OpenWrt for Your Homelab: Full Router Control on Consumer Hardware
Consumer router firmware is designed for simplicity: connect the internet, share it with your devices, done. For a homelab, that's not enough. You need VLANs to isolate lab traffic from home devices, traffic shaping to prevent a backup job from saturating your internet connection, custom DNS for local services, and visibility into what's happening on your network.
OpenWrt is a Linux-based operating system for embedded devices — primarily routers. It replaces the stock firmware with a full Linux environment: package manager, SSH access, Lua/Python scripting, and a comprehensive web UI (LuCI). Almost every router function becomes configurable.

Why OpenWrt Over pfSense/OPNsense
The common recommendation for homelab firewalls is pfSense or OPNsense running on x86 hardware (a mini PC, old desktop, or dedicated firewall appliance). Those are excellent choices. OpenWrt serves a different use case:
Run OpenWrt when:
- You want to repurpose an existing consumer router
- Power consumption matters (routers use 5-15W vs. 15-40W for mini PCs)
- The router's switching hardware provides native VLAN support (no managed switch required)
- You want a simpler setup than a full x86 firewall
Run pfSense/OPNsense when:
- You need enterprise VPN capabilities (IPsec with complex policies, etc.)
- You want a UI-driven, everything-from-the-web-console experience
- You need high-throughput packet inspection (hardware offloading is better on x86)
- You're running Suricata/Snort IDS/IPS
For many homelabs — especially those with one ISP connection, 1-5 VLANs, and a handful of servers — OpenWrt on a capable router is sufficient and far simpler to maintain.
Supported Hardware
OpenWrt supports 1,700+ devices. The most reliably supported consumer routers:
Budget options (under $50):
- TP-Link Archer C7 v2/v5 — Classic, well-supported, limited RAM (128MB)
- GL.iNet GL-MT300N-V2 — Tiny travel router, good for testing
- Raspberry Pi 4 — With a USB ethernet adapter, runs OpenWrt as a software router
Mid-range ($50-150):
- TP-Link Archer A7 — Similar to C7 but newer silicon
- Linksys WRT3200ACM — Excellent hardware, big community, dual flash storage
- Netgear R7800 — Snapdragon 618 CPU, 512MB RAM, handles demanding workloads
High-end ($150+):
- Banana Pi BPI-R3 — MediaTek MT7986A, dedicated hardware NAT, 2× 2.5GbE WAN, 4× GbE LAN, 1× SFP+
- Xiaomi AX6S — MediaTek MT7622B, Wi-Fi 6, good value outside the US
- GL.iNet GL-MT6000 (Flint 2) — Pre-installed OpenWrt, Wi-Fi 6, 2× 2.5GbE
Check the OpenWrt Table of Hardware before buying — filter by "supported current release" and look at RAM (256MB minimum for comfortable use) and CPU.
Installation
Installation varies by device. The typical process:
- Download the correct firmware image from downloads.openwrt.org — match your exact device and revision (e.g., Archer C7 v2 and v5 use different images)
- Access stock firmware upgrade UI — usually at 192.168.1.1
- Upload the OpenWrt factory image via the stock firmware's update mechanism
- Wait for reboot — typically 3-5 minutes
- Connect to 192.168.1.1 — OpenWrt's default IP
For some devices (TP-Link, Netgear), the factory image uploads cleanly through the stock UI. For others, you may need TFTP recovery mode or serial console access. Check your device's specific installation page in the OpenWrt wiki.
Initial Configuration via SSH
OpenWrt's web UI (LuCI) isn't installed by default on all builds. Initial setup via SSH:
```
ssh root@192.168.1.1
# No password by default — set one immediately:
passwd
# Update package list:
opkg update
# Install LuCI (web UI):
opkg install luci luci-ssl
# Enable and start HTTPS:
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
```
Access LuCI at https://192.168.1.1.
VLAN Configuration
This is where OpenWrt shines for homelab use. Setting up VLANs isolates traffic between segments:
Common homelab VLAN design:
| VLAN | Purpose | IP Range | Internet | LAN Access |
|---|---|---|---|---|
| VLAN 10 (Main) | Home devices, trusted | 10.0.10.0/24 | Yes | Yes |
| VLAN 20 (Lab) | Servers, VMs | 10.0.20.0/24 | Yes | Restricted |
| VLAN 30 (IoT) | Smart home devices | 10.0.30.0/24 | Yes | Blocked |
| VLAN 40 (Guest) | Guest Wi-Fi | 10.0.40.0/24 | Yes | Blocked |
Configuration via LuCI:
- Network → Switch — Create VLANs, assign ports (tagged/untagged)
- Network → Interfaces — Create a new interface for each VLAN (assign to `eth0.20`, `eth0.30`, etc.)
- Network → DHCP and DNS — Configure DHCP server for each interface
- Network → Firewall → Zones — Create zones (or use existing `lan`/`wan` and add custom rules)
- Network → Firewall → Rules — Block inter-VLAN traffic as needed
Via /etc/config/network (UCI configuration):
```
# /etc/config/network
# OpenWrt 21.02 and later name this option 'device' instead of 'ifname'.
config interface 'lab'
    option ifname 'eth0.20'
    option proto 'static'
    option ipaddr '10.0.20.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option ifname 'eth0.30'
    option proto 'static'
    option ipaddr '10.0.30.1'
    option netmask '255.255.255.0'
```
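Defining the interfaces does not by itself enforce the access column of the table; the firewall zones and rules from the LuCI steps do. The following `/etc/config/firewall` stanzas are an added example, not part of the original article. They assume the Main VLAN is OpenWrt's default `lan` zone, that `wan` is the default WAN zone, and that "Restricted" for the lab means only connections opened from `lan` are allowed.

```uci
# /etc/config/firewall additions (constructed example)
config zone
    option name 'lab'
    list network 'lab'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# Internet access for both segments
config forwarding
    option src 'lab'
    option dest 'wan'
config forwarding
    option src 'iot'
    option dest 'wan'
# Trusted LAN may open connections into the lab. There is no lab -> lan
# or iot -> lan forwarding, so those directions stay blocked.
config forwarding
    option src 'lan'
    option dest 'lab'

# input 'REJECT' also blocks DHCP and DNS on the router; re-allow only those.
config rule
    option src 'lab'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option src 'lab'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option src 'iot'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
```

With `input 'REJECT'` on both zones, LuCI and SSH on the router are reachable only from `lan`. Apply the change with `/etc/init.d/firewall restart`.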
Traffic Shaping with SQM
Bufferbloat — latency spikes under load — is a common problem with consumer internet connections. When a file upload saturates your connection, ping times spike and VoIP calls break up. OpenWrt's SQM (Smart Queue Management) package solves this:
```
opkg update
opkg install luci-app-sqm
/etc/init.d/sqm enable
/etc/init.d/sqm start
```
Configure in LuCI under Network → SQM QoS:
- Interface: `eth1` (your WAN interface)
- Download speed: 90% of your actual measured download speed
- Upload speed: 90% of your actual measured upload speed
- Queue discipline: `cake` (recommended)
- Link layer adaptation: `ethernet-with-overhead` for fiber; `PPPoE` for DSL
The 90% headroom prevents SQM from fighting with your ISP's own shaping and provides consistent results.
Custom DNS
OpenWrt runs dnsmasq for DNS and DHCP. For a homelab, you likely want:
- Local domain resolution — `myserver.lan` resolving to local IPs
- DHCP static leases — servers always get the same IP by MAC address
- Upstream DNS with filtering — forward to Pi-hole or AdGuard Home, or configure filtering directly in dnsmasq
Static leases (LuCI → Network → DHCP and DNS → Static Leases):
```
# /etc/config/dhcp
config host
    option mac '00:11:22:33:44:55'
    option name 'myserver'
    option ip '10.0.20.10'
```
With this, myserver.lan resolves to 10.0.20.10 from any device on the network.
WireGuard VPN
OpenWrt has first-class WireGuard support:
```
opkg update
opkg install wireguard-tools luci-proto-wireguard kmod-wireguard
```
Configure a WireGuard interface in LuCI → Network → Interfaces → Add new interface → Protocol: WireGuard VPN. This gives you a VPN endpoint so you can access your homelab from anywhere.
Package Ecosystem
OpenWrt's package manager (opkg) gives access to hundreds of additional tools:
- `adblock` — DNS-based ad blocking (alternative to Pi-hole)
- `haproxy` — Load balancer
- `shadowsocks-libev` — Proxy for bypassing geographic restrictions
- `tcpdump` — Packet capture
- `nmap` — Network scanning
- `python3` — Python scripting on the router itself
- `vnstat` — Long-term traffic statistics
Performance Considerations
OpenWrt's routing performance depends heavily on hardware offloading support. Many modern routers have hardware NAT/forwarding offloading that OpenWrt supports (or partially supports) through the kmod-nf-flow flow offloading module.
Without offloading, routing throughput is limited by the CPU:
- MIPS 74Kc @ 750MHz (Archer C7): ~300-500 Mbps NAT throughput
- IPQ8065 @ 1.7GHz (R7800): ~700-900 Mbps
- MT7986A @ 2.0GHz (BPI-R3): ~2+ Gbps with hardware offloading
For gigabit and faster internet connections, verify your chosen hardware can handle line-rate NAT with OpenWrt enabled.
OpenWrt vs. Stock Firmware
| Feature | Stock Firmware | OpenWrt |
|---|---|---|
| VLAN support | Limited or none | Full IEEE 802.1Q |
| Custom DNS | Basic | Full dnsmasq control |
| Traffic shaping | None or basic | SQM/CAKE |
| Package manager | None | opkg (500+ packages) |
| SSH access | None | Full |
| Scripting | None | Shell, Lua, Python |
| Security updates | Vendor-dependent | Community-maintained |
| VPN server | Limited | WireGuard, OpenVPN |
For homelab use, the argument for stock firmware is essentially zero — unless your hardware isn't supported by OpenWrt.
Getting Started
The fastest path to a working OpenWrt homelab router:
- Check your current router's support at openwrt.org/toh
- If not supported, buy a supported device (GL.iNet Flint 2 comes with OpenWrt pre-installed)
- Flash OpenWrt following your device's specific guide
- Set a root password immediately
- Install LuCI (`opkg install luci luci-ssl`)
- Install SQM and configure bandwidth limits
- Add your VLANs for lab/IoT/guest isolation
The OpenWrt community and wiki are excellent resources. Almost every configuration question has a detailed answer in the wiki or forum.
