# SecureNet Lite - AX880 Wireless Router Proof of Concept
A production proof-of-concept that turns a TekLager AX880 (Yuncore reference design, Qualcomm IPQ8074, OpenWRT 25.12) into a multi-SSID wireless router with on-device DNS and IP blocklisting, network segmentation, and an always-on WireGuard split-tunnel to an OSS SafeNet server.
Built and deployed by Open Source Security, Inc. (OSS) as a research artifact to validate that the AX880 hardware can host the full SecureNet Lite stack with adequate performance and resource headroom.
## Status
Working production deployment as of May 2026. Currently the daily-driver gateway for one paying AirBnB rental in Edmonton and one residential apartment in Airdrie. Approximately three weeks of continuous uptime without incident at the time of writing.
## What it does
- 4 isolated SSIDs (Home, Untrusted, Guest, SafeNet) on /24 subnets each, with RFC1918 lateral-movement blocked between them
- WPA3 transition-mode wireless on both 2.4 GHz and 5 GHz bands (one wireless interface per SSID per band, 8 in total)
- DNS blocklisting via dnsmasq against ~450,000 malicious domains, sourced from the OSS blocklist aggregator
- IP blocklisting via nftables ipset against ~28,000 malicious IPs, same source
- Always-on WireGuard tunnel to an OSS SafeNet server (Virginia in this PoC); SafeNet SSID clients exit the internet at the SafeNet IP, other SSIDs exit direct via WAN
- Policy-based routing handled by the `pbr` package; the SafeNet zone is the only zone that traverses the tunnel
- Daily blocklist refresh via cron, boot-time refresh via hotplug
- Process monitoring via Monit with 10 watchdogs covering RAM, CPU, storage, dnsmasq, pbr, WAN/LAN/SafeNet interfaces, WireGuard handshake freshness, and blocklist file health
- Email alerts via SMTP (Proton in this PoC, customer-configurable)
- Web UI on LAN-only at port 2812
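The repo's `blocklist-fetch` script is not reproduced here. As an added example (not the project's own code), the following shell script shows the defensive core of such a refresh: an untrusted aggregator feed is filtered to syntactically valid domains and IPv4 entries before it can reach a dnsmasq or nftables file, and the live files are replaced only when the new list passes a minimum-size health check, so a truncated download or an HTML error page cannot silently empty the blocklist. File names, the `local=/name/` dnsmasq form, the fw4 ipset loadfile layout and the count thresholds are assumptions; the feed is constructed and deliberately contains junk lines.

```shell
#!/bin/sh
# Added example, not the repo's blocklist-fetch script: turn an untrusted
# aggregator feed into a dnsmasq fragment and an fw4 ipset loadfile,
# dropping malformed entries and refusing to replace the live files when the
# new list looks truncated. File names and the minimum-count thresholds are
# assumptions; the feed below is constructed and deliberately includes junk.

SAMPLE_FEED='# aggregator feed (constructed sample)
evil.example
Malware-CDN.example.net

not a domain
evil.example/
bad.example
address=/x/0.0.0.0
203.0.113.7
198.51.100.0/24
999.1.1.1
'

# Keep only syntactically valid hostnames (lower-cased, de-duplicated).
# Anything containing '/', '=', whitespace or other characters is dropped, so
# a line from the feed can never turn into a dnsmasq directive of its own.
filter_domains() {
    grep -v '^#' | grep -v '^[[:space:]]*$' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' \
    | sort -u
}

# Keep only plausible IPv4 addresses or CIDR prefixes; awk rejects octets
# above 255 and prefix lengths above 32 that the regex alone would accept.
filter_ips() {
    grep -v '^#' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && (NF==4 || $5<=32)' \
    | sort -u
}

# Health check: a truncated download or an HTML error page must never
# silently replace a good blocklist. $1 = file, $2 = minimum line count.
healthy() {
    [ "$(wc -l < "$1")" -ge "$2" ]
}

# Build both fragments into "$2", then swap them in only if both pass the
# health check. $1 = feed file, $3 = min domains, $4 = min IPs.
# 'local=/name/' makes dnsmasq answer NXDOMAIN for the name and its subdomains;
# the ipset file is one entry per line, the layout an fw4 ipset loadfile reads.
build_blocklists() {
    feed=$1; out=$2
    filter_domains < "$feed" | sed 's|^|local=/|; s|$|/|' > "$out/dnsmasq.blocklist.new"
    filter_ips < "$feed" > "$out/ipset.blocklist.new"
    if healthy "$out/dnsmasq.blocklist.new" "$3" && healthy "$out/ipset.blocklist.new" "$4"; then
        mv "$out/dnsmasq.blocklist.new" "$out/dnsmasq.blocklist"
        mv "$out/ipset.blocklist.new" "$out/ipset.blocklist"
        return 0
    fi
    rm -f "$out/dnsmasq.blocklist.new" "$out/ipset.blocklist.new"
    return 1
}

# Stand-alone demo on the constructed feed (thresholds lowered to fit it).
WORK=$(mktemp -d)
printf '%s' "$SAMPLE_FEED" > "$WORK/feed"
if build_blocklists "$WORK/feed" "$WORK" 3 2; then
    echo "dnsmasq fragment:"; cat "$WORK/dnsmasq.blocklist"
    echo "ipset loadfile:";   cat "$WORK/ipset.blocklist"
fi
```

On a real router the thresholds would sit well below the expected counts the page reports (hundreds of thousands of domains, tens of thousands of IPs) but far above zero, and the swap would be followed by a dnsmasq reload and an ipset reload; the point of the check is that a bad fetch leaves the previous good list in place rather than opening the network up until the next cron run.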
## Performance
| Metric | Measured |
|---|---|
| WAN throughput (Telus fiber) | 580 Mbps |
| Wireless throughput at AP | 580 Mbps Wi-Fi 6 |
| Wireless through 38ft, 3 walls | 300 Mbps |
| Throughput through SafeNet tunnel to Virginia exit | 180 Mbps |
| RAM used at full load | ~290 MB / 886 MB |
| CPU idle at full load | ~99% |
| Overlay storage used | 6.2 MB / 30 MB |
## Read the whitepaper
The complete technical document, including the architecture rationale, the failure modes encountered during development, the operational lessons, and the Phase 2 roadmap, is in `docs/ax880-wr-whitepaper.md`. It's about 50 pages and is the recommended starting point if you want to understand why this is built the way it is.
## Restoring from the backup tarball
See `RESTORE.md` for the procedure to flash a fresh AX880 from the sanitized backup tarball in this repo.
## Repository layout
```
securenet_lite/
├── README.md                            Project overview (this file)
├── RESTORE.md                           Flash and restore procedure
├── LICENSE                              License terms
├── docs/
│   └── ax880-wr-whitepaper.md           Full technical whitepaper
├── scripts/
│   ├── blocklist-fetch                  Boot/cron blocklist refresh
│   ├── 99-blocklist-fetch               Hotplug trigger for blocklist refresh
│   ├── check-wg-handshake.sh            Monit watchdog for WireGuard health
│   └── sanitize.sh                      Strip secrets from a sysupgrade tarball
├── config/
│   ├── monitrc                          Monit config with placeholder SMTP creds
│   └── monit-init                       Custom init script (passes -c flag)
└── backup/
    └── ax880-wr-stage5-sanitized.tar.gz Sanitized backup tarball (no WG keys, no SMTP creds)
```
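The repo's `check-wg-handshake.sh` is not reproduced here. As an added example (not the project's script), the following shows how a handshake-freshness watchdog of the kind listed under "What it does" can be written so that Monit can act on its exit status: `wg show <if> latest-handshakes` prints one `<peer-public-key> <unix-time>` line per peer (0 meaning no handshake ever), and the check fails when the stalest peer is older than a limit or has never completed a handshake. The interface name `wg0`, the 300-second limit and the peer key are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not the repo's check-wg-handshake.sh: a Monit-style check that
# fails when any WireGuard peer's latest handshake is older than a limit or has
# never happened. Interface name, 300-second limit and peer key are assumptions.
#
# 'wg show <if> latest-handshakes' prints one "<peer-public-key> <unix-time>"
# line per peer, with 0 meaning no handshake has ever completed. The sample
# below is constructed (real output separates the fields with a tab).
SAMPLE_HANDSHAKES='CONSTRUCTED_PEER_KEY_NOT_REAL_0000000000000= 1778000000'

# Print the age in seconds of the stalest peer's handshake, or "never" when
# there are no peers at all or any peer has a zero timestamp.
# $1 = latest-handshakes text, $2 = current epoch time
wg_handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        NF >= 2 {
            peers++
            if ($2 == 0) { never = 1; next }
            age = now - $2
            if (age < 0) age = 0        # clock skew: treat as fresh
            if (age > max) max = age
        }
        END { if (peers == 0 || never) print "never"; else print max + 0 }'
}

# Exit 0 when every peer handshook within the limit, non-zero otherwise.
# $1 = latest-handshakes text, $2 = maximum age in seconds, $3 = current epoch
wg_check() {
    age=$(wg_handshake_age "$1" "$3")
    if [ "$age" = "never" ]; then
        echo "CRITICAL: no WireGuard peer has a completed handshake" >&2
        return 2
    fi
    if [ "$age" -gt "$2" ]; then
        echo "CRITICAL: stalest handshake is ${age}s old (limit ${2}s)" >&2
        return 1
    fi
    echo "OK: stalest handshake is ${age}s old (limit ${2}s)"
    return 0
}

# Stand-alone demo on the constructed sample, 120 seconds after the handshake.
wg_check "$SAMPLE_HANDSHAKES" 300 1778000120
```

On the router the same function would be fed live data, `wg_check "$(wg show wg0 latest-handshakes)" 300 "$(date +%s)"`, and Monit would invoke the script with a `check program ... if status != 0 then alert` stanza (script path and limit are assumptions here). With a persistent keepalive configured a healthy tunnel renegotiates roughly every two minutes, so a handshake several minutes old on an always-on tunnel is a reliable sign that the peer or the path to it is down, well before users notice that the SafeNet SSID has no internet.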
## What's non-obvious about this build
The most instructive design decision was rejecting the obvious approach to WireGuard policy routing. The OpenWRT documentation heavily covers building this from primitives (custom routing tables, hotplug scripts, manual MSS clamps, rp_filter sysctls, custom firewall reorderings). The first attempt went down that path, produced three production outages in seven hours of debugging, and never reached a working state for TCP traffic. The architecture was a stack of workarounds where each layer existed because the layer below didn't work cleanly.
The right answer was the `pbr` package: about twenty UCI commands, zero custom scripts, zero sysctl overrides. The whitepaper documents both implementations and the postmortem of the first attempt. The lesson generalizes beyond this project: when proposing to build something from primitives, check whether a packaged solution exists before committing engineering hours to the hand-built path.
## Hardware
- TekLager AX880 (Yuncore reference design)
- Qualcomm IPQ8074 quad-core ARMv8 @ 2.2 GHz
- 1 GB RAM, 256 MB NAND
- Wi-Fi 6 (802.11ax) dual-band, 4x4 MIMO
- 2 x 2.5 GbE ports
- Hardware crypto offload (used by WireGuard's ChaCha20-Poly1305)
## Roadmap
Documented in Section 13 of the whitepaper. Highlights:
- Custom OpenWRT image via ImageBuilder so customers don't need a post-restore `apk add`
- DNSSEC validation via `dnsmasq-full`
- DoT/DoH upstream via stubby or https-dns-proxy
- CrowdSec agent + nftables bouncer
- US assembly to satisfy FCC ruling
- Evaluation of alternative hardware (the AX880 is a research target, not the shipping product)
## License
See LICENSE.
## Acknowledgments
This project was developed with substantial AI-assisted collaboration. Architectural decisions, hardware selection, production deployment, and content review were performed by the human engineer. Configuration generation, troubleshooting collaboration, and documentation drafting were assisted by Anthropic's Claude. The whitepaper documents specific instances where AI-suggested approaches were rejected in favor of better architectures, and where AI-suggested approaches succeeded.