A VPN router is an important privacy tool that offers many benefits.
While it may seem a bit complex to some, the truth is that anybody can use a VPN router – regardless of your experience level. In this guide we’ll cover different setup options, the best VPN routers for different situations, as well as configuring a VPN router for policy-based routing and a kill switch.
But before we dive in, let’s cover just a few reasons for using a VPN router:
- Protect and secure every device on your network.
- Secure your network against attacks, surveillance, and ISP snooping (internet providers recording your browsing history and online activities).
- Easily chain two VPNs at the same time for added security and anonymity (one VPN on the router, another on your computer). This will also protect you in the case that one VPN is compromised.
- Create a backup VPN (fail-safe) on your router in case of leaks, crashes, or problems with the primary VPN on your computer.
- Block ads and tracking on your entire network through the VPN (see TrackStop and this guide for instructions).
- Easily access blocked content or restricted websites with all your devices.
Outline – This VPN router guide is broken down into the following sections:
- VPN router setup options
- VPN router speed and performance
- Pre-configured VPN routers
- VPN enabled routers
- Flashing a VPN router
- Best VPN routers
- Policy-based routing
- Kill switch on a VPN router
So let’s dive into the topic VPN routers.
VPN router setup options
You basically have three different options if you want to setup a VPN on a router:
- Get a pre-configured VPN router from Sabai Technology or FlashRouters. This will be the least hassle and save you time and potential frustration. However, pre-configured routers are more expensive, but they also come with support.
- Get a VPN-enabled router that natively supports OpenVPN (no flashing required). There are many different models that support OpenVPN right out of the box. The best lineup of VPN routers (largest selection) comes from Asus, which we will cover below.
- Flash a router with firmware to support using a VPN.
We’ll cover each of these setup options in detail below, along with the best VPN routers for each category.
However, before diving into setup options, it’s first important to discuss a potential drawback with VPN routers, which is the speed reduction.
VPN router speed and performance
A frequent complaint you see with people using a VPN on a router is slow speed. While there are many factors that can affect performance, two key considerations are the VPN router’s processor and the VPN service itself.
VPN router processor
The VPN router’s processor (CPU) is arguably the biggest factor affecting overall speed (assuming you are using a good VPN). Unfortunately, most consumer-grade processors are underpowered when it comes to handling encryption with a VPN. But on a positive note, this is starting to change with some of the newest routers on the market (see the Asus RT-AC86U for example).
Sabai Technology has a unique solution for this problem with the Sabai VPN Accelerator, discussed further below.
And finally, there are also some processors with AES-NI, which is an instruction that accelerates VPN encryption speeds. This can make a huge difference in performance. (Two new routers that have this are the Asus GT-AC5300 and the Asus RT-AC86U.)
If you need more bandwidth for streaming or torrenting, 800 MHz or more is a good idea, but preferably on the higher end.
VPN service for routers
The other key consideration is the actual VPN service you are using on the router. Some VPNs do not offer fast speeds or good reliability. This may be due to overloaded servers, network problems, or cheap (virtual) servers that don’t offer enough bandwidth.
I’ve tested a variety of VPNs on routers and have also created a few different setup guides. Here are the top performers:
- VPN.ac (review) – see VPN router installation guide
- Perfect Privacy (review) – see VPN router installation guide
- ExpressVPN (review) – installation guide and router review forthcoming
- VyprVPN (review) – see VPN router installation guide
Tips to maximize VPN router speed:
- Use a router with 800 MHz or more CPU (note: don’t mix up wireless signal with CPU – both are expressed in Hz)
- Connect to a nearby VPN server with plenty of available bandwidth
- Use a good VPN service
- Keep your router’s firmware updated
Pre-configured VPN routers
If you want to minimize the hassle, risks, and potential frustration of flashing your own router, then a pre-configured VPN router is a good choice. While it will be more expensive than your standard (non-configured) router, a pre-configured router will probably save you time and it also comes with dedicated support.
Two great sources for pre-configured routers are Sabai Technology (review) and FlashRouters.
Both are based in the United States but ship internationally. The key difference here is the firmware. FlashRouters installs free firmware that anybody can get online (DD-WRT and Tomato). Sabai Technology uses their own firmware (Sabai OS), which is regularly updated, user-friendly, and offers great features.
Sabai Technology VPN router
If you are looking for a router that is both user-friendly and also offers great features, Sabai Technology would be an excellent choice. The Sabai OS firmware is based on Tomato, but with more features and regular updates.
One feature I really liked when testing out Sabai OS was the Gateways feature. The Gateways feature allows you to selectively route every device that connects to the network. In other words, you can route certain devices through your VPN and others through your local (unencrypted) connection.
The Gateways feature also functions as a kill switch. In other words, if a specific Gateway drops (such as the VPN router’s connection to a VPN server), traffic will be blocked for all devices assigned to the VPN router. This keeps you safe and helps prevent any IP address leaks.
You can also supercharge your VPN router speed using the Sabai VPN Accelerator, which is a Mini PC that connects directly to the router and handles all encryption for the VPN. I hit speeds over 100 Mbps using 256-bit OpenVPN with the Sabai VPN Accelerator (tests further below).
We’ll cover the VPN Accelerator below, but you can also get more information on the Sabai website here.
I also found the setup and configuration process to be quick and easy. Additionally, Sabai offers great support from helpful and responsive in-house technicians (no third-party support). And lastly, the Sabai OS firmware remains under active development with regular security updates.
Sabai OS Terms:
- One year of direct technical support (phone and email)
- 1-year hardware warranty
- 90-day satisfaction guarantee
- Unlimited Sabai OS firmware updates for the life of the router
Note: extended hardware warranties and support plans are also available for purchase.
FlashRouters VPN router
FlashRouters is another great option that specializes in Tomato and DD-WRT VPN routers.
FlashRouters relies on free and open-source firmware, which you can freely get online, rather than their own custom firmware. While there is a benefit to the firmware being open source, it may also suffer from less active development and fewer security updates.
You can also find routers that are specifically configured for certain VPN providers. Just visit the site and select your VPN service to see the available routers.
The FlashRouters website is also a great (free) information resource if you’re looking to learn more about:
FlashRouters’ Terms:
- Three months of email support
- 90-day hardware warranty
- 30-day satisfaction guarantee
- Updates dependent on open-source community (may or may not be regular)
Note: extended hardware warranties and support plans are also available for purchase.
Conclusion on pre-configured VPN routers
While pre-configured routers are more expensive, they are still a good choice if you don’t want the hassle and risk of flashing your own router. The support is also very helpful for getting everything working correctly.
You can check out both Sabai Technology and FlashRouters to learn more.
VPN-enabled routers
Aside from getting a pre-configured router, the next easiest option is to go with VPN enabled router that can be used with OpenVPN right out of the box.
For VPN enabled routers that natively support OpenVPN, you have three main choices:
- Asus routers – Asus is my favorite option because they offer a large lineup of VPN enabled routers. Not all Asus routers are VPN enabled – see the Asus section below for a complete list of routers and specifications.
- Synology routers – Synology currently offers two routers that can be quickly configured with OpenVPN with little time and effort (no flashing): RT1900AC and the RT2600AC.
- Buffalo routers – Buffalo offers a small selection of DD-WRT routers. Unfortunately, the highest powered router is the Buffalo N600, which is somewhat underpowered for VPN use at only 680 MHz CPU. But for basic web browsing, it may be fine.
Note: there are also a number of smaller (underpowered) VPN router “boxes” being marketed by various companies. In general, these appear to be underpowered for OpenVPN use. Some of these boxes also appear to lock you into subscribing to their VPN service.
In general, I’d recommend going with one of the larger manufacturers and using a firmware that is regularly updated for security fixes.
We’ll take a close look at each option below.
Asus VPN routers
If you’re looking for the best VPN router, you can’t go wrong with Asus. Asus offers a great lineup of VPN-ready routers – from cheap to very high-end.
Even more, Asus is now rolling out new routers with powerful processors that can do exceptionally well with VPN encryption. Based on test reports I’ve seen in forums, the new Asus RT-AC86U can hit speeds over 150 Mbps with OpenVPN.
Here’s the Asus RT-AC86U:
The AsusWRT stock firmware natively supports OpenVPN, L2TP, and PPTP encryption protocols. Setup is a breeze (about 20 minutes or less) and you can load numerous VPN configurations onto your router (which is something you can’t do with DD-WRT).
I have put together three different setup guides using the AsusWRT firmware with different VPN providers:
- VPN Router Setup – Simple Guide (with VPN.ac)
- Ad Blocker on a Router with a VPN (with Perfect Privacy)
- VPN on a Router – Step by Step (with VyprVPN)
You can also easily upgrade your Asus router to the free Asus Merlin firmware, which is arguably more secure (due to regular updates) and also offers more features.
