At nearly 5,000 words, this guide takes a deep dive into the world of VPN routers.
In today’s world, a VPN router is one of the most important privacy tools you can own. While a VPN allows you to encrypt and anonymize your traffic, while also give you easy access to content around the world. Combining a VPN with a router is a perfect match to extend these benefits to all the devices in your household.
While it may seem a bit complex to some, the truth is that anybody can use a VPN router – regardless of your experience level. In this VPN router guide, we’ll cover different setup options, the best VPN routers for different situations, as well as configuring a VPN router for policy-based routing and a kill switch.
But before we dive in, perhaps you are asking yourself, why do I need a VPN router? Well, here are a few reasons to consider:
- Protect and secure every device on your network.
- Secure your network against attacks, surveillance, and ISP snooping. Internet service providers often record your browsing history and online activities. And ISPs in the USA can now legally sell that information.
- Easily chain two VPNs at the same time for added security and anonymity (one VPN on the router, another on your computer). This will also protect you in the case that one VPN is compromised.
- Create a backup VPN (fail-safe) on your router in case of leaks, crashes, or problems with the primary VPN on your computer.
- Block ads and tracking on your entire network through the VPN
- Easily access blocked content or restricted websites with all your devices.
This VPN router guide is broken down into the following sections:
- VPN router setup options
- Why most VPN routers are slow
- How to get the best speeds with a VPN router
- Preconfigured VPN routers
- VPN-ready routers
- VPN router firmware options (and flashing a router)
- Policy-based routing (selective routing)
- Kill switch on a VPN router
- Conclusion and final recommendations
So let’s dive in to the topic of VPN routers.
VPN router setup options
You basically have three different options if you want to use a VPN on a router:
- Get a pre-configured VPN router. This is an ideal solution that minimizes hassle. Three great options for preconfigured routers are:
- Get a VPN-ready router that natively supports OpenVPN (no flashing required). There are many different models that support OpenVPN right out of the box. The best lineup of VPN routers (largest selection) comes from Asus, which we will cover below.
- Flash an existing router with firmware to support using a VPN.
We’ll cover each of these setup options in detail below, along with the best VPN routers for each category.
However, before diving into setup options, it’s first important to discuss a potential drawback with VPN routers, which is the speed reduction.
Why most VPN routers are slow
The VPN router’s processor (CPU) is arguably the biggest factor affecting overall speed (assuming you are using a good VPN). Unfortunately, the processors in most consumer-grade routers are underpowered when it comes to handling encryption with a VPN. The processors simply are not up to the task of handling VPN encryption with ease.
But on a positive note, this is starting to change with some of the better routers on the market – see the Asus ASUS RT-AX88U for example.
Sabai Technology has a unique solution for this problem with the Sabai VPN Accelerator, discussed further below.
We’ll examine the fastest VPN routers in more detail below.
How to get the best performance with your VPN router
So how do you get the best performance with your VPN router?
Here is the checklist:
- You will first need a fast internet connection from your internet service provider. (A VPN cannot make your internet faster, unless your ISP is throttling your speeds.)
- Next, you will need a fast VPN service. The fastest VPN we have tested is NordVPN.
- Use a fast VPN router with a powerful processor, such as one of these:
- Connect to a nearby server that has enough bandwidth
- Use a wired ethernet connection for the fastest speeds and strongest security (don’t use WiFi).
Previously, it was very difficult to get above 100 Mbps with a VPN router. However, if you follow the checklist above, you should easily be able to get over 100 Mbps with your VPN router.
Preconfigured VPN routers
If you want to minimize the hassle, risks, and potential frustration of flashing your own router, then a pre-configured VPN router is a good choice. While it will be more expensive than your standard (non-configured) router, a pre-configured router will probably save you time and it also comes with dedicated support.
Here are the best three options for a preconfigured VPN router, which we’ll examine in detail below:
- Vilfo router
- Sabai Technology VPN routers
Let’s examine each of these in more detail.
