At nearly 5,000 words, this guide takes a deep dive into the world of VPN routers.
In today’s world, a VPN router is one of the most important privacy tools you can own. While a VPN allows you to encrypt and anonymize your traffic, while also give you easy access to content around the world. Combining a VPN with a router is a perfect match to extend these benefits to all the devices in your household.
While it may seem a bit complex to some, the truth is that anybody can use a VPN router â regardless of your experience level. In this VPN router guide, weâll cover different setup options, the best VPN routers for different situations, as well as configuring a VPN router for policy-based routing and a kill switch.
But before we dive in, perhaps you are asking yourself, why do I need a VPN router? Well, here are a few reasons to consider:
- Protect and secure every device on your network.
- Secure your network against attacks, surveillance, and ISP snooping. Internet service providers often record your browsing history and online activities. And ISPs in the USA can now legally sell that information.
- Easily chain two VPNs at the same time for added security and anonymity (one VPN on the router, another on your computer). This will also protect you in the case that one VPN is compromised.
- Create a backup VPN (fail-safe) on your router in case of leaks, crashes, or problems with the primary VPN on your computer.
- Block ads and tracking on your entire network through the VPN
- Easily access blocked content or restricted websites with all your devices.
Outline
This VPN router guide is broken down into the following sections:
- VPN router setup options
- Why most VPN routers are slow
- How to get the best speeds with a VPN router
- Preconfigured VPN routers
- VPN-ready routers
- VPN router firmware options (and flashing a router)
- Policy-based routing (selective routing)
- Kill switch on a VPN router
- Conclusion and final recommendations
So letâs dive in to the topic of VPN routers.
VPN router setup options
You basically have three different options if you want to use a VPN on a router:
- Get a pre-configured VPN router. This is an ideal solution that minimizes hassle. Three great options for preconfigured routers are:
- Get a VPN-ready router that natively supports OpenVPN (no flashing required). There are many different models that support OpenVPN right out of the box. The best lineup of VPN routers (largest selection) comes from Asus, which we will cover below.
- Flash an existing router with firmware to support using a VPN.
Weâll cover each of these setup options in detail below, along with the best VPN routers for each category.
However, before diving into setup options, itâs first important to discuss a potential drawback with VPN routers, which is the speed reduction.
Why most VPN routers are slow
The VPN routerâs processor (CPU) is arguably the biggest factor affecting overall speed (assuming you are using a good VPN). Unfortunately, the processors in most consumer-grade routers are underpowered when it comes to handling encryption with a VPN. The processors simply are not up to the task of handling VPN encryption with ease.
But on a positive note, this is starting to change with some of the better routers on the market – see the Asus ASUS RT-AX88U for example.
Sabai Technology has a unique solution for this problem with the Sabai VPN Accelerator, discussed further below.
Lastly, the Vilfo router also solves the speed problem. We were able to get 268 Mbps using a Vilfo router with NordVPN.
We’ll examine the fastest VPN routers in more detail below.
How to get the best performance with your VPN router
So how do you get the best performance with your VPN router?
Here is the checklist:
- You will first need a fast internet connection from your internet service provider. (A VPN cannot make your internet faster, unless your ISP is throttling your speeds.)
- Next, you will need a fast VPN service. The fastest VPN we have tested is NordVPN.
- Use a fast VPN router with a powerful processor, such as one of these:
- Connect to a nearby server that has enough bandwidth
- Use a wired ethernet connection for the fastest speeds and strongest security (don’t use WiFi).
Previously, it was very difficult to get above 100 Mbps with a VPN router. However, if you follow the checklist above, you should easily be able to get over 100 Mbps with your VPN router.
Preconfigured VPN routers
If you want to minimize the hassle, risks, and potential frustration of flashing your own router, then a pre-configured VPN router is a good choice. While it will be more expensive than your standard (non-configured) router, a pre-configured router will probably save you time and it also comes with dedicated support.
Here are the best three options for a preconfigured VPN router, which we’ll examine in detail below:
- Vilfo router
- Sabai Technology VPN routers
- Flashrouters
Let’s examine each of these in more detail.
Vilfo VPN router (fastest VPN router)
The Vilfo VPN router is arguably the best VPN router on the market. It is based on OpenWRT firmware and offers numerous features and customization options. In terms of performance, it is the fastest VPN router we have tested (so far).
Below is a speed test we conducted for the Vilfo router review. It was conducted using a nearby NordVPN server:
Note: While the screenshot above was taken with NordVPN, we’ve also clocked similar speeds when testing out the Vilfo router in our Surfshark review.
The name of this product tells you all you need to know. The Vilfo VPN router, created by Vilfo AB of Sweden, is first and foremost designed to be a top-end VPN router. We’ve seen reports that the router can get 500+ Mbps with OpenVPN encryption. Impressive to say the least.
From the ground up, this router was designed for VPN services. It has support for many of the leading VPN services built right in (including two of our favorites, ExpressVPN and NordVPN), and works with any VPN service that supports OpenVPN and exports their configuration information.
Aside from just speeds, this VPN router also packs in many other impressive features and options:
- Feature-rich dashboard to monitor traffic and manage users, devices, and groups of devices
- Split tunneling to route devices and/or websites outside the VPN tunnel
- Support for multiple simultaneous VPN connections
- Parental controls
- Built-in kill switch to ensure all traffic remains encrypted
The company behind Vilfo is the same team that offers OVPN, one of the best VPN services based in Sweden. They offer live chat support and a generous one year hardware warranty. To find out more about the Vilfo VPN router, check out our in-depth review here. We have an in-depth Vilfo review here – or check out the website below.
https://www.vilfo.com
Sabai Technology VPN routers
If you are looking for a router that is both user-friendly and also offers great features, Sabai Technology would be an excellent choice. The Sabai OS firmware is based on Tomato, but with more features and regular updates.
One feature I really liked when testing out the Sabai OS device was the Gateways feature. The Gateways feature allows you to selectively route every device that connects to the network. In other words, you can route certain devices through your VPN and others through your local (unencrypted) connection.
