Network

Network security for crypto holders

## Who this guide is for

Network security for crypto holders

Who this guide is for

This guide is for people who already treat their crypto as a meaningful asset and want to close the network-security gap around exchanges, wallets, and home access.

It fits especially:

readers who already have a hardware wallet or serious asset exposure
people who realised their router and home network are still weak links
users deciding how much network hardening is worth doing and in what order

What you gain, and what it costs

If you improve this layer properly, you gain:

less exposure to router compromise, DNS manipulation, and weak internal network design
a better match between how seriously you treat your assets and how seriously you treat the network around them
clearer upgrade steps by budget instead of vague “buy a better router” advice

What it costs:

money once you move beyond the free steps
more network complexity as you go up the ladder
the need to keep perspective so that your security stack does not turn into a permanent hobby project

When this is overkill

If your crypto exposure is small and your main issue is still password hygiene, backups, or phishing resistance, a full network project is probably not your first priority.

This guide matters once crypto is substantial enough that network compromise would be a meaningful loss scenario, not just a theoretical worry.

You have a hardware wallet. Your seed phrase is safely offline. You’ve thought about what happens to your crypto if something happens to you.

But your router is still the thing your provider sent you three years ago.

This is the most common gap in crypto holder security: a lot of attention on the vault, not much on the door. This article explains the real risks at the network level and what to do about them — by budget, in order of priority.

This guide is primarily for readers who already know that crypto is a meaningful asset for them. It is not automatic advice to immediately start a new network project.

What are the real risks?

DNS manipulation You type coinbase.com into your browser. Your router asks a DNS server: “what’s the IP address of coinbase.com?” If that DNS server is compromised — or if your router itself is hacked — you can be redirected to a perfect copy of the real site. You log in. Your password is gone.

Router compromise Most home routers run outdated firmware with known vulnerabilities. Attackers actively scan for routers with default passwords or unpatched software. Once in, they can intercept all your traffic — including login attempts at exchanges and wallet interfaces.

Network interception Traffic from your computer to an exchange or wallet interface goes through your router. If that traffic isn’t encrypted, or if an attacker is sitting between you and the server (man-in-the-middle), it can be intercepted or manipulated.

Devices on the same network A compromised smart TV, IP camera or games console on your network can be used as a stepping stone. They’re on the same network as your laptop. Separation doesn’t exist without VLANs.

What you can do now — free

These steps cost nothing but immediately reduce risk.

1. Change your router’s admin password It’s probably on a sticker right now, or it’s “admin/admin”. This is the first door attackers try. Change it to a strong, unique password and store it in a password manager.

2. Update the router firmware Go to your router’s admin page (usually 192.168.1.1 or 192.168.0.1), find the firmware update section, and install the latest version. Many vulnerabilities are already patched — but only if you update.

3. Switch DNS to a trustworthy resolver By default your router uses your provider’s DNS. Switch to:

1.1.1.1 (Cloudflare, fastest option)
9.9.9.9 (Quad9, blocks known malware domains)

This doesn’t fully protect against DNS attacks, but it’s better than the default.

4. Disable UPnP UPnP lets devices on your network automatically open ports in your router — without your permission. Turn it off unless you have a specific reason to keep it on.

5. Check which devices are on your network Go to your router and look at the list of connected devices. Do you recognise everything? An unknown device can be a sign of a breach or a device you’ve forgotten about.

Level 1 — €80-110: GL.iNet router

If you buy one thing for network security as a crypto holder, it’s a GL.iNet router.

Why:

OpenWrt pre-installed — the most tested open-source router OS
VPN client built in — all your devices automatically route through VPN
DNS-over-TLS — DNS traffic encrypted, much harder to manipulate
AdGuard Home — blocks known phishing domains at network level
Actively maintained, regular security updates

Model	Price	Suitable for
GL.iNet Beryl AX (MT3000)	~€80	Home, Wi-Fi 6, fast enough for everything
GL.iNet Flint 2 (MT6000)	~€100	Home, more ports, higher throughput

What to set up after purchase:

Activate VPN client (Mullvad, ProtonVPN or your own WireGuard server)
Set DNS-over-TLS to Quad9 (blocks malware domains)
Enable AdGuard Home for DNS filtering at network level
Create guest network for IoT devices (smart TV, cameras, etc.)

With this setup, all your crypto-related traffic runs through an encrypted tunnel. DNS attacks are significantly harder. Phishing domains are blocked before your browser ever reaches them.

Adoption friction: medium. Maintenance burden: medium.

Overkill when: you rarely transact, manage no significant amounts, or haven’t completed the free basic steps yet.

Level 2 — €150-200: Firewalla Gold

If you also want network monitoring and a VPN server — so you can connect securely from a hotel or office — the Firewalla Gold is the next step.

What it adds over GL.iNet:

Real-time alerts when a device behaves strangely
Overview of all network traffic per device
VPN server so you can connect home securely from outside
App-based management — no CLI knowledge needed

Downside: closed platform. You depend on Firewalla for updates. For most crypto holders this is acceptable — for high-risk situations it is not.

Level 3 — €180-400: Protectli + OPNsense

If you want full control — open-source all the way down, no dependency on a company, complete logs of all your network traffic — a mini-PC with OPNsense is the right choice.

Hardware:

Protectli FW4B (~€180) — 4 network ports, fanless, Intel J3160
Protectli FW6 (~€350) — 6 ports, more powerful processor

What OPNsense adds:

Intrusion Detection (Suricata) — detects known attack patterns
VLANs — crypto laptop completely separated from other devices
Full DNS logging — see exactly which domains are being queried
WireGuard VPN server built in

Difficulty: high. Expect a weekend to set everything up. But once you have this running, you have more insight into your network than most small businesses.

Maintenance burden: high. Only sensible if you genuinely want to manage this system properly.

Level 4 — €600+: Deciso DEC series

For those managing crypto as part of a business, asset management, or working in a high-risk environment: Deciso makes official OPNsense hardware.

Dutch manufacturer, used by governments and financial institutions. Plug-and-play OPNsense, professional support, long lifecycle.

This is outside the scope of most home users — but it exists, and if your budget allows it and you take the risks seriously, it’s the honest recommendation.

The order that matters

If you don’t know where to start:

Today, free: change router password + update firmware + switch DNS to Quad9
This week, ~€80: GL.iNet Beryl AX — VPN on router, DNS filtering
Later, when needed: Firewalla or Protectli + OPNsense depending on your threat level

The hardware wallet protects your seed phrase. The router protects the connections you make every day. Both are necessary.

Connection to your other security layers

Network security is one layer. The others:

Hardware wallet — seed phrase offline, you sign transactions on the device itself, never through software. A compromised network can’t empty a hardware wallet — but it can send you to a fake website.
Device isolation — ideally use a separate device for crypto transactions. Not the laptop you also torrent on, install games on, or receive work email on.
Software wallet on GrapheneOS — if you manage crypto on mobile, GrapheneOS provides sandboxing and network isolation per app.

A strong network doesn’t protect you if the device itself is compromised. And a clean device doesn’t help if you’re connecting through a hacked router. The layers reinforce each other.

Next step

Go further

Setting up a GL.iNet travel router — enforce DNS, VPN, and guest-network rules centrally
Which network setup fits your profile? — complete overview of all options
VPN: what it does and what it doesn’t — honest overview of VPN limitations

Profiles

Profile: small business owner — if you manage crypto as a business

Reviews

Trezor Safe 3 review — hardware wallet
NerdMiner ESP32 review — solo Bitcoin mining

← Back to guides