Have a Question?

How to Install OpenWrt On Protectli Vaults + Additional WiFi/Modem Driver Config

Print
Created OnOctober 2, 2025
Last Updated OnOctober 2, 2025
bystuart.lawson

Overview

In the words of the official OpenWrt project, "OpenWrt is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management." While OpenWrt is popularly installed to replace stock firmware on consumer wireless routers, it can also be installed to run on a very wide range of computers, including every Protectli Vault and Vault Pro. Due to the incredible driver support, you can use OpenWrt in-tandem with a Vault to act as a Wireless Access Point, a basic firewall/router, or a handy travel router utilizing 4G/5G modems. 

OpenWrt has been successfully installed on all Protectli Vault and Vault Pro products regardless of whether AMI or coreboot firmware is being used

OpenWrt Images

OpenWrt provides images on their website that inherently require you to manually install drivers and packages required for WiFi cards, certain NICs, modems, etc after the OS has been installed. This article will have instructions on how to install the default images on Protectli Vaults and how to install drivers for a variety of components offered by Protectli.

Installing OpenWrt on a Protectli Vault

Unlike a vast majority of operating systems that are installed on Protectli Vaults, you cannot simply create a bootable USB with OpenWrt's image to install it. If you were to burn the OpenWrt .img to a USB and boot to it, you would be live booting into the USB and it would not be installed on the Vault's internal storage. The image must be written directly to the internal storage for an ideal use-case.

In order to do that, you must temporarily use another operating system to write OpenWrt to the Vault's internal storage (NVMe, eMMC, SATA, etc). For the purpose of this article, we will be using Ubuntu to accomplish this. We will outline a few ways of doing this below. Please click on the drop down to view instructions for either scenario. 

In this scenario, you will need to have a monitor or TV to connect to the Vault, a wired USB keyboard and mouse, a single USB drive, and an Ethernet cable to connect from your modem or router to one of the Vault's Ethernet ports. You will also need another computer or laptop to initially create the bootable USB drive.