Here are the Asus routers that are VPN enabled and can be set up with minimal effort (with the corresponding CPU):
Asus RT-N66U (600 MHz) [Amazon]
Asus AC1750 (RT-AC66U) (600 MHz) [Amazon]
Asus AC1900 (RT-AC68U) (800 MHz, dual core) [Amazon]
Asus RT-AC87U (1,000 MHz – dual core) [Amazon]
Asus RT-AC3200 (1,000 MHz – dual core) [Amazon]
Asus RT-AC3100 (1,400 MHz – dual core) [Amazon]
Asus RT-AC88U (1,400 Mhz – dual core) [Amazon]
Asus RT-AC5300 (1,400 MHz – dual core) [Amazon]
Asus RT-AC86U (1,800 MHz – dual core with AES-NI) [Amazon]
Asus GT-AC5300 (1,800 MHz – quad core with AES-NI) [Amazon]
Note: The fastest VPN routers from the list above are the bottom two options with AES-NI encryption acceleration processors.
I’ve found Asus routers to be very stable with good performance, while also being easy to set up. The stock firmware allows you to setup custom DNS and also block IPv6. Additionally, Asus routers are very versatile and can be used with lots of other firmware, such as Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT, and Sabai OS.
Here are some pros and cons of Asus VPN routers based on my experience with testing various models:
+ Pros
- Large VPN router selection (all price ranges)
- Stock firmware (AsusWRT) is very easy to set up
- Can be used with other firmware: Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT
- Very durable (difficult to brick)
- Solid performance, especially the newer models
– Cons
- Stock firmware (AsusWRT) has fewer features compared to Merlin
See Available Asus Routers on Amazon >>
Synology VPN routers
Synology offers two routers that natively support VPN use. Synology also does a good job with regular security updates. While the selection isn’t huge, both of the Synology VPN routers appear to be decent options:
Synology RT1900AC (1.0 GHz – dual core) [Amazon]
Synology RT2600AC (1.7 GHz – dual core) [Amazon]
Here is the Synology RT2600AC:
I have not tested Synology routers, but have received feedback from others that the VPN speed is not the best.
You can see the Synology router lineup on Amazon for more details.
Buffalo DD-WRT routers
Buffalo offers a few routers that use open-source DD-WRT firmware. Unfortunately, the selection is limited and the CPU is somewhat underpowered.
Here are the two available Buffalo DD-WRT routers:
Buffalo AirStation N300 (580 MHz) [Amazon]
Buffalo AirStation N600 (680 MHz) [Amazon]
Note: It appears that supplies are limited with the N600.
Conclusion on VPN enabled routers
Setting up a VPN-enabled router should be a fairly straight-forward process. This is particularly the case with the Asus VPN routers. All you need to do is import the OpenVPN configuration files, add your VPN username and password, and then you should be able to connect the router to a VPN server.
The guides below are all for Asus routers using the stock firmware (AsusWRT):
- VPN Router Setup – Simple Guide (with VPN.ac)
- Ad Blocker on a Router with a VPN (with Perfect Privacy)
- VPN on a Router – Step by Step (with VyprVPN)
Another advantage with a VPN enabled router is that it won’t be too expensive. You can get a great model, such as the Asus RT-AC86U without spending a fortune.
Flashing a VPN router
The next option is to flash a router you have with firmware that will support a VPN. This will be more complicated than getting a pre-configured router, or a VPN-enabled router that supports OpenVPN right out of the box. The level of complexity will depend on the firmware and the specific router you are using.
In this section on flashing a router we will discuss the following firmware:
- Merlin AsusWRT
- DD-WRT
- Tomato and Advanced Tomato
- OpenWRT
- pfSense
The first option we’ll discuss is the Merlin AsusWRT firmware, which is relatively easy to install and use with a VPN.
Merlin AsusWRT routers
AsusWRT by Merlin is a third-party open source firmware that builds on and improves the AsusWRT firmware. AsusWRT by Merlin is one of the best options if you want a secure, user-friendly firmware with lots of features for use with a VPN. (It’s also free.)
A Merlin AsusWRT router offers the following benefits:
- Enhanced security – Merlin AsusWRT is regularly updated to fix bugs and security vulnerabilities. You can verify the latest security fixes on the changelog. The developer is active, unlike with some other firmware.
- Policy-based and selective routing – This allows you to select specific devices or destinations to use the VPN, with everything else going through the regular ISP connection. Merlin’s user-friendly policy-based routing feature is a distinguishing factor separating it from other VPN routers. Some people need this for bypassing the VPN, such as with Netflix or other websites.
- Kill switch – A kill switch will block all internet traffic if the VPN connection is lost. Setting up a properly functioning kill switch can be tricky with some VPN routers. With Merlin AsusWRT, this is quite easy.
- Multiple VPN clients and servers – Merlin AsusWRT allows you to configure two VPN servers and up to five VPN clients. You can also use different VPN clients at the same time with different devices (but I would recommend a higher CPU router in this case).
Merlin AsusWRT is a reliable, secure, and feature-rich option for Asus routers.
Combining a high-performance Asus router (such as the Asus RT-C86U) with Merlin firmware and a high-quality VPN service is one of the best options for securing your home network.
Merlin AsusWRT supports the following routers:
Asus RT-N66U (600 MHz) [Amazon]
Asus AC1750 (RT-AC66U) (600 MHz) [Amazon]
Asus AC1900 (RT-AC68U) (800 MHz, dual core) [Amazon]
Asus RT-AC56U (800 MHz, dual core) [Amazon]
Asus RT-AC87U (1,000 MHz – dual core) [Amazon]
Asus RT-AC3200 (1,000 MHz – dual core) [Amazon]
Asus RT-AC3100 (1,400 MHz – dual core) [Amazon]
Asus RT-AC88U (1,400 MHz – dual core) [Amazon]
Asus RT-AC5300 (1,400 MHz – dual core) [Amazon]
Asus RT-AC86U (1,800 MHz – dual core with AES-NI) [Amazon]
Note: You may find slight variations in the Asus router model names, with either the AC number or the RT number appearing first. The router is the same.
Here are some general pros and cons of the AsusWRT Merlin firmware:
+ Pros
- User-friendly interface
- Kill switch and policy-based routing options
- Support for multiple VPN clients
- Active development with regular updates
- Support via the SNB forum
– Cons
- Limited to Asus routers (but with a good selection of models)
Additional resources:
- Official Merlin AsusWRT website
- Official Merlin Github page
- SNB Forums (active community, with the developer offering direct support)
- Great video demonstrating how to setup a kill switch and policy-based routing
DD-WRT routers
DD-WRT is a Linux-based firmware that was developed to enhance the functionalities of wireless routers. It is a popular option mainly because it can be used with many different routers and it offers some good features.
Despite it’s popularity, however, DD-WRT does have some drawbacks. First, you can only load one VPN configuration on the router. This prevents you from easily switching between different VPN server locations.
Another issue I’ve noticed is that the development community seems to be less active. This means fewer updates and regular security patches. DD-WRT can be somewhat tricky to setup if you are flashing your own router. You also run the risk of bricking your router (some models are more durable than others).
For some people, ordering a preconfigured DD-WRT router from FlashRouters may be the best bet – see their lineup of DD-WRT routers here.
Buffalo routers also offer preconfigured DD-WRT routers that are very reasonably priced, although somewhat underpowered.
Flashing a DD-WRT router
You can also try flashing a router you already own with DD-WRT firmware. Here are the two main resources you need:
If you are considering flashing with DD-WRT, just beware of the risks (permanently breaking your router). Also be sure to follow the official DD-WRT guidance for your router model.
+ Pros
- Huge number of routers supported (see here)
- Good Quality of Service (QoS) controls (for bandwidth allocation)
- Ad blocking feature
– Cons
- Only supports one VPN configuration
- Less active development with fewer security updates
- More difficult to install than other firmware options
Additional resources:
Tomato and AdvancedTomato routers
Tomato is another alternative, open source firmware for routers. Tomato firmware has many similarities to the AsusWRT Merlin firmware. It gives you the option to use up to two VPN servers and two VPN clients, while also having features for policy-based routing.
Unfortunately, the original Tomato firmware seems somewhat outdated, especially when it comes to supporting newer routers. One alternative would be AdvancedTomato firmware instead of the original Tomato firmware.
AdvancedTomato offers some good improvements over the original. The overall design is better, which gives you more control over your router’s features.
Sabai OS (based on Tomato) – Finally, the lineup of VPN routers from Sabai Technology all have the Sabai OS firmware, which is based on Tomato. To use Sabai OS on an existing router you own, you would need to purchase a license. However, Sabai OS offers the benefits of regular security updates, great support, ease of use, and good features. See the full lineup of Sabai VPN routers here.
