If you’ve read a few of our guides you’ll know how strongly we advocate the use of VPNs to protect your online privacy and break down the walls of censorship.
So today we’re going to look at setting up and using a VPN on your router so you can protect every device on your home network through a secure VPN tunnel, and not have to worry about simultaneous device limits, ISP snooping, or dropped VPN connections.
We’ll also have a look at some of the main builds for routers, and their features, so you can make an informed decision as to whether you want to jump into the world of custom router firmware.
Let’s get started.
Take a look at the diagrams below.
In the first we can see a laptop connecting to the internet through a VPN connection. This is the way most consumer VPNs are set up. This system works just fine.
Now we can see how things are set up with a VPN router. Many devices can connect through the same VPN service, which is now being handled by the router itself.
Depending on the router operating system (firmware) used, it can be possible to simultaneously connect certain devices to the VPN, whilst having others connect directly to the internet as normal, without a VPN.
There are several advantages of running a VPN on your router rather than on each device. One of the main things I like is the level of control and customization you have over your entire home network when you’re using the higher end firmware of a VPN router.
With a VPN router you can connect all your WiFi and wired devices to the internet through the VPN, even devices that don’t support a VPN natively. This means that ALL your internet traffic is encrypted by the VPN and the apparent location of your entire network will be that of the VPN server.
What’s more, your ISP will simply see encrypted packets and won’t be able to determine whether you’re torrenting on your laptop, streaming Netflix on your phone, or gaming online through a console.
This set it and forget it method is very good for keeping your home network protected, but I would suggest periodically testing the VPN connection using a tool such as DNSLeakTest, rather than actually forgetting, as VPN connections can go down.
It’s clear that encrypting all your internet activity by default will increase the overall security of your network.
Whilst most websites and services these days actually do encrypt data between the computer and their servers, not all do, and it’s still possible to discover which services you use, even if the attacker can’t actually see what you’re sending and receiving.
This is an often overlooked vulnerability.
Most people will never consider that the services they use could be the first piece of information that an attacker looks for. This could be the beginning of a spear phishing attack, Where a hacker uses social engineering to specifically target an individual. In this case, they would start by learning which online services you use so they can create a fraudulent form of contact from that service, with the aim of stealing confidential information.
Of course, this particular method is impossible if you’re using a VPN.
Do remember though, that simply using a VPN is not a failsafe way to become anonymous online, and anyone who tells you it is, is either lying or has believed a lie someone else has told them. Either way, it’s not true.
There are indeed some disadvantages of VPN routers. The one that will probably put off the most people is the hardware cost.
The basic router you get from your ISP is unlikely to be VPN compatible, nor will you be able to flash it with a firmware that is. The type of router that is compatible with a VPN is generally much more expensive, with the most basic models starting at around $50, but can run way higher than that if you want something with a bit more grunt.
If you have a lot of devices connecting to your WiFi at once, your router will need more processing power in order to keep up with the constant encryption and decryption for the VPN. For most home applications this shouldn’t be an issue, and a consumer grade VPN compatible router should be just fine.
Something else worth bearing in mind is that, when running a VPN on your phone or computer, you get the full feature set of the VPN app, which usually supports several VPN protocols and encryption suites, and allows you to quickly alter the configuration.
A VPN on a router, on the other hand, requires manual configuration, and often only supports OpenVPN (which is the best anyway, at least). It is also more laborious to change the server location on a VPN router.
So how exactly is a VPN router different from a regular router?
A VPN router is just like any other router, but with the capability of running a VPN connection. To do this, a special operating system, known as firmware, is required.
All of the following router firmware options mentioned below offer advanced customization, and give users many options in addition to running a VPN through the router.
QoS (quality of service) is a popular feature, available on most custom firmwares. QoS allows the network administrator to allocate bandwidth based on the type of internet traffic.
You can, for example, make sure your PS4 connection always has preference over someone browsing the internet, or that a specific machine gets more bandwidth than mobile connections, or that P2P downloads are restricted to avoid them slowing down the network.
Some routers such as Netgear, and some D-Link and Linksys models, and most enterprise/ business routers come with VPN compatible firmware straight out of the box, but that firmware is not usually the most powerful in terms of its other features, so many people prefer to install a custom firmware such as Tomato, Sabai OS, or DD-WRT.
DD-WRT is probably the most widely used of any custom router firmware, and it handles VPN connections very well.
It’s a free open source firmware that has a huge online community of helpful DD-WRT users so you can find instructions on how to set up pretty much anything it’s capable of. You do have to do quite a bit of configuration yourself though.
DD-WRT can be installed at home on a wide variety of routers. Flashing a router is pretty simple, but if you do it wrong, you’ll probably end up with an expensive paperweight, so if you’re unsure then it’s best to buy a pre-configured one from Amazon.
Tomato is another free open source firmware that can be installed on a wide variety of routers.
It can handle a lot of very complex processes and has massive customization options, but requires a far greater level of user knowledge as each feature has to be programmed in.
Tomato can’t really be considered a consumer grade option due to the potential difficulty of set up for non-programmers. It is, however, extremely powerful.
For more information, as well as download links, visit the official Tomato firmware website.
Sabai Technology are a small business with a big name. I worked for them for almost two years and can say they’re 100% legit. They really care about their work, and offer some of the best customer support in the industry.
Now onto their VPN router firmware – it’s by far the most user friendly on this list, and is easy to set up and use, but is not free. Sabai OS (the name of their firmware) is based on Tomato but is preconfigured to get your router working quickly and easily, so you don’t need the expert knowledge to make a regular Tomato build work properly.
Sabai OS has a great feature called Gateways that makes it easy to configure which connected devices run through the VPN, and which through the regular internet.
They also sell pre-configured VPN routers that are ready to go straight out of the box. That means there’s no need to risk breaking a router while trying to flash it yourself.
pfsense is a different beast altogether. You can actually install this OS on an old pc and use that as a highly secure VPN router with loads of extra features such as built in anti-virus (at the router level, so malware can’t even get onto your device). Of course using an old PC would end up costing a lot in electricity, so I’d really suggest getting a purpose built box or building one yourself.
There’s a large pfsense community scattered across many forums, with many people who build their own routers and give advice. Get started with pfsense here.
When using one of the router firmware builds described above, setting up a VPN is fairly straightforward.
You’ll need your VPN login credentials from your VPN provider. You do still need a subscription to a VPN service.
Many VPN services provide detailed instructions on how to set up their VPN on a router, and this usually consists of a list of steps to take to set up the VPN connection and DNS, install the encryption certificates, and select a server.
Again, this is more time consuming than simply using the VPN app on your laptop, but it does protect your entire network rather than a single device.
It’s also pretty fun to set up, if your into that kind of thing.