  1. On your computer or laptop, please download the latest LTS image of Ubuntu Desktop (https://ubuntu.com/download/desktop)
  2. Plug in your USB drive to your computer and acknowledge that anything on that USB drive will be overwritten/deleted in the next few steps
  3. If on Windows, download/install Rufus if you do not already have it. On MacOS, download/install Balena Etcher if you do not already have it
  4. Use one of those programs to burn the Ubuntu .iso directly to your USB drive (this will delete any preexisting data on the USB drive)
  5. Once completed, connect a monitor, keyboard, mouse, your USB drive, and an ethernet connection to your Protectil Vault
  6. Turn on the Protectli Vault
  7. Hold the F11 key right as the Vault powers on, and select the USB drive as your boot option
  8. The system will now boot into Ubuntu, make sure to select "Try or Install Ubuntu"
  9. It may take a minute or two before it loads
  10. Once you see the "Choose your language" screen, close it out
  11. Open up Firefox and go to downloads.openwrt.org/releases
  12. Scroll down and click on the most recent version available. At the time of this article's creation, it was 24.10.3, but if a newer version has released you most likely will want to choose that
  13. You should then choose "targets", "x86", "64"
  14. Download the "generic-ext4-combined-efi.img.gz" (if you are on a FW series Vault with coreboot, you should instead download the "generic-ext4-combined.img.gz")
  15. The file should automatically save in your "Downloads" folder, so navigate there from the file browser
  16. Right click on the .gz file and extract it
  17. Right click on any of the empty white space in that directory and "open in terminal". This will open a new terminal window with you already in the directory.
  18. In most cases you will want to install OpenWrt to an SSD installed in your Vault. Type and enter lsblk to view all installed drives
  19. In the image above, sda is the USB drive, mmcblk0 is the on-board eMMC, and nvme0n1 is the NVMe. For the purpose of this article, we will install it to the NVMe, but you can choose a different storage medium
  20. Type and enter: sudo dd if=openwrt-xxx.img of=/dev/nvme0n1 bs=4M status=progress conv=fsync
    • Please note the OpenWrt image is not actually named openwrt-xxx.img, it will typically be something like openwrt-24.10.3-x86….img If you start typing openwrt and hit your tab key, it will automatically fill out
      the name
  21. Once completed, you will get a completion message
  22. We will now want to extend the partition so you have more space to install packages and other things on OpenWrt
  23. You can view the current partition table by typing and entering: lsblk /dev/nvme0n1
  24. Partition 2 (nvme0n1p2) is typically the root directory that we will want to increase
  25. Type and enter: sudo growpart /dev/nvme0n1 2
  26. Afterwards, type and enter: sudo resize2fs /dev/nvme0n1p2
  27. The partition has now been extended
  28. Power off the Vault
  29. Power it back on and hold F11 to choose the NVMe to boot to
    • If you are on coreboot, you can instead change the boot order so it always automatically boots to OpenWrt from here on forward
    • To do that, hold "delete" key at boot instead, go to Boot Maintenance Manager>Boot Options>Change Boot order
      • Hit Enter to select the boot options
      • Use the arrow keys to highlight over the NVMe
      • Press Shift and + a few times to move it to the top
      • Hit Enter again to accept
      • Hit F10 to save
      • Proceed
  30. Once OpenWrt boots fully, you can connect a computer to Port 1 on the Vault. 
  31. On a computer connected to Port 1, navigate to 192.168.1.1 in your browser to access the OpenWrt GUI
  32. "root" is the default username, and "openwrt" is the default password
  33. After logging in, it is highly recommended to change the default password
  34. After changing password, you can connect your modem to Port 2 on the Vault to give internet access to the Vault/OpenWrt
  35. OpenWrt is officially installed and is working as expected. Instructions on installing drivers can be found in the section titled "Installing Drivers" found lower down in this article

In this scenario, you will need to have a monitor or TV to connect to the Vault, a wired USB keyboard and mouse, and two individual USB drives (one USB drive will be used as storage, and the other will have Ubuntu installed to it). You will also need a computer or laptop (with internet access) to initially create the bootable USB drive and to download the OpenWrt image.