Pros and cons of Tomato and AdvancedTomato firmware:
+ Pros
- User-friendly layout (especially with AdvancedTomato)
- Supports 2 VPN servers and 2 VPN clients
- Quality of Service (QoS) options for bandwidth control
– Cons
- Original Tomato firmware outdated
- Installation can be more complex
- Many of the supported routers are outdated and/or underpowered for VPNs
Overall, Tomato is a decent option for VPN routers, although AdvancedTomato seems to be the better option.
Additional resources:
- Original Tomato website
- AdvancedTomato website
- AdvancedTomato supported devices
- Preconfigured Tomato routers
- Sabai OS VPN routers (based on Tomato)
OpenWRT routers
OpenWRT is another open source firmware to enhance and secure wireless routers. It has many great features while also supporting a large number of devices. Unfortunately, the development of OpenWRT seems to be less active than in previous years. The OpenWRT website also appears to be outdated.
OpenWRT does offer some nice features, however. Aside from VPN capability, it also provides QoS options, BitTorrent client configuration, server software, and traffic analysis features.
ExpressVPN has a great router app that is based on OpenWRT. You can get more information from the routers section of the ExpressVPN website.
+ Pros
- Support for many devices
- Good Quality of Service (QoS) controls
- BitTorrent client configuration
– Cons
- Less active development with fewer security updates
- Limited support for newer routers
Additional resources:
pfSense routers
A PC router running pfSense will be more complicated to setup, but it does offer some great features. pfSense is an open source firewall/router computer software distribution based on FreeBSD. Unlike some router firmware, pfSense continues to gain popularity with active development and new features being added.
While pfSense gives you very powerful tools and features, setup can be difficult if you lack the necessary technical and security background. Ultimately, these complex and powerful features can end up being worse than less secure options that are easy for anyone to set up. It all depends on the user.
pfSense router performance with OpenVPN
With a very basic and cheap PC that is properly configured with pfSense, you could get a high-performance router.
The main difference here is processing power (CPU). Nearly any PC will outperform even the high-end router models. Two popular options when using a PC for a router include:
- A mini-PC with pfSense (often called a pfSense box)
- An old PC (see this video)
With these two options, you will still need an access point for devices to access the network. This usually means your PC will be hooked up to a regular router, which will serve as the access point for the PC.
The pfSense forums are a good resource for VPN router setup advice. But be careful: if you lack the background in this area, setting up a pfSense VPN router can be especially difficult, frustrating, and time-intensive.
+ Pros
- Very secure
- Numerous features
- Highly configurable
- Solid performance
– Cons
- More difficult to setup
- With PC routers, you will also need an access point for the wireless
Additional resources:
- pfSense official site
- pfSense forums
- List of pfSense features
- pfSense wiki
- r/pfsense (reddit)
- Great video series introduction to pfSense
Best VPN routers
It’s difficult to recommend the best VPN router because everybody has different needs.
There’s no one-size-fits-all.
Nonetheless, here are some of the best VPN routers for different situations.
Best preconfigured VPN router: Sabai Technology
If you want to minimize the hassle and potential frustration, Sabai Technology is a great option. All of their routers come with top-notch customer support (one year), a 1-year hardware guarantee, and a 90-day customer satisfaction guarantee.
I would also say that Sabai OS is the most user-friendly VPN firmware I’ve tested.
You can learn more at the Sabai Technology website >>
FlashRouters is another great source for preconfigured routers.
The two main differences between FlashRouters and Sabai are:
- Firmware – Sabai routers come with Sabai OS and FlashRouters come with DD-WRT or Tomato.
- Terms – Sabai offers a 1-year hardware warranty and a 90-day satisfaction guarantee. FlashRouters offers a 90-day hardware warranty and a 30-day satisfaction guarantee.
You can get more information on the respective websites (FlashRouters here and Sabai Technology here).
Best VPN enabled router: Asus RT-AC86U
Asus offers the best lineup of VPN-enabled routers you will find – from inexpensive models (RT-N66U) to high end (GT-AC5300).
The Asus RT-AC86U is my overall top recommendation as the best VPN router for the following reasons:
- Easy to set up and use with OpenVPN right out of the box
- Powerful processor: 1.8 GHz dual core with AES-NI encryption acceleration
- Can be upgraded to AsusWRT Merlin firmware (more features, kill switch, regular security updates)
I have not personally tested this model but have read reports that it does very well with OpenVPN.
Best value VPN router: Asus RT-AC68U (AC1900)
If you’re tight on cash and are looking for a cheaper alternative, the Asus RT-68U is still a great option for under $150.
This router offers good overall performance, excellent wireless range, and can be used with AsusWRT Merlin firmware.
Check out the specs on Amazon here.
Fastest VPN router: Sabai VPN Accelerator
Technically, the VPN Accelerator is not a VPN router. Instead, it is a Mini PC that connects to a Sabai OS router and handles all the encryption. This means that you can choose between the VPN on your regular router, or select the VPN Accelerator (this is easy to configure with the Gateways feature in Sabai OS).
Here is a Netgear Nighthawk R7000 router along with the VPN Accelerator I tested, both from Sabai Technology:
Using the VPN Accelerator as my primary gateway, I was able to achieve speeds over 100 Mbps with 256-bit OpenVPN, making this the fastest VPN router I’ve tested.
For more of a discussion of the VPN Accelerator, setup, and tests results, check out the Sabai Technology review or visit their website here.
Best DD-WRT VPN router
One router that you will often see recommended in the DD-WRT community is the Netgear Nighthawk R7000 (AC 1900).
This router sports a 1.0 GHz dual-core processor and is very reasonably priced at around $150.
I tested this router out and found it to perform pretty well with 256-bit OpenVPN:
However, for some people this may not be the best DD-WRT VPN router.
There are higher-performance options currently available that will give you better speeds with a VPN.
One such example is the NETGEAR Nighthawk X6S AC4000 (R8000P). This router boasts a 1.8 GHz dual-core processor.
Asus DD-WRT routers
As noted above, you can use the DD-WRT firmware on a huge variety of routers.
Asus also offers many routers that will work well with DD-WRT and a VPN. One good option would be the Asus RT-AC5300, which has a 1.4 GHz dual-core processor.
Best Linksys VPN router
Unlike with Asus, Linksys does not currently offer routers that support OpenVPN right out of the box. This means you will need to flash your Linksys router with one of the firmware options above.
The best Linksys VPN router would have to be the Linksys WRT AC3200.
The Linksys WRT AC3200 has a 1.8 GHz dual-core processor. This should do very well with OpenVPN.
Tip: One very easy way to use this router with a VPN would be buy installing the ExpressVPN router app. The app is very user-friendly and also supports selective routing (which they refer to as split tunneling) for different devices on the network.
Check out the router section of the ExpressVPN website >>
Policy-based routing (selective routing)
One issue that often comes up with VPN routers is policy-based routing. This entails routing specific clients (devices) or connecting to certain websites outside the VPN tunnel. This is usually important for accessing sites that block VPNs, such as banking websites or perhaps Netflix.
How to set up policy-based routing depends on the firmware you are using.
Sabai OS – As mentioned above, all Sabai OS VPN routers have the option to selectively route each device that connects to the network. This can be simply controlled through the Gateways feature.
AsusWRT Merlin – Another easy option for policy-based routing is to use the Merlin firmware on a compatible Asus router. This video clearly explains creating a kill switch and policy-based routing for your VPN with AsusWRT Merlin:
AsusWRT Merlin with a VPN.
Tomato and AdvancedTomato – AdvancedTomato firmware provides policy-based routing support. Instructions for standard Tomato firmware come from VPN.ac. Their TomatoUSB Policy-Based Routing guide includes detailed instructions for different scenarios.
DD-WRT – Setting up policy-based routing with DD-WRT is relatively straightforward. FlashRouters put together an excellent guide for DD-WRT routers, see Dual Gateway VPN Blacklist by Device for more information.
Dual VPN router – Another option for separating traffic between your VPN tunnel and regular ISP connection is to use a dual VPN router setup. With this, you will be able to easily switch back and forth. The main drawbacks, however, are increased power consumption and the possibility of wireless interference.
For an example of a double VPN router setup, see this guide.
Kill switch on a VPN router
A kill switch is an important feature to block internet traffic if your VPN connections drops. This prevents your real IP address from being exposed.
Sabai OS – The Sabai OS firmware includes a built-in kill switch when you set up the Gateways feature. This is probably the easiest option available for a VPN router kill switch.
Merlin AsusWRT – The video above covers setting up a kill switch.
Tomato and AdvancedTomato – Setting up a kill switch for Tomato VPN routers just requires creating a rule. Using the rule below, traffic will only be forwarded through an active VPN connection.
In Administration > Scripts > Firewall tab, add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Save the rule and reboot your router.
DD-WRT – Just like with Tomato, to add a kill switch on a DD-WRT router you just need to add a rule. Again, this only allows traffic if the VPN connection is active.
In Administration > Commands > add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Select “Save Firewall” to save the rule and reboot router.