Vilfo VPN router (fastest VPN router)
The Vilfo VPN router is arguably the best VPN router on the market. It is based on OpenWRT firmware and offers numerous features and customization options. In terms of performance, it is the fastest VPN router we have tested (so far).
Below is a speed test we conducted for the Vilfo router review. It was conducted using a nearby NordVPN server:
Note: While the screenshot above was taken with NordVPN, we’ve also clocked similar speeds when testing out the Vilfo router in our Surfshark review.
The name of this product tells you all you need to know. The Vilfo VPN router, created by Vilfo AB of Sweden, is first and foremost designed to be a top-end VPN router. We’ve seen reports that the router can get 500+ Mbps with OpenVPN encryption. Impressive to say the least.
From the ground up, this router was designed for VPN services. It has support for many of the leading VPN services built right in (including two of our favorites, ExpressVPN and NordVPN), and works with any VPN service that supports OpenVPN and exports their configuration information.
Aside from just speeds, this VPN router also packs in many other impressive features and options:
- Feature-rich dashboard to monitor traffic and manage users, devices, and groups of devices
- Split tunneling to route devices and/or websites outside the VPN tunnel
- Support for multiple simultaneous VPN connections
- Parental controls
- Built-in kill switch to ensure all traffic remains encrypted
The company behind Vilfo is the same team that offers OVPN, one of the best VPN services based in Sweden. They offer live chat support and a generous one year hardware warranty. To find out more about the Vilfo VPN router, check out our in-depth review here. We have an in-depth Vilfo review here – or check out the website below.
Sabai Technology VPN routers
If you are looking for a router that is both user-friendly and also offers great features, Sabai Technology would be an excellent choice. The Sabai OS firmware is based on Tomato, but with more features and regular updates.
One feature I really liked when testing out the Sabai OS device was the Gateways feature. The Gateways feature allows you to selectively route every device that connects to the network. In other words, you can route certain devices through your VPN and others through your local (unencrypted) connection.
The Gateways feature also functions as a kill switch. In other words, if a specific Gateway drops (such as the VPN router’s connection to a VPN server), traffic will be blocked for all devices assigned to the VPN router. This keeps you safe and helps prevent any IP address leaks.
You can also supercharge your VPN router speed using the Sabai VPN Accelerator, which is a Mini PC that connects directly to the router and handles all encryption for the VPN.
With the Sabai VPN router I tested, the setup and configuration process was quick and easy. Additionally, Sabai offers great support from helpful and responsive in-house technicians (no third-party support). And lastly, the Sabai OS firmware remains under active development with regular security updates.
FlashRouters VPN router
FlashRouters is another great option that specializes in VPN routers that run Tomato and DD-WRT firmware.
FlashRouters relies on free and open-source firmware, which you can freely get online, rather than their own custom firmware. While there is a benefit to the firmware being open source, it may also suffer from less active development and fewer security updates.
You can also find routers that are specifically configured for certain VPN providers. Just visit the site and select your VPN service to see the available routers.
The FlashRouters website is also a good information resource if you’re looking to learn more about:
Flashrouters remains one of the most popular sources for a preconfigured VPN router. Check out their site for more info.
Conclusion on pre-configured VPN routers
While pre-configured routers are more expensive than some other options, they are still a good choice if you don’t want the hassle and risk of flashing your own router. The support is also very helpful for getting everything working correctly.
However, there is a cheaper option, and that is with VPN-ready routers.
Aside from getting a pre-configured router, the next easiest option is to go with router that can be used with OpenVPN right out of the box, which I refer to as a VPN-ready router.
For VPN-ready routers that natively support OpenVPN (without any customization or flashing), you have these choices:
- Asus routers – Asus is my favorite option because it offers a huge selection of VPN-ready routers, with very good prices. Not all Asus routers are VPN enabled – see the Asus section below for a complete list of routers and specifications.