  1. On your computer or laptop, please download the latest LTS image of Ubuntu Desktop (https://ubuntu.com/download/desktop)
  2. You should also go to downloads.openwrt.org/releases
    • Scroll down and click on the most recent version available. At the time of this article's creation it was 24.10.3, but if a newer version has released you most likely will want to choose that
    • You should then choose "targets", "x86", "64"
    • Download the "generic-ext4-combined-efi.img.gz" (if you are on a FW series Vault with coreboot, you should instead download the "generic-ext4-combined.img.gz")
  3. Plug in the USB drive that will be used as storage to your computer, and move the openwrt.img you downloaded to it. You are not burning this image to the USB, you are simply placing the file on the USB. If it is a brand new USB drive, you may need to format it beforehand so it can be used as storage (typically formatted as FAT32 or similar)
  4. Plug in your other USB drive (that you did not save OpenWrt to) to your computer and acknowledge that anything on that USB drive will be overwritten/deleted in the next few steps
  5. If on Windows, download/install Rufus if you do not already have it. On MacOS, download/install Balena Etcher if you do not already have it
  6. Use one of those programs to burn the Ubuntu .iso directly to your USB drive (this will delete any preexisting data on the USB drive)
  7. Once completed, connect a monitor, keyboard, mouse, both of your USB drives to your Protectil Vault
  8. Turn on the Protectli Vault
  9. Hold the F11 key right as the Vault powers on, and select the USB drive that has Ubuntu on it as your boot option
  10. The system will now boot into Ubuntu, make sure to select "Try or Install Ubuntu"
  11. It may take a minute or two before it loads
  12. Once you see the "Choose your language" screen, close it out
  13. Access the file browser found on the left side of the screen
  14. Navigate to your USB drive that has the OpenWrt image on it, and right click on the .gz file and extract it
  15. It is recommended to now copy the .img file from your USB to your downloads (or another) folder on Ubuntu
  16. Navigate to the folder you just copied the image to
  17. Right click on any of the empty white space in that directory and "open in terminal". This will open a new terminal window with you already in the directory.
  18. In most cases you will want to install OpenWrt to an SSD installed in your Vault. Type and enter lsblk to view all installed drives
  19. In the image above, sda is the USB drive with Ubuntu, sdb is the USB storage device, mmcblk0 is the on-board eMMC, and nvme0n1 is the NVMe. For the purpose of this article, we will install it to the NVMe, but you can choose a different storage medium if you wish
  20. Type and enter: sudo dd if=OPENWRT-IMAGE.img of=/dev/nvme0n1 bs=4M status=progress conv=fsync
    • Please note the openwrt image is not actually named OPENWRT-IMAGE.img, it will typically be something like openwrt-24.10.3-x86….img If you start typing openwrt and hit your tab key, it will automatically fill out
      the name
  21. Once completed, you will get a completion message
  22. We will now want to extend the partition so you have more space to install packages and other things on OpenWrt
  23. You can view the current partition table by typing and entering: lsblk /dev/nvme0n1
  24. Partition 2 (nvme0n1p2) is typically the root directory that we will want to increase
  25. Type and enter: sudo growpart /dev/nvme0n1 2
  26. Afterwards, type and enter: sudo resize2fs /dev/nvme0n1p2
  27. The partition has now been extended
  28. Power off the Vault
  29. Power it back on and hold F11 to choose the NVMe to boot to
    • If you are on coreboot, you can instead change the boot order so it always automatically boots to OpenWrt from here on forward
    • To do that, hold "delete" key at boot instead, go to Boot Maintenance Manager>Boot Options>Change Boot order
      • Hit Enter to select the boot options
      • Use the arrow keys to highlight over the NVMe
      • Press Shift and + a few times to move it to the top
      • Hit Enter again to accept
      • Hit F10 to save
      • Proceed
  30. Once OpenWrt boots fully, you can connect a computer to Port 1 on the Vault. 
  31. On a computer connected to Port 1, navigate to 192.168.1.1 in your browser to access the OpenWrt GUI
  32. "root" is the default username, and "openwrt" is the default password
  33. After logging in, it is highly recommended to change the default password
  34. After changing password, you can connect your modem to Port 2 on the Vault to give internet access to the Vault/OpenWrt
  35. OpenWrt is officially installed and is working as expected. Instructions on installing drivers can be found in the section titled "Installing Drivers" found lower down in this article

Installing Drivers

There are various driver packages you can install to enable the functionality of your installed WiFi card, modem, or other peripherals. If you are using a WiFi card or modem in your Vault that wasn't directly purchased from us, you will need to find out what drivers are required by reading the documentation for the modules you purchased. 

  • To install drivers (or packages), you must access the web GUI at 192.168.1.1
  • There must be a valid WAN connection established as well
  • Navigate to System > Software
  • Click on the "Update Lists" button

  • From here, you can search for specific drivers and packages in the Filter box

The specific drivers for your components can be found in the drop downs below:

  • Search for and install ath10k-firmware-qca6174 
  • Search for and install kmod-ath10k 

In order to actually utilize the cards as an access point:

  • Search for and install hostapd
  • Reboot the entire Vault
  • You should now see a "Wireless" section under the "Interfaces" tab on the OpenWrt Web GUI
  • Basic Instructions for setting up an access point are in the "Setting up a WiFi Access Point" section of this article

This is the WiFi card that is only available for the FW2B, FW4B, FW4C,  and FW6 Series. This is a USB-based WiFi card that connects via mPCIe form factor.

