Review: 6 slick open source routers

DD-WRT, Tomato, OpenWrt, OPNsense, PFSense, and VyOS suit a wide range of devices and networking needs


Hackers of the world, unite! You have nothing to lose but the lousy stock firmware your routers shipped with.

Apart from smartphones, routers and wireless base stations are undoubtedly the most widely hacked and user-modded consumer devices. In many cases the benefits are major and concrete: a broader palette of features, better routing functions, tighter security, and the ability to configure details not normally allowed by the stock firmware (such as antenna output power).

The hard part is figuring out where to start. If you want to buy a router specifically to be modded, you might be best served by working backward. Start by looking at the available offerings, picking one of them based on the feature set, and selecting a suitable device from the hardware compatibility list for that offering.

In this article, I’ve rounded up six of the most common varieties of third-party network operating systems, with the emphasis on what they give you and who they’re best suited for. Some of them are designed for embedded hardware or specific models of router only, some as more hardware-agnostic solutions, and some to serve as the backbone for x86-based appliances.


DD-WRT

DD-WRT has proved to be a popular router firmware choice not only with hobbyists and hackers, but router manufacturers as well. Buffalo, for instance, has used DD-WRT as the basis for many of its home and prosumer router offerings. The original product was created in 2005 for the Linksys WRT54G router, a device designed to accept Linux-based firmware, and the core software is available as a GPL offering. Note that there may be fairly major differences in implementation or presentation between the core version of DD-WRT and third-party, router-specific editions such as Buffalo’s.

Supported hardware for DD-WRT

DD-WRT supports Broadcom, ADM, Atheros, or Ralink chip sets, but be aware that not all devices using these chip sets are automatically compatible. Some may require unit-specific hackery to work; some may not work at all, period. Also note that a newer router does not automatically mean a more compatible one, as it can take time to produce a version compatible with a newer router. The DD-WRT maintainers keep a database of supported devices, along with a list in their wiki of both devices and features, so it isn’t hard to tell if a given model is supported or to what degree.

DD-WRT features

DD-WRT provides a breadth of powerful features not normally found in consumer-grade routers, such as support for creating public Wi-Fi hotspots through a variety of providers, using dynamic DNS (again, from multiple providers), and supplying OpenVPN services for connected clients. It also comes in a range of different-sized builds, from the 2MB “micro” build that supports only the most essential functions to the 8MB “mega” build that has, well, everything. This lets the firmware be placed on devices of widely varying storage capacity.

DD-WRT limitations

The core version of DD-WRT is updated very infrequently. If you want more frequent updates, you either must go with an interim beta or pick a manufacturer-supplied version with regular revisions.

DD-WRT is the best choice for most users. The fact that DD-WRT comes as a stock preload (albeit with mods) in many routers makes it easy to get your hands on a router with it installed and tuned specifically to work with your hardware, as well as to keep it updated.


A commercial version of DD-WRT ships with many routers from Buffalo and other hardware makers. The unbranded version may vary in terms of presentation and feature set.


OpenWrt

OpenWrt is a router firmware project that’s like a full-blown Linux distribution for embedded systems. You can download the packages for a specific hardware configuration and build the code for the hardware using a supplied tool chain. This complicates the deployment process, but provides enormous flexibility.

To save time, various prebuilt versions of OpenWrt are available for common hardware types and router platforms. This includes everything from generic x86-based systems to the Broadcom and Atheros chip sets used to power many open-firmware routers. The makers of OpenWrt recommend starting with an off-the-shelf version, then learning how to roll your own once you’ve found your footing.

Over the last couple of years, the development of OpenWrt went through some convulsions. A spinoff project called LEDE (Linux Embedded Development Environment) forked the OpenWrt codebase and continued its development at a faster pace than the original OpenWrt team. As of January 2018, though, the two projects have agreed to merge their efforts back under the original OpenWrt name.


The LEDE Project revamped OpenWrt’s development process, merging in newer versions of components and making it more user-friendly.

Supported hardware for OpenWrt/LEDE

In a word: Lots. More than 50 hardware platforms and 10 CPU architectures are supported, from ARM miniboards to full-blown x86-64 systems. The project also provides a buyer’s guide to help you choose the proper hardware for your particular needs, in the event you’re shopping for a specifically OpenWrt-compatible product.

Features for OpenWrt/LEDE

In addition to broad hardware and platform support, OpenWrt includes support for the OLSR mesh networking protocol, which allows you to create mobile ad hoc networks out of multiple OpenWrt devices. Conveniently, OpenWrt, once deployed, can be modified without reflashing the firmware. Packages can be added or removed as needed through a built-in package management system.

Various spin-offs of OpenWrt are available, some with highly specific usage scenarios. Gargoyle offers as one of its big features the ability to monitor bandwidth and set per-host caps. A now-dead project, FreeWRT, was even more developer-focused than the core OpenWrt builds and had a handy web-based image builder for those who want to create a FreeWRT firmware with a little guidance.

Innovations from some of the spinoff builds have been fed back into OpenWrt. LEDE is one example, but another is the Cerowrt build. Cerowrt was created as part of the Bufferbloat project to address network bottlenecking issues in LANs and WANs. It’s no longer being maintained, as all of its technical innovations are now in OpenWrt’s codebase.