- Synology routers – Synology currently offers two routers that can be quickly configured with OpenVPN with little time and effort (no flashing): RT1900AC and the RT2600AC.
Note: There are also a number of smaller VPN router “boxes” being marketed by various companies. In general, these appear to be underpowered for OpenVPN use. Some of these boxes also appear to lock you into subscribing to their VPN service.
Tip: I’d recommend going with one of the larger manufacturers and using a firmware that is regularly updated for security fixes.
We’ll take a close look at each option below.
Asus VPN routers
If you’re looking for the best VPN router that you can use right away, then Asus is tough to beat.
Asus offers a great lineup of VPN-ready routers – from cheap to high-end. They offer several routers with powerful processors that can do exceptionally well with VPN encryption. As a matter of fact, NordVPN strongly recommends Asus routers for the best performance.
The fastest Asus router available now is the Asus RT-AX88U. It can hit speeds over 200 Mbps with OpenVPN.
Here is the best Asus router that supports OpenVPN encryption, the RT-AX88U AX6000:
One drawback with this router, however, is that it is one of the most expensive routers from Asus that supports VPN encryption right out of the box. You can see the current prices on Amazon here.
Easy to setup Asus VPN routers
The AsusWRT stock firmware natively supports these VPN protocols: OpenVPN, L2TP, and PPTP. Setup is a breeze (about 20 minutes or less) and you can load numerous VPN configurations onto your router (which is something you can’t do with DD-WRT).
TIP: I would recommend upgrading your Asus router to the Asus Merlin firmware, which will improve speeds, security, and include more features. (We’ll discuss this more below.)
All Asus routers you can use with OpenVPN
Here are the Asus routers that are VPN-ready (support OpenVPN right out of the box) and can be set up with minimal time and effort:
- ASUS RT-AC66U (AC1750)
- Asus RT-AX56U AX1800
- Asus RT-AX3000
- Asus AC-1900 (RT-AC68U)
- Asus AC2900 (RT-AC86U)
- Asus RT-AC3200
- Asus RT-AC87U AC2400
- ASUS RT-AC88U
- Asus RT-AC5300
- Asus RT-AX88U AX6000
- Asus RT-AX92U AX6100
Important Note: Do not be confused by the numbers, they do not always correspond to speed and performance (bigger number does not mean faster). A big factor with speeds is the specific processor the router is using, and whether it supports accelerated speeds for VPN encryption (AES-NI).
The fastest Asus routers from the list above are:
- Asus AC2900 (RT-AC86U) [Best value router, speeds of 150+ Mbps]
- Asus RT-AX88U AX6000 [Fastest router with most features, speeds of 200+ Mbps]
I’ve found Asus routers to be very stable with good performance, while also being easy to set up. The stock firmware allows you to set up custom DNS and also block IPv6. Additionally, Asus routers are very versatile and can be used with lots of other firmware, such as Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT, and Sabai OS.
Here are some pros and cons of Asus VPN routers based on my experience with testing various models:
- Large VPN router selection (all price ranges)
- Stock firmware (AsusWRT) is very easy to use with VPNs
- Router be used with other firmware: Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT
- Very durable (difficult to brick)
- Solid performance, especially the newer models
- Stock firmware (AsusWRT) has fewer features compared to Asus Merlin
Conclusion on Asus VPN routers
Asus routers are one of the best values you will find for a VPN router that you can unbox and use within minutes. With the models noted above, you can get many features and blazing fast speeds, which were previously not possible with consumer-grade routers. To get the most out of your Asus router, I would strongly recommend upgrading to the (free) Asus Merlin firmware.
If you are looking for the best-value VPN router, go with the Asus AC2900 (RT-AC86U), which is cheaper than many other models, but still offers amazing speeds.
Synology VPN routers
Synology offers two routers that natively support VPN use. Synology also does a good job with regular security updates. While the selection isn’t huge, both of the Synology VPN routers appear to be decent options:
The fastest of these two VPN routers is the Synology RT2600AC:
In comparison to similarly-priced Asus router models, Synology is not quite as fast.
