Effective Parental Controls Using OpenWrt: A Complete Guide

15 min read
openwrt networking parental-controls security intermediate 2024
Effective Parental Controls Using OpenWrt: A Complete Guide

Introduction

Managing children’s internet access has become increasingly challenging in our hyper-connected world. While device-level controls exist, they’re often easy to circumvent and don’t protect all devices uniformly. OpenWrt, a Linux-based open-source router firmware, offers a powerful solution by implementing controls at the network level—where they’re harder to bypass and work across all connected devices.

In this comprehensive guide, you’ll learn how to build a multi-layered parental control system using OpenWrt that includes time-based access restrictions, DNS content filtering, and bypass prevention techniques. We’ll cover practical implementations that balance protection with usability, addressing the real-world challenges parents face.

This guide assumes you have basic networking knowledge and an OpenWrt-compatible router already flashed with a recent version (22.03 or later recommended).

Prerequisites

Before starting, ensure you have:

  • A router running OpenWrt 22.03 or later
  • SSH access to your router
  • Basic familiarity with the LuCI web interface
  • Understanding of MAC addresses and how to find them on devices
  • Ability to access your router’s command line interface
  • At least 128MB of RAM (256MB+ recommended for advanced features)

Understanding OpenWrt’s Parental Control Approach

OpenWrt doesn’t have a single “parental control” package. Instead, it provides building blocks that you combine to create a customized solution. This approach offers flexibility but requires understanding several components:

The Three Pillars of OpenWrt Parental Controls

1. Time-Based Access Control Using firewall rules to restrict internet access during specific hours (e.g., bedtime, school hours).

2. Content Filtering DNS-based filtering to block inappropriate content categories using services like OpenDNS, AdGuard DNS, or local solutions.

3. Bypass Prevention Techniques to prevent circumvention through DNS hijacking, blocking encrypted DNS protocols, and MAC address monitoring.

The most effective implementations combine all three pillars in a layered approach.

Outside Allowed

Within Allowed

Blocked Domain

Allowed Domain

Custom DNS Detected

Normal

Device Request

Time Check

Block via Firewall

DNS Check

Block via DNS Filter

Bypass Check

Force Router DNS

Allow Connection

Method 1: Time-Based Access Control with Firewall Rules

Time-based restrictions are the foundation of most parental control setups. They enforce bedtime rules and ensure devices can’t access the internet during inappropriate hours.

Step 1: Identify Devices by MAC Address

First, gather the MAC addresses of devices you want to control. You can find these in LuCI under Status → DHCP Leases or via SSH:

cat /tmp/dhcp.leases

Note the MAC addresses (format: aa:bb:cc:dd:ee:ff) for each device.

Step 2: Create Static DHCP Leases

Assign static IP addresses to make device management easier:

  1. Navigate to Network → DHCP and DNS
  2. Under Static Leases, click Add
  3. Enter the hostname, MAC address, and desired IP
  4. Click Save & Apply

Step 3: Configure Time-Based Firewall Rules

Navigate to Network → Firewall → Traffic Rules and create a new rule:

Via LuCI:

  1. Click Add to create a new traffic rule

  2. Configure the rule:

    • Name: Block_Kids_Bedtime
    • Protocol: Any
    • Source zone: lan
    • Destination zone: wan
    • Action: reject

  3. Under Advanced Settings, add source MAC addresses

  4. Under Time Restrictions, set start and stop times

    • Example: Start time 22:00:00, Stop time 07:00:00
    • Select weekdays (Mon-Sun)

Via SSH (more control):

Edit /etc/config/firewall:

config rule
	option name 'Block_Kids_Evening'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option src_mac 'aa:bb:cc:dd:ee:ff'
	option start_time '22:00:00'
	option stop_time '07:00:00'
	option weekdays 'Mon Tue Wed Thu Fri Sat Sun'

Apply changes:

/etc/init.d/firewall reload

Important Considerations for Time-Based Rules

Timezone Settings: Ensure your router’s timezone is correctly set under System → System → Timezone.

The Established Connection Problem: Time-based iptables rules only block new connections. Existing connections may persist after the cutoff time. To address this, you have two options:

  1. Restart firewall at cutoff time (recommended):
# Add to System → Scheduled Tasks
0 22 * * * /etc/init.d/firewall restart
  1. Use connection tracking flush:
# More aggressive, affects all connections
0 22 * * * echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

MAC Address Randomization: Modern iOS and Android devices use random MAC addresses for privacy. You must disable this feature on controlled devices:

  • iOS: Settings → Wi-Fi → [Network] → Private Wi-Fi Address → OFF
  • Android: Settings → Network & Internet → Wi-Fi → [Network] → Advanced → Privacy → Use device MAC

Method 2: DNS-Based Content Filtering

DNS filtering blocks inappropriate content by preventing domain name resolution for unwanted sites. This method is effective but has limitations we’ll address in the bypass prevention section.