The Gateways feature also functions as a kill switch. In other words, if a specific Gateway drops (such as the VPN routerâs connection to a VPN server), traffic will be blocked for all devices assigned to the VPN router. This keeps you safe and helps prevent any IP address leaks.
You can also supercharge your VPN router speed using the Sabai VPN Accelerator, which is a Mini PC that connects directly to the router and handles all encryption for the VPN.
With the Sabai VPN router I tested, the setup and configuration process was quick and easy. Additionally, Sabai offers great support from helpful and responsive in-house technicians (no third-party support). And lastly, the Sabai OS firmware remains under active development with regular security updates.
https://www.sabaitechnology.com
FlashRouters VPN router
FlashRouters is another great option that specializes in VPN routers that run Tomato and DD-WRT firmware.
FlashRouters relies on free and open-source firmware, which you can freely get online, rather than their own custom firmware. While there is a benefit to the firmware being open source, it may also suffer from less active development and fewer security updates.
You can also find routers that are specifically configured for certain VPN providers. Just visit the site and select your VPN service to see the available routers.
The FlashRouters website is also a good information resource if youâre looking to learn more about:
Flashrouters remains one of the most popular sources for a preconfigured VPN router. Check out their site for more info.
https://www.flashrouters.com
Conclusion on pre-configured VPN routers
While pre-configured routers are more expensive than some other options, they are still a good choice if you donât want the hassle and risk of flashing your own router. The support is also very helpful for getting everything working correctly.
However, there is a cheaper option, and that is with VPN-ready routers.
VPN-ready routers
Aside from getting a pre-configured router, the next easiest option is to go with router that can be used with OpenVPN right out of the box, which I refer to as a VPN-ready router.
For VPN-ready routers that natively support OpenVPN (without any customization or flashing), you have these choices:
- Asus routers â Asus is my favorite option because it offers a huge selection of VPN-ready routers, with very good prices. Not all Asus routers are VPN enabled â see the Asus section below for a complete list of routers and specifications.
- Synology routers â Synology currently offers two routers that can be quickly configured with OpenVPN with little time and effort (no flashing): RT1900AC and the RT2600AC.
Note: There are also a number of smaller VPN router âboxesâ being marketed by various companies. In general, these appear to be underpowered for OpenVPN use. Some of these boxes also appear to lock you into subscribing to their VPN service.
Tip: Iâd recommend going with one of the larger manufacturers and using a firmware that is regularly updated for security fixes.
Weâll take a close look at each option below.
Asus VPN routers
If youâre looking for the best VPN router that you can use right away, then Asus is tough to beat.
Asus offers a great lineup of VPN-ready routers â from cheap to high-end. They offer several routers with powerful processors that can do exceptionally well with VPN encryption. As a matter of fact, NordVPN strongly recommends Asus routers for the best performance.
The fastest Asus router available now is the Asus RT-AX88U. It can hit speeds over 200 Mbps with OpenVPN.
Here is the best Asus router that supports OpenVPN encryption, the RT-AX88U AX6000:
One drawback with this router, however, is that it is one of the most expensive routers from Asus that supports VPN encryption right out of the box. You can see the current prices on Amazon here.
Easy to setup Asus VPN routers
The AsusWRT stock firmware natively supports these VPN protocols: OpenVPN, L2TP, and PPTP. Setup is a breeze (about 20 minutes or less) and you can load numerous VPN configurations onto your router (which is something you canât do with DD-WRT).
To show how easy this is, I have put together this setup guide using the AsusWRT firmware, Ad Blocker on a Router with a VPN (with Perfect Privacy).
TIP: I would recommend upgrading your Asus router to the Asus Merlin firmware, which will improve speeds, security, and include more features. (We’ll discuss this more below.)
All Asus routers you can use with OpenVPN
Here are the Asus routers that are VPN-ready (support OpenVPN right out of the box) and can be set up with minimal time and effort:
- ASUS RT-AC66U (AC1750)
- Asus RT-AX56U AX1800
- Asus RT-AX3000
- Asus AC-1900 (RT-AC68U)
- Asus AC2900 (RT-AC86U)
- Asus RT-AC3200
- Asus RT-AC87U AC2400
- ASUS RT-AC88U
- Asus RT-AC5300
- Asus RT-AX88U AX6000
- Asus RT-AX92U AX6100
Important Note: Do not be confused by the numbers, they do not always correspond to speed and performance (bigger number does not mean faster). A big factor with speeds is the specific processor the router is using, and whether it supports accelerated speeds for VPN encryption (AES-NI).
The fastest Asus routers from the list above are:
- Asus AC2900 (RT-AC86U) [Best value router, speeds of 150+ Mbps]
- Asus RT-AX88U AX6000 [Fastest router with most features, speeds of 200+ Mbps]
Iâve found Asus routers to be very stable with good performance, while also being easy to set up. The stock firmware allows you to set up custom DNS and also block IPv6. Additionally, Asus routers are very versatile and can be used with lots of other firmware, such as Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT, and Sabai OS.
Here are some pros and cons of Asus VPN routers based on my experience with testing various models:
+ Pros
- Large VPN router selection (all price ranges)
- Stock firmware (AsusWRT) is very easy to use with VPNs
- Router be used with other firmware: Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT
- Very durable (difficult to brick)
- Solid performance, especially the newer models
â Cons
- Stock firmware (AsusWRT) has fewer features compared to Asus Merlin
Conclusion on Asus VPN routers
Asus routers are one of the best values you will find for a VPN router that you can unbox and use within minutes. With the models noted above, you can get many features and blazing fast speeds, which were previously not possible with consumer-grade routers. To get the most out of your Asus router, I would strongly recommend upgrading to the (free) Asus Merlin firmware.
If you are looking for the best-value VPN router, go with the Asus AC2900 (RT-AC86U), which is cheaper than many other models, but still offers amazing speeds.
