
OpenWrt Explained — Install, Configure, VLANs, WireGuard, OpenVPN and More

OpenWrt turns a router into a proper Linux computer. You get full control over your network — VLANs, VPNs, traffic shaping, ad blocking, 5G interface configuration, remote access, and thousands of packages. This is the complete guide, from installing it for the first time all the way to running WireGuard, OpenVPN and Ngrok.


Transparency notice: Researched and drafted with AI assistance (Claude, by Anthropic), reviewed by Rocket Routers before publishing. We sell routers with OpenWrt support — the Rocket Pro and Rocket Plus both support it. We've tried hard to be accurate and fair. Spot an error? Tell us.

In this post
  1. What is OpenWrt and why does it matter?
  2. Choosing compatible hardware
  3. How to install OpenWrt
  4. The LuCI interface — your way around
  5. Interfaces explained — LAN, WAN, 5G and more
  6. Configuring VLANs on OpenWrt
  7. WiFi configuration — SSIDs, bands and guest networks
  8. The OpenWrt firewall — zones and rules
  9. Setting up WireGuard VPN
  10. Setting up OpenVPN
  11. Ngrok on OpenWrt — remote access without port forwarding
  12. Essential packages worth installing
  13. What is Bash and how do you use it?
  14. Reading SMS and checking data balance on your SIM
  15. Bonding two connections — beginner to enterprise
  16. Version differences and compatibility honest truth

1. What is OpenWrt and why does it matter?

Beginner

OpenWrt is a full Linux operating system for routers. When you buy a router from a manufacturer, it comes with stock firmware — proprietary software that does the basics but gives you very little control. OpenWrt replaces that stock firmware entirely, turning your router into a proper configurable Linux box running on your network.

The project started in 2004 when Linksys accidentally released GPL source code for their WRT54G router, and developers ran with it. Twenty years later it supports over 2,600 devices from 399 brands and has around 8,000 installable packages.

What you can do with OpenWrt that stock firmware can't

Stock Firmware vs OpenWrt — What You Actually Get

Stock Firmware
  ✗ Basic NAT firewall only
  ✗ Simplified "guest network" only
  ✗ No WireGuard or OpenVPN
  ✗ No traffic shaping or SQM
  ✗ No network-wide ad blocking
  ✗ Updates stop when manufacturer decides
  ✗ Limited 5G/4G interface control
  ✗ No package manager — what you get is all you get

OpenWrt
  ✓ Full nftables firewall with custom rules
  ✓ Full 802.1Q VLANs with trunk ports
  ✓ WireGuard + OpenVPN built-in
  ✓ SQM traffic shaping — kills bufferbloat
  ✓ AdGuard Home / adblock — whole network
  ✓ Community updates for years longer
  ✓ Full 5G modem interface control
  ✓ 8,000+ installable packages via opkg

Fig 1. Stock firmware vs OpenWrt — the capability gap is significant.

2. Choosing compatible hardware

Beginner

Not every router runs OpenWrt well even if it technically supports it. Before you buy or flash anything, check the official table of hardware — it tells you the support status, known issues and installation method for every supported device.

📋 OpenWrt Table of Hardware → 💾 OpenWrt Firmware Selector →

What to look for in hardware

The Rocket Pro and Rocket Plus

Both the Rocket Plus and Rocket Pro support OpenWrt. The Pro ships with OpenWrt support confirmed — it's a ZBT platform with the Qualcomm X75 modem. The ZBT WE3000 platform is well supported in the OpenWrt community. For the modem configuration sections later in this guide, we'll reference how this applies to the Pro specifically.

3. How to install OpenWrt

Beginner — Intermediate
Before you flash anything

Flashing incorrect firmware can permanently brick your router. Always check your exact model and hardware revision on the Table of Hardware first. Download firmware only from the official OpenWrt site. Never interrupt the flashing process. Have a recovery plan — know your router's TFTP recovery procedure before you start.

The three main installation methods

Method 1 — Web UI flash (easiest, most common)

Most routers allow you to upload custom firmware through the stock admin panel's firmware upgrade page. This is the preferred method where available.

  1. Go to the OpenWrt Firmware Selector and search for your exact model and revision
  2. Download the Factory image (not the sysupgrade — that's for updating an existing OpenWrt install)
  3. Log into your router's stock admin panel — usually at 192.168.1.1 or 192.168.0.1
  4. Find the firmware upgrade section — usually under Administration, Advanced, or System
  5. Disable any "check for official firmware" options if present
  6. Upload the OpenWrt factory image and confirm
  7. Wait — do not interrupt. Takes 2–5 minutes typically
  8. Router reboots to OpenWrt. Access it at 192.168.1.1

    # First login - no password set by default
    # Open browser and go to: http://192.168.1.1
    # Or via SSH:
    ssh root@192.168.1.1
    # Press Enter when prompted for password (blank by default)

    # IMPORTANT: Set a password immediately
    passwd

Method 2 — TFTP recovery flash

Some routers support TFTP — a simple file transfer protocol used during boot for emergency recovery. This method works even if the stock web UI won't accept third-party firmware. The general process:

  1. Set your computer's IP address to a static address in the same subnet as the router's TFTP mode (usually 192.168.0.x or 192.168.1.x — check your device page)
  2. Rename the OpenWrt factory image to exactly the filename the router expects (specified on the device page)
  3. Start a TFTP server on your computer pointing to the firmware file
  4. Power cycle the router while holding the reset button to enter TFTP recovery mode
  5. The router fetches and flashes the file automatically
📖 OpenWrt TFTP installation guide →

Method 3 — SSH / command line on existing OpenWrt

If you're upgrading an existing OpenWrt installation:

    # Upload sysupgrade image via SCP first:
    scp openwrt-sysupgrade.bin root@192.168.1.1:/tmp/

    # Then SSH in and run sysupgrade:
    ssh root@192.168.1.1
    sysupgrade -v /tmp/openwrt-sysupgrade.bin

    # sysupgrade keeps your saved configuration by default.
    # To also attempt to preserve every changed file in /etc/:
    sysupgrade -c /tmp/openwrt-sysupgrade.bin

First steps after installation

The moment OpenWrt is running, do these things before anything else:

  1. Set a root password — the default has none. Go to System → Administration → Set Password, or run passwd via SSH
  2. Update the package list — System → Software → Update lists (or opkg update in SSH)
  3. Install LuCI if it's missing — some images ship without the web interface. If your browser shows nothing at 192.168.1.1 after a minute, SSH in and run opkg install luci
  4. Set your timezone — System → System → Timezone

4. The LuCI interface — finding your way around

Beginner

LuCI is OpenWrt's web interface. It lives at 192.168.1.1 by default. The menu structure is consistent across versions though the visual design has evolved over the years.

LuCI Menu Map — Where to Find Everything

  Status: Overview, Routes, System Log, Kernel Log, Processes, Realtime Graphs, WireGuard Status
  System: System (hostname/TZ), Administration, Software (opkg), Startup, Scheduled Tasks, LED Configuration, Backup / Flash, Reboot
  Network: Interfaces ← key, Wireless, DHCP and DNS, Hostnames, Static Routes, Diagnostics (ping), Firewall ← key, Switch (VLANs), QoS / SQM
  Services (installed packages add items here): AdGuard Home, OpenVPN, Dynamic DNS, Wake on LAN, Network Time
  CLI / UCI (advanced users, full Linux shell): SSH access, uci commands, opkg install, vi /etc/config/

Fig 2. LuCI menu structure — the five main sections and what lives in each.

5. Interfaces explained — LAN, WAN, 5G and more

Intermediate

This is the section most guides gloss over and most people get confused by. Understanding interfaces is the key to understanding everything else in OpenWrt.

In OpenWrt, an interface is a logical network connection with an IP address, a protocol, and a set of firewall zone rules. The same physical ethernet port or wireless radio can carry multiple logical interfaces through VLANs and subinterfaces.

The default interfaces

A fresh OpenWrt install typically has three interfaces:

Adding a 5G / 4G modem interface

If your router has a built-in 5G modem — like the Rocket Pro with its Qualcomm X75 module — you'll see the modem presented as a network device. Depending on the modem and firmware, this will typically appear as one of:

    # Install QMI packages for 5G modem support
    opkg update
    opkg install kmod-usb-net-qmi-wwan uqmi luci-proto-qmi

    # Check if modem is detected
    ls /dev/cdc-wdm*
    # Should show something like /dev/cdc-wdm0

    # Check modem status
    uqmi -d /dev/cdc-wdm0 --get-signal-info

In LuCI, go to Network → Interfaces → Add new interface. Name it something like WWAN or 5G. Select QMI Cellular as the protocol. Select the modem device (usually /dev/cdc-wdm0). Enter your SIM's APN.

Which interface for which purpose — the honest guide

Interface / Protocol | Best for | Why
DHCP client (WAN) | Fixed broadband (FTTC, FTTP, cable) | Your ISP hands you an IP automatically. Simple and standard.
PPPoE | DSL connections, some FTTP | ISP requires username/password authentication. Common with BT, Sky, TalkTalk.
QMI / MBIM | 5G/4G modems (recommended) | Full modem control — signal info, APN settings, band locking, SIM switching.
NCM / RNDIS | 5G/4G modems (simpler) | Modem presents as ethernet adapter. Less control but easier to set up.
WireGuard | VPN tunnel interface | Creates a virtual network interface (wg0) for encrypted VPN traffic.
Static | LAN, fixed server connections | Fixed IP address. Used for LAN and any device that needs a permanent address.

WAN failover — 5G backup for your fixed line

One of the best things you can do with OpenWrt is set up automatic failover — if your fixed broadband drops, traffic switches to 5G automatically. This requires the mwan3 package.

    # Install mwan3 for multi-WAN failover
    opkg install mwan3 luci-app-mwan3

    # Configure in LuCI under Network → Load Balancing
    # Or via UCI:
    uci set mwan3.wan.enabled=1
    uci set mwan3.wwan.enabled=1
    uci set mwan3.wwan.metric=20   # Higher metric = lower priority = failover only
    uci commit mwan3
    /etc/init.d/mwan3 restart

📖 mwan3 documentation →

6. Configuring VLANs on OpenWrt

Intermediate

OpenWrt supports proper 802.1Q VLANs — the same standard used in enterprise switches. There are two places VLANs are configured depending on your hardware: the switch configuration (for devices with a built-in managed switch chip) and bridge VLANs (the newer approach used in OpenWrt 21.02 and later).

The DSA change in OpenWrt 21.02 — important

This is the version difference that trips most people up. Before OpenWrt 21.02, VLANs were configured under Network → Switch using a VLAN table. From 21.02 onwards, OpenWrt moved to DSA (Distributed Switch Architecture), which changes how VLANs and bridge configuration works.

Which method do you need?

If you're on OpenWrt 21.02 or newer: use the Bridge VLAN filtering method (Network → Interfaces → Devices tab). If you're on OpenWrt 19.07 or older: use Network → Switch. If you're not sure, check System → Software → Installed packages and look for your OpenWrt version number.

Creating a VLAN — new DSA method (21.02+)

  1. Go to Network → Interfaces → Devices tab
  2. Click Configure on the br-lan bridge device
  3. Click the Bridge VLAN filtering tab
  4. Enable bridge VLAN filtering
  5. Add your VLAN IDs (e.g. VLAN 10 for staff, VLAN 20 for guest)
  6. Assign ports as tagged (trunk) or untagged (access) for each VLAN
  7. Go to Network → Interfaces → Add new interface
  8. Name it (e.g. staff), set protocol to Static, device to br-lan.10
  9. Set IP address (e.g. 192.168.10.1/24), enable DHCP server
  10. Assign firewall zone

    # Via UCI — create VLAN 10 interface
    uci set network.staff=interface
    uci set network.staff.device='br-lan.10'
    uci set network.staff.proto='static'
    uci set network.staff.ipaddr='192.168.10.1'
    uci set network.staff.netmask='255.255.255.0'
    uci commit network
    /etc/init.d/network restart

📖 OpenWrt VLAN configuration documentation →

7. WiFi configuration

Beginner

WiFi in OpenWrt is configured under Network → Wireless. Each physical radio (2.4 GHz, 5 GHz, 6 GHz) appears separately. On each radio you can create multiple SSIDs — each appearing as a separate WiFi network to clients.

Creating a guest WiFi network on its own VLAN

  1. Go to Network → Wireless
  2. Under your 5 GHz radio, click Add to create a second SSID
  3. Set the SSID name (e.g. "Guest")
  4. Under the Network tab, assign it to your guest interface (e.g. guest) rather than lan
  5. Enable WPA2 or WPA3 password
  6. Save and Apply

The guest SSID now puts clients directly onto the guest VLAN. Once the guest interface sits in its own firewall zone (section 8), they get internet access but cannot reach your main LAN at all.

Band steering and WiFi 7 on OpenWrt

One honest note: WiFi driver support in OpenWrt sometimes lags behind the hardware capabilities of newer routers. On WiFi 7 hardware, some advanced features like Multi-Link Operation (MLO) may not be fully supported in the current OpenWrt stable release. The snapshot builds are often ahead of stable in driver support. Check the device page on the Table of Hardware for current driver status before expecting full WiFi 7 feature support.

8. The OpenWrt firewall — zones and rules

Intermediate

OpenWrt uses a zone-based firewall. Every interface belongs to a zone, and rules are defined between zones rather than between specific IP addresses. This makes it much easier to reason about than raw iptables rules.

Default zones

Adding a zone for a new VLAN

Every new VLAN interface needs its own firewall zone, or you assign it to an existing zone. For a guest network:

    # Create a guest zone via UCI
    uci set firewall.guest=zone
    uci set firewall.guest.name='guest'
    uci set firewall.guest.network='guest'
    uci set firewall.guest.input='REJECT'
    uci set firewall.guest.output='ACCEPT'
    uci set firewall.guest.forward='REJECT'

    # Allow guest to reach internet (forward from guest to wan)
    uci set firewall.guest_wan=forwarding
    uci set firewall.guest_wan.src='guest'
    uci set firewall.guest_wan.dest='wan'

    # Block guest from reaching LAN (explicit rule)
    uci set firewall.block_guest_lan=rule
    uci set firewall.block_guest_lan.src='guest'
    uci set firewall.block_guest_lan.dest='lan'
    uci set firewall.block_guest_lan.target='REJECT'

    uci commit firewall
    /etc/init.d/firewall restart

📖 OpenWrt firewall documentation →
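
To check the isolation this section sets up, the following added example (not from the original guide or the OpenWrt project) parses the output of uci show firewall and summarises one zone: its input and forward policies, where it may forward, and whether clients can use the router's DNS and DHCP. The sample configs are constructed and the section names guest_dns and guest_dhcp are hypothetical; with input set to REJECT, guests need accept rules like these to get a DHCP lease and resolve names through the router.

```shell
#!/bin/sh
# Added example: summarise how isolated one firewall zone is.
# Reads `uci show firewall` output on stdin; $1 is the zone name.
audit_zone() {
    awk -v zone="$1" -v q="'" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                 # uci prints values in quotes
        n = split(key, part, "[.]")      # firewall.<section>[.<option>]
        if (n == 2) { type[part[2]] = val; order[++count] = part[2] }
        else if (n == 3) opt[part[2], part[3]] = val
    }
    END {
        dns = "no"; dhcp = "no"; lan = "no"
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (type[s] == "zone" && opt[s, "name"] == zone) {
                input = opt[s, "input"]; forward = opt[s, "forward"]
            }
            if (opt[s, "src"] != zone) continue
            hasdest = ((s, "dest") in opt)
            if (type[s] == "forwarding") {
                sep = (dests == "") ? "" : ","
                dests = dests sep opt[s, "dest"]
                if (opt[s, "dest"] == "lan") lan = "yes"
            } else if (type[s] == "rule" && opt[s, "target"] == "ACCEPT") {
                if (hasdest && (opt[s, "dest"] == "lan" || opt[s, "dest"] == "*")) lan = "yes"
                if (!hasdest) {          # no dest: traffic to the router itself
                    ports = " " opt[s, "dest_port"] " "
                    if (index(ports, " 53 ")) dns = "yes"
                    if (index(ports, " 67 ")) dhcp = "yes"
                }
            }
        }
        if (input == "ACCEPT") { dns = "yes"; dhcp = "yes" }
        if (input == "") input = "unset"
        if (forward == "") forward = "unset"
        if (dests == "") dests = "none"
        printf "zone=%s input=%s forward=%s forwards_to=%s dns=%s dhcp=%s reaches_lan=%s\n",
            zone, input, forward, dests, dns, dhcp, lan
    }'
}

# Constructed sample: what `uci show firewall` could print after running the
# guest-zone commands from this section on a default lan/wan setup.
sample_page_config() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.input='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.block_guest_lan=rule
firewall.block_guest_lan.src='guest'
firewall.block_guest_lan.dest='lan'
firewall.block_guest_lan.target='REJECT'
EOF
}

# Constructed sample: the same config plus rules that let guests use the
# router's DNS and DHCP (hypothetical section names).
sample_with_services() {
    sample_page_config
    cat <<'EOF'
firewall.guest_dns=rule
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.target='ACCEPT'
EOF
}

sample_page_config | audit_zone guest
sample_with_services | audit_zone guest
```

On the router, feed it the live configuration with: uci show firewall | audit_zone guest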

9. Setting up WireGuard VPN

Advanced

WireGuard is a modern VPN protocol — fast, lean, and far simpler to configure than OpenVPN. It's now built into the Linux kernel. On OpenWrt it requires a few packages and creates a virtual network interface (typically wg0).

There are two scenarios — WireGuard client (your router connects to a VPN provider or remote server) and WireGuard server (your router IS the VPN server, allowing you to connect back to your home network from anywhere).

WireGuard server on your router — access your home network remotely

    # Install WireGuard packages
    opkg update
    opkg install wireguard-tools kmod-wireguard luci-proto-wireguard

    # Reboot after install
    reboot

After reboot, in LuCI go to Network → Interfaces → Add new interface:

    # Alternative: generate keys manually via SSH
    umask 077                # new key files are readable by root only
    mkdir -p /etc/wireguard  # make sure the target directory exists
    wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
    cat /etc/wireguard/server_private.key   # Copy this — you'll need it for the interface config
    cat /etc/wireguard/server_public.key    # Copy this — you'll give it to clients

    # Generate a client keypair
    wg genkey | tee /etc/wireguard/client1_private.key | wg pubkey > /etc/wireguard/client1_public.key

Adding a peer (client device)

In LuCI, in your wg0 interface, scroll to the Peers section and click Add peer:

Firewall for WireGuard server

    # Create WireGuard firewall zone
    uci set firewall.wg=zone
    uci set firewall.wg.name='wireguard'
    uci set firewall.wg.network='wg0'
    uci set firewall.wg.input='ACCEPT'
    uci set firewall.wg.output='ACCEPT'
    uci set firewall.wg.forward='ACCEPT'

    # Allow WireGuard port through WAN
    uci set firewall.wg_port=rule
    uci set firewall.wg_port.src='wan'
    uci set firewall.wg_port.dest_port='51820'
    uci set firewall.wg_port.proto='udp'
    uci set firewall.wg_port.target='ACCEPT'

    uci commit firewall
    /etc/init.d/firewall restart

Client config file to put on your phone or laptop

    # Create this as a .conf file for your WireGuard client app
    [Interface]
    PrivateKey = <client_private_key>
    Address = 10.0.0.2/24
    DNS = 10.0.0.1

    [Peer]
    PublicKey = <server_public_key>
    Endpoint = your.router.ip.or.domain:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

📖 OpenWrt WireGuard documentation →

10. Setting up OpenVPN

Advanced

OpenVPN is older than WireGuard and more complex to configure, but it's extremely widely supported and is often required for corporate VPN connections. It also works on port 443 (TCP), making it difficult for firewalls to block — useful in restrictive network environments.

OpenVPN client — connecting to a VPN provider

If you have an OVPN config file from a VPN provider (ExpressVPN, NordVPN, Mullvad etc.), this is the simplest route:

    # Install OpenVPN packages
    opkg update
    opkg install openvpn-openssl luci-app-openvpn

    # Upload your .ovpn config file via SCP
    scp myvpn.ovpn root@192.168.1.1:/etc/openvpn/

    # Start OpenVPN with the config
    openvpn --config /etc/openvpn/myvpn.ovpn --daemon

    # Or enable via UCI to start on boot
    uci set openvpn.myvpn=openvpn
    uci set openvpn.myvpn.enabled='1'
    uci set openvpn.myvpn.config='/etc/openvpn/myvpn.ovpn'
    uci commit openvpn
    /etc/init.d/openvpn start
    /etc/init.d/openvpn enable

Routing specific traffic through OpenVPN

A common setup is to put one VLAN (say, your work devices) through the VPN while other devices use the direct internet connection. This is called policy-based routing — OpenWrt handles it well via the ip rule and routing table system.

    # Create a separate routing table for VPN traffic
    echo "100 vpn" >> /etc/iproute2/rt_tables

    # Add rule: traffic from VLAN 10 (192.168.10.0/24) uses vpn table
    ip rule add from 192.168.10.0/24 lookup vpn

    # Route all traffic in vpn table through the tun0 (OpenVPN) interface
    ip route add default dev tun0 table vpn

📖 OpenWrt OpenVPN documentation →

11. Ngrok on OpenWrt — remote access without port forwarding

Expert

Ngrok is a tunnelling service that creates a secure public URL pointing at your router — without needing to open ports on your firewall or have a static IP. It's particularly useful if you're behind CGNAT (Carrier-Grade NAT), which many 5G and mobile broadband connections are.

The use case: you want to SSH into your home network, access a local web service, or expose a local device to the internet temporarily — without dealing with your ISP's NAT or dynamic IP.

CGNAT and 5G — why this matters

Most 5G and 4G mobile broadband connections use CGNAT — your router doesn't get a real public IP, it gets a private address shared with many other customers. This means standard port forwarding won't work. WireGuard (if you have a VPS to connect to) or Ngrok are both good solutions for this problem.

Installing Ngrok on OpenWrt

Ngrok doesn't have an official OpenWrt package, but you can run the ARM or MIPS binary directly depending on your router's architecture.

    # Check your router's architecture
    uname -m
    # Common results: mips, aarch64, armv7l, x86_64

    # Download the correct Ngrok binary from ngrok.com for your architecture
    # Copy it to /usr/local/bin/ via SCP (run this on your computer)
    scp ngrok root@192.168.1.1:/usr/local/bin/
    # Then, on the router:
    chmod +x /usr/local/bin/ngrok

    # Authenticate with your Ngrok account token
    ngrok authtoken YOUR_AUTH_TOKEN

    # Start an SSH tunnel (exposes port 22 publicly)
    ngrok tcp 22

    # Start an HTTP tunnel to a local web service
    ngrok http 80

    # Run in background
    ngrok tcp 22 &

Making Ngrok start on boot

    # Create an init script at /etc/init.d/ngrok
    cat > /etc/init.d/ngrok << 'EOF'
    #!/bin/sh /etc/rc.common
    START=99
    STOP=10

    start() {
        /usr/local/bin/ngrok tcp 22 --log=/tmp/ngrok.log &
    }

    stop() {
        kill $(pgrep ngrok)
    }
    EOF

    chmod +x /etc/init.d/ngrok
    /etc/init.d/ngrok enable

Ngrok free tier limitation

The free Ngrok tier gives you a random URL that changes every time you restart. The paid tier gives you a fixed domain. For permanent remote access, WireGuard to a cheap VPS (£3–£5/month) is more cost-effective long-term — but Ngrok is faster to set up for occasional use.

📖 Ngrok documentation →

12. Essential packages worth installing

Intermediate

Package | What it does | Install command
luci-app-sqm | Smart Queue Management — eliminates bufferbloat, makes video calls smooth even with heavy downloads | opkg install luci-app-sqm
adguardhome | Network-wide DNS ad blocking. Covers every device including smart TVs | opkg install adguardhome
luci-app-ddns | Dynamic DNS — keeps a domain name pointing at your router even when your IP changes | opkg install luci-app-ddns ddns-scripts
mwan3 | Multi-WAN load balancing and failover — automatic switchover to 5G if fixed line drops | opkg install mwan3 luci-app-mwan3
luci-app-nlbwmon | Network bandwidth monitor — see which devices are using how much data | opkg install luci-app-nlbwmon
tcpdump | Packet capture — see exactly what's passing through your network for debugging | opkg install tcpdump
htop | Interactive process viewer — see router CPU and memory usage | opkg install htop
luci-app-upnp | UPnP support — useful for gaming consoles and some streaming devices that need automatic port forwarding | opkg install luci-app-upnp miniupnpd

12b. What is Bash — and how do you actually use it?

Complete Beginner

Before we get to reading SMS messages on your router, there is something important to understand — because nearly everything in the more advanced sections of this guide involves typing commands into something called Bash. If you have never done this before, do not skip this section. It will make everything else click.

What is Bash?

Bash is a command line shell — a way of talking to a computer by typing instructions rather than clicking buttons. When you use Windows or macOS normally, you are clicking on icons and menus. Behind all of that, the computer is actually running text commands. Bash lets you talk to the computer directly in that language, without the icons in the way.

Think of it like this. Using a GUI (graphical interface — the clickable kind) is like ordering food at a restaurant by pointing at pictures on a menu. Using Bash is like walking into the kitchen and telling the chef exactly what you want. More powerful, more precise, and faster once you know what to say — but you do need to learn the words.

On OpenWrt, Bash (or more precisely its lighter cousin ash, which works identically for everything we need) is how you do anything the LuCI web interface does not cover. Installing packages from third-party repositories, reading SMS messages, configuring advanced routing — all of it involves typing commands into the shell.

How to get to Bash on your OpenWrt router

You access your router's command line via SSH — Secure Shell. SSH is an encrypted connection from your computer to the router over your network. You type commands on your computer and they run on the router.

On Windows (Windows 10 and 11)

Windows 10 and 11 have SSH built in. Open PowerShell or Command Prompt — press the Windows key, type PowerShell, press Enter. Then type:

    # Connect to your router via SSH
    # Replace 192.168.1.1 with your router's IP if different
    ssh root@192.168.1.1

    # It will ask: Are you sure you want to continue connecting?
    # Type: yes and press Enter
    # Then enter your router password
    # (You set this when you first installed OpenWrt)

On Mac

Open Terminal — press Cmd + Space, type Terminal, press Enter. Then type the same command:

ssh root@192.168.1.1

Via LuCI (no separate app needed)

If you install the luci-app-ttyd package, you get a terminal window right inside the LuCI web interface — no SSH client needed. Just go to Services → Terminal in LuCI after installing it.

    # Install the browser-based terminal
    opkg install luci-app-ttyd

    # Then go to Services - Terminal in LuCI

Solving the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" error

If you have SSH'd into your router before and then reflashed or reset OpenWrt, you may see this alarming-looking message when you try to connect:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    Offending ED25519 key in C:\Users\YourName/.ssh/known_hosts:1
    Host key verification failed.

Do not panic. This almost certainly is not an attack. Here is what is actually happening.

When you first SSH into any device, your computer saves that device's unique identity key in a file called known_hosts. Think of it like saving someone's face in your memory. Next time you connect, your computer checks — does this face match what I remember? If the router has been reflashed, reset, or reinstalled, it generates a brand new identity key. Your computer sees a different face at the same address and refuses to connect, warning you something might be wrong.

In the context of your own home or office router — especially right after setting up OpenWrt — this is completely normal and safe. The fix is a single command that tells your computer to forget the old key so it can save the new one.

The fix — run this in PowerShell or Terminal:

    # This removes the old saved key for your router's IP address
    ssh-keygen -R 192.168.1.1

    # Output will say something like:
    # Host 192.168.1.1 found: line 1
    # known_hosts updated.

    # Now SSH in again as normal
    ssh root@192.168.1.1

    # It will ask you to confirm the new key — type yes and press Enter
    # The new key is saved and you will not see this warning again
    # (unless you reflash again, in which case just repeat this fix)

When should you actually worry?

On your own home or office network, this warning after a reflash or reset is fine to dismiss with the fix above. You would only have genuine cause for concern if you saw this warning on a public network — a hotel WiFi, an airport, a coffee shop — where someone could theoretically be intercepting your connection. On your own private network, with a router you own and have just reflashed or reset, it is safe to fix and proceed; if the warning appears when you have not reflashed or reset the router, find out why the key changed before removing the old one.

What you see when you are in

Once connected via SSH you will see something like this:

    BusyBox v1.36.1 (2024-01-01) built-in shell (ash)

      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__|

    root@OpenWrt:~#

That root@OpenWrt:~# is called the prompt. It is the router waiting for you to type a command. The # symbol means you are logged in as root — the administrator with full control over the system.

Basic Bash commands every beginner should know

Command What it does Example
ls List files and folders in the current location ls /etc/opkg/
cat Print the contents of a file to the screen cat /etc/opkg/customfeeds.conf
cd Change directory — move to a different folder cd /etc/config/
opkg install Install a package (OpenWrt's package manager) opkg install htop
opkg update Refresh the list of available packages opkg update
reboot Restart the router reboot
passwd Change the root password passwd
logread Show the system log — useful for troubleshooting logread | tail -20

What is grep — and why does it keep appearing?

grep stands for Global Regular Expression Print. That sounds intimidating. The practical meaning is simple: grep searches through text for a pattern and shows you the matching lines.

Think of it like the Ctrl+F find function in a browser — except it works on files and command output, and you can use it in combination with other commands.

    # Basic grep — search a file for a word
    grep "something" /path/to/file

    # Real example — search for "IceG" in the opkg config file
    grep "IceG" /etc/opkg/customfeeds.conf
    # If IceG appears in that file, grep prints the matching line
    # If it doesn't appear, grep prints nothing

    # The -q flag means "quiet" — don't print anything, just tell us yes or no
    grep -q "IceG" /etc/opkg/customfeeds.conf
    # No output either way — but the exit code tells other commands the result

That last point — the exit code — is what makes grep so powerful when combined with other commands. When grep finds something, it exits with code 0 (success). When it finds nothing, it exits with code 1 (failure). Other commands can react to that result, which leads us nicely to explaining the command that is needed to install the SMS tool.

Breaking down that repo command — line by line

Here is the command that trips up most beginners. Let us pull it apart completely so every part makes sense before you run it:

    grep -q IceG_repo /etc/opkg/customfeeds.conf || \
      echo 'src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo' \
      >> /etc/opkg/customfeeds.conf
    opkg update
    opkg install luci-app-sms-tool-js

At first glance that looks like a wall of symbols. Let us go through each part:

What is a repository (repo)?

Before we decode the command, you need to understand what a repository is. A repository — or repo — is simply a server on the internet that hosts software packages. When you run opkg install something, OpenWrt goes to its official repository servers and downloads that package.

The problem is that not every useful package is in the official OpenWrt repository. Some packages are made by community developers and hosted on their own servers. To install those, you first have to tell OpenWrt where to find them — you add the developer's repository to the list of places OpenWrt knows to look. That list lives in a file called /etc/opkg/customfeeds.conf.

The 4IceG SMS tool is one of these community packages. The developer — a Polish OpenWrt community member who has done excellent work on modem tools — hosts it on their own GitHub repository. We need to add that location to OpenWrt before we can install it.

Part 1: grep -q IceG_repo /etc/opkg/customfeeds.conf

This searches the customfeeds.conf file for the text IceG_repo. The -q flag means quiet — do not print anything, just check whether it is there or not. This is a safety check: we are asking "has this repo already been added?" before trying to add it again. Adding it twice would cause problems.

Part 2: ||

This is the OR operator in Bash. It means: "if the previous command failed, then run the next command." Since grep -q exits with failure when it finds nothing, the logic is: "if IceG_repo was NOT found in the file, then do the next thing." If it WAS already there, skip the next part entirely. This is how the whole command protects itself from running twice.

Part 3: echo 'src/gz IceG_repo https://...'

echo simply prints text. In this case it is printing the line we want to add to the config file. The text src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo is in OpenWrt's package feed format — src/gz means it is a compressed package source, IceG_repo is the name we are giving it, and the URL is where the packages actually live.

Part 4: >> /etc/opkg/customfeeds.conf

The >> symbols mean append to file. They take the output of the echo command (our new repo line) and add it to the end of the customfeeds.conf file. One important distinction: >> adds to the end. A single > would overwrite the whole file — which would wipe your existing config. Always use >> when you want to add to a file without destroying what is already there.

Part 5: The backslashes \

The backslash at the end of a line means "this command continues on the next line." It is just for readability — the whole thing is actually one single command split across multiple lines so it is easier to read. You can type it all on one line if you prefer, without the backslashes.

Part 6: opkg update

Now that we have added the new repository, we tell OpenWrt to refresh its package list — going out to all repositories including our newly added one and fetching the current list of what is available. Without this step, OpenWrt would not know about the new packages even though the repo address is now in the config.

Part 7: opkg install luci-app-sms-tool-js

Finally — install the package. OpenWrt now knows where to find it (from our new repo), the package list is up to date, and this command downloads and installs the SMS tool along with any dependencies it needs.

The whole thing in plain English

"Check if we have already added the IceG repository. If we have not, add it. Then refresh the package list so OpenWrt knows what is in that repository. Then install the SMS tool."

Why use a community repo at all?

The official OpenWrt repository is conservative — packages go through review before being included. Community developers often build useful tools that fill gaps in the official offering. The 4IceG packages are well-regarded in the OpenWrt community and specifically tested against Quectel modems — the same family as the RM520N-GL in the Rocket Pro. Using a trusted community repo is normal and common in the OpenWrt world.
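The check-then-append pattern explained above, extended into an added example (not code from the original page or from the 4IceG project). `add_feed` matches the feed name as a whole field, so a commented-out line does not count as "already added", and `audit_feeds` lists every active feed and flags plain-HTTP and third-party sources, which matters because packages from any configured feed install as root. The function names and the `FEEDS` and `OPKG_CONF` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example. FEEDS and OPKG_CONF default to the real files; point them
# at scratch copies to experiment safely.
FEEDS="${FEEDS:-/etc/opkg/customfeeds.conf}"

# add_feed NAME URL: append "src/gz NAME URL" unless an active feed called
# NAME already exists. A plain "grep -q NAME" would also match a line that
# has been commented out, or a URL that merely contains the name.
add_feed() {
    name=$1 url=$2
    if grep -Eq "^src(/gz)?[[:space:]]+$name[[:space:]]" "$FEEDS" 2>/dev/null; then
        return 0
    fi
    echo "src/gz $name $url" >> "$FEEDS"   # >> appends, > would wipe the file
}

# audit_feeds: print one line per active feed, flagging plain-HTTP sources
# and anything not served from downloads.openwrt.org.
audit_feeds() {
    awk '$1 ~ /^src(\/gz)?$/ {
        flag = ""
        if ($3 ~ /^http:\/\//) flag = flag " PLAINTEXT"
        if ($3 !~ /^https?:\/\/downloads\.openwrt\.org\//) flag = flag " THIRD-PARTY"
        print $2 ":" (flag == "" ? " OFFICIAL" : flag)
    }' "$FEEDS"
}

# signature_check_enabled: succeeds when opkg.conf still carries the
# "option check_signature" line, i.e. feed signatures are being verified.
signature_check_enabled() {
    grep -Eq '^[[:space:]]*option[[:space:]]+check_signature' \
        "${OPKG_CONF:-/etc/opkg.conf}"
}

# Typical use on the router:
#   add_feed IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo
#   audit_feeds
#   signature_check_enabled || echo "opkg signature checking is off"
```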

12c. Reading SMS and checking your data balance

Beginner — Intermediate

Your router has a SIM card inside it. That SIM can receive text messages — from your network provider, from automated systems, sometimes from people if the number is known. More usefully, most UK mobile networks have USSD codes — short dial codes like *#100# — that you can send to check your remaining data, your balance, or your account status. With the right OpenWrt packages you can do all of this from the router's web interface or command line, without needing to put the SIM in a phone.

Which package to install — the important choice first

The package you need depends on how your modem is connected to OpenWrt. There are two paths and they use different tools:

| Your modem setup | Package to use | How to check |
|---|---|---|
| QMI protocol (most Quectel modems including RM520N-GL) | sms-tool + luci-app-sms-tool-js | Run ls /dev/cdc-wdm* — if you see a result, this is you |
| ModemManager | mmcli (built into ModemManager) | Run mmcli -L — if it lists a modem, this is you |
| Not sure | Try QMI path first | The Rocket Pro uses QMI by default |

Path A — Installing sms-tool with LuCI interface (QMI modems)

This gives you a proper web interface inside LuCI for reading and sending messages. Here is the full process step by step:

Step 1 — SSH into your router (as explained in the Bash section above)

Step 2 — Install the base sms-tool package from the official repo

```sh
# Update package lists first
opkg update

# Install the serial driver packages and sms-tool
opkg install kmod-usb-serial kmod-usb-serial-option sms-tool
```

Step 3 — Add the 4IceG community repository

The LuCI interface for sms-tool is not in the official OpenWrt repo — it lives in the 4IceG community repo. Here is that command again, now you understand exactly what every part does:

```sh
# Check if repo is already added — if not, add it
grep -q IceG_repo /etc/opkg/customfeeds.conf || \
  echo 'src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo' \
  >> /etc/opkg/customfeeds.conf

# Refresh package lists including the new repo
opkg update

# Install the LuCI SMS interface
opkg install luci-app-sms-tool-js
```

Step 4 — Find your modem's AT port

The SMS tool needs to know which device port to talk to your modem through. Run this to see what is available:

```sh
# List USB serial ports — your modem's AT port is usually here
ls /dev/ttyUSB*
# Typical output: /dev/ttyUSB0 /dev/ttyUSB1 /dev/ttyUSB2 /dev/ttyUSB3
# The AT command port is usually ttyUSB2 or ttyUSB3 for Quectel modems

# Test which port responds to AT commands
# Start reading first so the reply is not missed, then send AT
cat /dev/ttyUSB2 &
echo -e 'AT\r' > /dev/ttyUSB2
sleep 1; kill $!
# If you see "OK" come back, that is your AT port
```

Step 5 — Configure sms-tool in LuCI

After installing, refresh LuCI (log out and back in, or clear your browser cache). You should see a new SMS Tool section appear in the LuCI menu. Go into it and set your modem's AT port (usually /dev/ttyUSB2 for the RM520N-GL). Then you can read all incoming messages, send texts, and send USSD codes.

Path B — Reading SMS via mmcli (ModemManager)

```sh
# List all modems ModemManager can see
mmcli -L
# Output example: /org/freedesktop/ModemManager1/Modem/0 [Quectel] RM520N-GL
# The number at the end (0) is your modem index

# List all SMS messages
mmcli -m 0 --messaging-list-sms

# Read a specific message (replace /SMS/0 with actual path from above)
mmcli -m 0 --sms /org/freedesktop/ModemManager1/SMS/0

# Send an SMS
mmcli -m 0 --messaging-create-sms="text='Hello from my router',number='+447700900000'"
# The create command prints the new message's path; use that path here
mmcli -m 0 --sms /org/freedesktop/ModemManager1/SMS/0 --send
```

Checking your data balance — USSD codes

USSD codes are short codes you dial to get information from your network. Every UK network has them. On a phone you would dial them like a number. On your router you send them via the AT command interface or through the sms-tool LuCI interface.

| Network | Data balance code | Account balance |
|---|---|---|
| EE | *#100# | *#100# |
| Vodafone | *#1345# | *#1345# |
| Three | *100# | *100# |
| O2 | *10# | *#10# |

Via AT commands directly (works regardless of which SMS tool you use):

```sh
# Send a USSD code via AT commands
# Replace ttyUSB2 with your actual AT port
# Replace *#100# with your network's balance code
echo -e 'AT+CUSD=1,"*#100#",15\r' > /dev/ttyUSB2

# The response comes back on the same port
# You may need to read it back:
cat /dev/ttyUSB2

# Or use the sms-tool command line directly
# (the sms-tool package installs its binary as sms_tool):
sms_tool -d /dev/ttyUSB2 ussd "*#100#"
```

Why this matters for router SIMs

Most router SIMs are data-only — you set them up once, plug the router in, and the SIM just sits inside working away. You never think about it until your data runs out or there is a network message you need to see. Being able to check your balance and read messages directly from the router without having to pull the SIM out and put it in a phone is genuinely useful. USSD balance checks are particularly handy for prepay or capped business SIMs.

📖 luci-app-sms-tool-js on GitHub →

13. Combining two connections — from beginner to enterprise

This is one of the most asked-about topics in 5G networking — and one of the least honestly explained. Can you combine two mobile connections and get double the speed? Yes — but the details matter enormously, and there are several different approaches depending on what you need and how deep you are prepared to go.

First, an important hardware note. The Rocket Pro and Rocket Plus each have one M.2 modem slot, fitted with one 5G modem. The ZBT platform supports one M.2 module — so fitting two modems inside the same unit is not possible on current hardware. What IS possible — and very practical — is connecting a second 5G source via USB (a USB 5G dongle or a phone tethered by USB cable), which OpenWrt treats as a second WAN interface. Everything in this section works with that setup.

Three Ways to Combine Two Connections

Load Balancing: mwan3 — Free — Beginner
  + Free — no VPS needed
  + Easy to set up in LuCI
  + Great for multi-device offices
  - Single download uses one line
  - Not true aggregation
  Best for: offices with many users browsing simultaneously

True Bonding (MPTCP): OpenMPTCProuter — ~£5/mo VPS
  + Real aggregation — one pipe
  + Single download uses both lines
  + Up to 8 connections supported
  + Works through CGNAT
  - Needs a VPS (~£5/month)
  Best for: home offices, SMBs, rural sites, 5G-only locations

Enterprise SD-WAN: Commercial — Full control
  + Managed SLAs
  + Per-app routing policies
  + Central management dashboard
  + Multi-site automatic failover
  - Commercial cost
  Best for: multi-site enterprise, mission-critical uptime needs

Fig 3. Three approaches to combining connections — pick the one that matches your situation.

Level 1 — Beginner: Load balancing with mwan3

Beginner

Think of this like having two checkout queues at a supermarket. You cannot put one shopping trolley through both at once — but if you have ten customers, you split them across both queues and everyone gets served faster. That is load balancing in a nutshell.

You have your router's built-in 5G modem as Connection 1. You plug in a USB 5G dongle or tether your phone via USB as Connection 2. OpenWrt sees both as separate internet connections. mwan3 then automatically sends different devices — or different sessions — across whichever connection is least busy at that moment.

The practical benefit: if you have an office with ten people all browsing, video calling and downloading simultaneously, they spread across both connections. You effectively double the total available bandwidth for your whole network. What it will not do is give a single device a single download at double speed — that still uses one connection at a time.

```sh
# Install mwan3 — the load balancing package
opkg update
opkg install mwan3 luci-app-mwan3
reboot
# After reboot go to: Network → Load Balancing in LuCI
```

In LuCI under Network → Load Balancing there are four tabs to configure:

  1. Interfaces — add both WAN connections. Set a tracking IP of 8.8.8.8 on each so mwan3 checks if the connection is actually alive
  2. Members — each member is a connection with a weight. Give your main 5G modem weight 2 and your secondary weight 1 — main carries twice the traffic
  3. Policies — create a "balanced" policy using both members. Or a "failover" policy that only switches to the backup if the main goes down
  4. Rules — assign your default traffic to the policy you created
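
The four tabs above written out as a config file, as an added example (not the mwan3 project's shipped defaults and not from the original page). It also checks the prerequisite that each WAN has its own metric in /etc/config/network. The interface names `wan` and `wan2`, the member names and both function names are assumptions.

```shell
# Added example: the four LuCI tabs as /etc/config/mwan3.
# Assumed names: wan = built-in 5G modem, wan2 = USB dongle or tethered phone.
write_mwan3_config() {
    conf=${1:-/etc/config/mwan3}
    if [ -f "$conf" ]; then cp "$conf" "$conf.bak"; fi   # keep a backup
    cat > "$conf" <<'EOF'
config globals 'globals'
    option mmx_mask '0x3F00'

# Interfaces: ping 8.8.8.8 through each WAN to confirm it is alive
config interface 'wan'
    option enabled '1'
    list track_ip '8.8.8.8'

config interface 'wan2'
    option enabled '1'
    list track_ip '8.8.8.8'

# Members: equal metric shares traffic by weight, higher metric is standby
config member 'wan_m1_w2'
    option interface 'wan'
    option metric '1'
    option weight '2'

config member 'wan2_m1_w1'
    option interface 'wan2'
    option metric '1'
    option weight '1'

config member 'wan2_m2_w1'
    option interface 'wan2'
    option metric '2'
    option weight '1'

# Policies: balanced splits 2:1, failover uses wan2 only when wan is down
config policy 'balanced'
    list use_member 'wan_m1_w2'
    list use_member 'wan2_m1_w1'

config policy 'failover'
    list use_member 'wan_m1_w2'
    list use_member 'wan2_m2_w1'

# Rules: send all IPv4 traffic through the balanced policy
config rule 'default_rule_v4'
    option dest_ip '0.0.0.0/0'
    option family 'ipv4'
    option use_policy 'balanced'
EOF
}

# wan_metrics_ok [PATH]: mwan3 needs a different 'option metric' on each WAN
# in /etc/config/network; succeeds only if wan and wan2 both have one.
wan_metrics_ok() {
    awk -v q="'" '
        $1 == "config" { ifc = ($2 == "interface") ? $3 : ""; gsub(q, "", ifc) }
        $1 == "option" && $2 == "metric" { v = $3; gsub(q, "", v); m[ifc] = v }
        END { exit !(m["wan"] != "" && m["wan2"] != "" && m["wan"] != m["wan2"]) }
    ' "${1:-/etc/config/network}"
}
```

After writing the file, restart the service with `/etc/init.d/mwan3 restart` and check link state with `mwan3 status`.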

Use different networks for best results

If both SIMs are on the same mobile network — both EE, both Vodafone — they are competing for capacity from the same masts. You will still see benefit but not double the speed. For best results use two different networks — EE and Vodafone, or Three and O2. They draw from genuinely separate infrastructure at separate masts.

📖 mwan3 official documentation →

Level 2 — Intermediate: True bonding with OpenMPTCProuter

Intermediate

This is where it gets genuinely exciting. OpenMPTCProuter uses a technology called MPTCP — Multipath TCP. Instead of one connection carrying all your traffic, MPTCP splits that traffic across multiple connections simultaneously at the packet level, and a server in the cloud reassembles it into a single seamless stream.

The result: a single download genuinely uses both connections at once. If each 5G connection does 200 Mbps, you can see close to 400 Mbps from a single download. This is not load balancing — it is actual aggregation at the packet level.

How OpenMPTCProuter Works

Your Location: OpenMPTCProuter on a router or Raspberry Pi, with SIM 1 (EE 5G) and SIM 2 (Vodafone 5G). Packets are split across both lines (SIM 1 path and SIM 2 path, both encrypted). Your devices see one fast connection.

Your VPS (~£5/month, London or EU): the MPTCP kernel receives packets from both SIMs, reassembles both streams and merges them into one fast outbound stream to the internet. VPS IP = your IP.

200 Mbps SIM 1 + 200 Mbps SIM 2 = ~380-400 Mbps combined. A single download sees the full aggregated speed.

Fig 4. OpenMPTCProuter — packets from two SIMs travel separate paths, a VPS reassembles them into one fast stream.

What you need

Step 1 — Set up the VPS (about 5 minutes)

SSH into your fresh Debian 12 VPS and run one command. That is genuinely all it takes on the server side:

```sh
# SSH into your VPS
ssh root@YOUR.VPS.IP.ADDRESS

# Run the one-line installer
wget -O - https://www.openmptcprouter.com/server/debian-x86_64.sh | sh

# Answer Y to all questions, then reboot
reboot

# SSH back in after reboot and save your keys
cat /root/openmptcprouter_config.txt
# Note down the server key — you need it for the router setup
```
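
Piping a download straight into `sh` as root runs whatever arrives, including a script that was cut off mid-transfer. This added example (not part of the OpenMPTCProuter project or the original page) saves the installer to disk and vets it before anything executes; the function names and the output path are assumptions.

```shell
#!/bin/sh
# Added example: fetch the installer to a file, vet it, then run it by hand.
INSTALLER_URL="https://www.openmptcprouter.com/server/debian-x86_64.sh"

# vet_script FILE: reject an empty download or one that no longer parses.
# "sh -n" parses without executing, which catches a file cut off inside an
# if-block, loop or quoted string (not one cut cleanly between commands).
# On success it prints the SHA-256, so two downloads can be compared.
vet_script() {
    f=$1
    [ -s "$f" ] || { echo "empty download: $f" >&2; return 1; }
    sh -n "$f" 2>/dev/null || { echo "does not parse, truncated?: $f" >&2; return 1; }
    sha256sum "$f" | cut -d' ' -f1
}

# fetch_and_vet OUT: download over HTTPS to OUT and vet it. Nothing is run.
fetch_and_vet() {
    wget -q -O "$1" "$INSTALLER_URL" && vet_script "$1"
}

# On the VPS:
#   fetch_and_vet /root/omr-install.sh    # prints the hash if the file is sane
#   less /root/omr-install.sh             # read what it will do as root
#   sh /root/omr-install.sh               # then run the copy you reviewed
```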

Step 2 — Flash OpenMPTCProuter onto your router device

Download the image for your device from openmptcprouter.com. Flash it to a microSD card using Balena Etcher. Insert into your Pi or device, power on. The interface is at 192.168.100.1 — default login is root with no password. Set a password immediately.

Step 3 — Connect router to VPS and add your WANs

In the web interface go to System → OpenMPTCProuter → Settings Wizard:

  1. Enter your VPS IP address in the Server IP field
  2. Paste the server key from your config file
  3. Go to Network → Interfaces and add your WAN connections
  4. Primary connection: set Multipath TCP: Master
  5. Secondary connection: set Multipath TCP: Enabled
  6. Enable SQM on both interfaces — this smooths out latency differences between the two connections
  7. Save and Apply

```sh
# Quick UCI config for two WANs
uci set network.wan.multipath='master'
uci set network.wan2.multipath='enabled'
uci commit network
/etc/init.d/network restart
```

If MPTCP gets blocked

Some mobile networks filter MPTCP traffic. If OpenMPTCProuter reports that multipath is blocked, switch the tunnel mode from MPTCP to Glorytun UDP or MLVPN in the settings. These use a different tunnelling approach that almost no network blocks — you still get real aggregation, just through a different protocol.

🌐 OpenMPTCProuter official site → 📖 OpenMPTCProuter wiki →

Level 3 — Enterprise: SD-WAN and multi-site bonding

Enterprise

For enterprise deployments — multiple sites, mission-critical uptime, dozens of connections across a whole organisation — the OpenMPTCProuter approach still works but you are looking at commercial SD-WAN solutions that sit on top of the same principles, adding professional management, SLAs and centralised control.

Platforms like Cisco Meraki, Fortinet SD-WAN and Cradlepoint do essentially the same thing as OpenMPTCProuter but with managed cloud orchestration — you configure all sites from a single dashboard. They add per-application routing policies (video calls down the lowest-latency link, bulk downloads down the highest-bandwidth link, VoIP on a dedicated path), guaranteed SLAs, and automatic failover with sub-second detection so traffic moves before users even notice a link has dropped.

Enterprise Multi-Site Bonded WAN

Site A — HQ: SD-WAN router (Rocket Pro + OpenWrt), FTTP 1G with 5G backup. 50 staff — VLANs configured. Failover to 5G if fibre drops.

Site B — Branch: Rocket Pro — two 5G SIMs. No fixed line — bonded 5G only. 15 staff — OpenMPTCProuter.

Site C — Temporary: Rocket Pro — 5G only. Construction site or event. Deployed in minutes, no fixed line needed.

Cloud Aggregation: VPS or managed SD-WAN PoP. MPTCP kernel — traffic merged. Central policy management. Internet: single public IP.

Fig 5. Enterprise multi-site — each location has bonded WAN connections meeting at a cloud aggregation point. Temporary sites deploy in minutes with no fixed line.

The Rocket Pro running OpenWrt with mwan3 or OpenMPTCProuter is genuinely enterprise-capable for small and medium sites — offices up to around 50 people, temporary deployments, construction sites, and anywhere fixed broadband is unavailable or unreliable. For sites needing fully managed multi-gigabit connectivity with professional SLAs, dedicated SD-WAN hardware makes sense. But for a small office wanting to combine two 5G connections without a big budget, the Rocket Pro plus OpenMPTCProuter on a five-pound-a-month VPS is the most cost-effective solution available.

| Approach | Monthly cost per site | True bonding? | Best for |
|---|---|---|---|
| mwan3 only | Free — software only | No — load balance only | Failover, multi-user load spreading |
| OpenMPTCProuter + VPS | ~£5/month VPS | Yes — full MPTCP aggregation | SMB, remote sites, rural, 5G-only locations |
| Commercial SD-WAN | £50–£300+/month | Yes — with managed SLAs | Multi-site enterprise, mission-critical uptime |
| ISP-provided bonding | Varies — ask your ISP | Yes — ISP handles it end-to-end | Where available — mainly ADSL/FTTC lines |

14. Version differences and compatibility — the honest truth

Intermediate

This is the section most OpenWrt guides skip because it's awkward. The truth is that OpenWrt version compatibility is genuinely complex and you will hit walls if you're not aware of it.

The DSA migration — the biggest breaking change

As mentioned in the VLANs section, OpenWrt 21.02 introduced DSA (Distributed Switch Architecture) which fundamentally changed how switch and VLAN configuration works. Guides written for 19.07 will not work on 21.02+ and vice versa. Always check what version a guide was written for.

Snapshot vs stable builds

WiFi driver limitations — be honest with yourself

Some WiFi chipsets have significantly better driver support than others on OpenWrt. The honest matrix:

| Chipset family | OpenWrt support quality | Notes |
|---|---|---|
| Qualcomm Atheros (ath9k, ath10k) | Excellent | Full open-source drivers. Best choice for OpenWrt. |
| MediaTek (mt76) | Very good | Open-source mt76 driver. Good WiFi 6 support improving rapidly. |
| Qualcomm (ath11k — WiFi 6) | Good | Open-source ath11k driver. Some features still maturing. |
| Broadcom (b43, brcmfmac) | Poor | Relies on proprietary blobs. Avoid for OpenWrt if you want full WiFi functionality. |
| Intel (iwlwifi) | Good on x86 | Fine for x86 OpenWrt builds, not relevant for most routers. |

When OpenWrt might not be the right choice

Worth being straight about this: OpenWrt is not always the right answer. If you need rock-solid WiFi performance above all else and aren't planning to use VLANs, VPNs or advanced routing features, the stock firmware on a high-quality router will often give better WiFi throughput than OpenWrt — because manufacturers tune their proprietary drivers for maximum speed. OpenWrt's strength is control and flexibility, not always raw performance.

The sweet spot for OpenWrt is anyone who wants full control over their network, needs VPNs or VLANs, runs a home server or NAS, or has a CGNAT connection and needs remote access solutions. For those use cases, OpenWrt is genuinely transformative.