  • Search for and install kmod-rt2800-usb

In order to use the card as an Access Point:

  • Search for and install hostapd
  • Reboot the Vault
  • You should now see a "Wireless" section under the "Interfaces" tab on the OpenWrt Web GUI
  • Basic Instructions for setting up an access point are in the "Setting up a WiFi Access Point" section of this article
  • Search for and install kmod-usb-net-rndis
  • Search for and install wwan if it is not already installed
  • Reboot the Vault

Once rebooted, you should see the modem as a device in your network interfaces. 

  • The MDG200 is seen as "usb0" ethernet adapter
  • The MDG230 will be seen as a new "eth" device
    • For example, if you only had two ethernet interfaces previously, the modem would be "eth2"
    • You can normally determine what eth interface it is by going to Network > Interfaces > Devices. The modem will have a MAC address that is drastically different then the ethernet ports, which normally start with 64:62:66…
  • If you wish to configure the modem as a WAN connection to give all LAN connected devices access to the internet, please go to the "Setting up the Modem as a WAN connection" section of this article

Setting up a WiFi Access Point

Instructions below are for the WiFi cards we offer, but the instructions are generally the same if you are using a different WiFi card.

Once the drivers required have been installed as well as hostapd, you should see a "Wireless" section under Network. If you do not see it, then make sure you have rebooted your Vault after initially installing the required drivers.

  • Navigate to Network > Wireless

  • Click on "Add" next to your WiFi card's name

  • Choose a Mode, Channel, and Width
    • For our example we used AC, 36, 80Mhz
    • You can play around with the channel and width to figure out what combination works best in your environment
    • Set the Country Code to correlate with the country you are physically located in

  • Scroll down a bit to the "Interface Configuration" section
  • Set Mode to Access Point
  • Give your network a name (ESSID)
  • Select lan as the Network
    • This will bridge the connection with the preexisting lan network, so no additional firewall rules will need to be set
  • You can turn on Hide ESSID if you wish (you won't see the SSID publicly visible on your devices, you will have to create a manual entry to connect)
  • You can leave WMM Mode enabled

  • Navigate to the "Wireless Security" tab
  • The following steps are up to you to determine what encryption method works in your use case, but we used the following settings:
    • Encryption set to WPA2-PSK (Strong Security)
    • Cipher set to auto
    • Key will be the password that allows you to connect to the network
    • Everything else left default

  • Click the green "Save" button
  • Then, click the blue "Save & Apply" button

  • You can also delete the preexisting "OpenWrt" SSID if you wish
    • Save & Apply after

At this point the Access Point will begin configuring and will enable. It can take a few minutes for it to initially show up, but subsequent reboots should only take a matter of seconds to a minute to load the AP. 

This is the WiFi card that is only available for the FW2B, FW4B, FW4C,  and FW6 Series. This is a USB-based WiFi card that connects via mPCIe form factor.

Once the drivers required have been installed as well as hostapd, you should see a "Wireless" section under Network. If you do not see it, then make sure you have rebooted your Vault after initially installing the required drivers.

  • Navigate to Network > Wireless
  • Click on "Add" next to your WiFi card's name
  • Choose a Mode, Channel, and Width
    • For our example we used N, 6, 20Mhz
    • You can play around with the channel and width to figure out what combination works best in your environment
  • Scroll down a bit to the "Interface Configuration" section
  • Set Mode to Access Point
  • Give your network a name (ESSID)
  • Select lan as the Network
    • This will bridge the connection with the preexisting lan network, so no additional firewall rules will need to be set
  • You can turn on Hide ESSID if you wish (you won't see the SSID publicly visible on your devices, you will have to create a manual entry to connect)
  • You can leave WMM Mode enabled
  • Navigate to the "Wireless Security" tab
  • The following steps are up to you to determine what encryption method works in your use case, but we used the following settings:
    • Encryption set to WPA2-PSK (Strong Security)
    • Cipher set to auto
    • Key will be the password that allows you to connect to the network
    • Everything else left default
  • Click the green "Save" button
  • Then, click the blue "Save & Apply" button
  • You can also delete the preexisting "OpenWrt" SSID if you wish
    • Save & Apply after

At this point the Access Point will begin configuring and will enable. It can take a few minutes for it to initially show up, but subsequent reboots should only take a matter of seconds to a minute to load the AP. 