You can see the Synology router lineup on Amazon for more details.
Conclusion on VPN-ready routers
Setting up a VPN-ready router should be a fairly straight-forward process. This is particularly the case with Asus VPN routers. All you need to do is import the OpenVPN configuration files, add your VPN username and password, and then you should be able to connect the router to a VPN server. If you need
Another advantage with VPN-ready routers is that they are usually cheaper than preconfigured VPN routers. You can get a great model, such as the Asus AC2900, without spending a fortune.
VPN router firmware options (and flashing a router)
The next option is to flash a router you have with firmware that will support a VPN. This will be more complicated than getting a pre-configured router, or a VPN-ready router with native VPN support. The level of complexity will depend on the firmware and the specific router you are using.
In this section on flashing a router, we will discuss the following firmware:
- Merlin AsusWRT
- Tomato and Advanced Tomato
The first option we’ll discuss is the Merlin AsusWRT firmware, which is relatively easy to install and use with a VPN.
Merlin AsusWRT routers
AsusWRT by Merlin is a third-party open source firmware that builds on and improves the AsusWRT firmware. AsusWRT by Merlin is one of the best options if you want a secure, user-friendly firmware with lots of features for use with a VPN. (It’s also free.)
A Merlin AsusWRT router offers the following benefits:
- Enhanced security – Merlin AsusWRT is regularly updated to fix bugs and security vulnerabilities. You can verify the latest security fixes on the changelog. The developer is active, unlike with some other firmware.
- Policy-based and selective routing – This allows you to select specific devices or destinations to use the VPN, with everything else going through the regular ISP connection. Merlin’s user-friendly policy-based routing feature is a distinguishing factor separating it from other VPN routers. Some people need this for bypassing the VPN, such as with Netflix or other websites.
- Kill switch – A kill switch will block all internet traffic if the VPN connection is lost. Setting up a properly functioning kill switch can be tricky with some VPN routers. With Merlin AsusWRT, this is easy.
- Multiple VPN clients and servers – Merlin AsusWRT allows you to configure two VPN servers and up to five VPN clients. You can also use different VPN clients at the same time with different devices (but I would recommend a higher CPU router in this case).
Merlin AsusWRT is a reliable, secure, and feature-rich option for Asus routers.
Combining a high-performance Asus router (such as the Asus RT-AX88U or Asus AC2900) with Merlin firmware and a high-quality VPN service is one of the best options around. You will be able to secure your home network without sacrificing performance.
Merlin AsusWRT supports the following routers:
- RT-AC66U_B1 (same firmware as the RT-AC68U)
- RT-AC68U (including revisions C1 and E1)
- RT-AC68P (same firmware as RT-AC68U)
- RT-AC68UF (same firmware as RT-AC68U)
- RT-AC1900 (same firmware as RT-AC68U)
- RT-AC1900P (same firmware as RT-AC68U)
- RT-AC86U (starting with version 382.1)
- RT-AC2900 (same firmware as RT-AC86U)
- RT-AX3000 (same firmware as RT-AX58U)
Note: The U, R and W variants are all supported, as they are the exact same hardware and firmware, only different marketing SKUs or different case color.
Here are some general pros and cons of the AsusWRT Merlin firmware:
- User-friendly interface
- Kill switch and policy-based routing options
- Support for multiple VPN clients
- Active development with regular updates
- Support via the SNB forum
- Limited to Asus routers (but with a good selection of models)
- Official Merlin AsusWRT website
- Official Merlin Github page
- SNB Forums (active community, with the developer offering direct support)
- Youtube video demonstrating how to setup a kill switch and policy-based routing
DD-WRT is a Linux-based firmware that was developed to enhance the functionalities of wireless routers. It is a popular option because it can be used with many different routers and it offers some good features.
Despite it’s popularity, however, DD-WRT does have some drawbacks. First, you can only load one VPN configuration on the router. This prevents you from easily switching between different VPN server locations.
