The router is the single point of failure in any network, yet we are forced to rely on usually cheap, insecure black box proprietary firmware provided by hardware vendors and ISPs. These devices are often riddled with telemetry, tracking, and unnecessary services that compromise user privacy.
Software and hardware should be free and transparent. Restrictive ideologies create closed gardens, slow progress, rely on security by obscurity and inevitably end up invading people’s privacy. Computers are supposed to be a new world you can do anything in, but they are being restricted more and more. By flashing OpenWrt on my Linksys SPNMX42 (it’s a rebranded MX4200v2), I reclaimed a large part of this and improved the general browsing experience for my household. I replaced tracking with the privacy-first solutions Stubby and adblock-lean.
The Linksys SPNMX42 is simply the Linksys MX4200v2 rebranded. Linksys provides a mediocre web interface with a few nice features, but also bloatware and poor navigation. The router comes with 1024MB of RAM, which is plenty for adblock, Stubby and a WireGuard VPN.
The chip on the system is a Qualcomm IPQ8174 (Hawkeye), a quad-core ARM Cortex-A53 processor @ 1.4GHz.
Tri-Band Wi-Fi 6 (802.11ax)
Accessing Recovery Mode: Linksys allows manual firmware uploads, though the option is usually hidden until you scroll to the footer and select ‘CA’. In my case, my ISP blocked manual uploads entirely. I managed to work around this by applying a validated firmware update to roll the device back, which subsequently enabled the OpenWrt factory image upload.
Flashing: Upload the openwrt-25.12.4-qualcommax-ipq807x-linksys_mx4200v2-squashfs-factory.bin to the stock firmware’s recovery page. The image is available from the OpenWrt firmware selector.
LuCI: Once flashed, connect to the router at 192.168.1.1 (default) and log in via the LuCI web interface.
Configuration
DNS queries are traditionally sent in cleartext, allowing ISPs and third parties to profile your browsing habits. To rectify this, I utilise Stubby, a lightweight DNS-over-TLS (DoT) client, combined with Mullvad’s DNS servers.
apk update
apk add stubby
Edit the Stubby configuration file (/etc/stubby/stubby.yml) to point to Mullvad’s encrypted DNS resolvers.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 9000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 194.242.2.2
    tls_auth_name: "dns.mullvad.net"
  - address_data: 194.242.2.3
    tls_auth_name: "dns.mullvad.net"
Advertising networks often serve as vectors for malware and tracking scripts.
adblock-lean is a low maintenance (almost set and forget), powerful and ultra-efficient adblocking solution for OpenWrt that does not mandate any external dependencies or introduce unnecessary bloat.
apk add adblock-lean
By pointing dnsforwarder to dnsmasq, adblock-lean hijacks DNS lookups for known malicious and advertising domains, returning a null IP address. This prevents client devices from ever attempting to load the ad server, saving bandwidth and improving page load times.
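A check for the Stubby configuration shown earlier, as an added example that is not part of the original post: it flags settings that would let queries leave the router in cleartext or reach a resolver whose certificate is not verified. The function name and the FAIL output format are assumptions of this example; upstreams authenticated only by tls_pubkey_pinset are also reported, because the check looks for tls_auth_name as used in this post.

```shell
#!/bin/sh
# Added example: audit a stubby.yml for settings that let DNS leave the
# router in cleartext or go to an unauthenticated resolver.
# Prints one FAIL line per finding; returns 0 only for a strict DoT profile.
audit_stubby_config() {
    awk '
    function close_upstream() {
        # An upstream without a name cannot be checked against its certificate.
        if (addr != "" && !named) {
            print "FAIL upstream " addr " has no tls_auth_name"; bad = 1
        }
        addr = ""; named = 0
    }
    { sub(/[ \t]*#.*/, "") }                 # strip comments
    /^[ \t]*$/ { next }                      # skip blank lines
    /^[A-Za-z_]/ {                           # unindented key starts a new section
        close_upstream(); section = $1; sub(/:$/, "", section)
    }
    $1 == "tls_authentication:" { auth = $2 }
    section == "dns_transport_list" && $1 == "-" {
        if ($2 == "GETDNS_TRANSPORT_TLS") tls = 1
        else { print "FAIL fallback transport " $2 " permits cleartext DNS"; bad = 1 }
    }
    section == "upstream_recursive_servers" && NF >= 2 {
        key = $1; val = $2
        if ($1 == "-") { close_upstream(); key = $2; val = $3 }   # new list item
        if (key == "address_data:") addr = val
        if (key == "tls_auth_name:") named = 1
    }
    END {
        close_upstream()
        if (auth != "GETDNS_AUTHENTICATION_REQUIRED") {
            print "FAIL tls_authentication is \"" auth "\" (want GETDNS_AUTHENTICATION_REQUIRED)"; bad = 1
        }
        if (!tls) { print "FAIL GETDNS_TRANSPORT_TLS is not in dns_transport_list"; bad = 1 }
        exit bad + 0
    }' "$@"
}

# Usage: sh audit-stubby.sh /etc/stubby/stubby.yml
if [ "$#" -gt 0 ]; then
    audit_stubby_config "$1" && echo "OK: strict DNS-over-TLS profile"
fi
```

Run it after every edit to the file: a single extra entry such as GETDNS_TRANSPORT_UDP in dns_transport_list is enough to reintroduce cleartext queries without any visible change in browsing.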
Conclusion
The combination of encrypted DNS via Stubby and network-wide ad blocking provides an improvement in both security and performance.