What This Comparison Covers
You've got an ARM SBC with two Ethernet ports and you want to use it as a router. The question is: OpenWrt or a full Linux distribution like Debian or Ubuntu?
Both work. Neither is universally better. This guide gives you the concrete differences that determine which one to pick for a specific use case. It is not a setup guide — see the OpenWrt One setup guide for OpenWrt deployment, or the Debian 13 install guide for a full Linux approach.
Side-by-Side Comparison Table
| Feature | OpenWrt | Debian/Ubuntu |
|---|---|---|
| Target use case | Dedicated router/AP | General-purpose server that also routes |
| Base RAM usage | ~40-60 MB | ~150-300 MB |
| Minimum storage | 16 MB NOR / 128 MB NAND | 2 GB (practical: 4-8 GB) |
| Init system | procd | systemd |
| Package manager | opkg | apt (dpkg) |
| Available packages | ~6,000 | ~60,000+ |
| Config system | UCI (/etc/config/*) | Mixed (per-daemon config files) |
| Web interface | LuCI (built-in) | None default (Webmin, Cockpit optional) |
| Firewall | fw4 (nftables wrapper) | Raw nftables or iptables/ufw |
| Kernel | Patched, router-optimized | Distribution kernel or custom |
| Sysupgrade | Atomic image replacement | Rolling package updates |
| Wi-Fi management | Integrated (hostapd built-in) | Manual hostapd/wpa_supplicant |
| Container support | Limited (LXC possible) | Full Docker/Podman support |
Resource Overhead: RAM and Storage
OpenWrt is built for devices with 128 MB of RAM and 16 MB of flash. Everything is stripped to the minimum. A fresh OpenWrt install with LuCI, dnsmasq, and firewall uses ~50 MB of RAM.
Debian 13 with systemd, apt, journald, and a minimal package set starts at ~180 MB. Add Docker and it goes past 300 MB before you run anything useful.
# Check memory usage on either system
free -h
# OpenWrt typical output:
# total used free
# Mem: 1.0G 52M 900M
# Debian typical output:
# total used free
# Mem: 1.0G 185M 700MOn a 1 GB board like the Banana Pi or OpenWrt One, this difference matters if you're running VPN + DNS + DHCP + a monitoring stack. On a 4 GB board, it doesn't.
Package Management: opkg vs apt
opkg is lightweight but has critical limitations:
- Packages are compiled against a specific kernel version — if you update the kernel via sysupgrade, all manually installed kernel modules break until you reinstall them
- No dependency resolution for conflicts — it will install conflicting packages without warning
- Installed packages are wiped on sysupgrade unless you script reinstallation
- Repository size is ~6,000 packages, heavily focused on networking
apt handles all of this gracefully but needs more disk space and RAM:
- Full dependency resolution with conflict detection
- Rolling upgrades preserve installed packages
- 60,000+ packages covering everything from routing to machine learning
- Security updates via unattended-upgrades (see the hardening guide)
opkg list-installed | cut -d' ' -f1 > /etc/config/my-packages.txt and back it up before upgrading.
Firewall Management
OpenWrt's fw4 is a high-level nftables wrapper managed entirely through UCI:
# OpenWrt: create a firewall zone
uci set firewall.myzone=zone
uci set firewall.myzone.name='iot'
uci set firewall.myzone.input='DROP'
uci set firewall.myzone.forward='DROP'
uci set firewall.myzone.output='ACCEPT'
uci commit firewall
/etc/init.d/firewall restartOn Debian, you work with nftables directly (or UFW as a wrapper):
# Debian with UFW:
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw enable
# Debian with raw nftables:
sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule inet filter input tcp dport 22 acceptOpenWrt's approach is more structured and less error-prone for standard router tasks (zones, forwarding, NAT). Debian's approach gives you full nftables power but requires more manual effort for things like inter-VLAN forwarding rules. The VLAN segmentation guide shows how OpenWrt's zone model simplifies multi-VLAN firewall management.