Synology VPN routers
Synology offers two routers that natively support VPN use. Synology also does a good job with regular security updates. While the selection isnât huge, both of the Synology VPN routers appear to be decent options:
Synology RT1900AC (1.0 GHz â dual core processor)
Synology RT2600AC (1.7 GHz â dual core processor)
The fastest of these two VPN routers is the Synology RT2600AC:
In comparison to similarly-priced Asus router models, Synology is not quite as fast.
You can see the Synology router lineup on Amazon for more details.
Conclusion on VPN-ready routers
Setting up a VPN-ready router should be a fairly straight-forward process. This is particularly the case with Asus VPN routers. All you need to do is import the OpenVPN configuration files, add your VPN username and password, and then you should be able to connect the router to a VPN server. If you need
This guide covers setting up VPN enabled Asus routers using the stock firmware (AsusWRT): Ad Blocker on a Router with a VPN (with Perfect Privacy).
Another advantage with VPN-ready routers is that they are usually cheaper than preconfigured VPN routers. You can get a great model, such as the Asus AC2900, without spending a fortune.
VPN router firmware options (and flashing a router)
The next option is to flash a router you have with firmware that will support a VPN. This will be more complicated than getting a pre-configured router, or a VPN-ready router with native VPN support. The level of complexity will depend on the firmware and the specific router you are using.
In this section on flashing a router, we will discuss the following firmware:
- Merlin AsusWRT
- DD-WRT
- Tomato and Advanced Tomato
- OpenWRT
- pfSense
The first option weâll discuss is the Merlin AsusWRT firmware, which is relatively easy to install and use with a VPN.
Merlin AsusWRT routers
AsusWRT by Merlin is a third-party open source firmware that builds on and improves the AsusWRT firmware. AsusWRT by Merlin is one of the best options if you want a secure, user-friendly firmware with lots of features for use with a VPN. (Itâs also free.)
A Merlin AsusWRT router offers the following benefits:
- Enhanced security â Merlin AsusWRT is regularly updated to fix bugs and security vulnerabilities. You can verify the latest security fixes on the changelog. The developer is active, unlike with some other firmware.
- Policy-based and selective routing â This allows you to select specific devices or destinations to use the VPN, with everything else going through the regular ISP connection. Merlinâs user-friendly policy-based routing feature is a distinguishing factor separating it from other VPN routers. Some people need this for bypassing the VPN, such as with Netflix or other websites.
- Kill switch â A kill switch will block all internet traffic if the VPN connection is lost. Setting up a properly functioning kill switch can be tricky with some VPN routers. With Merlin AsusWRT, this is easy.
- Multiple VPN clients and servers â Merlin AsusWRT allows you to configure two VPN servers and up to five VPN clients. You can also use different VPN clients at the same time with different devices (but I would recommend a higher CPU router in this case).
Merlin AsusWRT is a reliable, secure, and feature-rich option for Asus routers.
Combining a high-performance Asus router (such as the Asus RT-AX88U or Asus AC2900) with Merlin firmware and a high-quality VPN service is one of the best options around. You will be able to secure your home network without sacrificing performance.
Merlin AsusWRT supports the following routers:
- RT-AC66U_B1 (same firmware as the RT-AC68U)
- RT-AC68U (including revisions C1 and E1)
- RT-AC68P (same firmware as RT-AC68U)
- RT-AC68UF (same firmware as RT-AC68U)
- RT-AC87
- RT-AC3200
- RT-AC88U
- RT-AC3100
- RT-AC5300
- RT-AC1900 (same firmware as RT-AC68U)
- RT-AC1900P (same firmware as RT-AC68U)
- RT-AC86U (starting with version 382.1)
- RT-AC2900 (same firmware as RT-AC86U)
- RT-AX88U
- RT-AX56U
- RT-AX58U
- RT-AX3000 (same firmware as RT-AX58U)
Note: The U, R and W variants are all supported, as they are the exact same hardware and firmware, only different marketing SKUs or different case color.
Here are some general pros and cons of the AsusWRT Merlin firmware:
+ Pros
- User-friendly interface
- Kill switch and policy-based routing options
- Support for multiple VPN clients
- Active development with regular updates
- Support via the SNB forum
â Cons
- Limited to Asus routers (but with a good selection of models)
Additional resources:
- Official Merlin AsusWRT website
- Official Merlin Github page
- SNB Forums (active community, with the developer offering direct support)
- Youtube video demonstrating how to setup a kill switch and policy-based routing
DD-WRT routers
DD-WRT is a Linux-based firmware that was developed to enhance the functionalities of wireless routers. It is a popular option because it can be used with many different routers and it offers some good features.
Despite itâs popularity, however, DD-WRT does have some drawbacks. First, you can only load one VPN configuration on the router. This prevents you from easily switching between different VPN server locations.
Another issue Iâve noticed is that the development community seems to be less active. This means fewer updates and less-regular security patches. DD-WRT can be somewhat tricky to setup if you are flashing your own router. You also run the risk of bricking your router (some models are more durable than others).
For some people, ordering a preconfigured DD-WRT router from FlashRouters may be the best bet â see their lineup of DD-WRT routers here.
Flashing a DD-WRT router
You can also try flashing a router you already own with DD-WRT firmware. Here are the two main resources you need:
If you are considering flashing with DD-WRT, just beware of the risks (permanently breaking your router). Also be sure to follow the official DD-WRT guidance for your router model.
+ Pros
- Huge number of routers supported (see here)
- Good Quality of Service (QoS) controls (for bandwidth allocation)
- Ad blocking feature
â Cons
- Only supports one VPN configuration
- Less active development with fewer security updates
- More difficult to install than other firmware options
Additional resources:
Tomato and AdvancedTomato routers
Tomato is another alternative, open source firmware for routers. Tomato firmware has many similarities to the AsusWRT Merlin firmware. It gives you the option to use up to two VPN servers and two VPN clients, while also having features for policy-based routing.
Unfortunately, the original Tomato firmware seems somewhat outdated, especially when it comes to supporting newer routers. One alternative would be AdvancedTomato firmware instead of the original Tomato firmware.
