Sounds doable, but we’ll need to check the firmware on that router first. Old stock often comes with vulnerable defaults, so flashing OpenWrt or a similar lightweight OS is a must. Then set up a full‑mesh VPN and end‑to‑end encryption on every link. For the PCs, run a clean audit, remove any unnecessary services, and lock down the OS. Let me know what models you’ve got so we can plan the exact stack.

R7000 is a solid base, but the stock firmware is pretty locked down. First grab the latest stable OpenWrt for that model – the 18.06 or 19.07 builds still support it, though you’ll need to flash the 64‑bit bin. Once that’s on, disable all unneeded services, set up a strong WPA3‑ish passphrase on the LAN, and configure the router as a pure VPN gateway with OpenVPN or WireGuard. For the XPS 15s, run a minimal Linux distro, strip the bootloader to prevent boot‑kits, and set the BIOS to lock down USB boot. Then install a lightweight firewall like nftables, enable full‑disk encryption with LUKS, and let the NUC run as a dedicated DHCP/DNS server with DNS‑over‑TLS. Keep everything off‑network for firmware checks, use a live USB to test before deploying. That should give you a clean, privacy‑first setup.

Debian minimal will give you a clean base with the package manager you can lock down, but if you want a rolling release feel you can go Arch – just remember to disable the initramfs hooks that enable network during boot. For the NUC, set the boot order to internal only, lock the BIOS to a strong password, and keep the recovery USB in a locked compartment – never plug it in unless you’re patching. Once the BIOS is tight, you can move on to hardening the OS. Let’s keep the chain short.