Option A: Using OpenDNS Family Shield

OpenDNS provides free DNS servers with built-in content filtering.

Basic Setup (All Devices):

  1. Navigate to Network → Interfaces
  2. Edit your LAN interface
  3. Under Advanced Settings, set custom DNS servers:
    • 208.67.222.123
    • 208.67.220.123
  4. Click Save & Apply

Selective Setup (Specific Devices Only):

To apply OpenDNS only to children’s devices while giving adults unrestricted access, use DHCP tags:

Edit /etc/config/dhcp:

# Create a tag for kids' devices
config tag 'kids'
	list dhcp_option '6,208.67.222.123,208.67.220.123'

# Assign tag to specific devices
config host
	option name 'kids_tablet'
	option mac 'aa:bb:cc:dd:ee:ff'
	option ip '192.168.1.100'
	option tag 'kids'
	
config host
	option name 'kids_laptop'
	option mac 'bb:cc:dd:ee:ff:aa'
	option ip '192.168.1.101'
	option tag 'kids'

Restart dnsmasq:

/etc/init.d/dnsmasq restart

Option B: Using AdGuard Home

AdGuard Home provides more granular control with a user-friendly interface and better blocking lists.

Installation:

# Install AdGuard Home
opkg update
opkg install adguardhome

# Start and enable at boot
/etc/init.d/adguardhome start
/etc/init.d/adguardhome enable

Configuration:

  1. Access AdGuard Home at http://[router-ip]:3000
  2. Complete initial setup wizard
  3. Navigate to Settings → DNS Settings
  4. Enable Parental Control filtering
  5. Under Filters, enable:
    • AdGuard DNS filter
    • AdGuard DNS family protection filter
  6. Add custom blocklists as needed

Performance Note: AdGuard Home requires 128MB+ RAM. For routers with limited memory, stick with OpenDNS or simple dnsmasq-based blocking.

Option C: Local Blocklist with Adblock Package

For a lightweight solution, use the adblock package:

opkg update
opkg install adblock luci-app-adblock

Configuration:

  1. Navigate to Services → Adblock
  2. Enable the service
  3. Select blocklist sources (include family-friendly lists)
  4. Enable DNS hijacking to prevent bypass
  5. Click Save & Apply

Method 3: Advanced - OpenAppFilter with DPI

For the most sophisticated control, OpenAppFilter uses Deep Packet Inspection (DPI) to identify and block specific applications regardless of port or protocol.

What Makes OpenAppFilter Different

Traditional methods block based on:

  • DNS queries (easily bypassed)
  • IP addresses (change frequently)
  • Ports (many apps use port 443)

OpenAppFilter inspects actual packet content to identify apps like TikTok, YouTube, or Fortnite, even when they use encrypted connections.

Installation

# Add OpenAppFilter feed
echo "src/gz oaf http://downloads.sourceforge.net/project/openwrt-dist/packages/base" >> /etc/opkg/customfeeds.conf

# Update and install
opkg update
opkg install luci-app-oaf
opkg install appfilter

# Start service
/etc/init.d/appfilter start
/etc/init.d/appfilter enable

Configuration

  1. Navigate to Services → OpenAppFilter
  2. Enable application filtering
  3. Select categories to block:
    • Games
    • Video streaming
    • Social media
    • Downloads
  4. Configure time schedules
  5. Apply rules to specific MAC addresses

Example Configuration:

Block gaming apps on weekdays during school hours (8 AM - 3 PM):

  1. Add device MAC address
  2. Select “Games” category
  3. Set schedule: Mon-Fri, 08:00-15:00
  4. Save and apply

Preventing Bypass Attempts

DNS-based filtering is effective but can be circumvented by tech-savvy users. Implement these measures to close common loopholes.

Block Alternative DNS Servers

Prevent devices from using custom DNS servers (like Google’s 8.8.8.8):

Install required package:

opkg install iptables-mod-ipopt

Add firewall rules to /etc/config/firewall:

# Block outbound DNS to non-router destinations (IPv4)
config rule
	option name 'Block_External_DNS'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'REJECT'
	option family 'ipv4'

# Block external DNS over IPv6
config rule
	option name 'Block_External_DNS_IPv6'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'REJECT'
	option family 'ipv6'

DNS Hijacking (Force Router DNS)

Redirect all DNS queries to your router, even when devices try to use custom DNS:

# IPv4 DNS hijacking
config redirect
	option name 'DNS_Hijack'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.1'  # Your router IP
	option dest_port '53'

# IPv6 DNS hijacking
config redirect
	option name 'DNS_Hijack_IPv6'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip 'fd00::1'  # Your router IPv6
	option dest_port '53'
	option family 'ipv6'