Conclusion on VPN routers
While there are many reasons for using a VPN router, security and privacy are two of the most important factors.
Replacing your router’s stock firmware with one of the alternatives in this guide is a good idea from a security perspective. There have been many articles written lately about how authorities (CIA) have exploited security vulnerabilities in routers to spy on people.
Another tip for securing your network is to simply stop using wireless and go back to wired-only connections. Aside from increased security, a wired connection with a high-quality ethernet cable can outperform wireless by a wide margin (much faster).
Need another reason to start using a VPN router?
One of the biggest privacy developments in the past year has been the legislation allowing internet service providers to monitor and record your browsing history. This is now legal in the United States, United Kingdom, Australia, and parts of Europe. Securing your home network with a good VPN router is the best solution to this growing problem.
All traffic on your network will be secured and encrypted between the router and the VPN server.
And finally, there’s also the convenience factor.
Using a VPN on your router will extend the benefits of a VPN to all your devices, without having to download VPN software on each device.
As you can see in this guide, a VPN router is a powerful solution that anyone can implement. Whether you’re a tech newbie or a super geek, using a good VPN router is a smart choice to protect all of your devices.
You can also check out the best VPN list for some of the top VPN services to use on your VPN router.
Amazon disclaimer: Restore Privacy is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
1. Million dollar question: Do you feel this 2017 article is still up-to-date for 2019?
2. Important question: a) Are two-in-one ‘router modems’ (modem with the router built-in) being taken into consideration?
b) Are they more or less secure than a seperate modem and router setup and why?
c) What is your reccomendation?
3. Do you feel ASUS still makes good routers?
4. Would you still reccomend the routers you listed in this article?
5. What newer 2019 ASUS routers would you reccomend?
6. What current alternative router would you reccomend instead of ASUS?
Hi Glynn, I still think the Asus 86U is a great all-around router. I’m planning on updating the guide soon and will answer all these questions with the next update.
Will I still need to subscribe to a VPN service like Nord or expressvpn to use the VPN on the router? My use case is that I now have a expressvpn subscription that I use with my desktop laptop and mobile phone. Since there are other devices on my home like smart TV tablets etc which I’d also like to route through VPN will getting a ac86u work ?
If you have an existing subscription to ExpressVPN, you can use the VPN on your router, which will count as one connection. Note: you can use ExpressVPN on as many devices as you want, but only three simultaneous connections are permitted. Once you get ExpressVPN loaded on your router, it will protect every device that you use on your network, from tablets to smart TVs – a good idea.
>Stock firmware (AsusWRT) less secure due to irregular updates (solution: upgrade to Merlin)
With respect, frequent updates do NOT increase security; in fact, just the opposite. It takes time to carefully design, implement, and test firmware properly. Plus there is the issue of the user time it takes to properly test and qualify new firmware releases. Stable releases of Merlin are not demonstrably more secure than stock ASUS. For every bug fixed, there’s a substantial risk of introducing other bugs, yet another case of the Law of Unintended Consequences. As a networking and security professional, all my ASUS deployments are stock firmware. I would only use Merlin for an essential feature not in stock ASUS, and only after careful testing and qualification.
Hi John, good points, every new update can create new issues and vulnerabilities.
Hi Sven,
I am really tempted by either the AC86u or the AX88u (the AX mainly because I do not like that the AC needs to stand up). But: Both do not support WPA3 even though the AX88 is a very new router and very expensive also. Would you consider this a major drawback down the line for personal use or not so much?
Thanks.
Well, I’m not a fan of using WiFi at all due to security risks, and instead just using ethernet cables, which also give you better speed.
All great comments Sven (& from commentators). Trouble is, many (most?) of us on here don’t have the Net/Security skills/experience of some, so grateful if the recommendations also always take that into account. Tks. all for this invaluable knowledge exchange.
Since this was published has there been a update concerning the following portion of this web site,
• ExpressVPN (review) – installation guide and router review forthcoming ?
Hi Michael, thank you for the reminder. I need to get the router and write up an installation account on that, I’ll add that back to the content schedule.
I want to bypass clixsense with a VPN and I found out that clixsense still dectect am using VPN and block me and I want to prevent clixsense from dectecting me what should I do
What about Vilfo.
Hi Sven
After reading your excellent articles i decided to purchase the ASUS RT-AC86u and took out a supscription to VPN.AC. I can easily hit speeds of 50 MPS using 128 bit Open VPN with selective routing enabled using Merlin Firmware. It has been a fantastic piece of kit and i can stream HD Netflix and Amazon Prime through the VPN without issue.
One thing to note though and one i would like your opinion on. The ASUS RT-AC86u router comes with Trend Micro Air Protection enabled as standard. This might be a privacy concern as the only way Trend Micro can be providing this service on this router is sending the DNS results of your internet usage to their DNS malware database. There is an option to opt out of this service but when enabled it will still work regardless of if you have the Open VPN client setup or not. Same goes for the parental DNS blocking as well which is actually good as you can have a secure VPN connection and AI protection in tandem.
It’s actually a pretty useful and powerful security feature and while i am happy for it protect my devices behind the VPN Router not everyone will be.
I think the only way to bypass the Trend Micro AI protection (while not constantly turning it on and off) is to have a seperate VPN client enabled on a device. So for example my Smartphone would go through the router VPN tunnel and then its own seperate VPN tunnel using the VPN app software.
Would you think this is a good set up?
Hi Matt, the Trend Micro issue is interesting. I’m looking into this more – no clear answer yet.
Hi Matt.
I do not agree on Trend Micro services. It’s an Opt-In feature, thus not enabled by default. Once you try and enable any of the services, it will ask you to accept the terms and conditions. I bought the device in Spring 2018, and still haven’t enabled any of the services, and it works fine with VPN (also VPN.ac by the way).
Regarding the feature itself, I would not put much trust in it if I were you (or in Trend Micro whatsoever). One of the reasons why can be seen here:
Here is a more detailed view:
Better make good use of Firewall section of the router instead, which allows you to basically block traffic for specific IPs on your LAN to specific services. The only thing is, you’d have to either populate that list in time, or search for one on the net. It might be easier to simply use some kind of ad-blocker. I’d suggest either using AB-Solution, designed specifically for some ASUS routers, or buy some IoT device like Raspberry Pi and install Pi-hole on it. The drawback of AB-Solution is the fact that you’ll need to set DNS servers explicitly, so it’s somewhat leaking DNS (though you can set it to VPN provider’s DNS servers), whereas the drawback of Pi-hole is very minor delay due to the fact that the router will have to make a cyclic call (Router -> PI (to block certain domains) -> Router -> VPN DNS). In both cases, traffic will be routed through VPN.
Hope that helps =)
PS: When I was looking into routers, I was choosing between ASUS RT-86AC and LinkSys WRT3200ACM and due to lack of actual VPN speed tests between the two, ended up buying the one that had more reviews and somewhat better reviews on Amazon. The biggest advantage of LinkSys is OpenWRT support, where you can “science (configure) the shit out” of it and forget about the bloatware which is present on Asus. I might actually end up buying LinkSys for the sake of VPN speed tests, if I don’t end up configuring some mini PC with pfSense (which is basically the best solution in terms of speed, security and privacy IMHO).
Great article very informative, yet, I’m still puzzled.
My router LinkSys WRT3200ACM has a VPN Client option, it can also be flashed with DD-WRT and OpenVPN *server*.
Now, I want to prevent my ISP from snooping, blocking content, hide my IP and son on; what I dont undertstand is if I’m running a VPN *Server* on the Router, why do I need a VPN Server in the cloud (a VPN “Service”)? Isnt the VPN Server on the router doing this? If not then what’s the difference between Server on the Router and Client on the Router?
If i do need a VPN Service, in the cloud, would it not be better for me to have a small hosted server in the cloud, something like Digital Ocean’s “droplets” and install OpenVPN server in that. This way I’d have a VPN of *my own* AND be able to have static IP and so on. The cheapest way would be 1GB RAM, 1xCPU, 25GB SSD, 1TB transfer droplet at $0.007 per/hour. I only use it maybe 8 hrs a day.
What this guide is discussing is using the router as a VPN client. In other words, the router is establishing an encrypted connection to a VPN server (one of the servers in your VPN’s network, such as in New York for example). Then, any device that connects to your router on your home network will go through that encrypted VPN tunnel and utilize the IP address and location of the VPN server in New York, for example. The graphic in this guide shows this.
Using your router as an independent VPN server is something different. That feature allows you to connect back to your home router/VPN server from other locations outside of your home network. That’s not the subject of this guide, however.
I think static IP is quite a drawback from the point of view of privacy.
Moreover, the number of devices connected to this host is going to be limited to your personal devices, thus “hiding in the crowd” won’t apply.
In addition, VPN service security is going to be a burden.
But hey, it’s your choice =)
Hello Sven. Comprehensive and insightful review.
