Notes to Future-Me

GL.iNet Slate AX as Secure Home Router


The Slate AX is fairly secure as shipped, except for the DNS configuration. The default DNS configuration is set up for compatibility, which makes sense because you want your new product to just work when it is plugged in for the first time.

After securing the router’s DNS against surveillance by ISPs and other entities, the next step would be using a VPN provider to encrypt all traffic coming from the router. Since the VPN endpoint will be used by many customers simultaneously, it becomes very difficult for a third party to determine which traffic belongs to which customer.

Setting up DNS

From the left side navigation, click Network and click DNS. (user manual)

Preventing DNS Hijacking and Leakage

Turn on “DNS Rebinding Attack Protection” and “Override DNS Settings for All Clients”. Overriding client settings will prevent clients on the network from leaking DNS queries by trying to use DNS servers other than the secure ones configured on the router.

Encrypted DNS

The hosts File

Protection against tracking, malware, and ads can be improved with a custom hosts file. However, the basic unified hosts file from Steven Black’s repository is over 4 MB and will cause the “Edit Hosts” dialog on the DNS configuration page to choke.

Instead, from the command line:

The drawback to this method is that Steven Black’s block list is updated regularly, but this method does not automatically update.
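An added example, not part of the original notes: a POSIX shell function that vets a downloaded copy of the block list before it replaces the one in use, which matters most if the download is ever scripted to keep the list current. It accepts only `0.0.0.0` sinkhole entries and fails closed when an entry maps a name to any other address or when the file looks truncated; the function name, the list of header names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# vet_hosts IN OUT MIN
#   IN = downloaded hosts-format list, OUT = vetted copy, MIN = fewest entries accepted
# Returns 0 and writes OUT on success. Fails closed otherwise, leaving OUT untouched:
#   1 = too few entries (truncated download?), 2 = unexpected entry, 3 = I/O error
# Usage (hypothetical paths): vet_hosts /tmp/hosts.new /tmp/hosts.vetted 1000
vet_hosts() {
    in=$1; out=$2; min=$3
    tmp="$out.tmp.$$"
    : > "$tmp" || return 3
    counts=$(awk -v out="$tmp" '
        BEGIN {
            # Assumption: local names found in the list header; never installed.
            names = "localhost localhost.localdomain local broadcasthost 0.0.0.0"
            names = names " ip6-localhost ip6-loopback ip6-localnet ip6-mcastprefix"
            names = names " ip6-allnodes ip6-allrouters ip6-allhosts"
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) skip[a[i]] = 1
            kept = 0; bad = 0
        }
        { sub(/#.*/, ""); sub(/\r$/, "") }      # drop comments and CR line endings
        NF == 0 { next }                         # blank or comment-only line
        NF == 2 && ($2 in skip) { next }         # header entry for a local name
        NF == 2 && $1 == "0.0.0.0" && $2 ~ /^[A-Za-z0-9._-]+$/ {
            print "0.0.0.0 " $2 > out; kept++; next   # sinkhole entry: keep
        }
        # Anything else could point a real name at a real address: reject.
        { bad++; print "rejected line " NR ": " $0 > "/dev/stderr" }
        END { print kept, bad }
    ' "$in") || { rm -f "$tmp"; return 3; }
    kept=${counts% *}; bad=${counts#* }
    if [ "$bad" -gt 0 ]; then rm -f "$tmp"; return 2; fi
    if [ "$kept" -lt "$min" ]; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$out"
}
```

A non-zero return means the previous list should stay in place; the rejected lines are printed to standard error for review.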

To validate that the block list was loaded after the router reboot:

Port Forwarding / UPnP

UPnP is not available by default on OpenWrt (reference) and is not recommended because it is a massive security problem.

Instead, explicit port forwarding rules should be used. Instructions are in the user manual.

Setting up VPN

The Slate AX supports OpenVPN and WireGuard. Both are secure, but OpenVPN is more widely supported, while WireGuard has slightly better performance.

Configuration File from VPN Provider

These procedures are for NordVPN, but ExpressVPN or any other major provider will be very similar. NordVPN has a Help Center page for setting up the GL.iNet routers, but these are the basic instructions:

Arguably OpenVPN UDP will be marginally faster, but OpenVPN TCP (at least in the NordVPN configuration files I looked at) uses port 443. This will preserve privacy and deniability since it looks like any normal HTTPS/SSL/TLS traffic.

Configuring the Slate AX VPN Client

In the router’s web interface:

The VPN can be started from the OpenVPN Client page or from the VPN Dashboard page.