Whether you want access to video services not available in your country, get better prices on software, or just think the Internet looks finer when viewed through a secure tunnel, a VPN connection at the router level can solve all those problems and then some.
What’s a VPN and Why Would I Want To Do This?
There are a myriad of reasons you might want to use a VPN to route your Internet traffic to a location other than the one you’re actually using the Internet at. Before we dive into how to configure your router to use a VPN network let’s run through a crash course on what a VPN is and why people use them (with helpful links to previous How-To Geek articles on the matter for further reading).
What Is a VPN?
A VPN is a Virtual Private Network. Essentially, it allows you to use your computer as if you were on a network other than your own. As a simple example, let’s say that you and your friend Steve really like playing Command and Conquer, a popular PC game from the 1990s. Command and Conquer can only be played in multiplayer if you’re on the same network as your friend, though–you can’t play over the internet, like you can with more modern games. However, you and Steve could set up a virtual network between your two homes so that, no matter how geographically distant you are, the computers treat each other as if they’re on the same network.
On a more serious note, this is the same technique used by businesses so that their employees laptops can access local resources (like file shares and such) even when the employee and their laptop are hundreds of miles away. All the laptops are connected to the corporate network via VPN so they all appear (and function as if) they were local.
While historically, that was the primary use case for VPNs, people are now also turning to VPNs to help protect their privacy. Not only will a VPN connect you to a remote network, but good VPN protocols will do so through an highly encrypted tunnel, so all your traffic is hidden and protected. When using a tunnel like that, you protect yourself from a wide range of things including the security risks inherent with using a public Wi-Fi hotspot, your ISP monitoring or throttling your connection, or government surveillance and censorship.
What VPNs Should I Use on My Router?
If you’re going to install a VPN on your router, you’re first going to need to get yourself a VPN. These are our favorite choices that actually support being installed on a router:
- ExpressVPN – This VPN server has the best combination of ease-of-use, really fast servers, and supports streaming media and torrenting, all for a cheap price. You can even buy a pre-configured router from them.
- StrongVPN – not quite as easy to use as the others, but you can definitely use them for torrenting and streaming media.
Once you’ve got yourself a VPN, you can proceed to actually setting it up.
Why Configure My VPN at the Router Level?
Now, you could run your VPN straight from your computer, but you can also run it from your router, so all the computers on your network go through the secure tunnel at all times. This is much more comprehensive, and while it involves a bit more work upfront, it means you’ll never have to go through the hassle of starting up your VPN when you want that increased security.
In terms of avoiding censorship, snooping, or someone in your home connecting to a service that draws the attention of local authorities, this also means that even if someone is connected to your home network and they forget to use a secure connection it doesn’t matter as their searches and activity will still pass through the VPN (and to a less dangerous country). In terms of dodging geo-blocking, it means that all devices, even those that don’t support proxies or VPN services, will still have access to the Internet as if they were in the remote location. It means even though your streaming stick or smart TV has no option to enable a VPN, it doesn’t matter because the whole network is linked to the VPN a point where all traffic passes.
In short, if you need the security of network wide encrypted traffic or the convenience of having all your devices routed through another country (so everyone in your house can use Netflix despite its unavailability in your home country) there’s no better way to wrestle with the problem than to set up whole-network VPN access at the router level.
What’s the Downside?
While the upsides are numerous, that doesn’t mean running a whole-house VPN isn’t without a downside or two. First, the most unavoidable effect that everyone will experience: you lose a portion of your total bandwidth to the overhead of running the encrypted VPN tunnel. The overhead typically chews up about 10 percent of your total bandwidth capacity, so your internet will be a little slower.
Second, if you’re running a whole-house solution and you need access to resources that are actually local, then you may either be unable to access them or you’ll have slower access because of the extra leg introduced by the VPN. As a simple example, imagine a British user setting up a VPN so they can access US-only streaming services. Although the person is in Britain, their traffic passes through a tunnel to the US, and if they went to access UK-only areas of the BBC network, the BBC website would think they were coming from the US and deny them. Even if it didn’t deny them, it would introduce a tiny bit of lag to the experience as the server would be sending the files across the ocean and then back again through the VPN tunnel instead of just across the country.
That said, for people considering securing their entire network to gain access it services unavailable in their location, or to avoid more serious concerns like government censorship or monitoring, the tradeoff is more than worth it.
Selecting Your Router
If you’ve come this far and you’ve been nodding the whole time, “Yes, yes. That exactly! I want to secure my entire network and route it through a VPN tunnel!” then it’s time to get serious with a project shopping list. There are two principle elements to this project: a proper router and a proper VPN provider, and there are nuances to selecting both of them. Let’s start with the router.