I installed a ASUS RT-AC5300 router and configured VPN with ExpressVPN. Using OpenVPN protocol my download speed degrades from 500mbps (from fiber ISP) to 25mbps. The speed degradation is less severe with L2TP protocol. In your opinion would i achieve better OpenVVN performance from one of these options below:
1. Switch to ASUS RT-AC86U that supports AES-NI
2. Add a VPN server like pFsense on a standalone PC with a AES-NI processor to offload VPN processing.
3. Add a VPN accelerator like Sabai Technology.
Which of these above options may yield the most performance gains.
Hi Sabyasachi, all three options should give you better speeds. I hit over 100 Mbps with the Sabai VPN accelerator (see review) – essentially maxing out my internet provider connection. Their newer VPN Accelerator model is more powerful than the one I tested last winter. I’ve also heard that performance with the Asus RT-AC86U is quite good (over 100 Mbps).
Thanks for this review as I found it really informative. I am quite green about VPN’s so I got one question for you all. I just subscribed Surfshark and thinking of using VPN through my router. Would that Linksys router would work on my VPN? Thanks in advance for everyone 🙂
Yep, just upload the OpenVPN configuration files for the server locations you want. ExpressVPN has a good router app for a few of the Linksys models. This will allow you to use their split tunneling feature and also easily switch server locations within the app.
Hi Sven, have a question. What can you recommend – lower price router and better VPN service, premium router and any VPN service or router with integrated VPN service? What combination is safer, faster for home network and 5+ devices?
If you don’t have a good VPN that offers adequate bandwidth and reliability, the router won’t matter and the performance will still suffer. For what you describe with a home network and multiple users, the Linksys WRT AC3200 with the ExpressVPN router app may be the best fit. This allows you to selectively route devices to either go through the VPN or not. And with ExpressVPN, you will also get top performance.
Greetings. Loving your site. One question though. You seem to rate Sabai routers quite highly. One thing that bothers me is thier track record with regards to security and feature updates to their routers. I can’t seem to find anything related to that on their website. We’re getting all sorts of vulnerabilities with routers these days, mainly due to their OEMs running outdated/vulnerable libraries or kernels. Even the most security minded corporate routing providers often have to release monthly firmware updates to keep their users safe. How does Sabai fare on that front? What has their track record been like (like how fast they move to fix vulnerabilities) relative to open source projects like OpenWRT/LEDE/etc or corporate/commercial providers like UBNT?. Have Sabai communicated any of these support promises in writing on their site?
I asked Sabai about this topic before and they said they typically update their Sabai OS firmware 3-4 times per year, as necessary, depending on any security issues they become aware of.
Hi Sven,
I’m looking at the Asus RT-AC68U Router x 2, one as a VPN server at my house and one as a VPN client at my daughters house.
My WAN is a standard ADSL 2+ router running a DHCP server.
My question is that once the tunnel is established, will the devices (a camera and laptop) that will be plugged into the AC68U at my daughters house automatically be assigned IP addresses in my LAN’s range therefore become part of my home LAN or will a form of NAT be applied across the tunnel?
Thanks for your time.
Jase
Hi Sven
I’m completely new to all this so I probably need vpn for idiots help. Having read your best vpn guide I’m considering using expressvpn. My dilemma is Due to my location I have pathetic internet speed (about 6 mbps download) so would I be better just using Mac app or going for something like Asus RT-AC68U router to minimise any loss of speed?
Hi Marty, I would recommend using the Mac OS app because it will give you more features, better speed, and easy server selection, as compared to using the VPN on a router. ExpressVPN is also offering a coupon for three months free (applied on checkout page). The RT-AC68U is a decent model, but if speed is your primary concern, I’d recommend using ExpressVPN’s Mac OS app instead.
Great farticle, but you didnt mention the fact that none of these routers come with a vdsl modem, so all will need one?
You can run any of these routers behind the modem or router you need for your ISP.
Is this in bridged mode as I have read that my ISP vodaphone router cannot be run in bridged mode
Thanks for the reply
Also (sorry for the two questions), it’s hard to find a computer these days with a PCMCIA slot, so what is the alternative so that one can have that extra NIC connected?
Thanks.
I’ve never gone with the old computer/pfSense router option, but for adding a second NIC, this article may be of assistance…
Hi.
The video about setting up the PfSense router is very good. The only problem with this method is that all devices need to be plugged into the switch.
Is there another way – while still using PfSense – to securely access the internet while using our wireless devices?
Thanks.
You would need to add a wireless access point to the switch. I see in the comments that these guys recommend Ubiquiti Unifi devices for an access point.
> Therefore, with a VPN, a 1.0 GHz dual-core router (500 MHz per core) may be faster than a 1.4 GHz quad-core processor (350 MHz per core).
I believe this is incorrect. All of the cores run at the stated clock speed. So in the single-treaded VPN case, a 1.4 GHz processor will run the VPN faster than a 1.0 GHz processor, regardless of the number of cores.
Hi John, agreed, I have removed that sentence. OpenVPN can only be single threaded with one core, and QOS also affects performance, but raw CPU is still the determining factor, regardless of the number of cores. The guide is now updated.
Has anyone tested Linksys WRT3200ACM with OpenWrt or or Netgear X8000S a VPN service on it?
What are the results?
As far as I see, the both have a 1.8GHz dula-core CPU (as ASUS RT-86AU has), so the performance should be similar I guess… Netgear has additional load-off CPUs…
Thanks.
Hi George.
My choice was between Asus RT-86AC and Linksys WRT3200ACM, because Netgear X8000S was rather expensive in comparison with the 2 mentioned above.
I ended up buying Asus just because it seemed to be more durable judging from the reviews on Amazon and Linksys seemed to be dying out after 6 months, and I wouldn’t be able to apply for warranty, as I bought it in US, and I left US without being sure I’d come back =)
Big advantage for Linksys is OpenWRT support, which gives you freedom to configure everything. Asus is nowhere near that flexible with either stock or Merlin firmware.
Hey Sven,
Very informative article! I had a question.
I have an Asus AC-68U router and wanted to run vyprvpn through it. was wondering if it’s possible to create 2 different separate wireless networks on same router: 1 network running through vpn and other network running without vpn?
I don’t want every device running through the vpn. Phones and smart devices around the house are not necessary to run through vpn. Computers/laptops and streaming devices like NVIDIA Shield are the essential things I need running through vpn (due to obvious reason – kodi). There are more than 5 devices so I am at the limit if I was to run each device separately through the vpn.
I thought about putting vpn on router itself and running everything through the vpn. The problem with running everything through router vpn is that things like banks are somehow able to detect I’m using a vpn & deny access so I can’t run everything through the vpn. I need to have a secondary network without vpn I can switch my device to and bypass the vpn.
Would I need 2 separate routers to accomplish that? Is that the only way?
Thanks!
Hi HS, you could do this by flashing your router with Merlin firmware, and then configuring which devices go through the VPN and which do not.
I see. Is it this firmware?: Asuswrt-Merlin from https://asuswrt.lostrealm.ca/
Thanks!
Yes.
Hi Sven.
I was sitting here, wondering…
VPNArea is now supporting IKEv2, however, they mention that OpenVPN is the safer choice whereas IKEv2 offers 50-100% faster speeds.
OpenVPN already seems rather fast, but…
What would you recommend yourself, and why?
I also think that this would be a good idea to write a blogpost about for future reference, however, for now a quicker answer would be awesome.
Thank you in advance 🙂
Hi Patrick, thanks for the feedback. Each protocol has pros and cons, but I agree that OpenVPN is probably the best all-around option. IKEv2 can be a good choice with mobile devices, particularly iOS, because you can configure it to be “always-on” and leak-proof without any VPN apps. IKEv2 can also be used natively without apps on Windows and Mac OS. Both OpenVPN and IKEv2 appear to be very secure VPN protocols, but OpenVPN has the advantage because it is an open source project.
Hi Sven,
Thanks for this incredible website, and your blog as well, which is essential reading.
I have an Asus GT-AC5300 and want to set up the Rapture Fusion VPN. I also have the RT-AC5300 in a box on the floor, not using it. I am familiar w/the setup for that, but have not set up a VPN.
When I got the new router I signed up w/NordVPN and paid for several years, without calling them first, When I called them, they told me they don’t support the GT-AC5300. They seemed to be saying it wasn’t possible to set up a VPN w/them w/this router, yet a couple of other VPN providers told me they could do it. I also called Asus, who said it is possible, but they wouldn’t walk me through it. 😉
Since I had already paid NordVPN, I was persistent, certainly it must be possible, right? It got pretty nasty and that was that. I gave up for months after tinkering more with it myself. But I have a NordVPN login, their servers, and I’ve paid, so I want to just log in with the VPN and if they challenge me I will point out that I’ve paid (or bite the bullet and sign up w/a different VPN provider).
