 and is licensed under the GPL.

OpenWrt is often used in devices that require advanced networking capabilities, such as routers, access points, and network-attached storage devices, as it provides a wide range of features and tools for managing and optimizing network traffic. It includes support for various protocols, such as IPv4 and IPv6, as well as a number of security features, such as firewall and VPN support.

OpenWrt Features

Some of the main features of OpenWrt include:

  • Package management system: Allows users to easily install and manage a wide range of software applications on their devices. This includes a variety of tools and utilities, as well as a range of third-party software packages that can be used to extend the functionality of the device.
  • Networking capabilities: Provides a wide range of features and tools for managing and optimizing network traffic, including support for various networking protocols, so the device can run as a router, wireless repeater, mesh node, or file or print server.
  • Security features: Protects local devices and networks with features such as firewall and VPN support. Internally, OpenWrt can run its services in isolation using chroot, namespaces and per-service resource limits.
  • OpenWrt Buildroot: A toolchain (set of scripts and tools) that allows developers to customize and build their own version of OpenWrt. It provides a convenient way to manage the build process and keep track of the changes made to the system.

System Administration in OpenWrt

As an embedded system, OpenWrt has its own tools and utilities to administer a system:

  • uci: OpenWrt’s command-line interface (CLI) utility enables the management of the main configuration parameters.
  • opkg: A lightweight package manager.
  • LuCI: A web-based administration tool.

To provide a sense of how it works, here are a few examples of common tasks:

Setting up a network interface

uci set network.wan=interface
uci set network.wan.ifname='eth1'
uci set network.wan.proto='dhcp'
uci commit network
/etc/init.d/network restart

This configures the “eth1” interface to obtain its IP address via DHCP from the upstream network.

Setting up a firewall rule

# Append a new, empty rule section; @rule[-1] then refers to it
uci add firewall rule
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart

This will create a firewall rule that allows incoming TCP connections on port 22 (SSH) from the WAN interface.
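
A rule like this exposes the router's SSH service to the entire WAN zone, so it helps to be able to list such rules on a device. The following is an added example, not code from the original article: it parses UCI firewall syntax and reports WAN ACCEPT rules on management ports that have no src_ip restriction. The function names, the MGMT_PORTS list and the sample configuration are assumptions constructed for illustration.

```shell
# Added example, not from the original article. Reads UCI firewall syntax
# (the format of /etc/config/firewall) on stdin and prints each input rule
# that ACCEPTs a management port from the wan zone with no src_ip limit.
# MGMT_PORTS is an assumption of this example: SSH, Telnet, HTTP, HTTPS.
MGMT_PORTS="${MGMT_PORTS:-22 23 80 443}"
audit_wan_accept() {
    awk -v q="'" -v ports="$MGMT_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) mgmt[p[i]] = 1 }
    function report(   i, n, d, hit, name) {
        if (sect == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" &&
            !("src_ip" in o) && !("dest" in o)) {
            n = split(o["dest_port"], d, " ")
            for (i = 1; i <= n; i++) if (d[i] in mgmt) hit = 1
            name = ("name" in o) ? o["name"] : "(unnamed)"
            if (hit) print name " " o["dest_port"]
        }
        split("", o)    # portable way to clear the option array
    }
    $1 == "config" { report(); sect = $2 }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val); gsub(/"/, "", val)
        o[$2] = val
    }
    END { report() }'
}
# Constructed sample: the WAN SSH rule shown above, a variant limited to one
# source address (documentation range), and a non-management rule.
sample_firewall() {
    cat <<'EOF'
config rule
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-Admin'
    option src 'wan'
    option src_ip '203.0.113.10'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option dest_port '68'
    option target 'ACCEPT'
EOF
}
sample_firewall | audit_wan_accept
```

On a device, the same function can be run as `audit_wan_accept < /etc/config/firewall`.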

Setting up a wireless access point

uci set wireless.@wifi-iface[0].ssid='MyAccessPoint'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='mypassword'
uci commit wireless
wifi

This will create a wireless access point with the SSID “MyAccessPoint” and the password “mypassword”.

Installing a package

opkg update
opkg install package_name

OpenWrt Use Cases

Some common uses for OpenWrt include:

  • Router and access point: OpenWrt is often used as the operating system for routers and access points, as it provides extended features and tools for managing and optimizing network traffic. It includes support for various networking protocols, including IPv6, VLAN, different WiFi modes, firewall and different VPN protocols.
  • Network-attached storage (NAS): OpenWrt provides a convenient way to manage and access files from a variety of different NAS devices and can be easily configured to meet the specific needs of the user.
  • Embedded systems: OpenWrt is used on a wide range of embedded devices, such as Internet of Things (IoT) devices, smart TVs, connected sprinkler controllers, and other types of networking equipment. It is well-suited for embedded systems due to its lightweight design and customizability.
  • Virtual private network (VPN) servers: OpenWrt can be used to set up a VPN server, which allows users to securely connect to a private network over the internet. This can be useful for remote access to a network or for encrypting internet traffic.
  • Network traffic analysis: OpenWrt includes tools like tc that can be used to monitor and control traffic on the network, allowing users to set up rules and policies for managing traffic flow.
  • SSH tunneling: OpenWrt includes support for the Secure Shell (SSH) protocol, which can be used to securely connect to a device over a network. This can be useful for remotely accessing a device or for creating a secure connection between two devices. OpenWrt also includes tools such as autossh that can be used to set up an SSH tunnel, which allows users to securely forward traffic between two devices.
  • Guest network: OpenWrt includes support for creating a separate, isolated network for guest users. This can be useful for providing Internet access to guests while still keeping the main network secure. OpenWrt includes tools such as hostapd and dnsmasq that allow users to easily configure and manage the network.

OpenWrt Alternatives

 


OpenWrt vs. DD-WRT

DD-WRT and OpenWrt are both open-source operating systems for embedded devices, but there are a number of differences between the two:

  • Origins: DD-WRT was originally developed as a third-party firmware for Linksys routers, while OpenWrt was developed as a general-purpose operating system for embedded devices.
  • Supported devices: DD-WRT is primarily intended for use on routers and is supported on a limited number of devices. OpenWrt, on the other hand, is designed to be used on a wide range of embedded and IoT devices, from routers, access points, and network-attached storage devices to irrigation controllers.
  • Customization: Both DD-WRT and OpenWrt are highly customizable, but OpenWrt is generally considered to be more flexible and configurable, with a larger range of available packages and features.
  • User interface: DD-WRT includes a web-based interface and standard Linux commands for configuration and management. OpenWrt also includes its own CLI utility.
  • Development model: DD-WRT is developed and maintained by a commercial company, while OpenWrt is developed and maintained by a community of volunteers.

 


OpenWrt vs. pfSense

pfSense is a free and open-source firewall and router platform based on the FreeBSD operating system. Here are some of the main differences between OpenWrt and pfSense:

  • Purpose: OpenWrt is a general-purpose operating system for embedded devices, while pfSense is specifically designed as a firewall and router platform.
  • Supported devices: OpenWrt is designed to be used on a wide range of embedded devices, including routers, access points, and network-attached storage devices. pfSense, on the other hand, is primarily intended for use on firewall and router devices.
  • Features: Both OpenWrt and pfSense include a range of networking and security features, but pfSense is generally considered to be more comprehensive and feature-rich, with a focus on providing advanced firewall and routing capabilities.
  • User interface: pfSense includes a web-based interface and standard Linux commands for configuration and management. OpenWrt also includes its own command-line interface utility.
  • Development model: OpenWrt is developed and maintained by a community of volunteers, while pfSense is developed and maintained by a commercial company.

 


OpenWrt vs. OPNsense

OPNsense and OpenWrt are both open-source operating systems that are designed to run on networking devices such as routers. However, there are some key differences between the two:

  • Customization: OpenWrt is a general-purpose operating system that is designed to be flexible and customizable. It provides full control over the network, but requires effort to configure and maintain devices. OPNsense is a security-focused operating system that is easier to use and manage but less customizable.
  • Architecture and design: OpenWrt is based on the Linux kernel and uses a package-based system, which allows users to easily install and manage the software on their devices. OPNsense, on the other hand, is based on FreeBSD and uses a plugin-based architecture, which allows users to easily extend the functionality of the operating system.

OpenWrt Challenges

OpenWrt is a go-to option for many IoT device manufacturers. And yet, using it also presents several challenges, particularly regarding security and observability. These include:

  • Software Supply Chain Security: Most applications developed for OpenWrt take advantage of some (in some cases many) 3rd-party software libraries, commonly using them for Bluetooth connectivity, communication, encryption, and other basic functions. Such OS/3rd-party tools help accelerate development and provide a lot of value. On the other hand, from the security point of view, they also represent a soft spot, with Gartner predicting that 45% of all organizations will experience a supply chain attack by 2025.
  • Cost of Security Patching: The above-mentioned dependence on 3rd-party components and new security issues discovered post-deployment require constant firmware updates. However, deploying these can be difficult and costly, especially for large geo-distributed fleets or intermittently connected devices. Depending on the size of the fleet and the rate of updates, the direct and indirect costs of patching could easily blow up into millions of dollars per year while also acting as a constant source of disruption for the product team(s).
  • “Black Box” Effect: Lack of live remote visibility is a common issue for most IoT devices, and OpenWrt is no exception. The core of this issue maps back to the absence of built-in and flexible monitoring options and, most importantly, the lack of specialized end-to-end solutions that would close the gap. As a result, many devices become “black boxes” almost as soon as they are shipped out. This makes it harder, and often completely impossible, to detect emerging issues or remotely troubleshoot problems proactively. This also hinders the ability to collect business metrics from the device: information about usage, activity, and performance that would inform future design choices and help drive business growth.

Free OpenWrt Security with Sternum

Sternum is a full-stack IoT platform offering a wide range of security and observability solutions for RTOS and Linux systems, including OpenWrt. These include:

  • Agentless Runtime Protection: Patented EIV™ (embedded integrity verification) technology embeds into the firmware to deterministically prevent all code and memory attack attempts, with less than 3% overhead.

  • Continuous Monitoring: Cloud platform uses a proprietary Observability SDK to collect and display granular device-level data and macro fleet trends, offering ready access to live and historical data, AI-powered anomaly detection, log management, remote debugging tools, and more.
  • Threat Detection: XDR-like threat intelligence, triaging data from mitigated attacks with device-level telemetry and AI insights to alert about ongoing assaults, logical vulnerabilities (brute force, DDoS, etc.), emerging threats, malicious behavior, security blindspots, and suspicious activities.

As a special offer for OpenWrt users, our platform offers a free OpenWrt security license that allows you to connect up to 3 devices and use Sternum for free, with no time limit or any other strings attached.

For more information, check out this video below to see how you can:

1. Deploy Sternum on your OpenWrt device within just a few minutes.
2. Use our included Attack Simulation kit to test EIV against some security threats.

 
