About
The Start9 Router aims to make advanced networking and network security accessible to everyone. It is 100% open source, from hardware to operating system, and is the only router designed specifically to accommodate the complex needs of home-based self-hosting.
The router hardware and operating system are undergoing rapid development. Units are expected to ship in the first half of 2026.
Pre-orders and donations will be used to fund development and are therefore non-refundable.
Software Stack
- OpenSBI: a firmware layer in the boot process, providing runtime services from
the machine mode (M-mode) to the supervisor mode (S-mode) kernel,
abstracting platform-specific hardware details and making operating
systems more portable across different RISC-V systems. Learn more.
- OpenWrt: a highly extensible GNU/Linux distribution for embedded
devices (typically wireless routers). Unlike many other distributions
for these routers, OpenWrt is built from the ground up to be a
full-featured, easily modifiable operating system. Learn more.
- StartWrt:
Start9's extensions to OpenWrt, including a modern GUI, that reimagine the router product experience from first principles. All extensions will be
distributed under the MIT license.
Special Features
Security Profiles
Configuration sets that determine a device's behavior and permissions on the network, such as:
- DNS servers. Optionally override the router defaults.
- Outbound VPN. Force all outbound Internet traffic through a specified VPN.
- Network (LAN) access. Determine access to other devices on the LAN. e.g. "all", "none", "other devices with the same Security Profile", "devices with specific Security Profiles".
- Internet (WAN) access. Determine what access rights these devices have to the Internet. e.g. "all", "none", "everything except a blacklist", or "nothing except a whitelist".
Points of entry
Every device on the network receives a Security Profile, which is initially determined by how the device gained access
to the network. (see the Ethernet, WiFi, and Inbound VPN Servers below for examples)
Ethernet port mapping
Each Ethernet port maps to a different Security Profile. The Ethernet port a device uses determines the Security Profile it receives.
Example. A device plugs into Ethernet port 1 and receives the "Admin" Security Profile. Another devices plugs into Ethernet port 2 and receives the "Guest" Security Profile.
WiFi Passwords
Instead of creating different WiFi networks, there is one WiFi network with different passwords. Each password maps to a different Security Profile. The password a device uses determines the Security Profile it receives.
Example. Paul connect to WiFi using the "Admin" password, which leads to the "Admin" Security Profile, granting him full access to the LAN and Internet (through Mullvad VPN). Paul has a four children who all use the "child" password, which leads to the "Child" Security Profile, granting them Internet access during the day (through a custom Wireguard VPN) using custom DNS server that filters porn and no Internet access at night. Paul has friends over for dinner and gives him the "Guest" password, which leads in the "Guest" Security Profile, granting them full access to the Internet (through a Proton VPN) and only certain devices on the LAN. Paul connects his Roku and Nest thermostat using the "Smart Device" password, which leads to the "No LAN" Security Profile, granting these devices limited access to the Internet but no access to the LAN.
WiFi Schedules
Optionally disable WiFi entirely on a schedule. e.g. disable WiFi from 10pm-7am in order to prevent WiFi usage or to limit
radiofrequency EMF exposure.Inbound VPN servers
Create unlimited VPN servers for remote access to the LAN. Each VPN server maps to a different Security Profile. The VPN server a device uses determines the Security Profile it receives.
Example. Julie uses the "Primary" VPN server, which leads to the "Admin" Security Profile, granting her full access to the Internet and LAN. Julie gives her friends the "Friends" VPN server, which leads to the "Shared Services" Security Profile, granting them access to a family server, such that they can upload photos, save password, or use her Bitcoin node to send/receive/verify transactions but not see antyhing else on her netowrk or use her network to access the Internet.
Outbound VPN clients and VPN chaining
Connect unlimited, network-wide outbound VPN clients for Internet privacy. Optionally chain VPN clients together to avoid consolidating activity with a single provider and achieving multi-jurisdictional resilience.
Example. Mark has accounts with Mullvad VPN and Proton VPN. Whenever he makes a request to the Internet, it goes through Mullvad VPN, then through Proton VPN, then to the final destination. This ensures neither Mullvad nor Proton knows his Internet activity unless they collaborate with each other.
One-click dynamic DNS
Use Start9 Dynamic DNS for free with a single click. No account necessary.
Optionally use another dynamic DNS provider.
"Help Mode"
Toggle "Help Mode" to get a detailed explanation of everthing in the current view, including links to external resources. Toggle again to make it disappear.
Key Points
- Open Source: The Start9 router is 100% open source, all the way down through firmware and hardware.
- User-friendly:
Unlike other routers, especially routers with advanced functionality, the Start9 router is accessible to non-technical
users. Our modern GUI is easy to use and provides sane defaults
for users who just want a plug-and-play experience.
- StartOS-friendly: Start9 server owners will
be able to link their server with their router for a streamlined
clearnet experience. Meaning, if a user wants to host one of their
services on a domain they control, the server can remotely and
automatically configure the router to forward the appropriate ports and
create the appropriate firewall rules, etc.
Hardware
The Start9 Router is the world's first RISC-V router.
Specs
- Processor: SpacemiT K1 8 Core RISC-V chip
- BIOS: OpenSBI
- Memory: 4G LPDDR4
- Storage: 16GB eMMC
- Ethernet: 1 WAN Gb, 1 LAN Gb
WiFi Options
- Option 1 - AsiaRF AW7915-NP1 Wi-Fi 6 11ax 4T4R Mini PCIe Module, 2401Mbps
- Option 2 - No WiFi. If you intend to use your own wireless access point or mesh network downstream of their Start9 router.
