
TP-Link makes really solid products, and if you don’t want to use their firmware then almost all of them can easily flash OpenWRT. In fact most of their routers are built from OpenWRT anyway.

I installed their mesh Wi-Fi system for my parents recently and was really impressed how seamless the process was. It did involve making a cloud account which I wasn’t thrilled about, however.



You aren't thinking low enough for firmware.

All modern WiFi APs require closed firmware blobs that run below or parallel to OpenWRT.

You replacing the router OS with OpenWRT does nothing when the radio has full DMA access and runs its own OS on its own processor. The OpenWRT layer will have no idea what it's running/infiltrating/exfiltrating.

I say this as someone who has been running and building OpenWRT forever. It's great but it isn't a panacea.


That's why I bought a PCEngines box (one of the last of their inventory before they went out of business) with completely transparent hardware and no Chinese manufacturer in the supply chain.


Neat.

If it dies tomorrow, what’s next, out of curiosity?


For anyone asking this question I might suggest Protectli. They've got x86 systems with coreboot. That's about as good as you can get these days for open source-ness without going really obscure or outdated. I've got a VP2440 as my router and firewall. You can neuter the intel management engine with coreboot, but there's still going to be firmware blobs somewhere in it, especially if you're trying to build a wifi ap.

One of my 2 pcengines APUs has developed an issue with its solder joints I suspect. It hangs at the bootloader unless the unit is already warm. Can't complain at all, it lasted ages and problems like this are just life for things that thermally cycle, it was in a pretty extreme climate for most of its life. Doesn't help with me needing a replacement now pcengines is out of business though, hence getting a protectli box.


> I might suggest Protectli

This is the route I went. After a decade plus of shite consumer routers and finally an EdgeRouter which died (along with Ubiquiti's quality) I bought a Protectli box, built and flashed Coreboot and run OPNSense.

It's been going strong with regular updates (and by regular I mean as regular as your Linux workstation) for over half a decade now.

It wasn't cheap, somewhere in the region of £700 after adding SSD and RAM but it's a way, way overkill model and never exceeds 10% RAM usage and 15% CPU with an IDS running and a bunch of VLANs and Gigabit symmetric WAN.

My original goal for overspeccing it was longevity, but I regret it now, I want to upgrade to 10G+ networking and I can't justify replacing it when it runs so well and wasn't cheap.


Thank you! Been looking for replacements like this.


Sure, but if you run OpenWRT you can pick the radio firmware image. And you can trust Qualcomm because they're from San Diego and made Eudora; their firmware won't have intentional security issues.


And yet American products are the only ones we've ever had hard evidence on wrt intentional security issues in collaboration with US Intelligence.


Sometimes it's Swiss companies run by the CIA: https://www.npr.org/2020/03/05/812499752/uncovering-the-cias...


Source for this claim?


snowden-cisco-nsa-tao-interdiction.jpg


Comparing US intelligence to the other bad actor intelligence is wild - like comparing a paper cut to AIDS.

For now, at least.


The US intelligence apparatus is the GOAT of overthrowing foreign governments. They love it so much they even sometimes come back and overthrow the puppet regime they put in place a few years earlier (or just bomb the shit out of the civilians).

If it isn't AIDS then it is certainly a cancer.


I run OpenWRT on my TP-Link and have been happy with it.

The radio sounds much like Intel's ME.

I think we all know there's a problem, but we don't have the power to do anything about it because what alternative is there? Ancient hardware?


Do you trust the seller on AliExpress selling the OpenWRT One router? OpenWRT links directly to it (from https://openwrt.org/start): https://www.aliexpress.com/item/1005007795779282.html


I would first worry about Intel ME on my computer, and then about my router's firmware blob.


I use their Omada stuff for my business. I own a coffee shop where I have a few devices I need online and I provide free WiFi to customers. I needed something where I could run multiple networks, segregate my own devices, support a large number of clients, automatically turn off free wifi outside of business hours, run a captive portal, reserve a minimum amount of bandwidth for my own devices and prioritize my own traffic, etc. It’s absolutely packed with features and costs less than the stuff I run at home. It was a fraction of the cost of the Meraki gear I was considering. The performance is great too.

