OpenWRT on tp-link Archer C7 v5 AC1750 router
Your Internet Service Provider (ISP) has access to your router provided by them and therefore access to your whole network.
In order to get some privacy into your network, you can use another router. To gain some more trust, use an open-source custom firmware, like OpenWrt.
If your router is supported, I recommend to try LibreCMC. It is a free firmware without any blobs required for some firmwares.
1. Original Firmware Download
2. OpenWrt Download
3. Install OpenWrt
5. Problem with SSH connection
$ ssh -v firstname.lastname@example.org [...] debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: (no match) Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa
The solution was to specify the algorithm directly:
ssh -v -oHostKeyAlgorithms=+ssh-rsa email@example.com
I am not sure why this was needed though.
6. Upgrade Firmware
See the official instructions.
I had to add the
-O flag to scp:
Use the legacy SCP protocol for file transfers instead of the SFTP protocol. Forcing the use of the SCP protocol may be necessary for servers that do not implement SFTP, for backwards-compatibility for particular filename wildcard patterns and for expanding paths with a ‘~’ prefix for older SFTP servers.
scp -oHostKeyAlgorithms=+ssh-rsa -O openwrt-22.03.2-ath79-generic-tplink_archer-c7-v5-squashfs-sysupgrade.bin firstname.lastname@example.org:/tmp # Then, on the server in the /tmp directory: sysupgrade -v openwrt-22.03.2-ath79-generic-tplink_archer-c7-v5-squashfs-sysupgrade.bin
7. Enable WiFi
uci show wireless uci set wireless.radio0.country='DE' uci set wireless.radio0.disabled='0' uci set wireless.default_radio0.encryption='psk2' uci set wireless.default_radio0.ssid='MyNetwork' uci set wireless.default_radio0.key='Password' # Same for radio1 / default_radio1 uci commit wireless wifi
8. Resolve hostnames on the local network
uci -N show dhcp.@dnsmasq uci set dhcp.@dnsmasq.domainneeded='0' uci commit dhcp /etc/init.d/dnsmasq restart
In Germany, there is a law to guarantee customers to work with a modem of their choice (Gesetz zur Auswahl und zum Anschluss von Telekommunikationsendgeräten, see here).
My provider (willy.tel) has some instructions and lecture you the disadvantages of operating your own router. However, they provide all information needed, which is great.
Unfortunately, DOCSIS doesn't work on OpenWrt. See here for the explanation:
DOCSIS functionality is based on cryptographic certificates to authenticate cable modems and their running firmware to the ISP - that is not supportable by OpenWrt under any circumstances. There is no FOSS solution available for cable modems.