Guarding against DHCP option 121 threats on libreCMC routers running OpenVPN/WireGuard

You can find out more about the DHCP option 121 threat here. DHCP option 121 (classless static routes) lets a DHCP server push routes to a client, and the fix below stops the router's WAN interface from requesting that option. Applying the fix on libreCMC routers requires you to ssh into the router, as there is no option in the web user interface for it.

1. You need to ssh into the router (192.168.3.1 is the default we usually use for our VPN configured routers, but you'll need to use the IP of your router here):

ssh root@192.168.3.1

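Note: You may need to add the following lines to ~/.ssh/config on your machine before running the above command, e.g. with nano ~/.ssh/config (the file may be blank; just add these lines and save). The Host value has to match the router IP you use in the ssh command. These options re-enable the legacy ssh-rsa algorithm, so keep them under the router's Host entry rather than applying them globally:

Host 192.168.3.1
User root
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa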

2. Once connected to the router via ssh you need to edit the /etc/config/network file by running the following command:

vi /etc/config/network

Notes: For those unfamiliar with the vi text editor, you'll need to know a few things to actually edit the network file. Once you've scrolled down and found the devices section, hit the "a" key on your keyboard. This puts you into editing mode. You can then scroll down and add the line as directed below. When done, you need to save the file: hit the Escape key, then the ":" key, which lets you enter commands into vi. Type "wq!" (without the quotes) and hit Enter to save and quit. To exit the ssh session and close out of your terminal window, type exit and hit Enter, and do it twice.

3. Once vi is open you should see the network configuration for the router. Under config interface 'wan' add the below text, then save and exit per the vi instructions explained above:

option classlessroute '0'

4. Run the following commands:

uci set network.wan.classlessroute=0
uci commit
service network reload
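
One way to confirm the change from steps 3 and 4 is in place, as an added example rather than anything shipped with libreCMC: the function below parses a UCI network file and reports whether a given interface has classlessroute set to '0'. The function name check_classlessroute, the wan2 interface and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not libreCMC's own tooling): audit a UCI network config
# for the classlessroute setting applied in steps 3 and 4.
# check_classlessroute FILE [IFACE] returns:
#   0 = option classlessroute is '0' on IFACE
#   1 = option missing or not '0' (the DHCP client default applies)
#   2 = FILE has no "config interface" section named IFACE
check_classlessroute() {
    awk -v want="${2:-wan}" -v q="'" '
        # Remove single or double quotes around a UCI token.
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        $1 == "config" {
            insec = ($2 == "interface" && unq($3) == want)
            if (insec) found = 1
            next
        }
        insec && $1 == "option" && $2 == "classlessroute" { val = unq($3) }
        END {
            if (!found)     { print want ": section not found"; exit 2 }
            if (val == "0") { print want ": classlessroute=0"; exit 0 }
            print want ": classlessroute is not 0"; exit 1
        }
    ' "$1"
}

# Constructed sample config: wan has the fix applied, wan2 does not.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.3.1'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option classlessroute '0'

config interface 'wan2'
	option proto 'dhcp'
EOF

check_classlessroute "$sample" wan
check_classlessroute "$sample" wan2 || true
# On the router itself: check_classlessroute /etc/config/network wan
```

If your VPN router takes its upstream address over DHCP on an interface other than wan, pass that interface name as the second argument.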