I don’t know how much I trust TP Link, but my risk level is very low. There’s not much an attacker could do if they get on my network. None of my data is accessible on that network and everything important has MFA anyway. The most sensitive things are my POS and menu displays and they are just client devices connecting to the internet. I probably wouldn’t run this stuff in an environment where I had complex security requirements.


I don't think the attackers are after your credit card records as much as they are after using your network as one base amongst thousands of others to perform illicit compute, generate traffic to a victim network, etc. That is: the attack is outbound from you to the victim, not inbound to you as the victim (at least not beyond the initial beachhead).


Omada does not really seem cheaper than unifi.


Where does OP make the claim that Omada gear is cheaper than UniFi gear? Perhaps you skimmed the comment and confused "Meraki" for "UniFi"?


OP does not make that claim. It just sounded like the choice was either tplink or something expensive like meraki.


TP-Link let me down twice.

I bought a cellphone from them many years ago and they never really supported it and I couldn't even buy a replacement battery.

Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.

These events left a bad impression, but they do make affordable stuff with reasonable quality.


> Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.

This also happened many years ago with Linksys (prior to Cisco). It’s not that uncommon for manufacturers to release new revisions of hardware without necessarily making it clear to the purchaser. If their purpose is to deliver a router and they can shave a few cents off the BOM with less RAM, but it still works with their software, why would they care. And once new revisions have been released into the supply chain, it can be hard to know exactly what version you are buying.

In the Linksys case, IIRC they eventually re-released the first revision WRT54G as the WRT54GL (for Linux), so that people who wanted different firmware could get the exact hardware they wanted.


Wouldn't it be nice if that was illegal? Sell whatever, but label it accurately, it's different hardware so it needs to have a different version label in the listing or something.

We see this all the time with SSDs, where a high-spec model is released to reviewers, then a low-spec model is mass-produced and sold under the same model number. That's fraud, isn't it? Shouldn't it be?


It’s only fraud if they sold you or marketed to you on those specs. But at least for things like reflashing your router, short of a few explicit opener vendors (like glinet) and Linksys AFTER releasing the WRTGL version, router manufacturers aren’t usually advertising on how much ram or flash memory space they have, any more than car manufacturers are advertising how much flash memory is in their ECUs. It’s not an intended or marketed purpose, so they’re not going to be changing model numbers just because they made an internal update.


Changing the flash in a router is pretty understandable. Changing a router's CPU is going to affect core performance, and so does changing parts in an SSD, and core performance should totally count as being used to sell the product.


“Core performance” only matters relative to what the company is selling you though. For example let’s say a company sells 2 tiers of switch. One does 10G and the other 1G. For whatever reason when they start selling these, it’s cheapest for them to sell the same internal hardware, but with the internals underclocked in software. Some hardware hackers discover this and start unlocking the 10G capabilities of the 1G units. Later down the road, the company finds a cheaper implementation of hardware for the 1G that still can do 1G but even if up-clocked can now only do 2.5 at best. That’s a change to “core performance” but it’s also not fraud. They didn’t advertise or sell you a “switch that starts at 1G but can be unlocked for 10G”, they sold you a “switch that can do 1G”. As long as that’s what they’re still selling you, everything else is ancillary.


I agree with the upclocking example, but "what the company is selling" goes beyond what's on the box. If the old 1G model can do 500k packets per second, but the new one can only do 200k, that should not qualify for the same model number. There are a lot of situations where that's going to cause real problems on stock settings, after people tested the capabilities and made purchases based on those tests.

I want the most important performance characteristics that would be on a good datasheet to be maintained, even if there is no datasheet.


But you can optimize software and use slower hardware to maintain the same performance, as an example.


In theory. It doesn't happen often past initial launch of a product.


If you can build a plausible case that you did this (e.g. simply making your fw image smaller justifies using a smaller eMMC chip), and provide a few benchmarks that demonstrate equivalent performance in those scenarios, you'd be off the hook in any legal mandate to keep the performance the same even if your new hw revision ships with weaker hardware.

