How secure are GLiNET devices?

Hi. I use an Archer C7 v5, always updated on the latest OpenWRT patches and packages.
My router has some limitations, and I’m considering an upgrade.

Security is my main concern. Are GLiNet devices patched/secured reasonably fast?
Not that I expect a state-sponsored attack on my rural home, but I like to abide by good security practices.

Thanks.

GL iNet routers are normally running older versions of OpenWrt. My AR750S-EXT which is still under support is running:

 OpenWrt 19.07.8, r11364-ef56c85848
1 Like

I flashed an old TL-W902AC with 22.03 last week. My Brume2 & Slate AX run 21.02. They’re very convenient if you are new to this sort of thing and I’m grateful to GLiNET for helping spark an interest, but eventually you learn how vulnerable IoT is & want to move on. They are not “OpenWRT” - endless routers run forks but don’t engage in the false advertising. If they offered a means of running true OpenWRT, or arranged an NDA for their devs to make them available then that would be fine but I am moving to a Pi CM4 to avoid the unreliability.

1 Like

Older models can use upstream OpenWrt if you like. The upstreaming process for newer models needs some time. On the other hand, we’re following OpenWrt upstream. Important security bug fixes will be ported.

1 Like

This is something I would like to see on the ATX1800 also. Emergency security updates should be released immediately and other security updates periodically. My MangoV2 has only had 2 updates made available through the GL.iNet web interface in the whole time I’ve owned it, but equally my home ISP router has received 0.

1 Like

You should really consider adding 0 new features until the stability & security of all non-EOL devices is assured, & the pace at which that’s maintained. If you offered stock then at least we have the ability to try and fix things ourselves, but currently that’s not possible. I haven’t been able to access Luci Interfaces whatsoever as I’m prompted with the nftables conversion, which breaks both the Slate AX & Brume2.

They’re all running 1.32.2 Tailscale that I’ve just realised is not only before the patch preventing expired keys to be used for tunneling if their server were to go down, but much worse. The DNS rebinding exploit from 4 months ago??? And this is in the latest beta update from a couple of weeks ago?? I’m guessing this is in the nightly build still? Totally unacceptable, and I’m clueless as to what will break if I update it myself.

2 Likes

That is worrying. What would you say to be the latest model which can be considered as secure?

In GLiNET’s defence, most of the exploits involved there are Windows related, which is why I hadn’t realised before. Exceptions being the more recent key expiry CVE - unlikely to ever be an issue outside of maybe enterprise use with former employees potentially still having access in certain circumstances.

The November PeerAPI DNS rebinding one however affects all platforms.
Security Bulletins · Tailscale
Looks like OpenWrt has the patched 1.32.3 which is safe. [OpenWrt Wiki] package: tailscale. If you’re thinking of buying GLiNET products… I don’t mean to be so harsh - I really want to like them. Your ISP router won’t guarantee security, and you’ll miss out on the extra features. I would just rather have less features & have them be better maintained. As that isn’t always the case I’d get a stock OpenWrt compatible device as hansome suggested, that way at least you have the option if you change your mind. With my Slate & Brume’s closed-source drivers I can’t do anything except return them - an option I’m not sure exists.
[OpenWrt Wiki] Table of Hardware

1 Like

I know nothing will guarantee security but a router that receives periodic updates is surely more secure than one which doesn’t?

Is there any particular device you can recommend? And does OpenWrt have a web interface like gl inet does? I only own a tablet so can’t flash things and do command line terminal stuff.

Edit: I’ve just checked here and this stuff seems unbelievably complicated so I’ve got no choice other than gl inet as they’re the only VPN router with a simple GUI. I’ll have to accept outdated security. My plan for purchasing changes every time I come on here so it’s probably best to just prepare for disappointment and buy whatever haha

As with many products, be prepared to be disappointed. I own several GL iNet routers, and although all are still supported, not one of them has received a released version of 4.x firmware, and they all are using OpenWrt 19.07 as the base firmware, which was declared End-of-Support in April 2022 and is no longer maintained or actively supported by OpenWRT. @alzhao in a post in early 2021 said that the 4.x firmware would be available by mid-2021, and I am still waiting for a released version for any of the routers I own. Since 19.07 is no longer actively supported, it is very hard to know if there are any current exploits in the firmware. Randomly, I have to reboot my travel routers, as they lock up from time to time.

Hardware wise, I have modified almost all my routers by adding a drop of epoxy to the micro-USB connector, as these connectors are known to shear off from normal use. This connector is only held to the circuit board with a small solder pad. Looking at both Amazon reviews and posts to this forum, people have had these connectors break while on travel, which should not happen on a device sold for travel.

My AR300M routers that I use as VPN servers have had to be modified, as I needed to support multiple VPN protocols, which is not a feature in pre 4.x firmware. This took hours of custom script writing and some interesting manual installation of some OpenWRT packages, but I now have small VPN servers running multiple VPN protocols on multiple ports, that reboot themselves daily, and have been very stable.

My general rule is not to purchase any GL iNet products that have not been on the market for at least a year, and to only purchase products that have a released version of OpenWRT (not just a snapshot version). Products that have a released version of OpenWRT just seem to work better for me.

Do I use their products? Yes. Why? Because so far, I have not found anything better, but my newest product from them is an AR750S-EXT, and this probably will not change for some time.

1 Like
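The two checks the posts above describe, confirming that the base OpenWrt branch is still supported and that the installed Tailscale package is at or past the patched 1.32.3, as an added shell example (not code from this thread, GL.iNet or OpenWrt). It assumes the standard /etc/openwrt_release layout (a DISTRIB_RELEASE='x.y.z' line) and the "name - version" output of `opkg list-installed`, parses constructed sample text so it runs offline, and takes both the 19.07 end-of-support status and the 1.32.3 threshold from the posts above rather than verifying them independently.

```shell
#!/bin/sh
# Added example, not code from the thread or from GL.iNet/OpenWrt.
# Audits an OpenWrt-based router for two problems raised in the thread:
# a base release OpenWrt no longer supports, and a Tailscale package older
# than the first patched version. Assumptions: /etc/openwrt_release carries a
# DISTRIB_RELEASE='x.y.z' line and `opkg list-installed` prints
# "name - version". The inputs at the bottom are constructed samples so the
# script runs offline; 19.07 EOL and the 1.32.3 threshold come from the thread.

EOL_BRANCHES="19.07"      # extend as further branches reach end of support
MIN_TAILSCALE="1.32.3"    # first release the thread names as patched

# Compare dotted versions numerically; prints -1, 0 or 1 for a<b, a=b, a>b.
# Non-numeric tails such as the "-1" opkg revision are ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah=$(printf '%s' "$ah" | sed 's/[^0-9].*//'); ah="${ah:-0}"
        bh=$(printf '%s' "$bh" | sed 's/[^0-9].*//'); bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# "19.07.8" -> "19.07"
branch_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

# Extract DISTRIB_RELEASE from openwrt_release-style text on stdin.
release_from_file() { sed -n "s/^DISTRIB_RELEASE='\([^']*\)'.*/\1/p"; }

# Extract one package's version from opkg list-installed text on stdin.
pkg_version() { awk -v pkg="$1" '$1 == pkg && $2 == "-" { print $3 }'; }

# True when the release's x.y branch is in EOL_BRANCHES.
base_is_eol() {
    br=$(branch_of "$1")
    for e in $EOL_BRANCHES; do [ "$br" = "$e" ] && return 0; done
    return 1
}

# True when the installed version is below the minimum patched one.
needs_update() { [ "$(vercmp "$1" "$2")" = "-1" ]; }

# Run both checks on release-file text and opkg text; returns 1 on findings.
audit() {
    rel=$(printf '%s\n' "$1" | release_from_file)
    ts=$(printf '%s\n' "$2" | pkg_version tailscale)
    status=0
    if base_is_eol "$rel"; then
        echo "base OpenWrt $rel is end of support"; status=1
    fi
    if [ -n "$ts" ] && needs_update "$ts" "$MIN_TAILSCALE"; then
        echo "tailscale $ts is older than patched $MIN_TAILSCALE"; status=1
    fi
    return $status
}

# Constructed sample inputs mirroring the AR750S-EXT and Tailscale posts.
SAMPLE_RELEASE="DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.8'
DISTRIB_REVISION='r11364-ef56c85848'"
SAMPLE_OPKG="luci - git-22.083.69138-0a0ce2a
tailscale - 1.32.2-1"

# On a real router: audit "$(cat /etc/openwrt_release)" "$(opkg list-installed)"
if audit "$SAMPLE_RELEASE" "$SAMPLE_OPKG"; then
    echo "no findings"
else
    echo "router needs attention"
fi
```

Run it over ssh on the router itself, or feed it the two files copied off the device; the EOL list and the minimum package version are the two lines to keep current as OpenWrt retires branches and Tailscale issues further fixes.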

Thanks for getting back to me. I’m thinking of getting the AX1800 Flint, would you say it has been around for long enough to receive continual updates? My MangoV2 is still on 3.215

I mean… this is a much more complicated question, even if you don’t necessarily realize it. Some layers:

  1. Actual GL.iNet software - i.e., all of the stuff that GL.iNet has written themselves and the security defaults / bugs / what not thereof. None of this has been audited, as far as I’m aware, and there have been certain… issues… that might cause a reasonable person to question the general security defaults that are in place.

  2. OS-level patches in stock firmware. Few if any GL.iNet devices are updated with the latest greatest OpenWrt under the hood - and most aren’t even up-to-date on the latest builds of packages within their own firmware group. On one hand this sounds bad, but in reality it’s kind of par for the course for a lot of router setups. Remember that in the enterprise space taking down a router is a really big deal - you don’t want to do it unless you really have to. One of my biggest criticisms of a distribution like OPNsense is that they actually issue updates too frequently. I don’t want to have to reboot my stuff every two weeks to apply updates, especially if I’ve done a decent job of securing the rest of the stack. If there’s something critical, sure… but…

  3. Running stock OpenWrt. In some cases you can run stock OpenWrt on a GL.iNet router, and then you can just update to your hearts content. If you want to. But there are costs associated with that, and it doesn’t necessarily improve your security posture.

  4. Do you actually have everything else locked down like you’re supposed to, which kind of doesn’t have anything to do with GL.iNet’s devices proper? Certainly running stock firmware is one of those things that opens up a lot of additional attack vectors.

If you’re really serious about security, an OpenWrt product is … maybe not what you ought to be looking at in general. If you are looking at an OpenWrt product and you’re really serious, I would recommend building your own firmware, from stock, and only including what you absolutely need, then making sure you’ve got a good environment set up to maintain all of that.

But honestly, I think that’s a bridge too far for most people. Make sensible security choices and do your best. Some choices are better than others, but in the consumer router space you’re probably not going to find somebody who is superior to everyone else (though you’ll find lots of choices who are inferior to the good players).

2 Likes

As OpenWRT has not released firmware for the AX1800, it’s too early for me to buy one. The only new GL iNet router to even have an OpenWRT snapshot build looks like the GL-A1300.

Thanks all for the replies.

I trust the stock OpenWRT on my Archer C7 V5 to be much safer than most consumer routers, given their constant updates and open source nature with lots of participants, and I don’t have suspicions that warrant compiling my own firmware from code.

It seems like GLiNet routers are ideal for travel, but not what I’m looking for in terms of home security.

1 Like

What would be worth looking at?

So what do you plan to use?

pfSense and OPNsense would both be better choices, IMO. Even something from Ubiquiti would probably be better and certainly more polished than relying on stock OpenWrt builds.

Basically you can make OpenWrt work in a semi-secure way, but it requires a lot of upkeep on your own time (building, updating, etc.). There’s not a single team that’s really charged with overall experience and/or product, so what you get is kind of what you get.

2 Likes

I’m not sure if doom and gloom are all that productive in today’s technology environment.

Instead of router OSes, we could substitute desktop OSes and ask how secure Ubuntu is.

Ubuntu is always updated and has a thriving community. And… it’s not even close to zero bugs.

I do giggle somewhat at the personal security convos, but a quick glance at BleepingComputer shows how well many very well funded security teams are holding up in the same environment (i.e. on Internet 1.0).

If we were to change the conversation to smartphones directly connected to the Internet (LTE, 5G NR, etc) with no form of security and with an always-on connection, we could laugh at that glaring oversight in security, since you may in fact connect that to your internal LAN over wifi and bypass any/all firewall security from your router.

I agree with the input that less is more and lean has always been cool. The more you learn about the Internet, the more a population of 5.5 billion people is not very smart digital hygiene with always-on-connections.

I enjoyed the Internet in the 90’s when the “whole population” online was under 20 million worldwide. Fast-forward to 2023 with over 5 billion users worldwide and the difference is more than obvious.

There is more chatter of Internet 2.0, 3.0, 4.0, etc, but a population rebalance already seems like an obvious innovation. 2023 may be that year Internet 1.0 and all of its baggage gets left behind.

I’m sure network appliance vendors like GL.Inet will continue to thrive with all of the new innovation on the horizon.

3 Likes

I’ve just checked Amazon and you can’t get a pfsense or opnsense router for under £200 so I’ll have to stick with the gl inet bodges.

Thrive and produce good products are two different things though, most companies think having a wider range of products shows evidence of thriving whereas in reality they make more and more devices with no care toward maintaining them or even ensuring quality of performance. I wish I was young enough to have enjoyed the freedom of 90s internet, my earliest spectrum of digital time was the early 2000s with MSN messenger and Limewire lol.

We didn’t have disposable hardware and abandoned devices until 2008-ish with the advent of smartphones.

Being introduced to technology in that kind of environment was nothing like the information superhighway. I still see that fad as technology pollution, now that Internet 1.0 has billions of outdated devices that did not exist prior to 2008 and will never see another update again, ensuring a polluted environment for everyone connected to it.

Internet 2.0 is already a breath of fresh air as far as technology pollution is concerned.

1 Like