Selecting a router is the absolute trickiest part of the entire process. Increasingly, many routers support VPNs but only as a server. You’ll find routers from Netgear, Linksys, and the like that have built in VPN servers that allow you to connect to your home network when you’re away, but they offer zero support for bridging the router to a remote VPN (they can’t act as a client).
That’s extremely problematic, as any router that cannot function as a VPN client can’t link your home network to the remote VPN network. For our purposes, secure access from afar to our home network does absolutely nothing to help protect us from snooping, throttling, or geo-blocking when we’re already on our home network. As such, you either need a router that supports VPN client mode out of the box, to take an existing router and flash a custom firmware on top of it, or to purchase a pre-flashed router from a company that specializes in such endeavors.
In addition to ensuring your router can support a VPN connection (either through the default or third-party firmware), you’ll also want to consider how beefy the router’s processing hardware is. Yes, you can run a VPN connection through a 10-year-old router with the right firmware, but that doesn’t mean you should. The overhead of running a continuous encrypted tunnel between your router and the remote network is not insignificant, and the newer/more powerful your router is the better your performance will be.
All that said let’s run through what to look for in a good VPN-friendly router.
Option One: Look for a Router That Support VPN Clients
While we’ll do our best to recommend a router for you that will save you the headache of digging through the feature lists and terminology yourself, it’s best to know what terminology to look for when shopping so you end up with exactly the product you need.
The most important term is “VPN client” or “VPN client mode”. With no exception, you need a router that can function as a VPN client. Any mention of “VPN server” is no guarantee at all that the device also has a client mode and is completely irrelevant to our goals here.
Secondary terms to be aware of that are related, but not directly relevant, to VPN functionality are terms identifying types of VPN passthrough. Typically the firewall/Network Address Translation (NAT) components of routers play very poorly with VPN protocols like PPTP, L2TP, and IPsec, and many routers have “PPTP Pass-Through” or similar terms listed under the VPN category in their marketing materials. That’s a nice feature and all, but we don’t want any sort of pass-through, we want actual native VPN client support.
Unfortunately, there are very few routers on the market that include a VPN client package. If you have an ASUS router, you’re in luck as most newer ASUS routers from their premium RT-AC3200 all the way down to the more economical RT-AC52U support VPN client mode (but not necessarily at the level of encryption you might wish to use, so be sure to read the fine print). If you’re looking for a no-fuss solution because you don’t want the hassle (or aren’t comfortable) flashing your router to a new firmware it’s a very reasonable compromise to pick up an ASUS router that has the support baked right in.
Option Two: Flash DD-WRT on Your Router
If you already have a firmware, there’s a third, but slightly more involved DIY option. DD-WRT is a third-party firmware for dozens upon dozens of routers that has been around for years. The appeal of DD-WRT is that it’s free, it’s robust, and it adds a huge amount of versatility to routers big and small–including a VPN client mode, in many cases. We’ve run it on the venerable old Linksys WRT54GL, we’ve flashed newer flagship routers like the Netgear R8000 to DD-WRT, and we’ve never been unhappy with it.
As scary as flashing your router with new firmware seems to someone who hasn’t done it before, we assure you that it’s not as scary as seems and in years of flashing our own routers, routers for friends and family, and so on, we’ve never had a bricked router.
To see if your router (or the router you’re interested in purchasing) is DD-WRT compatible, check out the DD-WRT router database here. Once you put in your router name you’ll find the entry, if it exists, for the router, as well as additional information.
The above screenshot is an example featured the available DD-WRT builds for the iconic Linksys WRT54GL router. There are really only two important things to consider when flashing. First, read the “additional information” section to learn more about how to flash DD-WRT to any given router (this is important and where you’ll find useful information like “In order to flash this router to to the full package, you first need to flash the Mini version”). Second, make sure you flash the version identified at VPN or Mega (depending on what your router can support) as only those two packages have the full VPN support included. Smaller packages for less powerful routers, like the Micro and Mini save space and resources by not including the more advanced features.
While you’ll find step-by-step instructions for each router (and special adaptations and steps for specific firmware) in the DD-WRT database, if you want a general overview of the process to calm your nerves definitely read over our guide to flashing a router with DD-WRT here.
Option Three: Buy a Pre-Flashed Router
If you want the power of DD-WRT but you’re really uncomfortable doing the ROM flashing process yourself there are two alternatives. First, the Buffalo network and storage company has a line of routers that actually use DD-WRT right out of the box. Routers in the AirStation line now ship with DD-WRT as the “stock” firmware, including the AirStation AC 1750.
