About
The RISC-V Router by Start9 makes advanced networking and network security accessible to everyone. Built on a RISC-V processor with an open-source boot stack and operating system, it is the most open router on the market — and the only one designed specifically for the complex needs of home-based self-hosting.
Units are expected to ship no later than September 2026.
Pre-orders and donations will be used to fund development and are therefore non-refundable.
Key Points
- Maximally Open Source: The Start9 router is built on RISC-V — an open instruction set architecture — with a fully open-source boot stack (OpenSBI, U-Boot), open-source Linux kernel, and published board schematics. Like every modern router on the market, the WiFi radio requires a proprietary firmware blob from the chipset vendor (MediaTek); there is no open-firmware option for WiFi 5 or WiFi 6 from any manufacturer. For everything that matters to sovereignty — the OS, the network stack, the software you run — this router is open source.
- User-friendly:
Unlike other routers, especially routers with advanced functionality, the Start9 router is accessible to non-technical
users. Our modern GUI is easy to use and provides sane defaults
for users who just want a plug-and-play experience.
- StartOS-friendly: Start9 server owners will
be able to link their server with their router for a streamlined
clearnet experience. Meaning, if a user wants to host one of their
services on a domain they control, the server can remotely and
automatically configure the router to forward the appropriate ports and
create the appropriate firewall rules, etc.
Hardware Specs
Software Stack
- OpenSBI: a firmware layer in the boot process, providing runtime services from
the machine mode (M-mode) to the supervisor mode (S-mode) kernel,
abstracting platform-specific hardware details and making operating
systems more portable across different RISC-V systems. Learn more.
- StartWrt:
Start9's fork of OpenWrt, including a modern GUI, that reimagines the router experience from first principles.
- Note on firmware: The WiFi card (MediaTek MT7915) requires a closed-source firmware blob loaded at runtime — the same situation as every other WiFi 6 card from any vendor. The kernel driver that interfaces with it (mt76/mt7915) is fully open source and upstream in mainline Linux. Early boot components (FSBL, DRAM init) also involve vendor-provided binaries that execute once at startup; we are actively working to replace these with open-source equivalents.
Open Source: What Is and Isn't
- What is open: The RISC-V instruction set, board schematics, boot stack (OpenSBI + U-Boot), Linux kernel, and the OS. The WiFi kernel driver (mt76) is fully open source and upstream in mainline Linux.
- What is closed: The WiFi radio firmware — true of every WiFi 5/6 card; there is no open-firmware option for modern WiFi from any
manufacturer. Additionally, two early boot binaries (DRAM
initialization and the first-stage bootloader) execute once at startup
and are closed; open-source replacements are in progress.
Features
Security Profiles
Every device on the network receives a Security Profile, which is determined by how the device gained access
to the network.
Ethernet
Each Ethernet port maps to a different Security Profile. The Ethernet port a device uses determines the Security Profile it receives.
Example. A device plugs into Ethernet port 1 and receives the "Admin" Security Profile. Another devices plugs into Ethernet port 2 and receives the "Guest" Security Profile.
WiFi
Instead of creating different WiFi networks, there is one WiFi network with different passwords. Each password maps to a different Security Profile. The password a device uses determines the Security Profile it receives.
Example. Paul connect to WiFi using the "Admin" password, which leads to the "Admin" Security Profile, granting him full access to the LAN and Internet (through Mullvad VPN). Paul has a four children who all use the "child" password, which leads to the "Child" Security Profile, granting them Internet access during the day (through a custom Wireguard VPN) using custom DNS server that filters porn and no Internet access at night. Paul has friends over for dinner and gives him the "Guest" password, which leads in the "Guest" Security Profile, granting them full access to the Internet (through a Proton VPN) and only certain devices on the LAN. Paul connects his Roku and Nest thermostat using the "Smart Device" password, which leads to the "No LAN" Security Profile, granting these devices limited access to the Internet but no access to the LAN.
Inbound VPNs
Create unlimited inbound VPN servers for remote access to the LAN. Each VPN server maps to a different Security Profile. The VPN server a device uses determines the Security Profile it receives.
Example. Julie uses the "Primary" VPN server, which leads to the "Admin" Security Profile, granting her full access to the Internet and LAN. Julie gives her friends the "Friends" VPN server, which leads to the "Shared Services" Security Profile, granting them access to a family server, such that they can upload photos, save password, or use her Bitcoin node to send/receive/verify transactions but not see antyhing else on her netowrk or use her network to access the Internet.
WiFi Schedules
Optionally disable WiFi entirely on a schedule. e.g. disable WiFi from 10pm-7am in order to prevent WiFi usage or to limit
radiofrequency EMF exposure.Outbound VPNs and VPN chaining
Connect unlimited, network-wide outbound VPN clients for Internet privacy. Optionally chain VPN clients together to avoid consolidating activity with a single provider and achieving multi-jurisdictional resilience.
Example. Mark has accounts with Mullvad VPN and Proton VPN. Whenever he makes a request to the Internet, it goes through Mullvad VPN, then through Proton VPN, then to the final destination. This ensures neither Mullvad nor Proton knows his Internet activity unless they collaborate with each other.
One-click dynamic DNS
Use Start9 Dynamic DNS for free with a single click. No account necessary.
Optionally use another dynamic DNS provider.
Help Mode
Toggle "Help Mode" to get a detailed explanation of everthing in the current view, including links to external resources. Toggle again to make it disappear.