Another issue I’ve noticed is that the development community seems to be less active. This means fewer updates and less-regular security patches. DD-WRT can be somewhat tricky to setup if you are flashing your own router. You also run the risk of bricking your router (some models are more durable than others).
For some people, ordering a preconfigured DD-WRT router from FlashRouters may be the best bet – see their lineup of DD-WRT routers here.
Flashing a DD-WRT router
You can also try flashing a router you already own with DD-WRT firmware. Here are the two main resources you need:
If you are considering flashing with DD-WRT, just beware of the risks (permanently breaking your router). Also be sure to follow the official DD-WRT guidance for your router model.
- Huge number of routers supported (see here)
- Good Quality of Service (QoS) controls (for bandwidth allocation)
- Ad blocking feature
- Only supports one VPN configuration
- Less active development with fewer security updates
- More difficult to install than other firmware options
Tomato and AdvancedTomato routers
Tomato is another alternative, open source firmware for routers. Tomato firmware has many similarities to the AsusWRT Merlin firmware. It gives you the option to use up to two VPN servers and two VPN clients, while also having features for policy-based routing.
Unfortunately, the original Tomato firmware seems somewhat outdated, especially when it comes to supporting newer routers. One alternative would be AdvancedTomato firmware instead of the original Tomato firmware.
AdvancedTomato offers some good improvements over the original. The overall design is better, which gives you more control over your router’s features.
Sabai OS (based on Tomato) – Finally, the lineup of VPN routers from Sabai Technology all have the Sabai OS firmware, which is based on Tomato. To use Sabai OS on an existing router you own, you would need to purchase a license. However, Sabai OS offers the benefits of regular security updates, great support, ease of use, and good features.
See the full lineup of Sabai VPN routers here.
Pros and cons of Tomato and AdvancedTomato firmware:
- User-friendly layout (especially with AdvancedTomato)
- Supports 2 VPN servers and 2 VPN clients
- Quality of Service (QoS) options for bandwidth control
- Original Tomato firmware outdated
- Installation can be more complex
- Many of the supported routers are outdated and/or underpowered for VPNs
Overall, Tomato is a decent option for VPN routers, although AdvancedTomato seems to be the better option.
- Original Tomato website
- AdvancedTomato website
- AdvancedTomato supported devices
- r/TomatoFTW (reddit)
- Sabai OS VPN routers (based on Tomato)
OpenWRT is another open source firmware to enhance and secure wireless routers. It has many great features while also supporting a large number of devices.
Development of new versions of OpenWRT continues, although not at a rapid pace. The OpenWRT forums are likewise still active, with around 200 messages a week in total.
OpenWRT offers some nice features. Aside from VPN capability, it also provides QoS options, BitTorrent client configuration, server software, and traffic analysis features.
- Support for many devices
- Good Quality of Service (QoS) controls
- BitTorrent client configuration
- Limited support for newer routers
Unlike some router firmware, pfSense continues to gain popularity with active development and new features being added.
While pfSense gives you very powerful tools and features, setup can be difficult if you lack the necessary technical and security background. Ultimately, these complex and powerful features can end up being worse than less secure options that are easy for anyone to set up. It all depends on the user.
pfSense router performance with OpenVPN
With a very basic and cheap PC that is properly configured with pfSense, you could get a high-performance router.
The main difference here is processing power (CPU). Nearly any PC will outperform even the high-end router models. Two popular options when using a PC for a router include:
- A mini-PC with pfSense (often called a pfSense box)
- An old PC (see this video)
With these two options, you will still need an access point for devices to access the network. This usually means your PC will be hooked up to a regular router, which will serve as the access point for the PC.
The pfSense forums are a good resource for VPN router setup advice. But be careful: if you lack the background in this area, setting up a pfSense VPN router can be especially difficult, frustrating, and time-intensive.