My question: How do I set the GT-AC5300 up as a (Fusion) VPN? Can you provide as much detail as possible and links if you have them? Thanks very much.
Hi Theodore, this looks like an interesting case because one of the product features for the Asus GT-AC5300 is VPN support. However, it looks to be different from other routers and is not supported by Merlin firmware.
Perhaps this support page may help, but unfortunately I do not have this router and can’t offer any concrete tips.
So, if we take the price range of 200$ (relative mid-high-end), and the advice of having greater clock speed with less cores (encryption), I found a battle between 3 routers:
1. Asus RT-AC86U
2. Linksys WRT3200ACM
3. NETGEAR Nighthawk X6S AC4000 (or even lower-end Nighthawk X4S AC2600)
I also haven’t found any confirmation that Asus has AES-NI encryption acceleration. Moreover, haven’t found any descriptive info about the processor those models have. Netgear says it has 64-bit Dual-Core 1.8GHz Processor with 3 Offload Processors, which seems like it should outperform the rest, but who knows.
Speaking of the VPN, I have VPN.ac (but I’ll probably be switching to NordVPN on next subscription).
Speaking of my current router, it’s TP-Link Archer C7 with OpenWRT on it (not goot vor VPN client with OpenVPN)
In these circumstances, what do you suggest?
Hi Josh, yes it is annoyingly difficult to get processor information on different routers. Even the official site for Asus is lacking in regard to these details.
I was mainly going off the Merlin firmware developer who works with Asus and knows the specs. His early testing of the Asus RT-AC86U when it first came out was surprising with the speeds. Many others have confirmed similar speeds with different VPN providers – see this forum thread.
Since the VPN performance and killswitch functionality are the only features which matter to me, I was hoping to find a comparison chart showing which models support this feature and the OpenVPN throughput for each model using strong and efficient encryption algorithms, for example:
How to correctly secure your OpenVPN connection
https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8
____
Relative throughput, 8k blocks with AES-NI enabled
aes-256-cbc – 407
aes-256-gcm – 870
____
With regard to the Sabai “VPN Accelerator”, if you are going to buy a desktop PC for a VPN gateway, you are better off running pfSense or Untangle than Sabai OS.
Will I get speeds up to 100 Mps using Nordvpn and ASUS ROG AC5300?
Hi Ulysses, I can’t say for sure because I have not tested that router, but from what I have seen (speed tests from Merlin developer), both the RT-AC86U and the ROG AC5300 have the power to handle 100+ Mbps with OpenVPN. When using it with NordVPN, I’d recommend connecting to a nearby server with low server loads, and you should be able to be at the higher end of the 70-100 Mbps range.
Hi Sven,
I was wondering – can you do some tests for us.
Here is my scenario and why I am requesting the tests
My AC68U has two WAN Port Capability.
Ideally I would like
All IP addresses to run through a VPN which would be on WAN0
Selected IP addresses eg. 13.82.28.61 to run through WAN1 (LAN1 on the device) without VPN.
This would mean I could have a routing table that says application A which uses ip address x should not go via VPN, while the rest of the apps via the VPN.
I would also then be able to apply some QoS and reserve bandwidth for the VPN
For this I would recommend flashing your AC68U with the Merlin firmware and implementing the routing rules as you described. You can get more info on this in the SNB forum.
I am trying to get VPN up on my router using NordVPN and an Asus RT-AC86U with Merlin and I can get it to work sometimes however if I turn the VPN on and my router gets reset for some reason then all of my devices lose connection to the internet for some reason. I have my RT-AC86U as the VPN router then it forwards through another router for access to the WAN (Asus RT-AC66U) Any reasons why this might happen. It is very frustrating as all my devices lose access to the internet and the family can’t do anything until I get home.
Hi Matt, I’m not sure if this is an issue with the router or with NordVPN to be honest. I’m currently using VPN.ac on a Netgear router that’s running SabaiOS firmware and I’ve found that the VPN will automatically reestablish if the router resets or reboots. This has been a good setup over the past few months. I’d send this question to NordVPN, and perhaps also check out the smallnetbuilder forums for questions regarding Merlin firmware.
Nice list of routers. I would recommend Asus RT-AC88U with following Specifications:
8 Ethernet ports
2.0 and 3.0 USB ports
4 external antennas
512 MB RAM
1400 MHz dual-core processor
Which is best VPN router I have this router purchase from Amazon. It provides great speed so streaming videos will be fun.
Hi – thanks for this very informative article which has really helped.
I am moving into an apartment building with shared wifi and no physical access point to connect a router to. I want to set up my own VPN router so that any connections I have are more secure. The speed of the wifi network is reasonable and I want to retain as much of this speed as possible in order to stream movies etc.
I have seen very cheap “Travel Routers” designed with hotel travel in mind that will do this but other than for viewing a bit of email these would not make a permanent solution. My other option is to consider using a wireless repeater in AP mode to provide a cable connection for the router but this would cost speed.
Is there a better option than either of these? Thanks
Hi Russel, you probably won’t get the performance you want with these mini routers running OpenVPN. Perhaps try out the other option and see how it works.
The results from Sabai VPN Accelerator, look very promising, but to do important things, can we rely on products from the US? As it does not have the best reputation for the public’s privacy. Maybe it has a back door in the OS? (A bit paranoid)
However, for watching movies, this seems like a good option.
I think Sabai would be a more secure alternative to any stock firmware, which is generally not updated frequently. Backdoors are always a concern, but you can also use one VPN on a router and then connect through another VPN on your computer (double encryption) for important matters when you want more privacy.
Dear Sven Taylor,
I love your website ! I used to come here often and look for newer articles, This article is perfect. I am using Asus AC1900 (RT-AC68U) (800 MHz, dual core) router running on AdvancedTomato (https://advancedtomato.com/).
Last time I asked you a question about VPN.Asia, but I forgot in which thread I have asked you about this VPN. It is working pretty well with OpenVPN in China too. Could you please do a review of this VPN if possible. Thanks 🙂
Hi FerdinCrypto, yep, I’ll hopefully get to it in the coming months.
Loved your article Sven, but all the routers you mention are wi-fi stuff. I banned that in my home when WEP was cracked, and now that WPA got nailed, I have no desire to test my luck with WPA2, so I only buy wired models. Can you recommend good wired-only VPN router? I guess it must be fast for watching online TV shows and movies. I would rather not spend more than $250, and less would be better. Right now I have cheap Microtik, but only got it because I could not figure out what to buy. I was thinking of Edge Router, but still not sure what to buy…please advise me! Thanks for any help.
Hi Chau, no problem – you can simply disable the WiFi and use ethernet cables with all of these routers. I also do not use wireless at home for the same reasons – it’s a bad idea from a security perspective, and you will get better performance with high-quality ethernet cables. You do not have to choose between WiFi or wired-only – just disable the wireless directly in the router admin area for the firmware. Most routers will have LED lights that show whether the wireless is on or not.
I think the new Asus RT-AC86U would probably give you the best performance based on what I’ve seen with OpenVPN tests. It’s also under $200 at the moment. All Asus routers can be used with wired-only connections and WiFi completely disabled.
Hi Sven,
I have just purchased a HK ac1900 R7000 and flashed with dd-wrt(openvpn) to NordVPN. I have done a lot of testing and only getting about 20MBPS which is a 60% hit without. I have found the best NorVPN servers and there support has been good. But they are stating that dd-wrt and OpenVpn are single threaded. I have tried altering Qos, NAT and the firewall but no more performance. Idea’s or comments? Might advance tomato give better performance or your other suggestions. I can take the router back and which out as necessary.
Thank you for your time and reply.
wc
Hi WC, that is correct. OpenVPN is single-threaded, which means that only one core from the router can handle VPN encryption. I tested this router out last week with the Sabai OS firmware and was able to hit 41 Mbps with 256-bit OpenVPN on a nearby server (see review). I think the Sabai firmware is allocating all of the non-VPN processor activity to one core, which leaves the other core entirely free for VPN encryption. I know the Merlin firmware also does this to optimize VPN speed. However, I don’t think you’ll be able to get much higher than 40 Mbps with this processor and OpenVPN – the processor just can’t do it. You could upgrade to a higher-powered router, or use a VPN Accelerator, which I found would give me 104 Mbps (see tests here). I’m currently updating this entire guide with this information – should be finished very soon.
Thank you Sven,
Can I flash my HK r7000 with Sabai OS firmware or do I need to purchase a new HK r7000 with the Sabai OS firmware already installed. I am not seeing a flash option on there site but I might be missing something. I assume this replaces dd-wrt correct?
Thank you,
wc
Hi WC, if you go to the Sabai website and click on “Shop” you will see the “Sabai Passport” option. This is the Sabai OS firmware license that comes with upgrades (security updates) for the life of the router, although it’s fairly expensive at about $150. Correct, this will replace the DD-WRT.