Short of flashing your own router, purchasing a Buffalo router that ships with DD-WRT is your safest bet and doesn’t void any warranties because it ships with the firmware already on.
The other alternative is to purchase a router that has been purchased and flashed by a third-party to the DD-WRT firmware. Given how easy it is to flash your own router (and that there are routers on the market like the AirStation that come with DD-WRT) we can’t really endorse this option; especially given that the companies that provide this pre-flashed service charge a significant premium. That said, if you don’t feel comfortable flashing your own router and want to leave it to the professionals you can purchase pre-flashed routers at FlashRouters. (But seriously, the premium is insane. The highly rated Netgear Nighthawk R7000 is currently $165 on Amazon but $349 on FlashRouters. At those prices you can buy an entire backup router and still come out ahead.)
Selecting Your VPN
The best router in the world isn’t worth anything if you don’t have an equally good VPN service to connect it to. Fortunately for you, we have a detailed article devoted just to the topic of selecting a good VPN: How to Choose the Best VPN Service for Your Needs.
While we’d strongly urge you to read over that entire guide before proceeding we understand you might be in a let’s-just-get-this-done mood. Let’s quickly highlight what to look for in a VPN intended for home router use and then highlight our recommendation (and the VPN we’ll be using for the configuration portion of the tutorial).
What you’re looking for in a VPN provider intended for use on your home router, above and beyond other VPN considerations is this: their terms of service should allow for installation on a router. They should offer unlimited bandwidth with no general throttling or service-specific throttling. They should offer multiple exit nodes in the country you are interested in appearing as if you are from (if you want to look like you’re in the US, then a VPN service specializing in European exit nodes is of no use to you).
To that end, our recommendation in the Best VPN Service article remains our recommendation here: VPN provider StrongVPN. This is the service we recommend, and this is the service we’ll be specifically using in the next section to configure a DD-WRT router for VPN access.
How to Configure StrongVPN on Your Router
There are two ways to go about configuring your router: the automated way and the manual way. Configuring your router the manual way isn’t horrendously complicated (you won’t be writing any arcane IPTABLES code for your router by hand or any such thing), but it’s time consuming and tedious. Rather than walk you through every minute setting for StrongVPN’s OpenVPN configuration on your router, we’re instead going to walk you through using the automated script (and, for those if you who wish to do it manually, we’ll point you at their detailed step-by-step guides).
We’ll be completing the tutorial using a DD-WRT flashed router and VPN service provided by StrongVPN. Your router needs to be running DD-WRT revision 25179 or higher (that revision was released way back in 2014, so this tutorial aside you really should update to a newer release) in order to take advantage of the automatic configuration.
Unless otherwise specified, all the following steps occur within the DD-WRT administrative control panel and all instructions like “Navigate to the Setup tab” refer directly to the control panel.
Step One: Back Up Your Configuration
We’re about to make some not-so-minor (but safe and reversible) changes to your router’s configuration. Now would be an excellent time to take advantage of your router’s configuration backup tool. It’s not that you can’t manually undo all the changes we’re about to make, but who would want to when there’s a better alternative?
You can find the backup tool in DD-WRT under Administration > Backup, as seen in the image below.
To create a backup, simply click on the large blue “Backup” button. Your browser will automatically download a file entitled nvrambak.bin. We’d encourage you to give the backup a more recognizable name like “DD-WRT Router Pre-VPN Backup 07-14-2015 – nvrambak.bin” so you can easily locate it later.
The backup tool comes in handy at two places in this tutorial: creating a clean backup of your pre-VPN configuration, and creating a backup of your working post-VPN configuration after you’ve finished the tutorial.
If you find that you don’t want your router to run a VPN client and wish to revert to the state the router was in before this tutorial, you can navigate back to the same page and use the “Restore Configuration” tool and the backup we just created to reset your router to the state is in now (before we make the VPN-related changes).
Step Two: Run the Configuration Script
If you manually configure your StrongVPN connection, there are dozens of different settings to toggle and configure. The automatic configuration system takes advantage of the shell on your router to run a small script which changes all these settings for you. (For those of you that want to manually configure your connection, please see advanced setup tutorials for DD-WRT, found at the bottom of this page.)
To automate the process, you need to log into your StrongVPN account and, in the customer dashboard, click on the “VPN Accounts” entry in the navigation bar.
There are two areas of interest to us here. First, if you want to change your server (the exit point for your VPN), you can do so by selecting “Change Server”. Second, you need to click on the “Get Installers” link to get the DD-WRT installer.
In the Installers section, click on the entry for DD-WRT.