AdvancedTomato offers some good improvements over the original. The overall design is better, which gives you more control over your routerâs features.
Sabai OS (based on Tomato) â Finally, the lineup of VPN routers from Sabai Technology all have the Sabai OS firmware, which is based on Tomato. To use Sabai OS on an existing router you own, you would need to purchase a license. However, Sabai OS offers the benefits of regular security updates, great support, ease of use, and good features.
See the full lineup of Sabai VPN routers here.
Pros and cons of Tomato and AdvancedTomato firmware:
+ Pros
- User-friendly layout (especially with AdvancedTomato)
- Supports 2 VPN servers and 2 VPN clients
- Quality of Service (QoS) options for bandwidth control
â Cons
- Original Tomato firmware outdated
- Installation can be more complex
- Many of the supported routers are outdated and/or underpowered for VPNs
Overall, Tomato is a decent option for VPN routers, although AdvancedTomato seems to be the better option.
Additional resources:
- Original Tomato website
- AdvancedTomato website
- AdvancedTomato supported devices
- r/TomatoFTW (reddit)
- Sabai OS VPN routers (based on Tomato)
OpenWRT routers
OpenWRT is another open source firmware to enhance and secure wireless routers. It has many great features while also supporting a large number of devices.
Development of new versions of OpenWRT continues, although not at a rapid pace. The OpenWRT forums are likewise still active, with around 200 messages a week in total.
OpenWRT offers some nice features. Aside from VPN capability, it also provides QoS options, BitTorrent client configuration, server software, and traffic analysis features.
ExpressVPN has a great router app that is based on OpenWRT. You can get more information from the routers section of the ExpressVPN website.
+ Pros
- Support for many devices
- Good Quality of Service (QoS) controls
- BitTorrent client configuration
â Cons
- Less active development with fewer security updates
- Limited support for newer routers
Additional resources:
pfSense routers
A PC router running pfSense will be more complicated to setup, but it does offer some great features. pfSense is an open source firewall/router computer software distribution based on FreeBSD.
Unlike some router firmware, pfSense continues to gain popularity with active development and new features being added.
While pfSense gives you very powerful tools and features, setup can be difficult if you lack the necessary technical and security background. Ultimately, these complex and powerful features can end up being worse than less secure options that are easy for anyone to set up. It all depends on the user.
pfSense router performance with OpenVPN
With a very basic and cheap PC that is properly configured with pfSense, you could get a high-performance router.
The main difference here is processing power (CPU). Nearly any PC will outperform even the high-end router models. Two popular options when using a PC for a router include:
- A mini-PC with pfSense (often called a pfSense box)
- An old PC (see this video)
With these two options, you will still need an access point for devices to access the network. This usually means your PC will be hooked up to a regular router, which will serve as the access point for the PC.
The pfSense forums are a good resource for VPN router setup advice. But be careful: if you lack the background in this area, setting up a pfSense VPN router can be especially difficult, frustrating, and time-intensive.
+ Pros
- Very secure
- Numerous features
- Highly configurable
- Solid performance
â Cons
- More difficult to setup
- With PC routers, you will also need an access point for the wireless
Additional resources:
- pfSense official site
- pfSense forums
- List of pfSense features
- pfSense wiki
- r/pfsense (reddit)
- Great video series introduction to pfSense
Policy-based routing (selective routing)
One issue that often comes up with VPN routers is policy-based routing. This entails routing specific clients (devices) or connecting to certain websites outside the VPN tunnel. This is usually important for accessing sites that block VPNs, such as banking websites or perhaps Netflix.
How to set up policy-based routing depends on the firmware you are using.
Vilfo VPN router â This router takes policy-based routing to a new level. You can have 10 simultaneous groups, each of which is connected to its own separate VPN service, or none at all. Within a group, you can disable the VPN connection temporarily giving you total control over routing.
Sabai OS â As mentioned above, all Sabai OS VPN routers have the option to selectively route each device that connects to the network. This can be simply controlled through the Gateways feature.
AsusWRT Merlin â Another easy option for policy-based routing is to use the Merlin firmware on a compatible Asus router. This video clearly explains creating a kill switch and policy-based routing for your VPN with AsusWRT Merlin:
Tomato and AdvancedTomato â AdvancedTomato firmware provides policy-based routing support. Instructions for standard Tomato firmware come from VPN.ac. Their TomatoUSB Policy-Based Routing guide includes detailed instructions for different scenarios.
DD-WRT â Setting up policy-based routing with DD-WRT is relatively straightforward. FlashRouters put together an excellent guide for DD-WRT routers, see Dual Gateway VPN Blacklist by Device for more information.
Dual VPN router â Another option for separating traffic between your VPN tunnel and regular ISP connection is to use a dual VPN router setup. With this, you will be able to easily switch back and forth. The main drawbacks, however, are increased power consumption and the possibility of wireless interference.
Kill switch on a VPN router
A kill switch is an important feature to block internet traffic if your VPN connections drops. This prevents your real IP address from being exposed.
Vilfo VPN router â The Vilfo router has a built-in kill switch that is active for all devices, and controlled from the OpenVPN settings page.
Sabai OS â The Sabai OS firmware includes a built-in kill switch when you set up the Gateways feature. This is probably the easiest option available for a VPN router kill switch.
Merlin AsusWRT â The video above covers setting up a kill switch.
Tomato and AdvancedTomato â Setting up a kill switch for Tomato VPN routers just requires creating a rule. Using the rule below, traffic will only be forwarded through an active VPN connection.
In Administration > Scripts > Firewall tab, add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Save the rule and reboot your router.
DD-WRT â Just like with Tomato, to add a kill switch on a DD-WRT router you just need to add a rule. Again, this only allows traffic if the VPN connection is active.
In Administration > Commands > add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Select âSave Firewallâ to save the rule and reboot router.
Conclusion on VPN routers
While there are many reasons for using a VPN router, security and privacy are two of the most important factors.
If you have a standard (non-VPN) router now, replacing its stock firmware with one of the alternatives in this guide is a good idea from a security perspective.