Reload firewall:

/etc/init.d/firewall reload

Block DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

Modern browsers often use encrypted DNS, bypassing your router’s DNS filtering:

Install BanIP package:

opkg install banip luci-app-banip

Add DoH/DoT server IPs to blocklist. Create /etc/banip/banip.custom.list:

# Google DoH/DoT
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

# Cloudflare DoH/DoT
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

# Quad9
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9

Configure BanIP:

  1. Navigate to Services → BanIP
  2. Enable custom list
  3. Select path to your custom list
  4. Enable service and reload

Alternatively, block DoH/DoT ports directly:

# Block DoT (port 853)
config rule
	option name 'Block_DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp'
	option target 'REJECT'

# Block common DoH patterns (port 443)
# Note: This is aggressive and may break some services
config rule
	option name 'Block_DoH_Cloudflare'
	option src 'lan'
	option dest 'wan'
	option dest_ip '1.1.1.1'
	option dest_port '443'
	option proto 'tcp'
	option target 'REJECT'

Monitor and Alert on Bypass Attempts

Create a simple logging system to track when devices attempt DNS queries to external servers:

# Add to /etc/config/firewall
config rule
	option name 'Log_External_DNS'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'LOG'
	option log_prefix 'DNS_BYPASS:'

View logs:

logread | grep DNS_BYPASS

Automation and Scheduling

Use OpenWrt’s cron system to automate control changes based on schedules.

Access LuCI Scheduled Tasks

Navigate to System → Scheduled Tasks and add entries using cron syntax.

Common Automation Examples

Block internet during school hours (weekdays 8 AM - 3 PM):

# Enable restriction at 8 AM weekdays
0 8 * * 1-5 /usr/sbin/iptables -I FORWARD -s 192.168.1.100 -j REJECT
0 8 * * 1-5 /usr/sbin/iptables -I FORWARD -s 192.168.1.101 -j REJECT

# Remove restriction at 3 PM weekdays  
0 15 * * 1-5 /usr/sbin/iptables -D FORWARD -s 192.168.1.100 -j REJECT
0 15 * * 1-5 /usr/sbin/iptables -D FORWARD -s 192.168.1.101 -j REJECT

Automatic weekend extensions (allow 2 extra hours on Fri/Sat nights):

# Normal bedtime: 10 PM
0 22 * * 0-4 /etc/init.d/firewall restart

# Weekend bedtime: Midnight
0 0 * * 5-6 /etc/init.d/firewall restart

Daily internet access time budget using scripts:

Create /root/time_budget.sh:

#!/bin/sh
# Simple 2-hour daily budget implementation

DEVICE_MAC="aa:bb:cc:dd:ee:ff"
BUDGET_FILE="/tmp/budget_${DEVICE_MAC}.txt"
MAX_MINUTES=120

# Check current usage
if [ -f "$BUDGET_FILE" ]; then
    USED=$(cat "$BUDGET_FILE")
else
    USED=0
fi

if [ "$USED" -ge "$MAX_MINUTES" ]; then
    # Budget exhausted - block device
    iptables -I FORWARD -m mac --mac-source "$DEVICE_MAC" -j REJECT
    logger "Time budget exhausted for $DEVICE_MAC"
else
    # Increment counter every minute
    echo $((USED + 1)) > "$BUDGET_FILE"
fi

Add to cron (runs every minute):

* * * * * /root/time_budget.sh

Reset daily at midnight:

0 0 * * * rm /tmp/budget_*.txt

Testing and Verification

Always verify your controls are working as expected:

Test Time-Based Rules

  1. Set a rule for immediate effect (e.g., current time + 2 minutes)
  2. Wait for the time to pass
  3. Attempt to browse from controlled device
  4. Verify blocking occurs

Check firewall rules are active:

iptables -L -n -v | grep REJECT

Test DNS Filtering

From a controlled device, try accessing a test domain:

# Should be blocked
nslookup adult-content-test.com
nslookup playboy.com

# Should work
nslookup google.com

Test Bypass Prevention

Try to circumvent controls:

  1. Manually set device DNS to 8.8.8.8
  2. Attempt to browse - should still be filtered
  3. Check router logs for bypass attempts

Common Pitfalls and Troubleshooting

Issue: Time Rules Not Working

Symptoms: Devices can still access internet outside allowed hours.

Solutions:

  • Verify router timezone is correct: date
  • Check if rule is using UTC vs local time
  • Install iptables-mod-ipopt package
  • Use kerneltz or utc flag consistently
  • Restart firewall after rule changes

Issue: Established Connections Persist

Symptoms: YouTube video continues playing after bedtime.