Recommended users for OpenWrt

Originally, OpenWrt was for experts, people who want as few limitations as possible on what they can do, who are ambitious about implementing unusual hardware, and who feel comfortable with the kind of tinkering that would normally go into rolling one’s own Linux distro. All of that is still possible with OpenWrt, but its merging with LEDE makes it a little more accessible and user-friendly.


Gargoyle is one of many breeds of OpenWrt, specifically offering special bandwidth-capping features. Like a miniature Linux distro, OpenWrt lends itself easily to this sort of respinning.


Tomato

Originally devised as a replacement firmware for Broadcom-based routers, Tomato drew attention for its GUI, bandwidth-monitoring tools, and other nifty professional-level and tweakable features. Development has ceased on the original Tomato project, but other developers have picked up where the original project left off, intermittently releasing incremental upgrades.

Supported hardware for Tomato

Hardware support is much the same as with DD-WRT, although you should pay close attention to exactly which builds are compatible with the particular hardware you’re using.

Tomato features

Many functions found in Tomato are also found in DD-WRT, such as sophisticated QoS controls, CLI access via Telnet or SSH, Dnsmasq, and so on. That said, Tomato has been designed such that few configuration changes require rebooting. There’s also been a wealth of custom scripting developed by the Tomato community, such as redirecting the router’s syslog to disk or another computer, and backing up router settings.

Tomato itself is no longer actively developed, but it has seeded a vast crop—pun intended—of spin-offs and offshoots. One regularly and recently updated Tomato build is offered by Shibby, which compiles many changes by other Tomato developers into a single bundle. Some of those additions included support for routers that have USB ports, thus allowing the mounting of removable media, improved QoS modules and IP traffic client-monitoring tools, support for SDHC (Secure Digital High Capacity)/MMC media storage, 802.1Q VLAN tagging, and the experimental MultiSSID web interface. Shibby has in turn added support for NFS servers, the HFS/HFS+ file system, USB 3G modems, and many other improvements across the board.

Another build, AdvancedTomato, adds an attractive web management GUI, although it’s available for only a small selection of routers.

Tomato limitations

Tomato and its derivatives are limited to routers that use a selection of Broadcom chip sets, such as the “classic” Linksys WRT54G.

Another big drawback to using Tomato is that there’s no guarantee that any particular edition will continue to receive updates or that it will pass into capable hands if the current developer decides to throw in the towel. Also be sure to pick the right edition for your router firmware, which has become a little more difficult now that each fork of Tomato follows its own path.

Recommended users for Tomato

Tomato is best for moderately advanced users. Working with Tomato is on a par with dealing with DD-WRT: You need to make sure you have the right hardware and follow the flashing instructions to the letter. Tomato isn’t used as a commercial preload, though, so don’t expect to see it in any off-the-shelf routers à la DD-WRT.


After development ceased on the original version of Tomato, others picked up the torch. AdvancedTomato is an add-on skin for one of the many Tomato variants out there.

OPNsense and PFSense

In an earlier version of this review, we examined the M0n0wall and PFSense projects, which are FreeBSD-based firewall and routing platforms—closer to a full-blown OS installation than a mere firmware layer. M0n0wall is no longer being developed, but PFSense has continued development under the aegis of Netgate. A project named OPNsense, developed by hardware maker Decisio, is a fork of PFSense with its own roadmap.

Supported hardware for OPNsense and PFSense

OPNsense runs on 32- and 64-bit x86-based hardware, with at least 512MB of RAM and 4GB of flash storage. A high degree of compatibility with common PC components is provided through the BSD driver library. As little as 256MB of RAM and 1GB of storage is needed for PFSense, although 1GB of RAM and more storage is recommended.

OPNsense and PFSense features

Because both products are derived from a common base, OPNsense and PFSense share many features. Both support all common router features, including traffic-shaping and QoS, as well as features useful on high-end networks such as VLAN tagging and polling.

The OPNsense documentation contains details for getting the software running on local hardware, in virtualization, and on cloud providers like Amazon Web Services. OPNsense features a sophisticated web interface for configuring and managing the product.

Touted features in OPNsense include the ability to choose either LibreSSL or OpenSSL as the SSL library used in the product; an importer that allows you to recycle configurations from some versions of PFSense; and a plug-in system that allows for extension of the GUI. Recent releases of PFSense feature a redesigned web UI, which replaces one that was a constant target of criticism; an implementation of the netmap-fwd project to allow much faster packet processing; and other performance improvements via FreeBSD.

OPNsense and PFSense limitations

OPNsense supports x86/64 chip sets only; PFSense supports x86/64 chip sets and Netgate ADI embedded device hardware.

Recommended users for OPNsense and PFSense

Those repurposing old PC hardware as a firewall or router should check out either OPNsense or PFSense. Of the two, PFSense has slightly more modest hardware needs. OPNsense and PFSense have common roots but radically different UIs and development paths.




VyOS

VyOS is a fork of Vyatta, a Linux-based network operating system available in both a core open source implementation and a commercial edition. The open source edition was phased out after Brocade acquired Vyatta, but a fork of the open source version continues to live on as VyOS.

VyOS can work as a small-office or branch-office gateway, as a VPN concentrator, or as a bridge between datacenters or between datacenters and clouds.

Supported hardware for VyOS
