About this post. Written by Rocket Routers about features we are actively building into our firmware. We use AI assistance (Claude, by Anthropic) to help draft and research content — we review everything before it goes live. The features described here are in development and not yet available. We will announce when they ship.
Part one — WireGuard VPN in LuCI
WireGuard is already available in OpenWrt. You can install it today on any OpenWrt router and configure it manually via the command line. It works brilliantly. The problem is that setting it up from scratch requires comfort with the terminal, generating key pairs, editing config files, and understanding how VPN routing works. For most people that is a barrier.
We are building a clean WireGuard configuration interface directly into the Rocket Router's LuCI web panel — the same interface you use to check your connection status and set up WiFi. No command line needed.
What you will be able to do from LuCI
Road warrior VPN
Connect your phone or laptop back to your home or office network from anywhere in the world. All your traffic routes through your Rocket Router — encrypted, private, with your home IP address.
Site-to-site tunnel
Connect two Rocket Routers at different locations: two offices, a home and an office, a site and a head office. Devices at both ends appear on the same private network.
QR code device setup
Add a new device to your VPN by scanning a QR code with the WireGuard app on your phone. No manual key entry. The router generates everything.
Peer management
See every device connected to your VPN, when it last connected, and how much data it has used. Remove devices instantly if a phone is lost or a staff member leaves.
Why WireGuard and not OpenVPN?
OpenVPN has been the standard for years and it works. But WireGuard is better in almost every measurable way for most use cases.
Speed. WireGuard lives in the Linux kernel. OpenVPN runs in userspace. The difference in latency and throughput is significant — especially on a router's less powerful CPU. WireGuard on a Rocket Router will outperform OpenVPN on the same hardware by a meaningful margin.
Simplicity. OpenVPN requires a certificate authority, server certificates, client certificates, CRL files, config files with dozens of options. WireGuard needs a public key, a private key, and an endpoint. That is it. Smaller attack surface, fewer things to misconfigure.
Auditable code. WireGuard's entire codebase is around 4,000 lines of C. OpenVPN is over 100,000 lines. A security researcher can read the entire WireGuard codebase in a day. That matters when you are trusting software with your private communications.
Encryption. WireGuard uses ChaCha20-Poly1305 for encryption — the same cipher used in TLS 1.3, Signal, and our own encrypted messaging tool described below. No cipher negotiation, no downgrade attacks, no padding oracles. One cipher, implemented once, correctly.
For the technically minded: WireGuard is built into the Linux kernel from version 5.6 onwards. It uses Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing, and SipHash24 for hashtable keys. Every algorithm was chosen specifically to be fast on hardware without AES acceleration — which includes most router chips.
Part two — Encrypted messaging built into the router
This is where things get interesting — and genuinely unusual. We are not aware of any other consumer or prosumer router that has done this.
We are building an end-to-end encrypted message tool directly into the Rocket Router's LuCI web interface. You open your router's control panel in a browser, navigate to the encryption tab, type a message, enter a passphrase, and get back an encrypted blob of text you can send via any channel — email, WhatsApp, Signal, SMS, a sticky note, anything. The recipient uses the same interface on their router, pastes the blob, enters the same passphrase, and reads the message.
No accounts. No apps. No servers. No third party ever sees your message or your passphrase. The encryption and decryption happen entirely on the router's own processor.
The cryptography
We take cryptography seriously and we do not roll our own. The tool uses two established, well-reviewed algorithms in sequence:
scrypt — a memory-hard key derivation function. Your passphrase is not used directly as an encryption key. scrypt transforms it into a 256-bit cryptographic key using a process that requires significant RAM per attempt — around 128 megabytes. This makes brute-forcing your passphrase computationally expensive. An attacker who intercepts an encrypted message and knows you used a short passphrase cannot simply throw GPU power at it — each guess costs them 128MB of RAM and meaningful compute time.
ChaCha20-Poly1305 — authenticated encryption. The 256-bit key from scrypt is used to encrypt your message with ChaCha20 and simultaneously generate a 16-byte authentication tag with Poly1305. The authentication tag means the ciphertext is verified on decryption — if anyone altered even a single byte of the encrypted message in transit, decryption fails immediately. No partial data is ever returned. Wrong passphrase, tampered message, or corrupted data all produce the same result: a hard error and nothing else.
A fresh random salt (for scrypt) and nonce (for ChaCha20-Poly1305) are generated for every message, so encrypting the same message twice produces completely different ciphertext. An observer watching your encrypted messages over time cannot tell if you are sending the same thing repeatedly. No patterns leak.
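The scrypt and ChaCha20-Poly1305 construction described above, as an added example using Node.js built-ins (not Rocket Routers' code). The scrypt parameters N = 2^17, r = 8, p = 1, the 16-byte salt, and the base64 `salt || nonce || ciphertext || tag` layout are assumptions chosen to match the post's 128 MB and 16-byte tag figures; `seal`, `unseal` and `kdfMemoryBytes` are illustrative names.

```javascript
// Added example: passphrase -> scrypt -> ChaCha20-Poly1305 (Node.js built-ins only).
const crypto = require('node:crypto');

// Assumed cost parameters: scrypt needs about 128 * N * r bytes, so
// N = 2^17 and r = 8 give the ~128 MB per guess the post describes.
const KDF = { N: 2 ** 17, r: 8, p: 1, maxmem: 256 * 1024 * 1024 };
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;
const ALG = 'chacha20-poly1305';

function kdfMemoryBytes(kdf = KDF) {
  return 128 * kdf.N * kdf.r;
}

// Assumed blob layout: base64(salt || nonce || ciphertext || tag).
function seal(message, passphrase, kdf = KDF) {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh per message
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per message
  const key = crypto.scryptSync(passphrase, salt, KEY_LEN, kdf);
  const c = crypto.createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([c.update(message, 'utf8'), c.final()]);
  return Buffer.concat([salt, nonce, ct, c.getAuthTag()]).toString('base64');
}

function unseal(blob, passphrase, kdf = KDF) {
  try {
    const raw = Buffer.from(blob, 'base64');
    if (raw.length < SALT_LEN + NONCE_LEN + TAG_LEN) throw new Error('short');
    const salt = raw.subarray(0, SALT_LEN);
    const nonce = raw.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
    const ct = raw.subarray(SALT_LEN + NONCE_LEN, raw.length - TAG_LEN);
    const tag = raw.subarray(raw.length - TAG_LEN);
    const key = crypto.scryptSync(passphrase, salt, KEY_LEN, kdf);
    const d = crypto.createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
    d.setAuthTag(tag);
    const head = d.update(ct);
    // update() hands back unverified plaintext; final() checks the Poly1305
    // tag and throws on mismatch, so nothing is returned before it passes.
    const tail = d.final();
    return Buffer.concat([head, tail]).toString('utf8');
  } catch {
    // Wrong passphrase, tampering and truncation are indistinguishable.
    throw new Error('decryption failed');
  }
}
```

Both sides must use the same scrypt parameters, since this layout does not carry them in the blob.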
What this means in plain English
If you and a colleague both have Rocket Routers and you share a passphrase once — in person, over a phone call, via Signal — you can exchange encrypted messages forever via any channel you like. WhatsApp reads every message it carries. Email providers scan for advertising data. SMS is not encrypted at all. None of that matters if the content is already encrypted before it leaves your device.
The encrypted blob looks like this:
That is a real encrypted message — encrypted using the tool we have built and tested. It means something to the person who has the passphrase. To anyone else, including us, it is meaningless noise. We cannot decrypt it. No server was involved in creating it. No account was needed.
Why build this into a router?
Because the router is infrastructure you already trust. It is already handling your network traffic. It is already running a web interface you access from your browser. Adding an encryption tool to that interface means it is available on any device on your network — PC, phone, tablet — without installing anything. It works even when the internet is down, because it runs locally on the router. And because it is in the firmware we write and publish, you can inspect exactly what it does.
We are not building a communications platform. We are not storing messages. We are not providing a service. We are giving you a tool that runs on hardware you own, using cryptography that has been reviewed by the global security community, with no moving parts that can be subpoenaed, shut down, or compromised by a third party.
Lawful use only. Strong encryption is a tool, like a lock on a door. We build it for the same reasons door manufacturers make good locks — because privacy is legitimate and important. Our firmware includes a clear terms of use: this tool is for lawful private communications only. It cannot and does not prevent misuse by determined bad actors — no technology can — but the same is true of every communications tool ever built. The law applies regardless of encryption.
The standalone desktop tool
While the LuCI integration is in development, we have already built a standalone desktop version of the encrypted messaging tool — a single executable file for Windows and Linux that requires no installation and no internet connection. It uses identical cryptography to the LuCI version. You can contact us to find out more.
When will these features ship?
The WireGuard LuCI interface is targeted for our firmware release alongside the main product launch in July 2026. The in-router encryption tool will follow in a subsequent firmware update. We will not rush either feature — security software that ships with bugs is worse than no security software at all.
Both features will ship as firmware updates automatically applied to all Rocket Plus and Rocket Pro units. No hardware change needed. If you buy a router at launch, you get these features when they are ready.