About
The Start9 Router aims to make advanced network configurations and security measures accessible to everyone. It is the only router designed specifically to accommodate the complex needs of home-based self-hosting.
The router is design-complete, and coding will now begin. Devices are expected to ship no later than October 2026 but possibly sooner.
Contributions/Donations will be used to fund development and are therefore non-refundable.
Software Stack
- Coreboot: an extended firmware platform that delivers a lightning fast and
secure boot experience on modern computers and embedded systems. As an Open
Source project it provides auditability and maximum control over technology. Learn more.
- OpenWrt: a highly extensible GNU/Linux distribution for embedded
devices (typically wireless routers). Unlike many other distributions
for these routers, OpenWrt is built from the ground up to be a
full-featured, easily modifiable operating system. Learn more.
- StartWrt:
Start9's extensions to OpenWrt, including custom plugins and a beautiful GUI that makes OpenWrt
accessible to anyone and a pleasure to use. All extensions will be
distributed under the MIT license.
Special Features
Security Profiles
Configuration sets that determine a device's behavior and permissions on the network, such as:
- Priority. e.g. in low bandwidth situations.
- DNS servers. Optionally override the router defaults.
- Outbound VPN. Force all outbound Internet traffic through a specified VPN.
- Network (LAN) access. Determine what access rights these devices have on the LAN. e.g. "all", "none", "other devices with the same profile", "custom devices/ports".
- Internet (WAN) access. Determine what access rights these devices have to the Internet. e.g. "all", "none", "everything except a blacklist", or "nothing except a whitelist".
Security Schedules
Schedules of Security Profiles. e.g. Devices with a hypothetical "Strict Nighttime" Security Schedule might recieve the "Child" Security Profile from 7am-8pm but the "No Internet" Security Profile from 8pm-7am.
Points of entry
Every device on the network receives a Security Profile/Schedule, which is initially determined by how the device gained access
to the network. (see the Ethernet, WiFi, and Inbound VPN Servers below for examples)
Ethernet port mapping
Each Ethernet port maps to a different Security Profile/Schedule. The Ethernet port a device uses determines the Security Profile/Schedule it receives.
Example. A device plugs into Ethernet port 1 and receives the "Admin" Security Profile. Another devices plugs into Ethernet port 2 and receives the "Child" Security Profile.
WiFi Passwords
Instead of creating different WiFi networks, there is one WiFi network with different passwords. Each password maps to a different Security Profile/Schedule. The password a device uses determines the Security Profile/Schedule it receives.
Example. Paul connect to WiFi using the "Admin" password, which leads to the "Admin" Security Profile, granting him full access to the LAN and Internet (through Mullvad VPN). Paul has a four children who all use the "child" password, which leads to the "Strict Nighttime" Security Schedule, granting them Internet access during the day (through a custom Wireguard VPN) using custom DNS server that filters porn and no Internet access at night. Paul has friends over for dinner and gives him the "Guest" password, which leads in the "Guest" Security Profile, granting them full access to the Internet (through a Proton VPN) and only certain devices on the LAN. Paul connects his Roku and Nest thermostat using the "Smart Device" password, which leads to the "No LAN" Security Profile, granting these devices extremely limited Internet access but no access to the LAN.
WiFi Schedules
Optionally disable WiFi entirely on a schedule. e.g. disable WiFi from 10pm-7am in order to prevent WiFi usage or to limit
radiofrequency EMF exposure.Inbound VPN servers
Create unlimited VPN servers for remote access to the LAN. Each VPN server maps to a different Security Profile/Schedule. The VPN server a device uses determines the Security Profile/Schedule it receives.
Example. Julie uses the "Primary" VPN server, which leads to the "Admin" Secuirty Profile, granting her full access to the Internet and LAN. Julie gives her friends the "Friends" VPN server, which leads to the "Bitcoin" Security Profile, granting them access to a single port on a single device, such that they can remotely connect to her Bitcoin node to send/receive/verify transactions but not see antyhing else on her netowrk or use her network to access the Internet.
Outbound VPN clients and VPN chaining
Connect unlimited, network-wide outbound VPN clients for Internet privacy. Optionally chain VPN clients together to avoid consolidating activity with a single provider and achieving multi-jurisdictional resilience.
Example. Mark has accounts with Mullvad VPN and Proton VPN. Whenever he makes a request to the Internet, it goes through Mullvad VPN, then through Proton VPN, then to the final destination. This ensures neither Mullvad nor Proton knows his Internet activity unless they collaborate with each other.
One-click dynamic DNS
Use Start9 Dynamic DNS for free with a single click. No account necessary.
Optionally use another dynamic DNS provider.
"Help Mode"
Toggle "Help Mode" to get a detailed explanation of everthing in the current view, including links to external resources. Toggle again to make it disappear.
Key Points
- Open Source: The Start9 router is 100% open source, all the way down
through firmware.
- User-friendly:
Unlike other routers, especially routers with advanced functionality, the Start9 router is accessible to non-technical
users. Our modern GUI is easy to use and provides sane defaults
for users who just want a plug-and-play experience.
- StartOS-friendly: Start9 server owners will
be able to link their server with their router for a streamlined
clearnet experience. Meaning, if a user wants to host one of their
services on a domain they control, the server can remotely and
automatically configure the router to forward the appropriate ports and
create the appropriate firewall rules, etc.
Hardware
The Start9 router strikes the perfect balance between power and affordability. It will run without a hiccup for years to come.
Specs
- Processor: Intel Celeron N5105, 4 core 4 thread, 2.0GHz
- BIOS: Coreboot (with Intel Management Engine DISABLED)
- Memory: 4GB DDR4
- Storage: 256GB NVMe
- Ethernet (WAN): 1 x RJ45 COM port (WAN)
- Ethernet (LAN): 4 x Intel i225/i226, 2.5 Gigabit
- Size: 136 x 126 x 40 mm
- Weight: 1KG
WiFi Options
- Option 1 - Open: WiFI 4 Qualcomm Atheros AR9380, up to 450Mbps. Uses open source drivers. This is the best wireless card on the market that does not require closed source drivers.
- Option 2 - Powerful: WiFi 6 Intel AX210, up to 5400Mbps. Uses closed source drivers.
- Option 3 - None: This option is for anyone who intends to use their own wireless access point or mesh network downstream of their Start9 router.
