Post-20250919 router admin-surface audit (disable WAN admin, WPS, UPnP, cloud binding) #108

Open
opened 2026-05-24 21:45:37 +00:00 by coilysiren · 0 comments
Owner

Problem

The TP-Link Archer A20 ships with several admin-surface defaults that are unsafe by modern threat-model standards. After the 20250919 firmware upgrade (tracked separately by the session that filed this issue), the router's admin surface needs an end-to-end audit and lockdown sweep.

Scope - in

  1. Disable WAN-side admin (remote management). Verify only LAN/tailnet can reach the admin UI.
  2. Disable WPS entirely.
  3. Disable UPnP. Downstream effect: also closes the root cause behind #106 (BT client saturating UPnP and evicting other devices' port mappings). Any device that needed UPnP gets a static port forward instead.
  4. Disable any TP-Link 'cloud' / TP-Link ID account binding. The router should not have an outbound control plane that isn't Kai's.
  5. Rotate the admin password if it hasn't been rotated post-upgrade. Store in SSM at /coilysiren/home/tplink-admin-password (already anticipated by #107).
  6. Audit the guest network, DMZ, ALG, and any 'open VPN client/server' features the new firmware may have enabled by default.
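A post-sweep verification script, added here as an example and not part of the original issue or of the router's own tooling. It covers the end state of items 1 and 3: it multicasts a standard SSDP M-SEARCH and reports any InternetGatewayDevice that answers (none expected once UPnP is off), and it checks whether the admin UI ports accept a TCP connection from the host it runs on (expected open from a LAN/tailnet host, closed from a WAN-side host). The router address, the admin ports and the sample SSDP reply in the test are constructed placeholders.

```python
"""Verify the router lockdown end state (UPnP off, admin UI not reachable from WAN).

Added example; assumes the router's LAN address and admin ports below are
replaced with the real ones. Run from a LAN host and then from a WAN-side
host and compare the two reports.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (UPnP Device Architecture, discovery)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into lower-cased headers; {} if not a 200."""
    text = raw.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    headers = {}
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return headers
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers: dict) -> bool:
    """True if the responder advertises an Internet Gateway Device (UPnP port mapping exposed)."""
    return "InternetGatewayDevice" in (headers.get("st", "") + headers.get("usn", ""))


def probe_upnp(timeout: float = 3.0) -> list:
    """Multicast one M-SEARCH; return (ip, LOCATION) for every IGD that answers."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(4096)
                hdrs = parse_ssdp_response(data)
                if is_igd(hdrs):
                    found.append((addr[0], hdrs.get("location", "")))
        except socket.timeout:
            pass  # silence after MX seconds is the expected "UPnP off" result
    return found


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes (admin UI reachable from here)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify(router_addr: str, admin_ports=(80, 443)) -> dict:
    """Run both checks and return the findings for the host this executes on."""
    return {
        "upnp_igd_responders": probe_upnp(),
        "admin_ports_open_from_here": [p for p in admin_ports if tcp_open(router_addr, p)],
    }


if __name__ == "__main__":
    ROUTER_ADDR = "192.168.0.1"  # constructed placeholder: the Archer's LAN (or WAN) address
    report = verify(ROUTER_ADDR)
    print("UPnP/IGD responders (expect none):", report["upnp_igd_responders"])
    print("admin ports open from this host:", report["admin_ports_open_from_here"])
```

From a LAN host the expected report is an empty responder list and the admin ports open; from a WAN-side host both lists should be empty. A non-empty responder list after the sweep means UPnP is still advertised and item 3 is not done.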

Scope - out

  • Replacing the router (tracked in the sibling Ubiquiti-evaluation ticket).
  • Playwright automation (#107). This sweep is one-shot manual; if automation ever happens it should re-apply the same end state.

Why now

Router CVE = pre-auth, pre-LAN, owns DNS+DHCP+gateway+TLS-MITM surface for the whole home network. Highest-leverage hardening surface on Kai's stack.

Filed by Claude.

coilysiren added P4 and removed P3 labels 2026-05-31 07:00:41 +00:00
Reference: coilyco-flight-deck/infrastructure#108