My home DD-WRT configuration for privacy, security, and performance. Documenting mostly so I can remember my preferred settings whenever I update/reset the router.
All settings are kept as default unless otherwise noted below. Sensitive information is annotated with "{REDACTED}".
- Connection Type:
Automatic Configuration - DHCP
- Ignore WAN DNS:
☑
- Router Name:
Area 51
- Hostname:
Area 51
- Domain Name:
Leave Blank
- MTU:
Auto
- Shortcut Forwarding Engine:
☑
- STP:
☐
- Local IP Address:
192.168.{REDACTED}.{REDACTED}
(Change your Local IP Address for obscurity)
- Gateway:
0.0.0.0
- Local DNS:
0.0.0.0
DNS is pointed at private (RFC 1918) reserved addresses so the ISP's DNS servers are never used; the preferred upstream servers are configured in the Dnsmasq options instead.
- DHCP Type:
DHCP Server
- DHCP Server:
☑
- Start IP Address:
192.168.{REDACTED}.64
- Maximum DHCP Users:
64
- Static DNS 1:
10.0.0.0
- Static DNS 2:
10.0.0.1
- Static DNS 3:
10.0.0.2
- WINS:
0.0.0.0
- Use dnsmasq for DNS:
☑
- DHCP-Authoritative:
☑
- Recursive DNS Resolving (Unbound):
☐
- Forced DNS Redirection:
☑
- Forced DNS Redirection DoT:
☐
- Enable Client:
☑
- Time Zone:
US/Eastern
- Server IP / Name:
Leave Blank
- Update Interval:
3600 seconds
(Default: 3600, Range: 3600 - 604800)
- Enable IPv6:
☑
- Type:
DHCPv6 with Prefix Delegation
- Prefix Length:
64
- Static DNS 1:
{REDACTED}
- Static DNS 2:
{REDACTED}
- MTU:
1452
- No Release on Reconnect:
☐
- Custom Configuration:
☐
- Enable Daemon:
☐
- Enable Daemon:
☐
- Enable Service:
N/A (Haven't set this up yet)
- Clone WAN MAC:
☐
Tunnels is used for the WireGuard setup. If you need it for Mullvad VPN or IVPN, follow their guides.
TBD
Use guidance from here.
Since many streaming services (e.g., Netflix) block VPNs, assign a static lease to the TV so that it can bypass OpenVPN client via policy-based routing.
Static Leases

MAC Address | Hostname | IP Address | Client Lease Expiration
---|---|---|---
{REDACTED} | tv | 192.168.{REDACTED}.{REDACTED} | 
- Enable dnsmasq:
☑
- Cache DNSSEC Data:
☑
- RFC4039 Rapid Commit Support:
☑
- Maximum Cached Entries:
1500
Additional Dnsmasq Options

```
address=/comcast.net/
domain-needed
log-async=5
neg-ttl=300
all-servers
no-resolv
no-negcache
bogus-priv
server={REDACTED}
server={REDACTED}
server={REDACTED}
server={REDACTED}
add-cpe-id={REDACTED}
local=/rover2155.local/
expand-hosts
dhcp-range=::1000,::FFFF,constructor:br0,ra-stateless,ra-names,12h
ra-param=br0,10,300
enable-ra
```
- Configure using the OpenVPN latest guidance from Mullvad VPN except for customizations below.
- Configure using the WireGuard on Mullvad VPN latest guidance from FlashRouters except for customizations below.
Additional Config

```
...
# Route DNS requests from dnsmasq through OpenVPN client.
route 1.1.1.3 255.255.255.255
route 1.0.0.3 255.255.255.255
```

Policy-Based Routing

Note: DON'T prefix the PBR field with a comment character. In build 46446 and later, a # as the first character of the PBR field disables PBR, so it works as an on/off switch.

192.168.1.64/26
- SPI Firewall:
Enable
- Filter Proxy:
☑
- Filter Cookies:
☑
- Filter Java Applets:
☑
- Filter ActiveX:
☑
- Filter TOS/DSCP:
☑
- ARP Spoofing Protection:
☑
- Block Anonymous WAN Requests (ping):
☑
- Filter Multicast:
☑
- Filter WAN NAT Redirection:
☑
- Filter IDENT (Port 113):
☑
- Block WAN SNMP access:
☑
- Limit SSH Access:
☑
- Limit Telnet Access:
☑
- Limit PPTP Server Access:
☑
- Limit FTP Server Access:
☑
- Connection Warning Notifier:
(Add your email server for email notifications)
- Firewall Log:
☑
- Log Level:
Medium
- Dropped:
☑
- Rejected:
☑
- Accepted:
☑
- IPSec Passthrough:
Disable
- PPTP Passthrough:
Disable
- L2TP Passthrough:
Disable
- Enable Schedule:
☑
- At a Set Time:
06:00 Sunday (Sunday is the perfect time because it is right before the new week starts and it's a church day.)
If WAN connectivity is lost (either the VPN or the ISP connection breaks), reboot the router. If it is an ISP issue, this likely will not help; if the VPN server I was connected to goes down, rebooting the router reconnects to a new server.
- Enable Watchdog:
Enable
- Interval (in seconds):
60
- IP Addresses:
1.1.1.1
```sh
LAN_IP=`nvram get lan_ipaddr`
WAN_IF=`nvram get wan_iface`
# -I without a rule number inserts at the top of the chain, so the rules below
# take effect in reverse order: the last -I ends up first and wins on first match.
# block non-VPN requests (anything from the LAN leaving via the raw WAN interface)
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# there is no "udp-reset" reject type; answer UDP with ICMP port-unreachable instead
iptables -I FORWARD -i br0 -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable
# allow TV to bypass VPN (inserted last, so it sits above the REJECT rules)
iptables -I FORWARD -i br0 -s 192.168.1.63 -o "$WAN_IF" -j ACCEPT
# block non-VPN DNS requests
# TODO: https://github.com/collinbarrett/dd-wrt/issues/3
# iptables -I FORWARD -o "$WAN_IF" -p tcp --dport 53 -j REJECT --reject-with tcp-reset
# iptables -I FORWARD -o "$WAN_IF" -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
# iptables -I OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j REJECT --reject-with tcp-reset
# iptables -I OUTPUT -o "$WAN_IF" -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
# redirect DNS requests to dnsmasq (LAN clients cannot reach outside resolvers directly)
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$LAN_IP"
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$LAN_IP"
```
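The firewall script relies on two things that are easy to get wrong when rules are edited later: iptables -I puts each rule at the head of the chain, so the TV's ACCEPT exception must end up above the LAN-to-WAN REJECT rules (first match wins), and the nat PREROUTING DNAT has to exist for both TCP and UDP port 53. The following POSIX sh audit is an added example, not part of the original configuration: it checks both properties in an iptables-save dump. The WAN interface name eth0, the LAN IP 192.168.1.1 and the sample dump are assumptions constructed for the example; the TV address 192.168.1.63 is the one used in the script above.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the kill switch and the forced
# DNS redirection that the DD-WRT firewall script is meant to establish.
# WAN_IF, LAN_IP and TV_IP are assumed defaults; override them from nvram on the router.
WAN_IF="${WAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.1}"
TV_IP="${TV_IP:-192.168.1.63}"

# Constructed sample of what `iptables-save` prints after the script has run
# (rules inserted with -I appear in reverse order of insertion).
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.63/32 -i br0 -o eth0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth0 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o eth0 -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Position (1-based) of the first FORWARD rule matching an extended regex; empty if none.
# $1 = dump text, $2 = pattern (passed with -e because rule text starts with "-").
forward_rule_pos() {
  printf '%s\n' "$1" | grep -E '^-A FORWARD ' | grep -nE -e "$2" | head -n 1 | cut -d: -f1
}

# Kill switch holds when the catch-all LAN->WAN REJECT exists and the TV's
# ACCEPT exception is listed before it (earlier rules win).
killswitch_ok() {
  dump="$1"
  tv=$(forward_rule_pos "$dump" "-s $TV_IP/32 .* -o $WAN_IF -j ACCEPT")
  rej=$(forward_rule_pos "$dump" "-i br0 -o $WAN_IF -j REJECT")
  [ "${rej:-0}" -gt 0 ] || return 1
  [ "${tv:-0}" -gt 0 ] || return 1
  [ "$tv" -lt "$rej" ]
}

# Forced DNS redirection holds when both TCP and UDP port 53 from the LAN are
# DNATed to the router's own address (so clients cannot bypass dnsmasq).
dns_redirect_ok() {
  dump="$1"
  for proto in tcp udp; do
    printf '%s\n' "$dump" \
      | grep -qE -e "^-A PREROUTING -i br0 -p $proto .*--dport 53 -j DNAT --to-destination $LAN_IP\$" \
      || return 1
  done
  return 0
}

# Print a verdict per check; exit status 0 only if every check passes.
audit() {
  dump="$1"
  status=0
  if killswitch_ok "$dump"; then
    echo "OK   kill switch: TV exception precedes the LAN->$WAN_IF REJECT rules"
  else
    echo "FAIL kill switch: missing, or the TV ACCEPT sits below the REJECT rules"
    status=1
  fi
  if dns_redirect_ok "$dump"; then
    echo "OK   forced DNS: LAN port-53 traffic is DNATed to $LAN_IP"
  else
    echo "FAIL forced DNS: no DNAT of LAN port-53 traffic to $LAN_IP"
    status=1
  fi
  return $status
}

audit "$SAMPLE"
```

On the router, replace the final line with `audit "$(iptables-save)"` and set `WAN_IF=$(nvram get wan_iface)` and `LAN_IP=$(nvram get lan_ipaddr)` before running it. A dump where the TV ACCEPT was added with -A instead of -I lands below the REJECT rules and fails the first check, which is exactly the case the script's reverse-priority comment warns about.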