An even better idea would be to replace your current router with a VPN router such as the Vilvo VPN router, or one of the many offerings from FlashRouters or Sabai Technology.
Over the last few years there have been endless articles written about how intelligence organizations like the CIA have exploited security vulnerabilities in routers to spy on people.
Another tip for securing your network is to simply stop using wireless and go back to wired-only (ethernet) connections. Ethernet connections are vastly more secure than WiFi, and a connection using a high-quality ethernet cable can be much faster than a wireless connection.
In the era of COVID-19, many of us are working from home (perhaps permanently). That often means things like connecting to the company network from your living room, and downloading proprietary information rather than just cat videos. This make the information running through your home internet connection vastly more valuable to hackers and other creeps than it used to be.
Failure to secure your network and personal internet connection with a VPN could have major consequences.
And finally, thereâs also the convenience factor.
Using a VPN on your router will extend the benefits of a VPN to all your devices, without having to download VPN software on each device.
As you can see in this guide, a VPN router is a powerful solution that you can implement. Whether youâre a tech newbie or a super geek, using a good VPN router is a smart choice to protect all of your devices.
This VPN router guide was last updated on February 17, 2022.
I would add VyOS as a replacement for pfsense for two reasons:
1. pfsense forums won’t help anyone unless you buy one of their hardware boxes with pfsense pre-installed (same with OPNsense)
2. VyOS is much easier to configure, if you are used to command line configurations, like Cisco IOS routers, and since VyOS runs on Debian linux, that’s a huge plus.
I’ve just discovered your site and thank you for providing your services to people like me who just want to use my computers with my privacy protected. My old router is a linksys EA6300 I used with Avast antivirus and Nord vpn. I haven’t had any problems for years downloading movies, using bitlord and Nord. Now my isp spectrum (buffalo NY) has been spying on me. sending me warnings about copyright infringement. I bought a Asus RT-AX3000 vpn router. I want to ditch Avast and buy a antivirus to work with Nord. I want to configure the new router correctly. I have been hesitant because i didnt set up the old EA6300 properly. i used the default admin and password. I know not to do that now. I tried to login to the old router and the isp or Avast won’t allow me to login to my own linksys EA6300 router. is their away around it. Can you help me to set up use the RT-AX3000 with my isp
All you need to do is plug the VPN router into one of the ports of your old router. You can use both together, but just connect to the VPN router when you want full encryption, and the regular router when you don’t. It’s pretty simple. You don’t need to even get rid of your old router.
Great article and you are right about pfsense not being for the faint of heart. Anyone up to the challenge click here. (scroll through it before you commit )
Hats off to [https://nguvu.org/] who provided this for us….thank you
[https://nguvu.org/pfsense/pfsense-baseline-setup/] –
Have you had the chance to check Invizbox 2? Would you recommend it?
No, but last I checked, these were all underpowered.
Ok, so I set up my VPN router. I’m satisfied with my speed. Having FTTH 300Mb/s connection to the router. Using pc, laptop, android. all Wifi. Having ~110Mb/s connection via WiFi. Using Wifi 5.
No problems with VPN (OpenVPN protocol), running stable.
Router: Asus RT-AC86U + Asuswrt-Merlin firmware (newest)
VPN: NordVPN
Hi Sven,
I was also going to ask you to test the Gl.iNet routers for your loyal readers – I see that Jon above has beat me to it. They are very VPN friendly (preconfigured), and very reasonable in cost. I wonder how these little routers compare in performance and privacy credentials with the much more expensive heavy-weights?
One complaint I have is that access to router admin window is http, not https.
Look forward to you including these routers and any test results in your future reviews!
Thank you!
OpenWRT 21.02.0 – First Stable Release – 4 September 2021
OpenWrt Just got a new version release. It’s nice to see that it’s still being actively maintained and improved:
https://openwrt.org/releases/21.02/notes-21.02.0
First thanks for the information Iâm now more comfortable than before but Iâm still worried from my router from the first day I brought it my iOS device non stop warning from the wifi router for huge tracking numbers & how Iâm at risk! Plus I canât use wire for my iOS iPhone, iPad
My router is expensive & provided from the communication company by contract for 2 years . They give me two lines/chips, one to use it in the router the other is data share which I used in my iPhone as a second number.
The router is: Obri 750 by NETGEAR
they offer an application to control of my router + they not stopping offer me their armor (web protection) by Bitdefender & a (VPN) FOR NETGEAR – Bitdefender I used then I deleted for some security issues I discovered which I couldnât write about it. So I want your advice please if I should continue use this router with perfect vpn or something else or it wonât help with this router + the vpn from Bitdefender I checked their privacy & I donât feel comfortable with it.
One more question: do you think iCloud emails is safer than gmail? Because Iâm worried about google company.
Iâm writing this long comment đ at duckduckGo & I changed the search from google to DuckDuck.
My regards,
From Kuwait
Hello Sven Taylor,
Hope you are in good health!
How about do some reviews on TRAVEL ROUTERS? Have a look at: https://www.gl-inet.com/
Runs OPENWRT and supports both WireGuard and OpenVPN protocol.
I looked at these a few years ago. They were very much under-powered for day-to-day use. But we can take a closer look with the next update.
Dear Sven,
I completely agree with you, however they are travel routers and I’m using Beryl router from gl-inet and it performs very well over WireGuard protocol (Tested it with Mullvad, VPN.AC and TrustZone VPN).
Interesting read: [https://goconnectinc.com/5-reasons-to-have-a-travel-router]
I will look forward to seeing your future update regarding travel routers.
Hello Sven
I have 1.1.1.1 w/ warp installed on my android smartphone
which i’m using for tethering with my home desktop.
Looks like it improves my browsing speed.
What is your opinion about this arrangement ?
How is this affecting my desktop privacy or
any other aspect of accessing the web ?
Cloudflare is a US corporation, which is not recommended for privacy reasons. US VPN and email services have been forced to log user data for government authorities.