Setting up the Modem as a WAN Connection

If you are using one of our 4G/5G internal modems, you can set this as a WAN connection to allow internet access to LAN connected devices. This is great for a travel router scenario.

Verify you have the required drivers/firmware/packages mentioned previously in this article. Note that you will need a SIM card to be installed in the modem in order to actually establish a connection. In the example below, we utilized a Google Fi SIM card.

  • You can determine what your modem is labeled as at Network > Interfaces > Devices
    • In our example, our modem was eth4, because eth0-3 are the ethernet ports on the Vault
  • Go back to Network > Interfaces

  • Click on "Add new interface" towards the bottom left

  •  Give the interface a name
  • Set Protocol to DHCP client
  • Choose the device that correlates with the modem that you determined earlier
    • For example, ours is eth4

  • Click "Create interface" button
  • All the default options in the "General Settings" and "Advanced Settings" tab can be left alone
  • In the "Firewall Settings", choose the preexisting WAN zone as the firewall-zone
    • This will allow LAN connected devices to gain internet access through the modem

  • In the "DHCP Server" tab, click on "Set up DHCP Server"
  • Then, uncheck the "Ignore Interface" box so it is NOT selected
  • Click "Save", and then hit "Save & Apply"

  • Please allow for upwards of a minute or two for everything to configure
  • In a web browser on a computer connected to the LAN port of OpenWrt, navigate to 192.168.123.254
    • This is the modem's gateway, GUI location
    • If you are unable to access this, wait another minute and try again
    • If you still can't access it, try removing the Ethernet cable from your computer and plug it back in, and also you may need to reboot the Vault one time
  • If you have not logged in before, the default username and password should be either:
    • admin / admin
    • admin / Admin12345
    • The information should have been provided on a physical note with your order

  • After logging in, use this GUI to navigate to Setup > Network > Cellular tab

  • Typically you will need to configure an APN correlating with your SIM card to establish a connection
    • For our Google FI SIM, we set APN to Auto
  • After setting the APN, make sure to save and apply settings!
  • After a little bit of time, you should gain an IP address and establish a connection with your network provider
    • You can go to Status section of GUI to confirm
    • If you aren't establishing a connection, wait a bit, and then reboot the entire Vault one time
    • On the subsequent reboot, wait another minute or so, and a connection should be established
  • You should now be able to access the internet on a computer connected to the LAN port without a physical WAN connection to a modem
    • Again, if you still aren't getting a connection on the computer, try resetting the ethernet connection to the computer

Using a COM Connection

If you don't want to use a monitor connected via HDMI to view OpenWrt's console, you can instead use a Serial COM connection to view the console output on a computer or laptop.

All Protectli Vaults have a COM port and a COM cable is included with every Vault.

OpenWrt enables COM access by default. There should be no additional configuration required on OpenWrt directly. You will need to use a Serial Terminal program to view it. Please use our How to use the Vault's COM Port article for detailed instructions for your Vault.

Conclusion

This article should have given you an idea of how to get OpenWrt up and running on your Protectli Vault or Vault Pro. For detailed instructions and documentation on the OS as a whole, please go to OpenWrt's official website: https://openwrt.org/docs/start

If you have any questions, please reach out to us as support@protectli.com

As a final statement, we are currently working with our partners on a custom image of OpenWrt that will include drivers for every single component we sell. This image will also enable functionality of the "reset" button found on most Vaults. When pressed for 10 seconds, the OS would be reverted to factory defaults all while maintaining the initially included drivers. Please keep a lookout on updates for this!

Table of Contents