asus-router-opslisted

# ASUS Router Operations Authoritative guidance for configuring and hardening ASUS routers — stock **Asuswrt** and **Asuswrt-Merlin** firmware — via the web UI and SSH/nvram. Covers security hardening, encrypted DNS, VPN, network segmentation, AiMesh, AiProtection, and JFFS scripting. > **Safety first.** Changes here can lock you out or drop the network. Test during low-usage windows, document the before value, and know how to undo. Cite official docs, not folklore. --- ## Stock Asuswrt vs Asuswrt-Merlin | | Stock Asuswrt | Asuswrt-Merlin | |---|---|---| | Base | ASUS official | Community fork of ASUS source (same core, more control) | | Scripting | Limited | **JFFS custom scripts**, cron, `services-start`, `firewall-start`, nat-start | | DNS control | Basic | **DNS Director** (per-client/global DNS redirection, DoT) | | VPN | OpenVPN/WireGuard server+client | + **VPN Director** (policy/split-tunnel routing) | | Best for | Most users | Power users wanting scripts, fine-grained DNS/VPN routing | **Never mix stock and Merlin nodes in the same AiMesh network.** Keep the firmware family consistent across mesh nodes. --- ## Security hardening checklist Do these on every new router, in order: 1. **Change defaults immediately** — both the admin/login password *and* the WiFi password. 2. **Disable WPS** — it's a brute-force surface. 3. **Disable UPnP** unless an app genuinely needs it (it creates unpredictable port forwards). 4. **Use explicit port forwarding, never DMZ** —