That aside, you are only encrypting DNS. This means your IP address remains exposed with everything you do, and even your ISP can see and log every website you visit, even while sending Cloudflare your DNS requests. So for more privacy, go with a full VPN on your Android phone.
Hello everyone!
Please test the older models of routers from Russian developers, the older models are of interest: Keenetic Giga, Keenetic Ultra, Keenetic Giant. In Russia, they have been the most optimal for the last 5 years. Previously, this division of developers worked as part of a single brand Zyxel, but the guys won a resounding success, overtaking American and Chinese manufacturers for many years to come, now exists as a separate brand and surpasses all well-known brands combined in terms of profitability. The devices have support for all known languages ââand a mobile application that has no analogues in the world. I myself use an old router with Apple HDD and Keenetic, I have not tested it yet, but I have plans to go to VPN, because the idiot in the Kremlin is following us.
Hi Sven;
Thank you for your great website and its invaluable content.
I wanted to ask do you know any routers capable of inclusive split-tunneling?(i.e. making some websites or apps to go through the VPN tunnel and others don’t.) I will be thankful if you suggest some. Also Speed is important for me but keep in mind that the baseline speed my ISP gives is 80Mbits/s so going beyond that is impossible for me.
So is there any VPN router(preferably ASUS or Linksys) that I can buy which have the Split-Tunneling feature? (and of course one which that can handle speeds around 80Mbits/s)?
Thanks in advance.
The Vilfo router meets those requirements.
Thank you Sven, But Vilfo router isn’t available in my country, can you suggest one from the ASUS or Linksys line of routers.
Regards.
Perhaps one from the Asus lineup described above in the article, but I have not tested the latest firmware to see if it is capable of “inclusive split-tunneling” as you describe.
You could also go with an Asus router from above, and then flash it with the Merlin firmware, which has policy-based routing.
https://www.asuswrt-merlin.net/features
That would probably be your best option if you can’t get the Vilfo.
This is partially a comment in appreciation of the great info you & others have shared but also for those looking for a lil’more speed if they don’t mind getting into the command line interface (CLI) to get everything they’re paying for out of their VPN provider (I read your review of Surfshark… _very_ impressive results though my ISP is only ~1/3rd of your results (120 Mbps)):
Simon MOTT published his benchmarks of IPSec/IKEv2 rates for Ubiquitiâs EdgeRouter entry-level business/SOHO/’prosumer’ routers, ER4, ER-Lite, ER-X. Posted to his blog 2018 Aug 29, I can only imagine his results of ~200 Mbps on the 59.00USD ER-X (via store.ui.com) would be about the same or better with Wireguard. He’s benchmark the ER-4 @ ~445 Mbps w/ IPSec/IKEv2.
These routers feature both TCP *and* IPSec offloading. I expect to have quite the fun to get my LAN just as I want it!
https://www.simonmott.co.uk/2018/08/ubiquiti-edgerouter-ipsec-performance/
As always, YMMV… but still, perhaps it can be the subject of a future review, eh, Taylor?
Hello,
Does anyone have any info on the speed of the ASUS RT-AX92U? I like the idea of the triband mesh capabilities but if it can’t handle expressVPN then probably not the best option.
I live in a 3 story house and wanted a good router and 2x nodes for decent coverage.
Thanks, any advice would be much appreciated
Hi,
*Update to question*
After doing some more research, would the 2 or 3 RT-AX88U (with Merlin) give better WiFi performance as a mesh system than the RT-AX92U?
Basically for the price difference, is the possible gains worth it?
3x RT-AX92U are about ÂŁ530 (350 for a pair + 180)
3x RT-AX82U are about ÂŁ900
Planning to run expressVPN
I’m a bit of a noob and getting confused with the duelband Vs triband and also the fact that WiFi 6 won’t be available on the 92U as I will have to have wireless backhaul. So not sure what system will give me the best performance in my house which is on 3 level’s. Mainly streeming Netflix, youtub and also working from home with some occasional gaming.
Any advice would be appreciated
Thanks
UPDATE FROM 2021
For people thinking of purchasing Asus RT-AC86U, I have some recommendations.
Choose a VPN provider that offers 128-bit encryption OpenVPN configuration files, because those are the only ones that offer stable performance.
256-bit encryption causes decryption errors and subsequent packet drops. This was tested with most VPNs in this resource’s top VPN services list and the most advertised solution, playing with the MTU to be more precise, on 256-bit connection doesn’t help at all.
FYI: VPN.ac offers 128-bit encryption configuration files, but it has connection logs, which people consider a privacy issue for some reason. I don’t think it is, because your ISP will still see what IP address you were connected to. In other words, if someone would want to see what server you were connected to (3 letter agencies for example), they would have this info either way. Their browser extension seems more superior to others as well.
And another update: VPN.ac told me they stopped keeping the 24 hour connection logs and will be updating their site with this and other new information later this year.
Vilfo privacy is a major concern. From their privacy policy:
âVilfo does log license code information to ensure that a valid license code is used. IP address and email address used is also stored to prevent potential abuse and troubleshooting assistance.â
The main reasons we use NordVPN and ExpressVPN is for the security and especially privacy â No Logs policies and Anonymity. Vilfo violates this with their logging.
No, thank you. Iâll stick with Asus and Merlin. With Vilfo, their speeds, ease of use and convenience are outstanding though.
BTW, you should add Asus RT-AX86U to your Recommended list. It has the same processor, flash and RAM as the RT-AX88U, but with WPA3-Personal already available, and is on the Merlin compatibility list. There are 2 downsides to it though: it stands up like the old RT-AC86U and lacks a button to turn off WiFi.
Hi Sven,
what is your take on invizbox router? It could be configured to natively support several VPN providers and the cost is reasonable. You don’t have it mentioned in your review and wondering if there is a reason.
Hi Sven,
I really like this site and the articles.
I am using the Linksys WRT3200 router with ExpressVPN app for routers, latest version 2.6.4
ExpressVPN is the only VPN provider with a easy to use router app with a clean and simple interface.
I am located in Norway and I have a 300/300 fiber connection.