Cool, yes expensive. might tomato provide better basic performance over dd-wrt? Or any other options that are not $150.00 🙂
Thank you,
wc
I haven’t tested it, but you might want to check out AdvancedTomato. It looks like it supports the router you are using – see here.
Hi Sven,
I just wanted to say thank you for your help and efforts. I have read a bunch of your writings and have gone with the following. I was on HK r7000 and dd-wrt and NordVPN. Based on your information, I have moved to Asus RT-ac86u with the standard asuswrt and canceled my NordVPN. I could never get more than about 20 mbps down with either router. I have tested many different ways. It had nothing to do with CPU’s on the routers but I am keeping the Asus based on features and flexibility. I am now getting 40 to 60 mbps downloads with Asuswrt and ExpressVPN. While the customer service at NordVPN as great and Express is not nearly as good but the service is better 🙂
So is it really worth now going to merlin? Will I get any more pure speed? Also any more down falls with ExpressVPN and should I test another service?
You are a great resource and thank you.
wc
Hi wc, that’s great to hear you’re getting those speeds after switching to ExpressVPN. Indeed, choosing the right VPN to use on your router is probably the most important factor. ExpressVPN has made some big improvements over the past few months (explained further in the review) so I think that is a good choice.
Regarding switching to Merlin, I’d say if your current setup works well for you, I’d just stick with it. AsusWRT is a well-designed firmware that is easy to use with VPNs. Glad to hear it’s working well for you.
Hello Sven,
Really appreciate the in-depth and detailed effort you and all involved offer on this website. I too purchased the Asus RT-ac86u
and am trying to get it to work with ExpressVPN. I wish WC could
reveal how he did it (tried custom install because ExpressVPN said the Asus RT-ac86u was not supported…did not work for me). searched the web and couldn’t find any help, maybe the router is still to new. I would be very grateful for any suggestions.
Thanks
ExpressVPN should work perfectly fine on this router. The support rep was probably saying “not supported” because they do not offer a direct app for the router. But you don’t need an app for this router, because you con simply import the OpenVPN config file directly onto the router, add your username and password, then connect. You can download the OpenVPN config you want for a specific server directly in the ExpressVPN members area.
They have a guide explaining this, or you can follow the steps in this guide I created (either way it will be the same).
I see that OpenWRT has a disadvantage in the face of absence of active development.
What about LEDE Project (Linux Embedded Development Environment). It has been forked of OpenWRT, development is there, and it’s basically quite awesome (assuming you have the time to play around with the setup), Would you mind giving it a review as well?
Hi LEDE user, thanks for the comment – I’ll check it out.
Hi Sven, great site. I learnt a lot and you helped me to pick up my router and vpn service.
I bought an ASUS and loaded Merlin into it.
I am struggling to find in the web the right blog to help me route through the vpn client the traffic of the Download master app that is running in the router.
I have seen old comments but I am struggling to get a simple, for not very knowledgeable people, step by step explanation.
Or even if it is possible to do it.
Thanks for your help, your blogs are extremely good.
Hi Juan, thanks for the feedback on the site. Regarding your question, I don’t think I have an answer to that at the moment, but if I come across anything I will update this comment.
Thank you for this great article.
It looks from the first tests by Merlin and others on SNB that the RT-AC86U finally has a CPU that supports AES (and running 1.8Ghz), and therefore has VPN speeds > 100mpbs.
Did you test it already ?
Wow, that is very impressive. Looks like Merlin ran some tests and hit speeds over 200 Mbps on the router with OpenVPN. I need to get one of those and test it out. Thanks for the heads up!
You’re welcome, please post your test results when you get one 🙂
Will do!
FYI I bought one and I’m easily doing 100mbps using VPNac (AES 256 UDP).
That’s awesome! Thanks for the update.
Hi. Does the AsusWRT Merlin method also work for a Netgear R7000 with AsusWRT Merlin firmware installed?
Hi William, Merlin only works on certain Asus routers. That Netgear router will work with DD-WRT however.
Also, I’m currently testing that exact router out right now with Sabai OS, which is a custom firmware based on Tomato. Sabai OS gives you a kill switch and the option to route certain devices through the VPN, and others through the regular (non-VPN) connection. It’s not free, but it’s a great firmware (article/review is forthcoming).
Hello,
I see that the ASUS Merlin not support any Asus router which have a DSL modem integrated, even when the router software and hardware seems to be the same as the version without DSL.
Make it sense to keep the old VDSL Router and put the normal ASUS behind or is it better to replace and buy an ASUS with VDSL RT-AC68U?
Hi Hampi, yes, that makes sense. I explained a double-router setup in this VPN router guide. This also gives you the option of connecting to your old router (unencrypted) or your new VPN router.
Hi sven. I am looking into getting the Asus rt-ac88u i have looked on Flashrouter and they stoped selling this router. Now that’s where my trouble begains. I am new to the whole VPN world. and now that i am entering that world, I don’t want to waste time nor money. On to my question i really like the spec’s of the Asus rt-ac88u out of the box. and want to jump right in with both feet. But now I am woundering if it would be worth it if i can’t use a VPN out of the box per some of the research i have done. ie. with Flashrouter and other sites. because of issues like configuration, stability, security. I guess my question is have you had any experience with the Asus rt-ac88u or do you know of any issues? Does it need merlin or does it have it already? Thanks in advance.
Hi Jubal, yes, the RT-AC88u is an excellent model with good CPU and overall performance. You can actually just use the default ASUSWRT firmware. This is simple and will work well with a VPN right “out of the box”. You should make sure that the ASUSWRT firmware is updated to the latest version. For a simple guide to getting a VPN on your Asus router, see the VPN Router Setup Guide. (Note: setup will be the same with your model.)
You can upgrade the firmware to Merlin (see here), which does have some advantages and more settings/options, but for a basic, user-friendly setup, the default ASUSWRT firmware is good.
I have contacted Ipvanish and they have all 3 times refered me to flash the router. Also have responded with i needed to download DD-WRT onto my router on one occasion not asuswart. Very confusing. I don’t want to brick my router When i get it. Thanks for the info Sven it will come in handy.
Hi Jubal, you can use the OpenVPN config files from IPVanish with AsusWRT. You don’t have to flash your router with DD-WRT – IPVanish doesn’t know what they’re talking about. Your Asus router is compatible with VPNs right out of the box without flashing anything.
Two questions:
1) I’ve heard of wireless bridging & the reason I ask is, my router is issued by my cable provider & I cannot receive internet without their router, so…is it possible to connect a VPN router (essentially like a wireless extender), but connect to the VPN router with my device(s)?
2) Mobile: While obviously VPN’s work with mobile, the mobile masts will still connect using your phone number, to which you could instead, use a portable 4G router, however, the only company out there is this one that seems to provide such a device with “VPN” built in:
link
Not sure exactly what they provider here i.e whether they load it with their own custom software to provide OpenVPN or whether a config file from NordVPN (whoever) could be loaded.
I realise of course you could take 1 mobile & use it as a hotspot, with everything google signed out, but I’m not sure any VPN software would work then.
Hi Richard, regarding your first question, you can just connect a second VPN router through one of the LAN ports on your existing (cable provider) router. Then you can connect to your VPN router network, or your existing router (non-VPN) network. (See setup instructions here.)
Regarding the second question, these little router boxes are usually cheap, underpowered, and do not handle VPNs well. The one in your link has only 400 Mhz CPU. That is underpowered for encrypting/decrypting VPN traffic.
Due to “logistics”, I’m not able to connect another router to the existing router, am looking at a wireless solution, as it’s the only option available to me & I can’t remove the existing one, without changing the existing router…the wife refuses to do that, as it’ll mean changing the cable provider, plus it has 18 months of contract to run.
Yeah I was looking at the 400Mhz power, they do look cheap & nasty, but it’s something I’m serious about. I was wondering if there is a solution to flash a Haewei or equivalent 4G portable router, as they seem to be the best ones. I’ve looked around, but nothing leaps out at me.
The solution is to have the router of the provider in bridge mode set by the provider
I did that too and it works perfectly
Thanks for the articles Sven! Your deep dives into the pros and cons of various VPNs is *very* helpful.
At home, I use Untangle (untangle.com) installed on a small PC, similar to the Zotac you mentioned above. I chose Untangle mostly for its web-filtering and reporting features, but I’m considering setting up a VPN on it. Have you ever used Untangle’s VPN features? Can you share any thoughts about it?
Thanks!
Hi Mark, thanks for the comments. I haven’t looked into Untangle, but I’ll keep it in mind for the next update to this guide.
Hi Sven,
just changed ISP and got a new ASUS router and I also have an ExpressVPN account
I came here following search link for “ASUS RT-AC3200+VPN client to specific devices”
Wow, now been on here for 2 hours – what a fantastic informative site. completely sidetracked by masses of useful information – almost forgot why I came here :))
looks like I need to upgrade to Merlin Software on the router to get open vpn specifically to certain devices.
