Why Set Up a VPN on Your Router?
Running a VPN client on each individual device is the most common approach to VPN protection, but it has a significant drawback: devices that do not support VPN clients — smart TVs, gaming consoles, IoT devices, Chromecast, Apple TV — are left unprotected. A VPN configured on your router solves this by routing all traffic from every device on your network through the VPN tunnel, regardless of whether the device has a VPN client installed.
The benefits of a router-level VPN:
- Every device on your network is automatically protected — no per-device configuration required
- Smart TVs and streaming devices can benefit from VPN protection and geo-unblocking
- Gaming consoles can use a VPN to reduce certain types of DDoS exposure
- Guests connecting to your WiFi are automatically protected
- One VPN connection slot instead of multiple simultaneous connections
Before and after setting up your VPN, use our IP address tool to verify your public IP changes to the VPN server's address, and run a DNS leak test to confirm DNS queries are also routed through the VPN.
Does Your Router Support VPN Clients?
Not every router supports running a VPN client. Consumer routers from ISPs almost never do. Check whether your router supports VPN client mode before proceeding.
Routers with native VPN client support:
- Asus (with or without Merlin firmware) — most Asus routers support OpenVPN and WireGuard client natively in the admin panel
- GL.iNet routers — explicitly designed for VPN use, support WireGuard and OpenVPN out of the box with a clean UI
- Netgear Nighthawk (some models) — supports OpenVPN client on selected models
- pfSense / OPNsense — full VPN client support for OpenVPN and WireGuard, used by power users
- OpenWrt-flashed routers — virtually any supported router running OpenWrt can be configured as a VPN client
Alternatives if your router does not support VPN:
- Flash your router with OpenWrt (if your model is supported — check openwrt.org)
- Add a GL.iNet travel router between your modem and current router
- Use a Raspberry Pi as a VPN gateway for your network
- Purchase a new router with native VPN client support
WireGuard is strongly preferred over OpenVPN for router use — it is significantly faster, uses far less CPU (important on router hardware), and is simpler to configure.
Check If Your VPN Is Working
Verify your IP address changed and run a DNS leak test to confirm VPN protection
Hide My IP NowSetting Up WireGuard on an Asus Router
Asus routers with recent firmware have native WireGuard VPN client support. Here is the step-by-step configuration process.
Prerequisites: An Asus router with firmware 3.0.0.4.388 or later, and a VPN provider that supports WireGuard (Mullvad, NordVPN, ExpressVPN, ProtonVPN, and most major providers do).
- Get your WireGuard configuration file from your VPN provider. Most providers have a "Generate Config" option in their client area. Download the
.conffile for a server in your target region. - Log into your Asus router admin panel at 192.168.1.1 and navigate to VPN > VPN Client.
- Click "Add profile" and select "WireGuard" as the VPN type.
- Import the configuration file you downloaded, or manually enter the keys and endpoint information.
- Set routing rules — you can route all traffic through the VPN, or configure selective routing (also called split tunneling) to send only specific devices or traffic through the VPN while leaving other traffic on the normal internet connection.
- Enable the VPN profile and check the status indicator — it should show "Connected."
- Verify the connection by checking your public IP address — it should now show the VPN server's IP address, not your ISP's IP. Run a DNS leak test to confirm DNS is also going through the VPN.
Split Tunneling: Sending Only Some Traffic Through VPN
Full tunnel VPN routes all traffic through the VPN server, which can reduce speeds (depending on the VPN server's location and load) and may break some local services. Split tunneling gives you granular control over which devices or traffic use the VPN and which use the normal internet connection.
Use cases for split tunneling on a router:
- Route smart TV and streaming device traffic through VPN for geo-unblocking, but use the normal connection for gaming consoles where latency is critical
- Route laptop traffic through VPN for privacy while keeping NAS backup traffic on the local ISP connection
- Exclude IoT devices from VPN routing (they often do not need VPN protection and may have cloud connectivity issues through certain VPN servers)
- Keep banking apps and local services on the normal connection to avoid false fraud alerts from geolocation changes
On Asus routers, split tunneling is configured per-device under the VPN Director feature. You assign each device's IP to either "VPN" or "WAN" routing. On pfSense and OPNsense, policy-based routing rules offer even more granular control based on source IP, destination IP, or port.
After configuring split tunneling, verify each device is routed as intended by checking the IP address from each device — VPN-routed devices should show the VPN IP, while non-VPN devices show your normal ISP IP.
Performance Considerations and Troubleshooting
VPN on a router introduces some performance overhead that is worth understanding and optimizing.
CPU is the limiting factor. Consumer routers have modest CPUs that must handle VPN encryption for all traffic. WireGuard is designed to be lightweight and can typically saturate a 100–300 Mbps connection on most modern router CPUs. OpenVPN is more CPU-intensive and may limit throughput to 50–100 Mbps on budget routers. Run a speed test after VPN setup to measure the actual throughput impact.
Choose a geographically close VPN server. The farther the VPN server, the higher the added latency. For general privacy use, choose a server in your own country or region. Verify latency with our ping test — good VPN connections should add no more than 20–30 ms to your base latency.
Common troubleshooting steps:
- IP not changing after VPN connects: Check routing rules — the VPN may be connecting but not routing traffic. Verify in the VPN client status that routes are being applied.
- DNS still leaking to ISP: Force DNS through the VPN tunnel explicitly in your router's DNS settings. Run a DNS leak test to confirm.
- Slow VPN speeds: Switch from OpenVPN to WireGuard, choose a closer server, or check if your ISP is throttling VPN traffic (try changing the VPN port)
- Certain devices cannot connect through VPN: Check if the device has hardcoded DNS settings that bypass your router's DNS. Firewall rules blocking the hardcoded DNS may help.
Frequently Asked Questions
Does a router VPN protect all devices including phones on cellular data?
No. A router VPN only protects devices when they are connected to your home WiFi. When your phone leaves your home network and uses mobile data, it bypasses the router entirely and is not protected by the router VPN. Use a VPN app on your phone for protection on mobile data.
Will a router VPN slow down my internet significantly?
It depends on your router's CPU power, the VPN protocol, and server distance. WireGuard is very efficient — a modern mid-range router can typically maintain 150–300 Mbps VPN throughput. OpenVPN is slower, often 50–100 Mbps on consumer hardware. Run a speed test before and after to measure the actual impact on your specific hardware.
Can I run a VPN server and VPN client on the same router?
Yes, many routers support simultaneous VPN server and client modes. For example, you could set up your router as a WireGuard server (for accessing your home network remotely) while also running as a WireGuard client (routing all home traffic through a commercial VPN). Configure them on different network interfaces to avoid routing conflicts.
Which VPN providers work well with router installations?
Providers with dedicated router support and WireGuard compatibility are easiest to configure: Mullvad, ProtonVPN, NordVPN, ExpressVPN (has its own Lightway protocol and dedicated router firmware), and Surfshark all offer router configuration guides and WireGuard config file generators.