When connected to Expressvpn server in Norway or Sweden I get between 120-150 mbps download and upload speed, ping is between 13-20 ms.
This is on WiFi and using the new lightway protocol which still is in beta.
What do you think about the speed I get ?
I recently was told by the Nordvpn chat that they are working on some router app.
I think configuration and use of VPN should be made easy.
And should I use multi or single measurement method at Speedtest.net/Speedtest app when testing the vpn speed?
Expressvpn also donât have the greatest speeds.
I had the Netgear Nightgawk R7000 before and it did give only about 25-30 mbps.
In my opinion the Linksys WRT3200 is a good vpn router if flashed with the expressvpn app for routers.
Our top router recommendation remains the Vilfo router. And the fastest VPN speeds we were able to get with it was when using NordVPN. See our Vilfo review.
Hello Sven,
Iâve been reading your information on VPN options and all things related. I went ahead and signed up for NordVPN to get their promotional price offer. We operate our small business on Apple still centered around our Time Capsule. Is it true that we canât set up router based VPN on Time CapsuleâŚ.if so, does that mean it’s time to put it out to pasture?
Your comment to Erik on 12/3/20 states your top choice would be the Vilfo router. Would that work with our Apple network? And last, under âConclusion on VPN routersâ you mention that another option is âsimply stop using wireless and go back to wired-only ethernet connectionsâ. That makes sense, but doesnât the router still need to be the âblockadeâ (point of entry) to prevent any outsider from getting in? Thanks.
Hi John, sorry but I’m not up on Time Capsule (never used it) or Apple networking devices. I do use the Vilfo every day and really like it.
Sven,
I’m really appreciating your website. I’m trying to implement some changes based on your recommendations and I’m stuck at the VPN. I was hoping to get a UniFi Dream Machine because of its features, but it doesn’t seem to have the feature set to run a VPN server natively (there seems to be a work around but I’m not savvy enough: https://github.com/tusc/wireguard )
I’m wondering if you saw this? https://www.indiegogo.com/projects/world-s-1st-decentralized-vpn-firewall-for-life#/
Nope, I haven’t seen that. Let’s see if it makes it beyond Indigogo.
It’s not their first product but there seem to be delays.
Have you any experience with the Firewalla Gold?
No.
Sven,
Thanks for the article, very interesting and helpful read
I have just changed to an ISP that is capable of delivering 300 MBS and I use NordVPN
My existing Asus router is only capable of about 20 MBS with NordVPN activated
I have had discussions with both Asus and NordVPN and the conclusion is that my existing router is not up to the job
– which is essentially what your article is saying
For me it looks like a choice between the Wilfo router and the Asus RT-AX88U AX6000
With the Wilfo router, you say the speed was achieved connecting to a nearby NordVPN server
– did that change with other NordVPN routers ?
Apart from the nearby NordVPN server, did you have to do anything special to get the 268 MBS download speed ?
As regards the RT-AX88U AX6000, did you have to do any particular tweaks to get the 200+ MBS speed ?
Does changing the firmware for Merlin AsusWRT or DD-WRT enhance the speed or do they just add extra features ?
So I guess the choice comes down to:
1) a relatively unknown router developer with the best speed – Wilfo
2) a well known router developer with adequate speed – Asus
Do you have any other comments which might help make the decision ?
Thanks
Geoff
Hi Geoff,
No, I did not do any tweaks to the routers. I just used the stock firmware. With Vilfo, NordVPN is already supported and the configuration files are on the router, which runs the open source OpenWRT firmware, which is great. I’m still using my Vilfo every day, it does the job, is easy to use, and gives you more features and options than you will find with the standard Asus lineup. I tested out a few different VPN services with the Vilfo router, but found that NordVPN performed the best by far.
Awesome article and website, thanks a lot!
Have you had the chance to take a look at the products from the Hong Kong based company GL-iNet (https://www.gl-inet.com) such as the Edge Computing Gateway GL-MV1000 (aka Brume, https://www.gl-inet.com/products/gl-mv1000/)? They’ve also equipped it with a quite powerful processor that allows up to 97Mbps. Works quite well.
Not yet, but looks interesting, thanks.
Hi Sven,
First of all, I appreciate the content you have created on this website! I believe in a decade, not taking care of your privacy will be treated as smoking is treated in 2020.
Is it possible to estimate potential internet speeds depending on specific router`s processor when running VPN on the router? Maybe a suggestion for a future article/experiment? đ
You mentioned some top range Asus routers that cost ÂŁ350+ that they could handle 200 Mbps. In my case, it would be an overkill as I only can get 80 Mbps form my ISP.
What would be the most suitable (cheapest) Asus router for a 80 Mbps connection?
Or what speeds I could expect from a and VPN client ready ASUS router range costing ÂŁ120?
I would like to get at least 5 MB/s download speeds, and not spend much more than ÂŁ120.
Any help would be appreciated.
Thanks,
Abs
Hey Abs, I think the best value is still the ASUS AC2900 at under $200 (today’s price in the US). This will give you plenty of speed (over 100 Mbps).
One option that is cheaper is the ASUS RT-AC68U, which could give you speeds around 30 to 40 Mbps with the processor it has.
Thank you for the reply, Sven!
Hi,
Comcast is my ISP with 1 Gb plan.
Sending back my monthly rental XB7 modem/router/access point.
Humbly buying hardware for each part of my network. Beyond the ISP signal from Comcast.
Question: Modem: Zoom technologies Motorola 8600 Zoomâs Motorola MB8600 DOCSIS 3.1. Do I buy this hardware for my network? Or, since I see Zoom, do I avoid?
Arris SURFboard SB8200 is also supported by Comcast. At the end of the day, might they want my data as much as Zoom?
Both seem to meet current and coming standards and also communicate with a high performance VPN router.
I want to be consistent on each device to not be on the bleeding edge, yet consistent in their processor abilities to avoid bottlenecks.
I will leave a VPN refig router Q for another day. Also a VM Q.
Kind regards.