I may have missed it but can you point me to a link on how to upgrade to Merlin on the router and also how to get specific devices to connect to the vpn side of the router.
Many thanks
Alan
Hello, thanks for the feedback. Yes, Merlin is the way to go for selective routing with an Asus router. To get you started:
I’m looking for a cheap, ready to use VPN router and Buffalo N600 WZR-600DHP seems to be fine. My only concern is: does it have a VPN kill switch?
Hi, you just need to add a rule to create a kill switch. Here are the instructions for DD-WRT:
===============
In Administration > Commands > add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Select “Save Firewall” to save the rule and reboot router.
Test after reboot if you can reach the internet by having the VPN enabled or disabled.
Nice write up. I would add BlackHoleCloud and TinyHardwareFirewall to the list. They are fast, private, secure and stealthy.
Hi Glynn, I’m not so sure about these. The page states, “VPN servers built for and dedicated to you. You get your own VPN server(s) with no logging, setup in countries and cities that you choose. Only you will ever use these servers.”
For privacy and online anonymity, I would never go with a server that “only you will ever use”. Instead, you’d want a shared IP address on a dedicated server that is being used by others, thereby allowing you to blend in with other traffic. There are some other questions here, such as what kind of servers are they using (virtual servers most likely, given the cheap price) and how exactly is this being implemented. Anybody can get a cheap virtual server at a random data center, but that’s not a good choice for privacy or security.
The refund policy is also interesting: “Refunds are available only in cases where the VPN service is not available due to the negligence of WiFiConsulting, inc..” – which sounds like “no refunds” to me.
I hope you can offer a solution to this very perplexing problem –
All I want to do is to have just one ip network security camera on my home LAN that we can view remotely with our windows phones when we are away from our home WIFI and need to use our data plan. Sounds simple right ?, but further down you’ll see what obstacles I am running into !
Here is our equipment:
Windows Phones: Nokia Lumia 1520 and Microsoft Lumia 640 LTE (both running Windows mobile 8.1)
VPN Router: ASUS RT-ACRH13 https://www.asus.com/us/Networking/RT-ACRH13/specifications/
IP Camera: HIKVISION DS-2CD2342WD-I http://www.hikvision.com/us/Products_1_10508_i7593.html
The easy and simple solution would be if there was a windows phone client for OpenVPN but as far as I know there is not any yet.
Now (unless I’m mistaken) I’m finding out the windows phones vpn option “L2TP over IPsec” requires the vpn router to have a “L2TP over IPsec” server and it seems consumer class vpn routers only have OpenVPN servers which windows phones can’t connect to and the business class vpn routers that do have a “L2TP over IPsec” server are way too expensive (over $200 and up) for the average home user on a budget and especially for me being retired on social security.
I have been asking for help on an ip camera forum but so far the only safe solutions offered were switching to android phones (not an option as our windows phones are fairly new) or getting a very expensive business class router, also not an option being on a budget on social security.
The other options that would work other than what I just mentioned were said to be very unsafe security-wise, and that is either port forwarding or using Hikvision P2P camera viewing service.
I’m somewhat tech savvy in general, but ip cameras and VPN is a new area for me and I’m quickly finding out the tech industry does not make it easy when it comes to compatibility options with windows phones.
Wow this is by far the best explanation I have seen online about this subject. Thank you so much for the lesson in VPN routing. Few questions what if I only want some devices to be on a VPN and others to the regular internet?. 2 – What is this about tunneling and while going thru a vpn am i going to be able to watch Netflix, kodi, Amazon video ect?.
Hi Leo, using a VPN with Netflix and other streaming services can be a bit challenging. You may want to go with a double router setup, which allows you to connect through the VPN router or regular (non-VPN) router. This is explained more in this guide.
I would like to thank you, for an excellent explanation of vpn.
One issue that I like clarification is: once a router vpn is set up we still have to setup vpn client for mobile devices, how does one select which vpn client will be used when using a mobile device at home? Do one needs a client for all the wired devices or one has to log into the router first? Many thanks
Ernest
Hi Ernest, glad to help.
If you are running a VPN on a router, you will not have to setup a VPN client for mobile devices that use the network. In other words, when you connect your mobile device to your VPN router, the traffic will still be encrypted and you will be using the VPN server’s IP address (even though you are not running a VPN client on your mobile device). This is one of the main advantages of a VPN router.
Regarding wired devices (your second question) – it depends. If the device is wired through the VPN router ethernet port, it will utilize the router’s VPN connection – so no need for a client. If the device is wired to a non-VPN router, then yes, you would need a VPN client in that case (or anytime you connect your computer to some other network, such as public WiFi).
You might find this VPN Router Setup guide useful. It illustrates a basic double router setup – a VPN router together with a regular (non-VPN) router, which gives you the option to go through the VPN or not.
O yeah forgot to mention also have a Netduma R1 router for lag for games and did mention having Netgear R7000. Does the netduma good for vpn or no
Hi Kevin, not sure on the Netduma R1 – but setting up VPN.ac on the Netgear R7000 with DD-WRT firmware may be the best option.
I appreciate a lot for your advice helping me out and my family. I got a 1 yr of VPN.ac today as well a service plan w/ Flashrouters. What will change speed, performance or wifi connection with the firmware. Maybe I only care about privacy, but my family used google web browsers or emails etc. My question is when the day flashrouter setup everything w/ vpn. If my family’s used google, facebook, instagram etc will we be protected from privacy.
Hi Kevin, using a good VPN will go a long ways for your privacy. You may also want to consider blocking ads and tracking, which you can achieve with some simple browser add-ons, such as privacy badger. You’re on the right path – good work.
I’m using Tor browser w/o vpn should I still used it. Tor browser legal/illegal to use. Should I get my family to switch used Tor or proton mail.
I’d say either Perfect Privacy or VPN.ac. I have found VPN.ac to be slightly faster, although they don’t offer as many advanced features (NeuroRouting, ad-blocking, or self-configurable multi-hop VPN chains).
Hi Sven
So If I was thinking getting my router flash vpn from flashrouters Netgear R7000 and I don’t need to purchase a vpn service like perfectprivacy. But I should get it included correct.
Hi Kevin, Flashrouters is a good resource if you want to purchase a new VPN router, or if you want to purchase a support plan, where they can help you setup an existing router.
Also, you will need to purchase VPN subscription separately, in order to use the VPN on a router. For a VPN service, VPN.ac is a great value and it worked very well when I tested it on routers (see this guide for setup instructions with an stock Asus router). VPN.ac is a lower-priced VPN but it’s still very secure and fast.
Sven,
Incredible site and a big thank you for all the detailed information! I really appreciate all you have done here. Again, thank you.
I had a question regarding mesh systems and specifically the Orbi from Netgear. I’m in need of a new router as my current Asus RT-N66U Black Knight with Merlin is not cutting it. We have a ranch with the router in the middle, but the far have issues dropping all the time. One end is still bedroom and the other the garage with a business. I know the Orbi is only 800 mhz, so it’s on the slower end version vpn use, but I hear it solves the coverage issue.
Can you comment on the Orbi or mesh systems? What Asus router would provide better coverage than what I’m currently using?
Thanks!
Hi Steve, thanks for your comments. Unfortunately I haven’t tested any mesh routers, so I can’t really comment on that.
However, for your situation, your best option may simply be a small wireless repeater (under $40). I’ve tested a few of these and the range and performance was excellent.
Additionally the AC5300 is rated for up to 5,000 square feet.
Hi Sven,
Firstly I would like to thank you and commend you on this site, it has opened my eyes to many things I would not have otherwise known. Secondly, I wanted to know if you had any recommendations for mesh networks as it looks like the last time you were asked was in 2017. I have had bad luck with routers as they cannot span the distance I require to get signal throughout. I used to use TP-Link Powerline adapters at one point, they delivered consistently good speeds, but connections were unstable and dropped frequently. I was then gifted Google WiFi which was a blessing because it solved my connectivity issues… However, knowing what I know now, I am in the market for a new mesh. I’m not sure if this is paranoia or an actual concern based on my reading. Thanks and keep up the good work
Hi Xavier, I honestly can’t give you a straight answer on wireless networks. I gave up completely on wireless a few years ago due to concerns over security and I have never looked back. I still use a VPN router, but with ethernet connections only. Wired connections offer more speed and better security.
Great article, however you talked more about firmware than router.
It would have been nice to compare Asus to others like Netgear X10 or TPlink 7200.
Thanks for the feedback Pete! I’ll keep that in mind for future updates.
What is your recommendation for VPN serves for online gaming were ping is a big deal.
Hi Stephen, you might try a VPN that offers more server locations, which may help you reduce ping, depending on your location and other variables. Two VPNs with large server networks are VPNArea and IPVanish.
Great article.
Thanks Andy.