I had blogged back in October of last year about setting up DNS over HTTPS, and it’s been very reliable, except for the parts where I’ve had to run Software Update on the Mac mini to pick up security update, and while it’s restarting all of our DNS resolution stops working! I’d come across OpenWRT a while back, which is an open-source and very extensible firmware for a whole variety of different routers, but I did a bunch of searching and hadn’t come across any reports of people fully-successfully using it on our specific router, the Netgear D7800 (also known as the Nighthawk X4S), just people having various problems. One of the reasons I was interested in OpenWRT because it’s Linux-based and extensible and I would be able to move the DHCP and DNS functionality off the Mac mini back onto the router where it belongs, and in theory bring the encrypted-DNS over as well.
I finally bit the bullet and decided to give installing it a go today, and it was surprisingly easy. I figured I’d document it here for posterity and in the hopes that it’ll help someone else out in the same position as I was.
Important note: The DSL/VDSL modem in the X4S is not supported under OpenWRT!
- Download the firmware file from the “Firmware OpenWrt Install URL” (not the Upgrade URL) on the D7800’s entry on OpenWRT.org.
- Make sure you have a TFTP client, macOS comes with the built-in
tftpcommand line tool. This is used to transfer the firmware image to the router.
- Unplug everything from the router except power and the ethernet cable for the machine you’ll be using to install OpenWRT from (this can’t be done wirelessly).
- Set your machine to have a static IP address in the range of 192.168.1.something. The router will be .1.
- Reset the router back to factory settings by holding the reset button on the back of it in until the light starts flashing.
- Once it’s fully started up, turn it off entirely, hold the reset button in again and while still holding the button in, turn the router back on.
- Keep the reset button held in until the power light starts flashing white.
Now the OpenWRT firmware file needs to be transferred to the router via TFTP. Run
tftp -e 192.168.1.1 (
-e turns on binary mode), then
put <path to the firmware file>. It’ll transfer the file and then install it and reboot, this will take several minutes.
Once it’s up and running, the OpenWRT interface will be accessible at http://192.168.1.1, with a username of
root and no password. Set a password then follow the quick-start guide to turn on and secure the wifi radios — they’re off by default.
Additional dnsmasq configuration and DNS-over-TLS
I mentioned in my DNS-over-HTTPS post that I’d also set up
dnsmasq to do local machine name resolution, this is very trivially set up in OpenWRT under Network > DHCP and DNS and putting in the MAC address and desired IP and machine name under the Static Leases section, then hitting Save & Apply.
The other part I wanted to replicate was having my DNS queries encrypted. In OpenWRT this isn’t easily possible with DNS-over-HTTPS, but is when using DNS-over-TLS, which gets you to the same end-state. It requires installing Stubby, a DNS stub resolver, that will forward DNS queries on to Cloudflare’s DNS.
- On the router, go to System > Software, install
- Go to System > Startup, ensure Stubby is listed as
Enabledso it starts at boot.
- Go to Network > DHCP and DNS, under “DNS Forwardings” enter
dnsmasqwill forward DNS queries on to
stubby, which in turns reaches out to Cloudflare; Cloudflare’s DNS servers are configured by default. Stubby’s configuration can be viewed at
- Under the “Resolv and Hosts Files” tab, tick the “Ignore resolve file” box.
- Click Save & Apply.
Many thanks to Craig Andrews for his blog post on this subject!
Quality of Service (QoS)
The last thing I wanted to set up was QoS, which allows for prioritisation of traffic when your link is saturated. This was pretty straightforward as well, and just involved installing the
luci-app-sqm package and following the official OpenWRT page to configure it!
I’ll update this section as I come across other little tweaks and changes I’ve needed to make.
Plex local access
We use Plex on the Xbox One as our media player (the Plex Media Software runs on the Mac mini), and I found that after installing OpenWRT on the router, the Plex client on the Xbox couldn’t find the server anymore despite being on the same LAN. I found a fix on Plex’s forums, which is to go to Network > DHCP and DNS, and add the domain
plex.direct to the “Domain whitelist” field for the Rebind Protection setting.
Xbox Live and Plex Remote Access
Xbox Live is quite picky about its NAT settings, and requires UPnP to be enabled or you can end up with issues with voice chat or gameplay in multiplayer, and similarly Plex’s Remote Access requires UPnP as well. This isn’t provided by default with OpenWRT but can be installed with the
luci-app-upnp and the configuration shows up under Services > UPnP in the top navbar. It doesn’t start by default, so tick the “Start UPnP and NAT-PMP service” and “Enable UPnP” boxes, then click Save & Apply.