Sven,
Going with Vilfo based on your recommendation! Love the site, please keep up the good work.
Bill T.
Thanks Bill.
Hi Sven,
I Have a Asus rapture GT-AC-2900 router. I think I read that it has hardware encryption/decryption. My VPN speeds in MBit/s are like this:
PPTP 128 : R=170, S=3
PPTP 40 : R=70, S=70
OpenVPN AES-128-CBC : R=25, S=72
OpenVPN CAMELLIA-128-CBC : R=30, S=70
OpenVPN AES-256-CBC,komp : R=32, S=70
OpenVPN none : R=28, S=70
So with PPTP 128 I get very good receive rate of 170, but amazing send rate of 3 MBit/s. With OpenVPN rates seem independent of encryption method.
My max send rate over cable modem is 72MBit/s btw.
Did Asus really make such poor product? I would like to configure it do run R=170 and S=72.
Thanks for good article!
Best Morten
Hi Sven,
ASUS doesn’t list which of their routers have the AES-NI encryption acceleration processors; or at least I haven’t been able to locate this information. I see that ASUS has some new routers listed. However one of them I’m interested in is the RT-AX88U, with its quad core processor and LOTS of RAM. But I can’t verify if it has a AES-NI encryption acceleration processor. I don’t know why ASUS doesn’t list this information.
https://www.asus.com/us/Networking/RT-AX88U/
I need to get a router soon, as I installed NordVPN on my PC and it slows down my connection quite a bit, from around 112 Mbps down to 62 to 72 Mbps. I’ve worked with their tech support, and we’ve exhausted all of our options. I believe the problem lies with the ISP-supplied modem/router combo I’m using. I’m going to change it out for a better modem-only model, which means I need a router before I can do that.
If the RT-AX88U has an AES-NI encryption acceleration processor, that will be my choice. If not, the RT-AC86U will be my choice as it does have that processor. I know this processor isn’t an outright necessity, bout every little bit helps.
Either way, I plan to eventually flash whichever I get with AsusWRT Merlin, as they are both compatible.
Sven, if know if the RT-AX88U has the AES-NI encryption acceleration processor, could you please let me know, at at least where I need to look to find this information?
Thanks,
Dave
Hi Dave, you could see what processor the router is using and then look up the info on that processor, which should answer your question.
Hi Sven,
I did a whole lot of internet research on the RT-AX88U. It has a Broadcom BCM49408 CPU. Even though ASUS nor Broadcom say anything about it, from all of the research I have done, I fully believe that the RT-AX88U does indeed have AES-NI encryption acceleration, and from what I have read, it makes a huge difference in the VPN internet speed, with almost no reduction in speed all. I have decided this is the router I am going to buy.
You might consider adding it to your Amazon links above.
Thanks,
Dave
After looking into it more, this model is a great option and we’ve added it with this most recent update.
What do you suggest for VPN with a cable only modem (no wifi) with a network switch? It seems that I have to put VPN on each individual device. Is there a more elegant and easy solution?
Hi Vicki, a VPN may or may not be supported by your cable modem. But if it is, then any good VPN should be fine. If you can’t use a VPN on your modem, then you can plug a VPN router into your modem (WiFi disabled) and then plug the switch into the VPN router to cover all your devices.
Thank you, Sven, I will do some router searching. I prefer components without WiFi capability in the home – was not able to find a modem/router combo without WiFi and opted for the cable modem years ago. If you know of any VPN compatible, cable-only (no WiFi) routers or modem/router combos, please let me know. I might consider a unit with WiFi capability if it has a manual kill switch but haven’t found that either. Thanks for your work!
Sorry I didn’t clarify this better: I mean a manual kill switch just for the WiFi, while wired connection works. đ
Hello someone could help me ? I want to know if I keep my privacy by keeping aiProtection on or what the recommendation is about this feature in RT-AC86U , thanks.
I got ZTE II multifunction WiFi router.It supports connection by duplex VDSL to 100/50 Mbps, 24/1 Mbps in mode ADSL2+, ADSL2./slovak telecom under Deutche telekom/ on VDSL line.Will be VPN router Linksys E2500 powered by Sabai OS run perfectly
on this line,please ?Or which of Asus routers will be suitable for VDSL line?
Stefan
Hi
I wonder which of routers/Asus,Sabai os and so on/are can fight against ” Intelâs Active Management Technology (AMT) Management Engine (ME) and AMDâs Secure Technology both present a massive threat to user privacy and computer security “and how.
Stefan
Very good question Stefan, no simple answers when you go down that rabbit hole, unfortunately.
Hi Sven
I think that these sentences are interesting:
Permalink: [https://12bytes.org/37768]
Intelâs Active Management Technology (AMT) Management Engine (ME) and AMDâs Secure Technology both present a massive threat to user privacy and computer security.
On the Intel side, this highly controversial technology is integrated in nearly every processor the company has produced since 2008 and it can be difficult or impossible to disable it. These chips within chips, which run their own operating system, can access, and be accessed from, the network. Intelâs AMT/ME apparently has access to all of the hardware in the chain above it, including storage, cameras and microphones. Furthermore, the Intel AMT subsystem remains powered on even when the machine is âoffâ.
In the video, âGEOSHIFTERâ provides the port numbers he believes are used by the Intel AMT/ME system. You can block the ports in your router since it is apparently not possible to block them on the machine itself, however he also warns that doing so may not be effective if the router also uses an Intel chipset. In my case i use a Linksys WRT 1900 ACS which does not use an Intel or AMD processor and which has plenty of horsepower to handle VPN encryption. I replaced the stock firmware on the router with DD-WRT. The better option however would be to buy a Turris Omnia.
I believe the following is the correct code to block the ports on routers/devices which use the iptables firewall. On version 3 of DD-WRT, you can manage the firewall from Administration > Commands. Note that iâm blocking a few extra ports based on my own research of this issue:
iptables -I FORWARD -p all -m multiport –dport 623,664,5900,9971,16992-16995 -j DROP
Hi stevetoll, thanks for the info.