Parental control with OpenWRT and OpenDNS

The following recipe took me a whole evening to find, so I am documenting it here in hope it could be useful to somebody else.

I recently upgraded my home network to a beefier TP-Link C5 Archer. This little box packs two Wi-Fi access points in 2.4 and 5GHz (Wi-Fi ac), which pushes wireless speeds up to 500Mbit/s within a few meters range. The main selling point for me was that it runs the latest OpenWRT firmware with absolutely no issue whatsoever. Flash firmware, done.

OpenWRT has become a real Linux distribution today, packing more power than you could ever imagine achieving with such hardware. I certainly miss the Tomato user-friendly GUI, but I do enjoy the power at my fingertips when it comes to network configuration. Kudos to the OpenWRT team for such a technical achievement!

Back to the point: parental control. I have kids at home and all sorts of networked devices: smartphones, tablets, computers, servers, printers, you name it. I want to be able to disable adult site browsing and the like from kids hardware. The easiest solution I found so far is OpenDNS, which offers you free DNS filtering for one IP address. Create an account, configure your home IP address, set the categories you want to ban, and done. Any machine on my internal network using OpenDNS will receive re-directs for unwanted sites. In the past I used to manually modify the DNS settings on all kids hardware to switch to OpenDNS servers, but that quickly becomes old, and sometimes requires some sleight-of-hand to configure. Forget it.

Enter OpenWRT: you can actually assign different DHCP settings to hosts on your network, e.g. different DNS servers. Even if the documentation is respectfully thick on that topic, it took me a while to understand it.

In its latest incarnation Barrier Breaker (Dec 2014), OpenWRT packs all DHCP information into /etc/config/dhcp. Make your modifications there and restart the dnsmasq daemon to activate them.

Procedure:

1. edit /etc/config/dhcp to add a new section

config tag 'kids'
    list dhcp_option '6,208.67.222.222,208.67.220.220'

2. Now add individual sections for all devices you want to include in the 'kids' section:

config host
    option name 'pluto'
    option mac 'YOUR DEVICE MAC ADDRESS'
    option ip 'YOUR DEVICE ADDRESS ON THE INTERNAL NETWORK'
    option tag 'kids'

3. Restart dnsmasq with:

/etc/init.d/dnsmasq restart

And you are done. Just tag the hosts you want to be part of the kids zone to distribute the OpenDNS servers instead of the default one.

Same procedure if you want to achieve the reverse effect: set the default DNS to be kid-friendly, tag machines that don't need to be, and assign them another regular DNS.

References:

• OpenWRT: Classifying Clients And Assigning Individual Options
• Send different DNS servers to different hosts