This is even a common product development strategy: ship to market asap, optimize the margins later.


> but label it accurately, it's different hardware so it needs to have a different version label

In my experience, TP-Link always has the hardware revision on a label on the outside of the box.


It's small text on a small label that online vendors don't bother to check.


Then don't buy online, if you can't trust the vendor?


At some point it won't matter that you run OpenWRT on it. Obvious case in point: at a certain point it doesn't matter that you run Linux instead of Windows on your Intel PC, because it'll still be subjected to Intel ME, Intel AMT, Intel SGX and god knows what else.


On a PC, Intel ME and the like can be accessed remotely only through an Intel NIC, which can be avoided by using a PCIe Ethernet card from another manufacturer, if the motherboard does not have such an interface on it. Even many of the Intel Ethernet interfaces are supposed to have the remote access disabled from the factory, but you cannot be certain about this.

A more serious problem is caused by the laptops having Intel WiFi, which is difficult to replace. With such a laptop one would have to disconnect the internal antennas and use an external WiFi dongle, to be sure that remote control is not possible.


At one point laptop wifi cards seemed to mostly be m.2 cards, which, while not usually trivial, were relatively feasible to swap out. Has that changed?


A lot of the time, they lock the slot to only their officially supported modules. Dell is rather notorious for doing that.


Do any of TP-Link's mesh routers support OpenWrt? I didn't think there was overlap between the "easy to set up for my parents" and "easy to install custom firmware" subsets.


From what I could tell in the admin panel, those mesh routers _are_ OpenWRT. And they have an advanced section where you can upload a firmware .bin.


OpenWRT runs well on Deco M5 with a custom build.

https://forum.openwrt.org/t/ipq4019-adding-support-for-tp-li...


Hey, that's really timely for me.

I'm getting ready to set up a mesh network for my older parents as well. Do you have any suggestions for hardware and software? I live a ways away from them so I need this to be pretty much faultless. I don't want to drive 4 hours for IT support.


Go unifi and manage it remotely.


My paranoia goes against this idea. How sure are you that the remote management is hardened? Assuming that disabling external control is actually effective, that seems like it removes most practical exploits one would encounter. A network configuration for a non technical person should be so simple it does not require regular maintenance.


The TP-Link option was great. If it was for myself, I'd build my own with OpenWRT but my goal was to minimize the chance of downtime in case I'm not available to help debug issues. They already had a TP-Link range extender running for 4+ years without ever needing to touch it, so I figured their mesh network was a good option too.


ASUS routers with Merlin firmware work well in a mesh configuration.


Assuming there isn't a hidden little core running a hidden little OS somewhere.


Yeah companies should be held guilty unless proven otherwise. Of course you can never actually prove anything, so they are all guilty by default. /s


You can't bootstrap nearly any embedded ARM SoC and run Linux without running some closed Chinese blob just to bring it up lol


And in reverse, you think Palantir has a transparent business model to trust with your data? I don't get why people find China more suspect than most of these billionaire-led monopolies buying politicians and laws and spouting paranoid gibberish about Christianity and the Antichrist etc.

Both might be fundamentally evil or being, but they aren't different in danger based solely on how white they are.


Both can be bad at the same time


Right, but one is "white" and the other is "dark"


What about whataboutism?

And yes an American company in cahoots with the government having the ability to snoop on traffic and turn entire networks off, while bad, is nowhere near as bad as a Chinese one having the exact same capability.


The US company and the US government are 1000x more likely to leverage their position in an antagonistic way against US customers.


Their hypothetical does have weight, though. Damn near every desktop/laptop computer does have "a hidden little core running a hidden little OS" nowadays, after all.[0]

Obviously this particular one isn't in non-Intel equipment, but...

[0] https://en.wikipedia.org/wiki/Intel_Management_Engine


Devices from companies under direct or implicit CCP control should indeed be considered suspect until proven otherwise. Not just them, but them much more than local ones.


Of course there is probably a hidden little os running on hidden core within the hidden hardware running the hidden os.

