Why I built my own homebrew Linux router
Why I built my own homebrew Linux router
For the last few months, I've been talking a lot about using a bare install of standard Linux distribution as a router. I've written about it at Ars Technica, I did a presentation at Great Wide Open, and I'm doing another one at SouthEast LinuxFest next week. And I have to tell you, the homebrew router has been one of the more controversial topics I've ever written and presented about—some people love the idea, but the ones who don't seem to really, really hate it.
To be fair, setting up your own router from a generic server distro isn't a project for everyone. It certainly isn't user-friendly, both during the build process and once it's finished. While it's not terribly complex, it's definitely arcane, with absolutely no hand holding along the way. If you aren't already very experienced with Linux, you'll likely do a lot of puzzled head scratching (and maybe a little cursing). You won't get a super feature-rich build once you're done, either—unless you go on to do a lot more for your build than I have with mine, you won't have fancy quality of service features, usage graphs, or much of anything else besides a bare-bones (although extremely high performance) router that hands out IP addresses, resolves DNS records, connects to the Internet, and makes packets go where they're supposed to.
I don't have a problem with anybody pointing out any of that. Heck, I point it all out myself, and usually in the first couple of paragraphs. The common complaint that makes me shake my head, though, is, "That's going to be super insecure, and get you rooted, and that's why you should be running a purpose-built router distribution." Wait—what?
OK, let's talk about security for a moment. Security isn't something you tack on after the fact, or build on with a few thousand more lines of code. Security is a mindset, and it's a design—it's something you build in from the foundation. Heightened security is actually the entire reason why I built my own personal bare linux router.
My career forces me to be paranoid about information security, which is why I wanted to build a bare Linux router in the first place. Proprietary router firmware often goes months or years between upgrades—and when it does upgrade, it's more frequently to add some shiny to the UI—more than likely introducing more bugs—than to fix security problems. Open source firmware isn't really in much better territory. DD-WRT is one of the most popular, and while it has a new (and incredibly bug-ridden) beta release every few weeks, the project hasn't had a stable release in eight years. Eight years! pfSense is pretty much the darling of the industry, and rightly so—but it's still a big, complex pile of moving parts with web interface and pretty graphs and bits and bobs to toggle and you're never going to truly know everything that it's doing—you click the boxes in the web UI and you assume it's doing what you told it to, which is already pretty far abstracted from the reality of the underlying configs. It also goes months (or longer) between firmware updates being made available, with (again) no real guarantee that an update won't change major parts of the UI and the capabilities, not just fix bugs.
For a lot of people—and businesses, don't get me wrong—that's perfectly fine. For my own personal network, it's no longer good enough. I wanted something minimal, in which I knew every inch of the actual configurations because I'd written it myself. And I wanted truly frequent security updates, with the kind of quality assurance and testing that a major distribution brings to the table. The little specialty router distros can't help but be also-rans at this.
And that's where my homebrew router came in. No, it's not "less secure" than a router distro—it's got far, far fewer moving parts, and I know all of them well. Every single piece of it, aside from my actual config files, gets automatic security updates on a daily basis. If there's a minor security issue in dhcpd, it's not going to have its patch sit in a queue until "there's enough stuff to bother" with a full firmware upgrade release. It's going to go out and get patched automatically by the unattended-upgrades service right now, when it should.
I don't have to worry about if I accidentally exposed the web interface to the outside world by forgetting to click the right check box—there is no web interface. I similarly don't have to worry about whether a bug in the web interface does something similar despite my having checked a box—because there is no checkbox, the configurations I'm doing are the real configurations to the actual services, not an abstracted and simplified version that must be translated by a few thousand lines of PHP code that get orders of magnitude fewer eyeballs reviewing them.
So this brings us back around to the topic of who a homebrew router is or isn't right for. Is it right for a busy admin who isn't already intimately familiar with Linux networking at the command line level, including dhcpd, iptables, and bind? Probably not—they don't have time to deal with all that. Is it right for a home user who isn't a hobbyist interested in those things? Again, probably not—they'll get frustrated with the arcane (though ultimately simple) nature of the configs.
A homebrew Linux router is right for a hobbyist or junior sysadmin who is genuinely interested in how these things work under the hood, though. Setting up and managing one will teach you a lot. It's also a pretty good fit for a veteran sysadmin who already understands the majority of the systems and only has to brush up on a thing or two to get comfortable with it—the raw performance is just plain jaw-dropping, and the simple nature of the system will leave that veteran sysadmin free to manage it and back it up in the ways they're already very comfortable with. And finally, it's perfect for the incredibly tin-foil-hatted types (also, unfortunately, like me these days) since its stripped-down nature lets them be absolutely certain they understand what it is, and isn't, doing and plan around that accordingly when they're mapping out their security setup.
If you're an interested hobbyist or sysadmin who thinks this sounds like the kind of project you'd like to get your teeth into—or even the kind who thinks this sounds completely batty, but might be fun to think about for an hour—come to SouthEast LinuxFest this year in Charlotte, N.C.! The event runs June 10-12, and my talk should be on Saturday, June 11, from 9-10 a.m.