I’ve been asked a few times now for my recommended DD-WRT settings, or at least my good-enough settings. I think that’s a great idea, so I’ll walk through how I configure a DD-WRT router. Follow these steps and I can almost guarantee you’ll have the most secure network on your block.
For the purposes of this tutorial, I am going to assume you are configuring DD-WRT as your primary router.
Who am I?
I was a security-minded sysadmin for about a decade, and since 2009 I’ve been securing computers and networks for a living. Over the years I’ve worked with a lot of very talented people.
If I learned one thing from those guys, it’s that securing Wi-Fi isn’t all that difficult, yet all too few people bother. You can do it in 5-10 minutes, and of course I recommend that you do.
Yes, believe it or not, there’s an important security-related setting right there on the first tab when you log into your router.
Change the network
Most routers get infected by jumping off a web browser, and that malware assumes your router lives at 192.168.0.1 or 192.168.1.1. So if you move to a less common network range, the malware never gets a chance to accomplish anything. Instead, it sits on your system, doing no harm, until you close your browser or reboot. For an extra point, put your router somewhere other than .1 or .254. In the image above, I have the router set to 192.168.5.4.
Since detecting router malware is next to impossible, you need to do these simple things to prevent it.
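To sanity-check an address plan before you type it into the router, here is a small script added as an example (it is not part of DD-WRT). The function name and the /24 default netmask are assumptions; the rules it checks are the ones from the paragraph above.

```python
import ipaddress

# Private ranges defined by RFC 1918; a home LAN should sit inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The two ranges the article says router malware assumes.
COMMON_DEFAULTS = [ipaddress.ip_network("192.168.0.0/24"),
                   ipaddress.ip_network("192.168.1.0/24")]
# Host parts the article suggests avoiding for the router itself.
PREDICTABLE_HOSTS = {1, 254}


def review_lan_address(router_ip, netmask="255.255.255.0"):
    """Return a list of findings for a planned router address (empty list = OK)."""
    findings = []
    iface = ipaddress.ip_interface(f"{router_ip}/{netmask}")
    addr, net = iface.ip, iface.network
    if not any(addr in n for n in RFC1918):
        findings.append("not inside an RFC 1918 private range")
    if addr in (net.network_address, net.broadcast_address):
        findings.append("network/broadcast address cannot be the router address")
    if any(net.overlaps(d) for d in COMMON_DEFAULTS):
        findings.append(f"{net} overlaps a commonly assumed default range")
    last_octet = int(addr) & 0xFF
    if last_octet in PREDICTABLE_HOSTS:
        findings.append(f"router sits at .{last_octet}, a predictable address")
    return findings


if __name__ == "__main__":
    # 192.168.5.4 is the address used in this article; the others are constructed.
    for candidate in ("192.168.5.4", "192.168.1.1", "10.20.30.254"):
        print(candidate, review_lan_address(candidate) or "OK")
```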
I also recommend changing your local DNS to something other than the router itself and something other than your ISP’s DNS. Finding one to use is another post. In your DHCP settings on the same screen about two sections down, under DNS, specify three fast, reliable servers from three different companies. One of them can be the same as what you use for local DNS.
You’ll spend more time in this tab than you will anywhere else.
Resist the temptation to get cute, and don’t put anything personally identifiable in as your SSID. Set it to a meaningless number, like the time of day, or the house number of a house you used to live in.
Disabling SSID broadcast really does nothing to improve your security–if anything, it makes it worse–and it makes it harder for you to put devices on your network, so leave it enabled. The SSID is still in your network packets even if you disable broadcast, so if you disable broadcast, all you’re really doing is signalling to a drive-by hacker that you’re trying to hide, and instead you end up calling unnecessary attention to yourself.
Enable WPA2-Personal with AES
If you want acceptable security, WPA2-Personal with AES is the only setting you can use. If you want acceptable performance, WPA2-Personal with AES is the only thing you can use because the newer wireless standards (anything faster than 54 megabits) require it.
Weaker encryption is easier to break. Disable TKIP, which is there for backward compatibility with WPA. Don’t use anything less than WPA2 if you care about security.
WPA2 has lasted since 2004. Neither of its predecessors lasted more than six years because they were both hopelessly broken, relics of a far more innocent time.
As for AES, its details are guaranteed to put you to sleep, so suffice it to say that there may or may not be better cryptography out there, but for this application, it’s the best option we have.
I elaborate a bit more on why you should use WPA2 with AES here.
WPA Shared key
This is your wireless password. It can be up to 63 characters long. Make it no less than 12. Be careful when choosing it to make it something you can type on a mobile device, but use a mix of upper and lowercase letters, numbers and symbols.
If this is too short and too simple, someone can easily get on your network, or simply sit back and decrypt your network traffic without getting on. In the latter case, you’ll never know it’s happening.
Remember two things: The stronger your key, the stronger your encryption will be. And you don’t have to type the shared key very often.
This piece is literally the cornerstone of your security. Use a strong shared key and your network will be obsolete and replaced with something else before someone else can break into it. Use a weak one, and it might take less than a day to break in.
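The script below is an added example, not something DD-WRT ships. It checks a candidate shared key against the rules above, generates one that passes, and shows how WPA2-Personal turns the key and SSID into the actual 256-bit master key (PBKDF2-HMAC-SHA1, 4096 iterations). The function names and the symbol set chosen as easy to type on a phone are assumptions.

```python
import hashlib
import secrets
import string

# Assumed set of symbols that are easy to reach on a phone keyboard.
PHONE_FRIENDLY_SYMBOLS = "!#$%&*+-=?@"


def check_passphrase(passphrase):
    """Return a list of problems with a WPA2 shared key (empty list = OK)."""
    problems = []
    if len(passphrase) < 12:
        problems.append("shorter than 12 characters")
    if len(passphrase) > 63:
        problems.append("longer than 63 characters")
    classes = {
        "lowercase letter": string.ascii_lowercase,
        "uppercase letter": string.ascii_uppercase,
        "number": string.digits,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in passphrase):
            problems.append(f"no {name}")
    return problems


def generate_passphrase(length=20):
    """Generate a random key that satisfies check_passphrase()."""
    alphabet = string.ascii_letters + string.digits + PHONE_FRIENDLY_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


def derive_pmk(passphrase, ssid):
    """Derive the WPA2-Personal pairwise master key; the SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    print(check_passphrase("password"))  # a constructed weak key
    print(generate_passphrase())
```

Every session key on the network is derived from that master key, so a short or guessable passphrase undermines all the traffic it protects.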
What about WPS?
Many builds of DD-WRT don’t even implement WPS, which automatically makes it more secure than most other routers out there. There’s no need to disable what isn’t there, which is nice. On DD-WRT builds that did have it, it was disabled by default.
Enable the SPI firewall, of course. I think the firewalls on routers are vastly overrated but they are far better than nothing. If you’re interested in exploring DD-WRT’s firewall capabilities further, that’s a separate post.
Regarding the rest of the settings on this tab, there aren’t many of the filters you’ll want to use. Filtering cookies will give you additional privacy, though at the expense of convenience. You have to decide if it’s worth the trade-off, and keep in mind there are other ways to track you. If you have Flash installed and enabled in your web browser, turning cookies off may do more to inconvenience you than it does to stop people from tracking you. Filtering Java can be useful, as Java has many security vulnerabilities and this protects you if Java gets accidentally enabled in your browser. Filtering ActiveX sounds like a good idea, but one of the filetypes it blocks is .CAB, which can also be used for Windows updates. So I don’t recommend this setting. If you want to avoid ActiveX vulnerabilities, use Firefox or Chrome.
Under Block WAN Requests and Impede WAN/DoS Bruteforce, check all of the options.
Navigate to the Keep Alive tab and enable the option labeled “Schedule Reboot.” Rebooting once a week is usually sufficient. The day doesn’t matter–pick a time and day that nobody is likely to be awake. Router malware is memory-resident, so this flushes it out of memory. It also may help reliability, although I’ve found DD-WRT to be a lot more solid than what most router manufacturers ship.
Unless you know you need UPnP, click on the NAT/QoS tab, then click the UPnP tab and select “Disable” under UPnP Service. If you’re not sure, consider leaving it enabled for a few days, revisit this tab and see if anything is using it, and disable it if not. If you need it, you need it, but if you don’t need it, then that takes the urgency out of updating to a newer version of DD-WRT because of a vulnerability discovered in UPnP.
Setting up a guest network
You may not want all of your visitors putting who-knows-what on your network along with your devices, but fortunately, DD-WRT makes it possible to set up a second guest network, even on very inexpensive routers.
Go back to the Wireless tab, then to Basic Settings. Under the heading Virtual Interfaces, click Add. You can now provide the name of a second SSID. Click the Advanced checkbox, then click the AP Isolation option to give your guests better security from one another’s devices. Then click the Wireless Security tab and set up security settings for your guest network. Once again, use WPA2-Personal and AES and a long password, though you may opt not to make it quite as obnoxious as your regular one.
If you have very old devices that can only do WPA or WEP, such as some Nintendo handheld games, and plugging them into a wired jack isn’t an option, your best bet is to create a separate guest network for them with the reduced security settings. Set the Max Associated Clients as low as you possibly can–hopefully 1. Turn on MAC address filtering, which really doesn’t provide much extra security, but with WPA and WEP you need all you can get. Click the MAC Filter tab, then click the button labeled Use Filter, select Permit only clients listed to access the wireless network, and enter the MAC address of your old device. It’s still not very safe, but at least you can limit what an uninvited guest can get to.
Here’s more on guest networks if you’re interested.
Make a backup
Now that you’ve created all of these settings, back them up so that if anything happens to your router, you can easily restore them and have a good, working configuration in seconds. Click Administration, then click the Backup tab, then click the Backup button and specify a filename.
Reduce packet errors
Some routers work perfectly at this point, but if you notice packet errors, I’ve dealt with that topic in a separate post.
If your router has USB ports, here’s how to set it up to act as a print server. And here’s how I configure DD-WRT on a second router as an access point. And while I don’t recommend MAC address filtering for security, you can use it to force clients to use a 2.4 or 5 GHz network.
If you need a new or additional router, here’s how to find DD-WRT compatible routers.
I hope you’ve found this helpful. Please secure your router, and after you finish doing that, please share a link with your friends via social media like Facebook or Twitter, your own blog, or a relevant discussion group or forum. Thank you!