Installing a VPN on your router can be a great option under the right circumstances. There are several clear advantages to running a VPN on your router rather than on individual devices.
Why install a VPN on your router?
- Protect multiple devices with one VPN connection
- Secure devices that can’t run VPN apps (Roku, AppleTV, Chromecast)
- Always-on protection
I personally have run a VPN on my wifi router for years, and it’s been a great setup. I have my VPN router set up as part of a dual-router configuration with a dedicated VPN router. That way, connecting to the VPN is as easy as switching wifi networks.
Here’s the step-by-step guide that will show you exactly how to set everything up, from scratch.
Steps to install a VPN on your router:
- Choose a compatible router & firmware
- Flash the Firmware (if necessary)
- Choose a VPN
- Set up the VPN client
- Test your connection
Overview
Let’s quickly cover the basics of how this process works so you can understand everything involved. It’s not overly complicated, but it is important to choose your tools wisely, especially when choosing a VPN-compatible router model to purchase.
Here are all the steps involved:
Choose a Router & Firmware
Not every router can run a VPN. Only a fraction of router models have the CPU power necessary to perform the complex math behind VPN encryption. Fewer still are compatible with VPN-ready firmware, the router operating system that makes it all possible.
In many ways, step #1 (router) and step #2 (firmware) should be done together. You want to choose a router and compatible firmware together.
Personally, I prefer to use router models that meet a few criteria:
- Strong hardware specs (faster speeds)
- VPN-Capable right out of the box (stock firmware)
- Compatible with 3rd-party firmware
This will narrow your list down substantially, while giving you the greatest flexibility after purchase.
Pro Tip: by choosing a router that comes pre-installed with VPN-ready firmware, you avoid the hassle (and risks) of trying to flash a 3rd-party firmware yourself.
Flash the firmware (if necessary)
If you’ve opted to go the third-party firmware route (DDWRT, Tomato, OpenWRT) then you’ll need to flash (install) the firmware on your compatible router.
This step does carry some risk of bricking your router, but it’s pretty safe if you’re using a supported model and follow the instructions carefully. I’ve flashed my trusty AC68U to Tomato, DDWRT and back again more than 10 times.
Configure the VPN Connection
In this step you’ll select a VPN protocol to use (OpenVPN is recommended for most routers) and configure the router’s VPN client per your VPN provider’s instructions.
It’s usually as simple as importing an .ovpn configuration file, available from your VPN’s documentation.
Test
Make sure your VPN connection is working as expected, all your devices can access the internet and your IP address is changed to match the VPN location.
Step 1. Choose a VPN Router (and firmware)
Choosing a router model and VPN-ready firmware should be done together. That’s because each firmware only supports a specific list of routers. A small handful (mostly ASUS routers) support multiple firmwares.
In my experience, it’s best to choose a router that comes VPN-ready out of the box (the stock firmware includes a VPN client). This way, you don’t void the manufacturer warranty and you have zero risk of bricking the router. You can always flash a 3rd-party firmware later if you need more functionality.
Select from three categories of router:
There are three different approaches to getting a router that can run your VPN:
- Routers that come VPN-ready from the factory
- Routers that are compatible with 3rd-party VPN firmware
- Pre-flashed routers
VPN-ready routers (stock firmware)
These routers come pre-installed with factory firmware that includes a VPN client. There’s no need to flash the firmware, and your warranty won’t be voided.
Compatible Routers:
- Most ASUS routers, including AC68U, AC86U, AX68U, AX86U, AX88U.
- Netgear: R7800
Pro tip: Go with one of these factory-ready VPN routers. It’ll save the headache of flashing the firmware after arrival. You can always opt for a 3rd-party firmware later if necessary.
Flash the router yourself
You can buy any router that runs a VPN-ready firmware version, then flash the router yourself. This is the most cost-effective option but also the riskiest.
I recommend it for cheaper router models such as TP-Link and Buffalo routers.
Buy a Pre-flashed router
If you want open-source firmware like DD-WRT but are concerned about the risks of flashing the router yourself, you can buy one that’s pre-flashed.
Companies like Flashrouters sell pre-configured, pre-flashed routers. They’ll even set up your preferred VPN provider for you.
The only downside is the cost: the markup is around $100 above the MSRP.
Choose a Firmware
Your router’s firmware is its operating system. It controls everything about how your router hardware functions. This includes managing wifi networks, wifi encryption, bandwidth management, DNS and VPN.
There are a number of open-source router firmwares that can be flashed onto compatible routers. The most popular of these are:
- DD-WRT – The widest range of supported router models. An active support forum and medium level of complexity & functionality.
- Tomato – Limited router support, multiple forks but only one active (FreshTomato). It’s the easiest to flash but has fewer features than DD-WRT. Functionality is mostly the same as AsusWRT-Merlin.
- OpenWRT – This is the most powerful firmware but also the most complicated to use. Some features require advanced scripting to use. Power users only.
There are also some OEMs with stock firmware that supports VPN. The most notable of these is ASUS. Nearly all of their mid-range (and higher) routers come VPN ready out of the box.
- AsusWRT – The stock firmware on ASUS routers. Supports OpenVPN and PPTP connections.
- AsusWRT-Merlin – 3rd-party firmware for ASUS routers but can be installed with one click and reverting back to stock firmware is simple. Adds a VPN kill-switch and advanced tunneling.
Step 2. Flash the firmware (optional)
If you’re opting to go with a 3rd-party firmware on a factory router, you’ll need to flash it before you can set up the VPN connection.
This is a critical step and can be a bit risky depending on your router model and how stable the firmware build is for this particular router.
Some tips when flashing your router:
- First, set your router to the preferred stock firmware version (if specified in the flashing instructions).
- Make a backup of your router settings if your model supports it
- Follow all instructions carefully
Flashing instructions:
Here are the official guides from the documentation for each firmware:
- DDWRT – DD-WRT installation guide
- FreshTomato – Basic installation procedures
- OpenWRT – Installing OpenWRT
Often, an instructional video can be helpful for this process, especially if you can find one for your exact router model. Here are some quality video tutorials to consider:
Video tutorials:
- DDWRT Install
- FreshTomato Install video
- OpenWRT Install (D-link router)
Step 3. Choose a VPN
If you’ve already got an active VPN subscription, great. There’s a good chance that you can get it working on your router as long as your provider supports OpenVPN. Many popular providers have detailed router setup guides in their help documentation and pre-built .ovpn config files to make setup easy. Just contact their support team if you need help.
Selecting the right VPN
If you don’t have a VPN subscription yet, this is a critical step. Not all VPN services are created equal and some will work better on routers than others.
Tips to choose a router-friendly VPN:
- OpenVPN Support: Nearly every provider supports the OpenVPN protocol, but make sure to confirm this before purchasing. WireGuard isn’t widely supported by routers yet and older protocols like PPTP are insecure.
- Speed: Since you’re going to be routing multiple devices through the VPN tunnel (via the router) you’ll want a provider that has decent speeds. 50+ Mbps is a good baseline. If you’re using an older dual-core router, 30 Mbps may be enough because your router CPU will max out before the VPN connection.
- Encryption Strength: Many VPN providers are forcing 256-bit tunnels for OpenVPN, but 128-bit encryption is still considered extremely secure and will effectively double your throughput on a router with a less-powerful CPU. Private Internet Access is a great option with flexible encryption strength.
- Support Quality: Choose a VPN that has excellent documentation and an active support team that can help you if you run into trouble configuring the VPN connection. ExpressVPN, NordVPN and PIA are great examples.
Best VPN Services for your Router
These are my preferred VPN services to install on a router. They stand out from the crowd with better support, superior speeds, excellent documentation and industry-leading security.
1. Private Internet Access
Private Internet Access has been a zero-log industry leader for more than a decade. They offer adjustable encryption strength, router-specific .ovpn config files and a variety of setup guides for multiple firmware and router combinations. Price: from $2.03/month
2. ExpressVPN
ExpressVPN isn’t the cheapest VPN on the block, but it has the most features. Impressively, they’ve even built a custom VPN router app which lets you run ExpressVPN software directly on your compatible router model.
Every ExpressVPN subscription also includes Mediastreamer, which lets you unblock dozens of geo-locked streaming services with (or without) your VPN active. Price: $8.32/month and up.
3. NordVPN
NordVPN is an all-around excellent VPN, and far more affordable than ExpressVPN. Their documentation has detailed setup guides for DD-WRT, Tomato, and ASUSWRT.
The only reason it’s in 3rd place is the lack of 128-bit OpenVPN configs, so it won’t be quite as fast when installed on your router.
Pricing: NordVPN starts at $3.99/month
Step 4. Configure the VPN Client
Once you’ve got a compatible firmware installed, it’s time to configure the VPN connection. This is the toughest step for most people and your VPN’s support documentation can really come in handy here.
What you’ll need:
- .OVPN Config File (for a specific server)
- CA Certificate Authority (usually bundled with the .ovpn configs)
- Username/Password
- Router-specific settings
The exact steps will vary depending on which firmware you’re running, but the end configuration will be pretty similar (if not identical).
Here are the basic steps for popular firmwares:
ASUSWRT VPN Setup
Read the Full Guide: How to setup OpenVPN on ASUSWRT
- Log in to the router interface using the router’s network IP address, then click on Advanced Settings > VPN
- Choose ‘VPN Client’ from the tabs
- Click ‘Add Profile’
- Choose ‘OpenVPN’ as the protocol
- Give the VPN Connection a name
- Add your Username/Password
- Click ‘Browse’ to add an .ovpn file
- Click Upload
- Add a CA Certificate if required
DDWRT VPN Setup
DD-WRT doesn’t let you import premade config files, so you have to do the setup 100% manually. Make sure to consult your VPN provider for the exact configuration.
Steps:
- Go to Services > VPN and enable the OpenVPN daemon
- Set Start OpenVPN Client to Enable
- Adjust the OpenVPN client configuration to match your VPN provider’s profile
- Copy & Paste the Certificate Authority key into the CA Certificate field
Here’s an example config from NordVPN
Install VPN on Tomato Router
Like DD-WRT, you can’t simply import your .ovpn file. You have to configure the VPN tunnel manually per your provider’s specs.
Setup Steps:
- Log in to the router admin panel. By default this is 192.168.1.1
- Click ‘VPN’ on the admin menu
- Select ‘OpenVPN client’
- Configure the tunnel settings
  - Start with WAN: yes
  - Interface: TUN
  - Protocol: UDP (recommended for faster speeds)
The rest of the settings will need to match your VPN provider’s exact configuration. Contact support for setup instructions.
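The manual entry that DD-WRT and Tomato require, as an added example that is not part of the original guide or of any provider's tooling: it reads a provider's .ovpn profile, pulls out the values to type into the client form and lists gaps that affect security. The sample profile, host name and field names are constructed for illustration; each firmware labels its fields differently.

```python
import re

# Constructed sample profile; host name and certificate body are placeholders.
SAMPLE_OVPN = """\
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(placeholder certificate body)
-----END CERTIFICATE-----
</ca>
"""
INLINE = r"^<([a-z-]+)>\n(.*?)^</\1>\n?"   # inline blocks such as <ca>...</ca>

def parse_ovpn(text):
    """Split a profile into {directive: args} and {inline block: body}."""
    text = text.replace("\r\n", "\n")             # profiles often ship with CRLF
    blocks = dict(re.findall(INLINE, text, re.S | re.M))
    rest = re.sub(INLINE, "", text, flags=re.S | re.M)
    if re.search(r"^<", rest, re.M):
        raise ValueError("unterminated inline block")
    directives = {}
    for line in map(str.strip, rest.splitlines()):
        if line and line[0] not in "#;":          # skip blanks and comments
            key, _, args = line.partition(" ")
            directives.setdefault(key, args.strip())   # first remote wins
    return directives, blocks

def manual_fields(text):
    """Values to type into the router form, plus problems to fix first."""
    d, blocks = parse_ovpn(text)
    remote = d["remote"].split()                  # "host [port [proto]]"
    fields = {
        "server": remote[0],
        "port": int(remote[1]) if len(remote) > 1 else 1194,
        "protocol": remote[2] if len(remote) > 2 else d.get("proto", "udp"),
        "interface": "TAP" if d.get("dev", "tun").startswith("tap") else "TUN",
        "cipher": d.get("cipher", "(provider default)"),
        "auth_digest": d.get("auth", "(provider default)"),
        "ca_certificate": blocks.get("ca", "").strip(),
    }
    checks = [
        (not fields["ca_certificate"], "no <ca> block: get the CA from the provider"),
        (fields["cipher"].lower() == "none", "cipher none: traffic is not encrypted"),
        ("remote-cert-tls" not in d, "no remote-cert-tls: server cert type unchecked"),
    ]
    return fields, [msg for failed, msg in checks if failed]
```

Anything returned in the second list is worth raising with the provider before the profile goes onto the router.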
Tomato installation guides for popular VPNs
- ExpressVPN
- NordVPN
- IPVanish
- VyprVPN
- Private Internet Access (doesn’t officially support Tomato any more)
Test the VPN Connection
Perhaps the most important step of the entire process is to test and validate that your connection is working properly.
What to test:
- Does your IP address & location match the VPN server?
- Can your devices access the internet?
- Are there any errors in the router log?
- How fast is your VPN connection?
Check your IP address and location
Use an IPLocation tool to check your spoofed IP address and Geolocation. Ensure that your IP address has changed and your location (approximately) matches the VPN server location.
Verify connectivity
Ensure all your devices can access the internet when connected to the VPN-enabled router. If some (or all) devices are having issues, try adding a DNS server in your router’s DNS settings. These serve as a fallback to your VPN’s DNS servers.
You can use any of the free DNS servers found here.
Check the Logs
View your router logs to make sure there aren’t any critical errors during the VPN handshake process. An improper configuration could theoretically cause an issue where your router is connected to the VPN server but your connection isn’t encrypted.
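One way to run that log check, as an added example that is not part of the original guide: it scans an OpenVPN client log for handshake errors, records the data-channel cipher and reports whether the tunnel was still up at the end of the excerpt. The log lines are constructed, modelled on OpenVPN's client messages; exact wording differs between OpenVPN versions and firmware builds, so treat the patterns as assumptions to adjust.

```python
import re

# Constructed excerpt modelled on OpenVPN client log messages (not a real capture).
SAMPLE_LOG = """\
openvpn[812]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
openvpn[812]: VERIFY OK: depth=0, CN=server
openvpn[812]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
openvpn[812]: Initialization Sequence Completed
"""

ERRORS = [  # (pattern, meaning); wording differs between OpenVPN versions
    (r"AUTH_FAILED", "username/password rejected by the server"),
    (r"TLS Error|TLS handshake failed", "TLS handshake did not complete"),
    (r"VERIFY ERROR", "server certificate did not validate against the CA"),
    (r"cipher none|null cipher", "client configured without encryption"),
]
CIPHER = re.compile(r"Data Channel: (?:using negotiated )?cipher '([^']+)'", re.I)

def review_log(text):
    """Summarise one client log: last tunnel state, data cipher, errors seen."""
    up, cipher, errors = False, None, []
    for line in text.splitlines():
        # Errors are never cleared, so feed in the log of one connection attempt.
        errors += [why for pat, why in ERRORS if re.search(pat, line, re.I)]
        if (m := CIPHER.search(line)):
            cipher = m.group(1)
        if "Initialization Sequence Completed" in line:
            up = True
        elif "process restarting" in line or "process exiting" in line:
            up = False                     # tunnel dropped after an earlier success
    encrypted = cipher is not None and cipher.lower() != "none"
    return {"tunnel_up": up, "cipher": cipher, "errors": errors,
            "ok": up and encrypted and not errors}
```

A result with `tunnel_up` true but `ok` false is the case described above: the router reports a connection, but the log does not show an encrypted data channel.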
Test your Speed
It’s worth testing your speed to see what your max throughput is going to be. If you have a dual-core router, the router CPU will likely be the limiting factor. New quad-core routers can max out above 100 Mbps on VPN connections, which may be faster than your VPN provider’s max speed.
If your speed is lower than expected, try tweaking the VPN configuration to improve speeds. You can choose a closer location, lower the encryption strength or select UDP instead of TCP for faster speeds.
Learn more: What affects VPN speed?
Testing Tips:
- Use a powerful device like a PC or recent smartphone. Ethernet connections are ideal for testing (no wifi packet loss).
- Use a reliable testing tool like speedof.me
Add flexibility with a second router
My preferred setup is to use two different wifi routers. This setup allows you to route some devices through the VPN while others use your normal internet connection, while still leaving the VPN tunnel permanently active.
Here’s how it works:
Primary (non-VPN): The primary router is my non-encrypted router, and is connected directly to my ISP’s modem/access point. You can use any router for this including a modem/router combo provided by your ISP.
Secondary (VPN-enabled): The secondary router is the VPN-enabled router. This will be placed on a different subnet than the primary (e.g. 192.168.2.xxx). The WAN port of the VPN router is connected to a LAN port on the primary router.
Full Guide: For complete setup instructions, read our dedicated VPN router tutorial.
FAQ
Let’s cover some of the most frequently asked questions and troubleshooting tips.