Solutions:

  • Schedule firewall restart at cutoff time
  • Use connection tracking flush
  • Consider using application-level blocking (OpenAppFilter)

Issue: MAC Address Changes

Symptoms: Device suddenly has internet access despite restrictions.

Solutions:

  • Check if device has MAC randomization enabled
  • Disable “Private Wi-Fi Address” (iOS) or “Randomized MAC” (Android)
  • Use IP-based rules as backup (less reliable)
  • Monitor DHCP leases for new MACs

Issue: DNS Filtering Not Working

Symptoms: Inappropriate content still accessible.

Solutions:

  • Verify DNS servers are correctly configured
  • Check device isn’t using custom DNS
  • Implement DNS hijacking rules
  • Block DoH/DoT servers
  • Use AdGuard Home for better visibility

Issue: VPN Bypass

Symptoms: Child uses VPN app to circumvent controls.

Solutions:

  • Block common VPN ports (1194, 443 to known VPN IPs)
  • Use OpenAppFilter to detect and block VPN apps
  • Implement device-level controls (app restrictions)
  • Monitor for unusual port 443 traffic

Issue: Mobile Hotspot Bypass

Symptoms: Child shares phone’s cellular data with other devices.

Solutions:

  • This is difficult to prevent at router level
  • Requires device-level controls (screen time restrictions)
  • Monitor for new MAC addresses on network
  • Use carrier parental controls to restrict hotspot

Best Practices and Recommendations

Layered Approach

Don’t rely on a single method. Combine multiple techniques:

  1. Time-based restrictions (foundation)
  2. DNS filtering (content control)
  3. Bypass prevention (enforcement)
  4. Monitoring and alerts (awareness)

Communication is Key

Technical controls are supplements, not replacements for parenting:

  • Explain why controls exist
  • Set clear expectations
  • Review internet activity together
  • Adjust controls as children mature
  • Foster trust alongside accountability

Regular Maintenance

  • Weekly: Review logs for bypass attempts
  • Monthly: Update blocklists and firmware
  • Quarterly: Reassess rules and age-appropriateness
  • Annually: Evaluate if controls still match family needs

Performance Considerations

Router resources matter:

  • 64MB RAM: Basic time rules + OpenDNS
  • 128MB RAM: Time rules + Adblock + DNS hijacking
  • 256MB+ RAM: Full suite including AdGuard Home or OpenAppFilter

Documentation

Keep records of:

  • Device MAC addresses and owners
  • Current rules and schedules
  • Bypass attempts and how you addressed them
  • Configuration changes and reasons

Gradual Implementation

Don’t deploy everything at once:

  1. Week 1: Time restrictions only
  2. Week 2: Add basic DNS filtering
  3. Week 3: Implement bypass prevention
  4. Week 4: Fine-tune and monitor

This allows you to troubleshoot issues without overwhelming complexity.

Advanced: Multi-User Profiles

For families with children of different ages, create distinct profiles:

Using Multiple SSIDs

Create separate Wi-Fi networks for different age groups:

# /etc/config/wireless
config wifi-iface 'teen_wifi'
	option device 'radio0'
	option network 'teen'
	option mode 'ap'
	option ssid 'HomeNet-Teen'
	option encryption 'psk2'
	option key 'your_password'

config wifi-iface 'kids_wifi'
	option device 'radio0'
	option network 'kids'
	option mode 'ap'
	option ssid 'HomeNet-Kids'
	option encryption 'psk2'
	option key 'your_password'

Create corresponding interfaces and firewall zones with different filtering rules for each.

Using DHCP Tags

Alternative approach using DHCP tags (covered earlier) allows same SSID but different DNS servers per device.

Conclusion

Implementing effective parental controls on OpenWrt requires combining multiple layers of protection: time-based access restrictions, DNS content filtering, and bypass prevention measures. While the initial setup demands technical knowledge, the result is a robust, network-wide solution that works across all devices and is harder to circumvent than device-level controls.

Remember that no technical solution is perfect or foolproof. The most effective approach combines router-level controls with device-level restrictions, active parental involvement, and open communication about online safety. OpenWrt provides powerful tools, but they work best as part of a comprehensive family internet safety strategy.

Start with basic time restrictions, add DNS filtering, then implement bypass prevention as you become comfortable with each layer. Regular monitoring and adjustment will ensure your controls remain effective as both technology and your children evolve.

References:

  1. OpenWrt Official Documentation - Parental Controls - Official guide covering time-based rules and firewall configuration
  2. OpenAppFilter Project - Deep packet inspection solution for application-level filtering
  3. AdGuard Home on OpenWrt - Network-wide ad and content blocking with detailed filtering options
  4. Intercepting DNS Queries on OpenWrt - Technical guide for DNS hijacking and bypass prevention
  5. Ben Tasker’s OpenWrt Time-Based Rules Guide - Practical implementation guide with caveats