OpenWRT Travel Router · Pi-Based

OpenWRT on a Raspberry Pi 4 with two radios, a WireGuard tunnel home, and AdGuard at the DNS layer. The only network I trust on the road.

Hotel Wi-Fi is the worst category of network you'll voluntarily connect to. Captive portals that MITM your TLS, neighbours scanning the subnet, the inevitable router that hasn't been updated since 2017. I stopped trusting it years ago. The travel router is the answer: a tiny box that I trust, that talks to the hostile network on my behalf, and that all my devices live behind.

PI 4

2GB · USB-C POWER

2×

WIFI INTERFACES

WIREGUARD VPN

ADBLOCK

DNS-LEVEL FILTER

The build

Pi 4 with a USB Wi-Fi dongle for a second radio. The internal Wi-Fi (wlan0) joins the hotel network. The dongle (wlan1) broadcasts my own SSID with WPA2. Everything that connects to my SSID gets shoved through a WireGuard tunnel back to my home server before it touches the internet.

[ TRAFFIC FLOW ]
  device → wlan1 (my AP) → wg0 → hotel wlan0 → internet
                          ↓
                   (encrypted to home)
                          ↓
                  exit at home server

OpenWRT vs raw Debian — why I went OpenWRT

I tried this on plain Raspberry Pi OS first. hostapd, dnsmasq, iptables, all hand-written. It worked. It was also a complete pain to debug when the hotel network did something weird and I needed to reconfigure on the fly from a phone in a hotel lobby. OpenWRT's LuCI web UI is the saviour here. Stuck behind a captive portal? Connect to the AP, browse to the router, change the upstream Wi-Fi credentials in three clicks.

# /etc/config/wireless
config wifi-iface 'wifinet1'
    option device     'radio1'
    option mode       'sta'
    option network    'wwan'
    option ssid       'HotelGuest'
    option encryption 'none'

config wifi-iface 'wifinet0'
    option device     'radio0'
    option mode       'ap'
    option network    'lan'
    option ssid       'sujit-travel'
    option encryption 'psk2'
    option key        'redacted'

Captive portal handling

The annoying reality of hotel Wi-Fi: half the captive portals refuse to load until you accept their TOS, and the WireGuard tunnel can't come up until the captive portal is satisfied. So the routing table has a chicken-and-egg problem on every new network.

workflow

Step one: connect a phone to the AP, hit the router's IP, kill the WG tunnel. Step two: open any HTTPS site, get redirected to the captive portal, accept TOS. Step three: bring WG back up. The whole dance takes maybe 90 seconds and I trust the hotel network for none of it.

AdGuard at the DNS layer

Why I added AdGuard on top of OpenWRT's dnsmasq: every device behind the AP gets DNS-level ad and tracker blocking automatically. No per-device config, no app install, no broken HTTPS. It's also a decent trip-wire — anything weird suddenly making DNS requests for known C2 domains shows up immediately.

The travel router started as a security project and turned into the most useful piece of hardware I own. It has paid for itself in flaky-conference-Wi-Fi rescues alone.

Battery life and form factor

A 20,000mAh power bank runs the Pi 4 plus dongle for ~9 hours of moderate use. The whole thing fits in a hard pencil case with the cable. Total weight under 400g. It lives at the bottom of my backpack and gets unpacked first thing on arrival.

A Pi-Based Travel Router That Doesn't Trust Hotel Wi-Fi