You won’t find an installer, in the traditional sense (there’s no file to download). Instead, you’ll find a command that is tailored specifically for your account and configuration. The command will look like this:
eval `wget -q -O - http://intranet.strongvpn.com/services/intranet/get_installer/[YourUniqueID]/ddwrt/`
[YourUniqueID] is a long alphanumeric string. Copy the entire command to your clipboard.
While logged into your DD-WRT router’s control panel, navigate to Administration > Commands. Paste the command into the “Commands” box. Confirm that the text matches and includes the single quotation marks around the wget command and subsequent URL. Click “Run Commands”.
If you’ve entered the command correctly, you should immediately see an output like the following:
Your router will then reboot. When it’s finished, you can navigate to Status > OpenVPN to check the status. While there will be a detailed output log at the bottom, the important thing is if the client state is connected, like so:
If everything looks good on the router side of things, open a web browser on any device on your network and perform a simple Google query “what is my ip”. Check the results.
That is most definitely not our normal IP address (since our ISP, Charter Communications, uses a 71.-block address). The VPN is functioning, and as far as the outside world is concerned, we’re actually browsing the Internet hundreds of miles from our current location in the US (and with a simple address change we could be browsing from a location in Europe). Success!
At this point, the script has successfully changed all the necessary settings. If you’re curious (or want to check over the changes) you can read over the advanced setup tutorial for newer versions of DD-WRT here.
In summary, the installer script turned on the OpenVPN client in DD-WRT, toggled the numerous settings to work with StrongVPN’s setup (including importing security certificates and keys, tweaking, setting the encryption standard and compression, and setting the IP address and port of the remote server).
There are two settings relevant to our needs, however, that the script doesn’t set: DNS servers and IPv6 utilization. Let’s take a look at them now.
Step Three: Change Your DNS
Unless you have specified otherwise at some point in the past, your router most likely uses your ISPs DNS servers. If your goal in using the VPN is the protect your personal information and reveal as little about yourself to your ISP (or anyone snooping on your connection), then you want to change your DNS servers. If your DNS requests are still going to your ISP server at best nothing happens (you just have to deal with the usually subpar response time from ISP provided DNS servers). At worst the DNS server can censor what you see or malicious log the requests you make.
To avoid that scenario, we’ll change the DNS settings in DD-WRT to use large and public DNS servers instead of whatever our ISP defaults to. Before we jump into the setup (and our recommended DNS servers), we want to highlight that while StrongVPN does offer an anonymous DNS service (with zero logging) for approximately $4 a month, we don’t recommend that particular service as strongly as we recommend their great VPN service.
It isn’t that their DNS servers are bad (they aren’t), it’s that totally anonymous log-free DNS service is overkill for most people. A good VPN provider coupled with Google’s speedy DNS services (which engage in very minimal and reasonable logging) is just fine for anyone short of the extremely paranoid or those with serious concerns about an oppressive government.
To change your DNS servers navigate to Setup > Basic and scroll down to the “Network Setup” section.
You need to specify static DNS servers. Here are some well known and secure public DNS servers you can use as alternatives to your ISP’s default servers.
Level 3 DNS
In our screenshot above, you can see that we filled the three DNS slots with 2 Google DNS servers and one Level 3 DNS server (as a fallback in case, by some very rare chance, the Google DNS servers are down).
When you’re done make sure to click “Save” and then “Apply Settings” at the bottom.
Step Four: Disable IPv6
IPv6 might be important to the general future of the Internet in that it ensures there are enough addresses for all the people and devices, but from a privacy standpoint it’s not so great. IPv6 information can contain the MAC address of the connecting device, and most VPN providers don’t use IPv6. As a result, IPv6 requests can leak information about your online activities.
While IPv6 should be disabled by default on your DD-WRT installation, we’d encourage you to double check that it actually is by navigating to Setup > IPV6. If it isn’t already disabled, turn it off and then save and apply your changes.
Turning The VPN Off
While you might want to leave your VPN service on 24/7, it’s actually very easy to turn the service off without having to reverse every configuration option we tinkered with above.
If you wish to turn the VPN off permanently or temporarily you may do so by navigating back to Services > VPN and then, back in the “OpenVPN Client” section, switching the “Start OpenVPN Client” section to “Disable”. All your settings will be preserved and you can return to this section to turn the VPN back on at any time.
Although we had to do some relatively serious digging in the DD-WRT settings menus, the end result is a whole-network VPN that secures all our traffic, routes in anywhere in the world we want to send it, and offers us significantly increased privacy. Whether you’re trying to watch Netflix from India or to keep the local government off your back by pretending to be from Canada, your new VPN-toting router has you covered.
Have a question about VPNs, privacy, or other tech matters? Shoot us an email at email@example.com and we’ll do our best to answer it.