- Very secure
- Numerous features
- Highly configurable
- Solid performance
- More difficult to setup
- With PC routers, you will also need an access point for the wireless
- pfSense official site
- pfSense forums
- List of pfSense features
- pfSense wiki
- r/pfsense (reddit)
- Great video series introduction to pfSense
Policy-based routing (selective routing)
One issue that often comes up with VPN routers is policy-based routing. This entails routing specific clients (devices) or connecting to certain websites outside the VPN tunnel. This is usually important for accessing sites that block VPNs, such as banking websites or perhaps Netflix.
How to set up policy-based routing depends on the firmware you are using.
Vilfo VPN router – This router takes policy-based routing to a new level. You can have 10 simultaneous groups, each of which is connected to its own separate VPN service, or none at all. Within a group, you can disable the VPN connection temporarily giving you total control over routing.
Sabai OS – As mentioned above, all Sabai OS VPN routers have the option to selectively route each device that connects to the network. This can be simply controlled through the Gateways feature.
AsusWRT Merlin – Another easy option for policy-based routing is to use the Merlin firmware on a compatible Asus router. This video clearly explains creating a kill switch and policy-based routing for your VPN with AsusWRT Merlin:
Tomato and AdvancedTomato – AdvancedTomato firmware provides policy-based routing support. Instructions for standard Tomato firmware come from VPN.ac. Their TomatoUSB Policy-Based Routing guide includes detailed instructions for different scenarios.
DD-WRT – Setting up policy-based routing with DD-WRT is relatively straightforward. FlashRouters put together an excellent guide for DD-WRT routers, see Dual Gateway VPN Blacklist by Device for more information.
Dual VPN router – Another option for separating traffic between your VPN tunnel and regular ISP connection is to use a dual VPN router setup. With this, you will be able to easily switch back and forth. The main drawbacks, however, are increased power consumption and the possibility of wireless interference.
Kill switch on a VPN router
A kill switch is an important feature to block internet traffic if your VPN connections drops. This prevents your real IP address from being exposed.
Vilfo VPN router – The Vilfo router has a built-in kill switch that is active for all devices, and controlled from the OpenVPN settings page.
Sabai OS – The Sabai OS firmware includes a built-in kill switch when you set up the Gateways feature. This is probably the easiest option available for a VPN router kill switch.
Merlin AsusWRT – The video above covers setting up a kill switch.
Tomato and AdvancedTomato – Setting up a kill switch for Tomato VPN routers just requires creating a rule. Using the rule below, traffic will only be forwarded through an active VPN connection.
In Administration > Scripts > Firewall tab, add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Save the rule and reboot your router.
DD-WRT – Just like with Tomato, to add a kill switch on a DD-WRT router you just need to add a rule. Again, this only allows traffic if the VPN connection is active.
In Administration > Commands > add the following rule:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Select “Save Firewall” to save the rule and reboot router.
Conclusion on VPN routers
While there are many reasons for using a VPN router, security and privacy are two of the most important factors.
If you have a standard (non-VPN) router now, replacing its stock firmware with one of the alternatives in this guide is a good idea from a security perspective.
Another tip for securing your network is to simply stop using wireless and go back to wired-only (ethernet) connections. Ethernet connections are vastly more secure than WiFi, and a connection using a high-quality ethernet cable can be much faster than a wireless connection.
In the era of COVID-19, many of us are working from home (perhaps permanently). That often means things like connecting to the company network from your living room, and downloading proprietary information rather than just cat videos. This make the information running through your home internet connection vastly more valuable to hackers and other creeps than it used to be.
Failure to secure your network and personal internet connection with a VPN could have major consequences.
And finally, there’s also the convenience factor.
Using a VPN on your router will extend the benefits of a VPN to all your devices, without having to download VPN software on each device.
As you can see in this guide, a VPN router is a powerful solution that you can implement. Whether you’re a tech newbie or a super geek, using a good VPN router is a smart choice to protect all of your devices.
This VPN router guide was last updated on February 17, 2022.