
How to Harden Your Home Router for Privacy and Security

Step-by-step guide to hardening your home router: change defaults, disable WPS, enable DNS encryption, segment networks, and block telemetry.


Why Your Router Is a Privacy Risk

Your router is the single point through which all your internet traffic flows. A poorly configured router leaks DNS queries, exposes management interfaces to the internet, broadcasts identifying information via its SSID, and may run outdated firmware with unpatched vulnerabilities. ISP-provided routers are often the worst offenders, collecting telemetry and providing the ISP with visibility into your network activity.

Hardening your router takes less than an hour and significantly reduces your attack surface and exposure to passive surveillance.

Step 1: Replace ISP Router Firmware or Hardware

ISP-provided routers (“gateway” devices) typically cannot be fully configured and often send data back to the ISP. If your ISP allows it, put their modem in bridge mode (turns off the ISP router’s NAT and routing) and use your own router running open-source firmware.

OpenWrt

OpenWrt is the gold standard for home router firmware. It is an open-source Linux distribution for routers, supports virtually every privacy and security feature you could want, and runs on hundreds of devices including many TP-Link, Netgear, and GL.iNet models.

Check device compatibility at openwrt.org/toh/start before purchasing hardware. GL.iNet routers ship with OpenWrt-based firmware out of the box and are a good entry point.

OPNsense / pfSense

For full-featured firewall and routing, OPNsense (preferred over pfSense due to its open development model) running on a mini-PC (e.g., Protectli Vault or Minisforum with 2+ NICs) gives you enterprise-grade control. This is the option for users who want VLAN segmentation, IDS/IPS (via Suricata), and granular firewall rules.

Step 2: Change Default Credentials

This seems obvious, but it is still the most commonly skipped step.

  1. Log into your router’s admin panel (typically 192.168.1.1 or 192.168.0.1)
  2. Change the admin username from “admin” to something non-default
  3. Set a strong, unique password (20+ characters, generated by Bitwarden or KeePassXC)
  4. If your router has a separate WiFi management password, change that too

Default router credentials are publicly documented for every model — any attacker on your network or who accesses your admin panel via a vulnerability can take over immediately with defaults.

Step 3: Update Firmware

Router manufacturers release firmware patches for known vulnerabilities. Most routers do not auto-update.

  • Log into the admin panel
  • Navigate to Administration → Firmware Update (exact path varies by brand)
  • Check for updates and apply them
  • Enable automatic updates if the option exists

On OpenWrt: run opkg update && opkg list-upgradable | cut -f1 -d' ' | xargs -r opkg upgrade in the SSH terminal (bare opkg upgrade needs package names), or use the LuCI web interface under System → Software. This upgrades installed packages only; a new OpenWrt release is flashed with sysupgrade (LuCI: System → Backup / Flash Firmware).

Step 4: Disable WPS (Wi-Fi Protected Setup)

WPS has well-documented weaknesses in its PIN method (notably the Pixie Dust attack) that allow an attacker within WiFi range to recover the WPS PIN in minutes using tools like reaver or bully, then use it to access your network.

Disable WPS immediately. Look under Wireless → WPS or Advanced → WPS and turn it off. There is no legitimate reason to keep WPS enabled.

Step 5: Configure Encrypted DNS

Your router handles DNS for every device on your network. Configure it to use an encrypted DNS resolver so all devices benefit automatically.

On OpenWrt (using DNS-over-TLS with Unbound)

opkg update
opkg install unbound-daemon ca-bundle

Edit /etc/unbound/unbound.conf and add the following. The ca-bundle package supplies the CA file that Unbound needs to authenticate the upstream named after the # in each forward-addr; without tls-cert-bundle the TLS session cannot be verified:

server:
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net

Then restart Unbound:

/etc/init.d/unbound restart

Note that OpenWrt's unbound-daemon package generates unbound.conf from /etc/config/unbound unless manual_conf is enabled there. With the generated config, put the server: line in /etc/unbound/unbound_srv.conf and the forward-zone in /etc/unbound/unbound_ext.conf instead; both files are included automatically.

Set DHCP to push 192.168.1.1 (the router) as the DNS server for clients, then make sure clients cannot bypass it: add a firewall rule that redirects any port 53 traffic leaving the LAN back to the router, and reject outbound port 853 so devices with hard-coded DNS-over-TLS resolvers cannot use them instead.

On OPNsense

Go to Services → Unbound DNS → General → enable Unbound. Under DNS over TLS, add:

Server           Port   Hostname
9.9.9.9          853    dns.quad9.net
45.90.28.0       853    [your NextDNS profile].dns.nextdns.io

On Stock Firmware

Many consumer routers have a DNS field under WAN Settings or Internet Settings. Enter Quad9 (9.9.9.9, 149.112.112.112) or NextDNS addresses. Note that this sends queries unencrypted — better than ISP DNS but not ideal.

Step 6: Disable Remote Management

Remote management allows access to your router’s admin panel from the internet. Unless you specifically need this, disable it.

Look under Administration → Remote Management or Advanced → Remote Access. Set it to Disabled or ensure it only accepts connections on the LAN interface.

Also disable UPnP (Universal Plug and Play) — it allows devices on your network to open ports automatically without your approval, which is a significant attack vector. Find it under Advanced → UPnP and disable it.

Step 7: Create Network Segments (VLANs)

Network segmentation prevents compromised IoT devices from attacking your computers or accessing your NAS.

Recommended network segments:

VLAN          Devices                      Internet     Access other VLANs
Trusted       PCs, laptops, phones         Yes          All
IoT           Smart TVs, cameras, Alexa    Yes          None
Guest         Visitor devices              Yes          None
NAS/Server    Synology, home server        Controlled   Trusted only

On OPNsense: create VLANs under Interfaces → Other Types → VLAN, assign them interfaces, and create firewall rules blocking cross-VLAN traffic as needed.

On OpenWrt: VLANs are configured under Network → Switch or Network → Interfaces depending on your hardware.
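As an added example (not part of this guide), the OpenWrt firewall configuration that implements the IoT row of the table above together with the DNS enforcement from Step 5, written as a script of uci commands. It assumes an interface named iot already exists in /etc/config/network (for example on its own VLAN) and a wan zone as in the default firewall config; the section names and rule names are the example's own.

```shell
#!/bin/sh
# Added example (not from the guide): OpenWrt firewall config for an 'iot' zone
# that reaches the internet but not the trusted LAN, with plain DNS forced through
# the router and DNS-over-TLS blocked. Assumes an interface named 'iot' already
# exists in /etc/config/network. Usage: sh iot-zone.sh preview | apply
# Run 'uci set' for real in apply mode; otherwise print it for review.
uset() {
  if [ "${MODE:-preview}" = apply ]; then uci set "$1"; else printf "uci set '%s'\n" "$1"; fi
}
iot_zone_rules() {
  # Zone defaults reject input and forwarding; named sections keep the script idempotent.
  uset firewall.iot=zone
  uset firewall.iot.name=iot
  uset firewall.iot.network=iot
  uset firewall.iot.input=REJECT
  uset firewall.iot.output=ACCEPT
  uset firewall.iot.forward=REJECT
  # Only iot -> wan is forwarded; with no iot -> lan entry the trusted LAN and NAS are unreachable.
  uset firewall.iot_wan=forwarding
  uset firewall.iot_wan.src=iot
  uset firewall.iot_wan.dest=wan
  # The router itself still serves DHCP and DNS to the zone.
  uset firewall.iot_svc=rule
  uset firewall.iot_svc.name=Allow-IoT-DHCP-DNS
  uset firewall.iot_svc.src=iot
  uset "firewall.iot_svc.proto=tcp udp"
  uset "firewall.iot_svc.dest_port=53 67"
  uset firewall.iot_svc.target=ACCEPT
  # Port-53 queries aimed at any other resolver are redirected to the router
  # (a DNAT redirect with no dest_ip targets the router's own address).
  uset firewall.iot_dns=redirect
  uset firewall.iot_dns.name=Intercept-IoT-DNS
  uset firewall.iot_dns.src=iot
  uset firewall.iot_dns.src_dport=53
  uset "firewall.iot_dns.proto=tcp udp"
  uset firewall.iot_dns.target=DNAT
  # Refuse DNS-over-TLS so devices cannot sidestep the redirect (DNS-over-HTTPS
  # shares port 443 with normal web traffic and needs a DNS blocklist instead).
  uset firewall.iot_dot=rule
  uset firewall.iot_dot.name=Deny-IoT-DoT
  uset firewall.iot_dot.src=iot
  uset firewall.iot_dot.dest=wan
  uset firewall.iot_dot.dest_port=853
  uset "firewall.iot_dot.proto=tcp udp"
  uset firewall.iot_dot.target=REJECT
}
case "${1:-}" in
  preview) MODE=preview; iot_zone_rules ;;
  apply)   MODE=apply; iot_zone_rules && uci commit firewall && /etc/init.d/firewall restart ;;
esac
```

Run it with preview first and compare the printed commands against your existing /etc/config/firewall before applying.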

Step 8: Enable a Firewall and Block Telemetry

Block IoT Telemetry

Smart TVs and IoT devices phone home constantly. On your IoT VLAN, create firewall rules blocking outbound traffic to known telemetry domains. On OPNsense, use DNSBL (DNS Blocklist) with AdGuard or Steven Black’s hosts list to block trackers at the DNS level for the IoT segment.

Enable Stateful Firewall

Ensure your router’s firewall:

  • Blocks all unsolicited inbound connections on the WAN
  • Allows established and related connections through
  • Logs dropped packets (useful for identifying intrusion attempts)

On OPNsense: Firewall → Settings → Advanced → confirm “Disable Firewall” is unchecked.

Step 9: Harden WiFi Settings

  • Use WPA3 if all your devices support it. If not, WPA2-AES (not TKIP). Never use WEP or WPA.
  • Set a strong WiFi password (20+ random characters)
  • Disable SSID broadcast for your trusted network (minor security benefit, but reduces exposure; note that devices configured for a hidden network probe for it by name wherever they go)
  • Enable client isolation on the guest network to prevent guest devices from talking to each other
  • Use 5GHz band where possible — its shorter range reduces exposure outside your home
  • Disable 802.11r (Fast BSS Transition) unless you need seamless roaming — it has had vulnerabilities

Step 10: Review Connected Devices Regularly

Log into your router’s DHCP client table regularly and check every connected device. Unknown MAC addresses may indicate an unauthorized device on your network, though phones and laptops with MAC randomization enabled also show up under unfamiliar addresses, so check the hostname before acting.

On OpenWrt: cat /tmp/dhcp.leases via SSH shows all current DHCP leases; each line lists the lease expiry (Unix time), MAC address, IP, hostname (or * if none was sent), and client ID.

Block unknown MAC addresses and change your WiFi password if you find unauthorized devices.
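The lease review above, as an added example that is not part of this guide: a small audit script that compares /tmp/dhcp.leases against an allowlist of known MAC addresses. The allowlist format, its path, and the sample data are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): audit OpenWrt's /tmp/dhcp.leases against an
# allowlist of known MAC addresses and report every lease that is not on it.
# Allowlist format (assumed): one "<mac> <label>" per line, '#' comments allowed.
# Usage on the router:  sh lease-audit.sh /tmp/dhcp.leases /etc/known-macs.txt

# Print "<mac> <ip> <hostname> [random-mac?]" for each lease not in the allowlist.
# MACs are lower-cased on both sides so case differences never hide a device.
# A second hex digit of 2, 6, a or e marks a locally administered address, which
# on a home network is usually a phone or laptop using MAC randomization.
unknown_leases() {
  leases=$1; known=$2
  # dhcp.leases columns: expiry-epoch MAC IP hostname client-id
  awk -v known="$known" '
    FILENAME == known { if (NF && $1 !~ /^#/) seen[tolower($1)] = 1; next }
    !(tolower($2) in seen) {
      tag = (substr($2, 2, 1) ~ /[26aeAE]/) ? " random-mac?" : ""
      print tolower($2), $3, $4 tag
    }' "$known" "$leases"
}

# Constructed sample data so the audit can be tried away from the router.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/known" <<'EOF'
# mac               label
aa:bb:cc:00:00:01   laptop
AA:BB:CC:00:00:02   phone
EOF
  cat > "$tmp/leases" <<'EOF'
1700000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1700000100 aa:bb:cc:00:00:02 192.168.1.11 phone *
1700000200 d0:ad:be:ef:00:99 192.168.1.42 * 01:d0:ad:be:ef:00:99
1700000300 f2:11:22:33:44:55 192.168.1.57 android-guest *
EOF
  unknown_leases "$tmp/leases" "$tmp/known"
  rm -r "$tmp"
}

if [ $# -eq 2 ]; then unknown_leases "$1" "$2"; else demo; fi
```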

Summary

Router hardening is foundational to home network privacy. Replace ISP firmware with OpenWrt or OPNsense, disable WPS and UPnP, enable encrypted DNS (DoT to Quad9 or NextDNS), segment your network with VLANs to isolate IoT devices, and keep firmware updated. These steps protect every device on your network simultaneously, making router hardening among the highest-impact privacy improvements you can make.

#network hardening #DNS #firewall #home network privacy #router security