Connect Your Home Router to a VPN to Bypass Censorship, Filtering, and More
Whether you want access to video services not available in your country, better prices on software, increased anonymity, or just think the Internet looks finer when viewed through a secure tunnel to another country, a VPN connection at the router level can solve all those problems and then some.
What’s a VPN and Why Do I Want To Do This
There are a myriad of reasons you might want to use a VPN to route your Internet traffic to a location other than the one you’re actually using the Internet at. Before we dive into how to configure your router to use a VPN network let’s run through a crash course on what a VPN is and why people use them (with helpful links to previous How-To Geek articles on the matter for further reading).
What’s a VPN
The primary benefit, for both users looking to avoid oversight (either by their ISP or government censors) as well as those looking to fudge their geographic location to access services only available in another country, is that a properly configured VPN system deployed at the router level is comprehensive and device agnostic. Every device on the network will pass through the VPN tunnel without exception.
In terms of avoiding censorship or government retaliation this means that even if someone is connected to your home network and they forget to use a secure connection it doesn’t matter as their searches and activity will still pass through the VPN (and to a less dangerous country). In terms of dodging geo-blocking this means that all devices, even those that don’t support proxies or VPN services, will still have access to the Internet as if they were in the remote location. This means even though your streaming stick or smart TV has no option to enable a VPN, it doesn’t matter because the whole network is linked to the VPN at a point where all traffic passes.
In short, if you need the security of network wide encrypted traffic or the convenience of having all your devices routed through another country (so everyone in your house can use Netflix despite its unavailability in your home country) there’s no better way to wrestle with the problem than to set up whole-network VPN access at the router level.
What’s the Downside?
While for the people that would benefit from the setup the upsides are numerous, that doesn’t mean running a whole-house VPN is without a downside or two. First, the most unavoidable effect that everyone will experience: you lose a portion of your total bandwidth to the overhead of running the encrypted VPN tunnel. The overhead typically chews up about 10 percent of your total bandwidth capacity.
Second, if you’re running a whole-house solution and you need access to resources that are actually local to you then you may either be unable to access them or you’ll have slower access because of the extra leg introduced by the VPN. As a simple example imagine a British user setting up a VPN so they can access U.S.-only streaming services. Although the person is in Britain their traffic passes through a tunnel to the U.S. and if they went to access UK-only areas of the BBC network the BBC website would think they were coming from the U.S. and deny them. Even if it didn’t deny them, it would introduce a tiny bit of lag to the experience as the server would be sending the files across the ocean and then back again through the VPN tunnel instead of just across the country.
That said, for people considering securing their entire network to gain access to services unavailable in their location or to avoid more serious concerns like government censorship or monitoring, the tradeoff is more than worth it.
What Do I Need?
If you’ve come this far and you’ve been nodding the whole time, “Yes, yes. That exactly! I want to secure my entire network and route it through a VPN tunnel!” then it’s time to get serious with a project shopping list. There are two principal elements to this project: a proper router and a proper VPN provider, and there are nuances to selecting both of them. Let’s take a look at both now.
Selecting Your Router
Selecting a router is the absolute trickiest part of the entire process. Increasingly routers, especially high-end routers, support VPN but only as a server. You’ll find routers from Netgear, Linksys, and the like that have built in VPN servers that allow you to connect to your home network when you’re away, but they offer zero support for bridging the router to a remote VPN (they can’t act as a client).
That’s extremely problematic as any router that cannot function as a VPN client can’t link your home network to the remote VPN network and for our purposes secure access from afar to our home network does absolutely nothing to help protect us from snooping, throttling, or geo-blocking when we’re already on our home network. As such you either need a router that supports VPN client mode out of the box, to take an existing router and flash a custom firmware on top of it, or to purchase a pre-flashed router from a company that specializes in such endeavours.
In addition to ensuring your router can support a VPN connection (either through the default or third-party firmware) you’ll also want to consider how beefy the router’s processing hardware is. Yes you can run a VPN connection through a 10-year-old router with the right firmware, but that doesn’t mean you should. The overhead of running a continuous encrypted tunnel between your router and the remote network is not insignificant and the newer/more powerful your router is the better your performance will be.
All that said let’s run through what to look for in a good VPN-friendly router.
VPN Terminology
While we’ll do our best to recommend a router for you that will save you the headache of digging through the feature lists and terminology yourself, it’s best to know what terminology to look for when shopping so you end up with exactly the product you need.
The most important term is “VPN client” or “VPN client mode”. With no exception you need a router that can function as a VPN client. Any mention of “VPN server” is no guarantee at all that the device also has a client mode and is completely irrelevant to our endeavour here.
Secondary terms to be aware of that are related, but not directly relevant, to VPN functionality are terms identifying types of VPN passthrough. Typically the firewall/Network Address Translation (NAT) components of routers play very poorly with VPN protocols like PPTP, L2TP, and IPsec and many routers have “PPTP Pass-Through” or similar terms listed under the VPN category in their marketing materials. That’s a nice feature and all but we don’t want any sort of pass-through, we want actual native VPN client support.
Again, before we proceed, we want to emphasize what you’re looking for: you want a VPN client and not a VPN server. If a router doesn’t have a VPN client package you cannot use it to link your home network to a remote VPN.
Purchasing a Router with In-Box Default VPN Support
Unfortunately there are very few routers on the market that include a VPN client package. If you have an ASUS router, you’re in luck as most newer ASUS routers from their premium RT-AC3200 all the way down to the more economical RT-AC52U support VPN client mode (but not necessarily at the level of encryption you might wish to use so be sure to read the fine print). If you’re looking for a no-fuss solution because you don’t want the hassle (or aren’t comfortable) flashing your router to a new firmware it’s a very reasonable compromise to pick up an ASUS router that has the support baked right in.
Flashing Your Router to DD-WRT
DD-WRT is a third-party firmware for dozens upon dozens of routers that has been around for years (we first flashed a router to DD-WRT way back in 2007 or so and the project has been active since 2005). The appeal of DD-WRT is that it’s free, it’s robust, and it adds a huge amount of versatility to routers big and small. We’ve run it on the venerable old Linksys WRT54GL, we’ve flashed newer flagship routers like the Netgear R8000 to DD-WRT, and we’ve never been unhappy with it.
As scary as flashing your router with new firmware seems to someone who hasn’t done it before, we assure you that it’s not as scary as it seems and in years of flashing our own routers, routers for friends and family, and so on, we’ve never had a bricked router.
To see if your router (or the router you’re interested in purchasing) is DD-WRT compatible, check out the DD-WRT router database here. Once you put in your router name you’ll find the entry, if it exists, for the router, as well as additional information.
The above screenshot is an example featuring the available DD-WRT builds for the iconic Linksys WRT54GL router. There are really only two important things to consider when flashing. First, read the “additional information” section to learn more about how to flash DD-WRT to any given router (this is important and where you’ll find useful information like “In order to flash this router to the full package, you first need to flash the Mini version”). Second, make sure you flash the version identified as VPN or Mega (depending on what your router can support) as only those two packages have the full VPN support included. Smaller packages for less powerful routers, like the Micro and Mini, save space and resources by not including the more advanced features.
Buying a Pre-Flashed Router
If you want the power of DD-WRT but you’re really uncomfortable doing the ROM flashing process yourself there are two alternatives. First, the Buffalo network and storage company has a line of routers that actually use DD-WRT right out of the box. Routers in the AirStation line now ship with DD-WRT as the “stock” firmware, including the AirStation AC 1750.
Short of flashing your own router, purchasing a Buffalo router that ships with DD-WRT is your safest bet and doesn’t void any warranties because it ships with the firmware already on.
The other alternative is to purchase a router that has been purchased and flashed by a third-party to the DD-WRT firmware. Given how easy it is to flash your own router (and that there are routers on the market like the AirStation that come with DD-WRT) we can’t really endorse this option; especially given that the companies that provide this pre-flashed service charge a significant premium. That said, if you don’t feel comfortable flashing your own router and want to leave it to the professionals you can purchase pre-flashed routers at FlashRouters. (But seriously, the premium is insane. The highly rated Netgear Nighthawk R7000 is currently $165 on Amazon but $349 on FlashRouters. At those prices you can buy an entire backup router and still come out ahead.)
Selecting Your VPN
The best router in the world with fantastic VPN support isn’t worth anything if you don’t have an equally good VPN to connect it to. Fortunately for you we have a detailed article devoted just to the topic of selecting a good VPN: How to Choose the Best VPN Service for Your Needs.
What you’re looking for in a VPN provider intended for use on your home router, above and beyond other VPN considerations, is the following. Their terms of service should allow for installation on a router. They should offer unlimited bandwidth with no general throttling or service-specific throttling. They should offer multiple exit nodes in the country you are interested in appearing as if you are from (if you want to look like you’re in the U.S. then a VPN service specializing in European exit nodes is of no use to you). While we’d strongly urge you to read over that entire guide before proceeding we understand you might be in a let’s-just-get-this-done mood. Let’s quickly highlight what to look for in a VPN intended for home router use and then highlight our recommendation (and the VPN we’ll be using for the configuration portion of the tutorial).
To that end our recommendation in the Best VPN Service article remains our recommendation here: VPN provider Private Internet Access. This is the service we recommend and this is the service we’ll be specifically using in the next section to configure a DD-WRT router for VPN access.
How Do I Configure My Router?
Configuring your router isn’t horrendously complicated (you won’t be writing any arcane IPTABLES code for your router by hand or any such thing) but you’ll definitely want to pay close attention to all of the steps and double check that all your proverbial i’s are dotted and t’s are crossed.
Again, we’ll be completing the tutorial using a DD-WRT flashed router and VPN service provided by Private Internet Access. You can use the general guidelines that follow for other routers, but if you want to follow along exactly we suggest you use the same materials we are. Let’s get started.
Unless otherwise specified all the following steps occur within the DD-WRT administrative control panel and all instructions like “Navigate to the Setup tab” refer directly to the control panel.
Backup Your Configuration
We’re about to make some not-so-minor (but safe and reversible) changes to your router’s configuration. Now would be an excellent time to take advantage of your router’s configuration backup tool because it’s not that you can’t manually undo all the changes we’re about to make but who would want to when there’s a better alternative?
You can find the backup tool in DD-WRT under Administration -> Backup, as seen in the image below.
To create a backup simply click on the large blue “Backup” button. Your browser will automatically download a file entitled nvrambak.bin. We’d encourage you to give the backup a more recognizable name like “DD-WRT Router Pre-VPN Backup 07-14-2015 – nvrambak.bin” so you can easily locate it later.
The backup tool comes in handy at two places in this tutorial: creating a clean backup of your pre-VPN configuration and creating a backup of your working post-VPN configuration after you’ve finished the tutorial.
If you find that you don’t want/need your router to run a VPN client and wish to revert to the state the router was in before this tutorial you can navigate back to the same page and use the “Restore Configuration” tool and the backup we just created to reset your router to the state it is in now (before we make the VPN-related changes).
Change Your DNS
Unless you have specified otherwise at some point in the past your router most likely uses your ISP’s DNS servers. This is problematic from a privacy standpoint. You don’t want any personal information, like what web pages or services you’re contacting, leaking out via DNS information.
To avoid that scenario, we’ll change the DNS settings in DD-WRT to use large and public DNS servers instead of whatever our ISP defaults to. To change your DNS servers navigate to Setup -> Basic and scroll down to the “Network Setup” section.
You need to specify static DNS servers. Here are some well known and secure public DNS servers you can use as alternatives to your ISP’s default servers.
Google DNS: 8.8.8.8, 8.8.4.4
OpenDNS: 208.67.222.222, 208.67.220.220
Level 3 DNS: 209.244.0.3, 209.244.0.4
In our screenshot above you can see that we filled the three DNS slots with 2 Google DNS servers and one Level 3 DNS server (as a fallback in case, by some very rare chance, the Google DNS servers are down).
In addition to setting the DNS servers you’ll want to check that “Use DNSMasq for DHCP”, “Use DNSMasq for DNS”, “DHCP-Authoritative”, and “Forced DNS Redirection” are all checked. While the first three are typically checked on most DD-WRT installations the last one usually isn’t: Forced DNS Redirection ensures that even if a device or client on your network is configured to use alternative DNS servers they will be forced, by the router, to use the DNS servers you specified here.
When you’re done make sure to click “Save” and then “Apply Settings” at the bottom.
Disable IPv6
IPv6 might be important to the general future of the Internet in that it ensures there are enough addresses for all the people and devices, but from a privacy standpoint it’s not so great. IPv6 information can contain the MAC address of the connecting device and most VPN providers don’t use IPv6 and as a result IPv6 requests can leak information about your online activities.
While IPv6 should be disabled by default on your DD-WRT installation, we’d encourage you to double check that it actually is by navigating to Setup -> IPV6. If it isn’t already disabled, turn it off and then save and apply your changes.
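The MAC address exposure mentioned above happens when a device forms the low 64 bits of its IPv6 address from its MAC (an EUI-64 interface ID). As an added example, not part of the original article, this shell function recovers the embedded MAC from such an address so you can check the addresses your own devices use; the sample addresses are constructed.

```sh
#!/bin/sh
# Added example: print the MAC address embedded in an IPv6 address that uses an
# EUI-64 interface ID. Returns 1 if the address does not embed one.
eui64_mac() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    addr=${addr%%/*}                  # drop a prefix length such as /64
    addr=${addr%%\%*}                 # drop a zone index such as %br0
    case $addr in
        ''|*[!0-9a-f:]*) return 1 ;;  # not a plain hexadecimal IPv6 address
        *::*) tail=${addr##*::}; compressed=1 ;;
        *)    tail=$addr; compressed=0 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -- $tail                      # split into 16-bit groups
    IFS=$old_ifs
    if [ "$compressed" -eq 0 ] && [ $# -ne 8 ]; then return 1; fi
    # The interface ID is the last four groups; "::" may have swallowed some.
    while [ $# -gt 4 ]; do shift; done
    while [ $# -lt 4 ]; do set -- 0 "$@"; done
    for g in "$@"; do
        case $g in ''|?????*) return 1 ;; esac
    done
    g1=$((0x$1)); g2=$((0x$2)); g3=$((0x$3)); g4=$((0x$4))
    # EUI-64 inserts ff:fe between the two halves of the MAC address ...
    if [ $((g2 & 255)) -ne 255 ] || [ $((g3 >> 8)) -ne 254 ]; then return 1; fi
    # ... and inverts the universal/local bit (0x02) of the first octet.
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 2 )) $((g1 & 255)) $((g2 >> 8)) \
        $((g3 & 255)) $((g4 >> 8)) $((g4 & 255))
}

# Constructed sample addresses (documentation prefix 2001:db8::/32 and link-local).
for a in fe80::211:22ff:fe33:4455%br0 2001:db8:1:2:5054:ff:fe12:3456/64 \
         2001:db8::a1b2:c3d4:e5f6:789; do
    if mac=$(eui64_mac "$a"); then
        echo "$a embeds MAC $mac"
    else
        echo "$a does not use an EUI-64 interface ID"
    fi
done
```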
Enable Local DNS Lookups
To support the VPN functionality we need to enable local DNS lookups. Make a stop at Services -> Services and under the “DHCP Server” heading switch “Used Domain” from the default of “WLAN” to “LAN & WLAN”.
Additionally, in the “DNSMasq” subsection, ensure “DNSMasq”, “Local DNS”, and “No DNS Rebind” are all enabled. Save and apply your changes.
Enabling The VPN
Now that we’ve done the prep work of tidying up the DNS/DHCP options we can finally get down to enabling the actual VPN. Navigate to Services -> VPN. Under the heading “OpenVPN Client”, select “Enable”. After you select enable a whole host of new options will immediately appear in the “OpenVPN Client” section.
We have a lot of important information to fill in here so, as we noted above, it’s important to read closely.
Fill in your VPN server’s name in the “Server IP/Name” slot. We’re going to configure our VPN client to connect to Private Internet Access’ mid-west United States server under the premise that many readers will want to spoof a U.S. address to get access to Netflix. If you’re in the U.S. and you want to appear to be in another country, check out the PIA server list here and select a different address.
Regardless of the server address you use, fill in the following information. Before proceeding set both “User Pass Authentication” and “Advanced Options” to “Enable” to open up more options required for connecting to the PIA VPN.
Server IP/Name = us-midwest.privateinternetaccess.com
Port = 1194
Tunnel Device = TUN
Tunnel Protocol = UDP
Encryption Cipher = Blowfish CBC
Hash Algorithm = SHA1
User Pass Authentication = Enable
Username, Password = Your PIA username / password
TLS Cipher = None
LZO Compression = Yes
NAT = Enable
The end result should look something like this:
Scroll down to the “Additional Config” section so we can add a few necessary configuration options to the OpenVPN server.
In the section add the following text:
persist-key
persist-tun
tls-client
remote-cert-tls server
There’s one more very important step. We need to insert the OpenVPN security certificate from Private Internet Access so that our router’s OpenVPN client can connect to their servers.
First, download this zip file from Private Internet Access containing their OpenVPN certificate. Extract the contents of the zip file and then open up the file “ca.crt” with Notepad or another plaintext editor like Notepad++.
Copy the entire block of text including the dashed lines at the top and the bottom that say “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”. Paste that entire block of text into the section toward the bottom of the VPN configuration page labeled “CA Cert”.
Be sure to scroll all the way down and save and apply your changes; you really don’t want to plug all that stuff back in again!
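The fields and Additional Config lines above end up as OpenVPN client directives. The script below is an added example, not part of the original article or of DD-WRT: it audits a client configuration for the points this section depends on (an intact CA certificate paste, remote-cert-tls server, username/password authentication) and notes the 64-bit block size of Blowfish. The sample configuration is constructed, its certificate body is a placeholder, and the mapping from DD-WRT’s GUI fields to these directive names is an assumption.

```sh
#!/bin/sh
# Added example: audit an OpenVPN client config (read from stdin) for the
# settings this tutorial relies on. Prints one finding per line; the exit
# status is the number of FAIL findings.
audit_ovpn() {
    awk '
    function fail(msg) { print "FAIL " msg; return 1 }
    { sub(/\r$/, "") }                       # tolerate Notepad CRLF line ends
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    $1 == "<ca>"  { in_ca = 1; have_ca = 1; next }
    $1 == "</ca>" { in_ca = 0; next }
    in_ca {                                  # inside the pasted CA certificate
        if ($0 == "-----BEGIN CERTIFICATE-----") nbeg++
        else if ($0 == "-----END CERTIFICATE-----") nend++
        else if ($0 !~ "^[A-Za-z0-9+/=]+$") junk++
        next
    }
    { opt[$1] = ($2 == "" ? "set" : $2); arg2[$1] = $3 }
    END {
        n = 0
        if (!have_ca) n += fail("no <ca> block: the server certificate cannot be verified")
        else if (nbeg != 1 || nend != 1 || junk)
            n += fail("<ca> block is not one intact PEM certificate; check the dashed lines")
        else print "OK   <ca> block holds one PEM certificate"
        if (opt["remote-cert-tls"] != "server")
            n += fail("remote-cert-tls server missing: peer certificate role is not checked")
        else print "OK   remote-cert-tls server"
        if (!("auth-user-pass" in opt)) n += fail("auth-user-pass missing")
        if (!("remote" in opt)) n += fail("no remote server configured")
        else print "OK   remote " opt["remote"] " port " arg2["remote"]
        if (opt["dev"] !~ /^tun/ || opt["proto"] !~ /^udp/)
            print "WARN dev/proto differ from the tutorial (TUN over UDP)"
        if (opt["cipher"] ~ /^(BF|DES|CAST5|RC2|IDEA)-/)
            print "WARN cipher " opt["cipher"] " has a 64-bit block; prefer a 128-bit block cipher if the provider offers one"
        exit n
    }'
}

# Constructed sample mirroring the tutorial's settings; the certificate body
# is a placeholder, not a real CA certificate.
sample_config() {
    cat <<'EOF'
remote us-midwest.privateinternetaccess.com 1194
dev tun
proto udp
cipher BF-CBC
auth SHA1
auth-user-pass
comp-lzo yes
persist-key
persist-tun
tls-client
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
EOF
}

sample_config | audit_ovpn || echo "audit reported $? failure(s)"
```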
Confirming The VPN Is Active
After completing the last steps and saving your settings, the VPN should be active. We can confirm the VPN is active both on the router (which will give a status report) and by checking our external IP address.
First, navigate to Status -> OpenVPN.
You should see, in the “State” box, “Client: CONNECTED SUCCESS” followed by a very lengthy status log. If you see anything but that, retrace your steps above and ensure that every setting is exactly as we described.
If everything looks good on the router side of things, open a web browser on any device on your network and perform a simple Google query “what is my ip”. Check the results.
That is most definitely not our normal IP address (a 71.-block address that belongs to our ISP Charter Communications). The VPN is functioning and as far as the outside world is concerned we’re actually browsing the Internet in a U.S. state hundreds of miles from our current location (and with a simple address change we could be browsing from a location in Europe). Success!
Turning The VPN Off
While privacy concerns or desire to always have unfettered access to services like Netflix might lead you to leave your VPN service on 24/7, it’s actually very easy to turn the service off without having to reverse every configuration option we tinkered with above.
If you wish to turn the VPN off permanently or temporarily you may do so by navigating back to Services -> VPN and then, back in the “OpenVPN Client” section, switching the “Start OpenVPN Client” section to “Disable”. All your settings will be preserved and you can return to this section to turn the VPN back on at any time.
Although we had to do some relatively serious digging in the DD-WRT settings menus, the end result is a whole-network VPN that secures all our traffic, routes it anywhere in the world we want to send it, and offers us significantly increased privacy. Whether you’re trying to watch Netflix from India or to keep the local government off your back by pretending to be from Canada, your new VPN-toting router has you covered.