Guiderails is a wrapper to DNSMASQ that blacklists everything and then selectively whitelists specific servers for a fully controlled and curated internet experience. The typical use case is to enable online education for young kids by blocking ALL internet sites, except for a dozen or two sites manually added by parents/teachers for an online experience that's safe and avoids time wasters.
NOTE: Guiderails is designed for Asus-WRT routers running Merlin's custom linux firmware. Stock routers are typically limited, so this won't work
- ssh into the router
- run
curl -sO https://raw.githubusercontent.com/SidShetye/guiderails/master/install-guiderails.sh && sh install-guiderails.sh - You'll be prompted for a free IP address (e.g.
192.168.1.2) that Guiderails can use to start it's own auxiliary DNSMASQ based DNS service on your router. So if your router is at192.168.1.1on thebr0interface, Guiderails can come up at192.168.1.2onbr0:guiderails. Everything will run on your router itself and the overhead is quite low.
NOTE: You must ensure the router's DHCP service doesn't give this IP address to other clients, so increase the DHCP start as needed. To do so, log into your router Web UI -> LAN -> DHCP -> IP Pool Starting Address. You can also change this later in the
/opt/share/guiderails/guiderails.conffile under thelisten-address=192.168.1.2setting.
- done!
The initial whitelist is roughly what I needed for my son's Google Classroom usage, modify as needed.
- ssh into the router
nano /opt/share/guiderails/guiderails.confand add/replace the domains as you deem fit on the topservice restart_dnsmasqto reload your changes
Finally, you set the kids devices to use this auxiliary DNS server.
- Log into your router's Web UI -> LAN -> DNSFilter
Enable DNS-based Filtering=ONGlobal Filter Modecan be whatever you want (e.g. No Filtering). This applies to non-kids devices.- Under
Custom (user-defined) DNS 1put the Guiderails auxiliary IP address used during installation. e.g.192.168.1.2 - On the same page, at the bottom, select your kids' devices' mac address -> Filtering mode =
Custom 1 - Hit
Applyon the bottom
Use your childs device and try going to a site NOT in the whitelist (e.g. netflix.com).
If you want to manually install, follow these instructions
- ssh into the router
mkdir /opt/share/guiderails/for a location that persists reboots on Merlin firmware with Entware- Download the
guiderails.shandguiderails.conffiles to that location - Edit the
guiderails.conffile to set any whitelist domains you want (all on the on the top). - Edit the
guiderails.conffile to changelisten-address=192.168.1.2to a suitable IP address. It should be a unique IP address so you might want to change your DHCP servers start address to begin after this. - We need to start guiderails automatically, so create (or edit)
/jffs/scripts/dnsmasq.postconfto have something like
#!/bin/sh
. /opt/share/guiderails/guiderails.sh restart
chmod a+x /jffs/scripts/dnsmasq.postconfto make it executable- test by the
service restart_dnsmasqcommand
- ssh into the router
- stop by
/opt/share/guiderails/guiderails.sh stop - delete Guiderails by
rm -rf /opt/share/guiderails/* nano /jffs/scripts/dnsmasq.postconfand remove the. /opt/share/guiderails/guiderails.sh restartline
Typically the script starts/restart automatically when the router boots up or when settings change. But if you want to manually run the script, log into the router via SSH and issue /opt/share/guiderails/guiderails.sh [start/stop/restart]
You are free to file an issue but note that I did this purely to learn the state of custom routers and the ability to add 3rd party services to them. It's something I did in my free time while also helping my kids be safe online. I would encourage you to try to fix the issue yourself or ask on SNBForums.
Web UI for the whitelists? Or some other idea? Please, fork this and go for it!