My home DD-WRT configuration for privacy, security, and performance. Documenting mostly so I can remember my preferred settings whenever I update/reset the router.
All settings are kept as default unless otherwise noted below. Sensitive information is annotated with "{REDACTED}".
- Configure via ProtonVPN API per my blog.
- Ignore WAN DNS:
☑
Route DNS to private network reserved IPs to ensure ISP's DNS servers are not used. Dnsmasq is used to configure preferred DNS servers.
- Start IP Address: 192.168.1.64
- Maximum DHCP Users: 64
- Static DNS 1:
10.0.0.0 - Static DNS 2:
10.0.0.1 - Static DNS 3:
10.0.0.2 - Use DNSMasq for DNS:
☑ - DHCP-Authoritative:
☑ - Recursive DNS Resolving (Unbound):
☐ - Forced DNS Redirection:
☑
- Time Zone:
US/Central - Server IP/Name:
pool.ntp.org
TBD
Use guidance from here.
Since many streaming services (e.g., Netflix) block VPNs, assign a static lease to the TV so that it can bypass OpenVPN client via policy-based routing.
Static Leases
| MAC Address | Hostname | IP Address | Client Lease Expiration |
|---|---|---|---|
| {REDACTED} | tv | 192.168.1.63 |
- No DNS Rebind:
☑ - Query DNS in Strict Order:
☑ - Maximum Cached Entries:
10000
Additional Dnsmasq Options
# Block Comcast WPAD / DNS
address=/comcast.net/
# Block non-domain lookups.
domain-needed
# Override default synchronous logging which blocks subsequent requests.
log-async=5
# https://github.com/collinbarrett/dd-wrt/issues/1
neg-ttl=300
# Use fastest response from any upstream.
all-servers
# Use nextdns.io for DNS.
no-resolv
bogus-priv
server=45.90.30.0
server=45.90.28.0
add-cpe-id={REDACTED}
Configure using the latest guidance from ProtonVPN except for customizations below.
- Server IP/Name:
us.protonvpn.com - Port:
443
Additional Config
...
# Route DNS requests from dnsmasq through OpenVPN client.
route 45.90.30.0 255.255.255.255
route 45.90.28.0 255.255.255.255
Policy-Based Routing
Note: DON'T prefix with comment. In build 46446 and later you can disable PBR by placing a # as the first character in the PBR field, this functions as an on/off switch.
192.168.1.64/26
- SPI Firewall:
Enable
- Filter Proxy:
☑ - Filter Cookies:
☑ - Filter Java Applets:
☑ - Filter ActiveX:
☑ - Filter TOS/DSCP:
☑ - ARP Spoofing Protection:
☑
- Block Anonymous WAN Requests (ping):
☑ - Filter Multicast:
☑ - Filter WAN NAT Redirection:
☑ - Filter IDENT (Port 113):
☑ - Block WAN SNMP access:
☑
- Limit SSH Access:
☑ - Limit Telnet Access:
☑ - Limit PPTP Server Access:
☑ - Limit FTP Server Access:
☑
- IPSec Passthrough:
Disable - PPTP Passthrough:
Disable - L2TP Passthrough:
Disable
If WAN connectivity is lost (either VPN or ISP connection break), reboot the router. If it is an ISP issue, this likely will not help. If the VPN server I was connected to goes down, rebooting the router will re-connect to a new server.
- Enable Watchdog:
Enable - Interval (in seconds):
60 - IP Addresses:
1.1.1.1
# Start Entware.
# https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware
sleep 25
/opt/etc/init.d/rc.unslung start
LAN_IP=`nvram get lan_ipaddr`
WAN_IF=`nvram get wan_iface`
# -I w/o specified rulenum => specify in reverse priority
# block non-VPN requests
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
# allow TV to bypass VPN
iptables -I FORWARD -i br0 -s 192.168.1.63 -o $WAN_IF -j ACCEPT
# block non-VPN DNS requests
# TODO: https://github.com/collinbarrett/dd-wrt/issues/3
# iptables -I FORWARD -o $WAN_IF -p tcp --dport 53 -j REJECT --reject-with tcp-reset
# iptables -I FORWARD -o $WAN_IF -p udp --dport 53 -j REJECT --reject-with udp-reset
# iptables -I OUTPUT -o $WAN_IF -p tcp --dport 53 -j REJECT --reject-with tcp-reset
# iptables -I OUTPUT -o $WAN_IF -p udp --dport 53 -j REJECT --reject-with udp-reset
# redirect DNS requests to dnsmasq
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $LAN_IP
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $LAN_IP