On OpenWrt

It’s better to block bad-guys at the boarder and CrowdSec on OpenWrt allows you do do that. It’s also more efficient to do it there than on every instance you want to protect.

Installation

There’s two parts; the ‘hub’ that downloads and maintains the list of baddies, and the ‘bouncer’ that checks the list every so often and updates firewall tables to block them.

OpenWRT is best served by installing just the bouncer. But if your install is very small, you can run the hub (crowdsec) there as well.

# At the OpenWrt command line
apk update
apk install crowdsec crowdsec-firewall-bouncer luci-app-crowdsec-firewall-bouncer

There will be some error messages as the packages disagree on file ownership, but this seems OK as they don’t use the .yaml files you expect.

The bouncer won’t be running after installation like it would with a normal linux install. You must register the bouncer with the hub and start it like so:

# Note the API key this command generates
cscli bouncers add openwrt

# Edit OpenWRT's config file for the service and configure the bouncer section.
vi /etc/config/crowdsec

config bouncer
	option enabled '1'
	option ipv4 '1'
	option ipv6 '1'
	option api_url 'http://localhost:8080/'
	option api_key 'XXXXXXXXXXXXXXX'
	option deny_action 'drop'
	option deny_log '0'
	option log_prefix 'crowdsec: '
	option log_level 'info'
	option filter_input '1'
	option filter_forward '1'
	list interface 'eth0'

And then restart and check.

service crowdsec restart
service crowdsec-firewall-bouncer restart

# This should now have a long list of rules at the end under "crowdsec-blacklists-CAPI"
nft list ruleset

We installed the luci-gui package that lets you access the bouncer config in the GUI at network -> firewall -> crowdsec-firewall-bouncer. Though beyond being a curiosity, I’ve not found a use for it.

Sources

https://docs.crowdsec.net/u/user_guides/multiserver_setup/ https://kroon.email/site/en/posts/2025/10/openwrt-crowdsec/ https://openwrt.org/docs/guide-user/services/crowdsec