VPN Performance
WireGuard is in-tree on both platforms. Performance depends on hardware, not the OS. Measured on a Banana Pi (Allwinner A20, single-thread crypto):
| OS | WireGuard throughput | CPU usage | Notes |
|---|---|---|---|
| OpenWrt (kernel 6.6) | ~80 Mbps | 55% | Slightly leaner kernel, marginally faster |
| Debian 13 (kernel 6.6) | ~75 Mbps | 60% | systemd overhead during transfers |
| Armbian (kernel 6.12) | ~82 Mbps | 52% | Optimized kernel config for sunxi |
The difference is marginal. On boards with hardware crypto offload (not the A20), both platforms achieve the same line rate. For detailed VPN benchmarking, see the WireGuard throughput guide.
Update and Upgrade Workflows
OpenWrt
Updates are atomic: download a sysupgrade image, flash it, reboot. The entire root filesystem is replaced. Configuration in /etc/config/ is preserved (if you choose), but packages are not. Major version upgrades (23.05 → 24.xx) sometimes change UCI schema, requiring manual config migration.
Debian/Ubuntu
Updates are rolling: apt update && apt upgrade patches individual packages in place. Everything is preserved. Major version upgrades (Bookworm → Trixie) are done with apt dist-upgrade and usually work, but kernel changes can break SBC boot. See the Ubuntu 26.04 LTS guide for what to expect during a major upgrade on ARM.
Wi-Fi Driver Availability
This is where OpenWrt often wins decisively. OpenWrt carries patched Wi-Fi drivers (mac80211, mt76, ath11k) that are tested specifically for AP mode. The hostapd integration is seamless — you configure Wi-Fi through UCI and it works.
On Debian, you install hostapd manually, configure it via text files, and pray the kernel's Wi-Fi driver supports AP mode for your specific chipset. Many Wi-Fi chipsets that work as clients refuse to work as APs on stock Debian kernels because the required driver patches haven't been backported.
Custom Application Deployment
If your router also runs Home Assistant, a monitoring stack, a self-hosted DNS resolver like Pi-hole, or custom Python scripts — Debian wins. Docker support alone makes this a non-contest for multi-service deployments.
OpenWrt can run LXC containers and some custom applications, but the limited package repository and musl libc (instead of glibc) mean many Linux applications don't work without recompilation.
| Application | OpenWrt | Debian/Ubuntu |
|---|---|---|
| WireGuard VPN | Native | Native |
| Pi-hole / AdGuard Home | AdGuard available via opkg | Both available, Docker or native |
| Home Assistant | Not practical | Docker or native install |
| Prometheus + Grafana | Not practical | Docker or native |
| Custom Python/Node.js apps | Limited (musl, small disk) | Full support |
| Samba file sharing | Available but minimal | Full featured |
Decision Matrix
| Use Case | Pick This | Why |
|---|---|---|
| Dedicated router/firewall | OpenWrt | Purpose-built, lower overhead, better Wi-Fi AP support |
| Wi-Fi access point | OpenWrt | Integrated hostapd, tested drivers, UCI config |
| VLAN router with IoT isolation | OpenWrt | fw4 zones make this trivial |
| VPN gateway (WireGuard only) | Either | Identical performance, OpenWrt slightly simpler config |
| Router + NAS + services | Debian/Ubuntu | Docker, apt, full glibc ecosystem |
| Development/testing platform | Debian/Ubuntu | Full toolchain, package availability |
| Router + monitoring stack | Debian/Ubuntu | Prometheus/Grafana need glibc + storage |
| Minimal headless appliance | OpenWrt | Smallest footprint, atomic upgrades |
| Board with <256 MB RAM | OpenWrt | Debian barely fits; OpenWrt runs comfortably |
| Board with 2+ GB RAM and SATA | Debian/Ubuntu | Enough resources for full Linux; see SATA root guide |
Related Reading
- OpenWrt One setup guide — complete OpenWrt deployment walkthrough
- Debian 13 Trixie install guide — base Debian installation on Banana Pi
- Armbian image selection guide — choosing the right Armbian build for your hardware
- Network segmentation with VLANs — practical VLAN setup on OpenWrt
- ext4 vs F2FS — filesystem choices for both OpenWrt overlay and Debian root
- Banana Pi product overview — hardware specifications
