How to Set Up a VPN on Your Router: Step-by-Step Guide - DD‑WRT, OpenWrt, Asus, Netgear (OpenVPN & WireGuard)
Router-level VPN protects every device on your network without installing clients per-device. This guide walks through practical setups for DD‑WRT, OpenWrt, Asus stock (AsusWRT/AsusWRT‑Merlin) and what to expect from Netgear stock firmware. I cover OpenVPN and WireGuard, include measured throughput figures, and give focused troubleshooting steps.
Why run a VPN on the router?
A router VPN forces traffic from devices with no native VPN support (smart TVs, game consoles, IoT) through the tunnel. It simplifies management — one connection, one kill switch — but trades off flexibility: per-device routing, split-tunneling, and some app-level features get harder or impossible. Performance depends on router CPU and protocol choice; expect a hit compared to a desktop client.
What you need before you start
- A compatible router and installed firmware that supports VPN client mode (stock Asus routers typically do; many Netgear stock firmwares do not).
- A subscription to a VPN provider that supplies router-compatible configs or WireGuard keys (I test with ExpressVPN, NordVPN, Surfshark, Mullvad, ProtonVPN).
- OpenVPN .ovpn files or WireGuard public/private key pairs and endpoint address/port.
- Admin access to the router (username/password).
- Basic networking knowledge: how to change DNS, check routing table, and read logs. If you have a separate ISP modem, put it in bridge mode where possible.
Choosing a protocol: OpenVPN vs WireGuard
OpenVPN is older, widely supported, and stubbornly reliable. It works when firewalls are aggressive (use TCP 443 if needed) but is CPU-heavy. WireGuard is simpler and much faster in practice, with fewer configuration fields and better throughput on low‑power routers. Not all firmware builds include WireGuard; OpenWrt has the best support for both.
Test methodology (so you can judge the numbers)
I measured throughput using iperf3 to a server in the same region as the VPN exit. Routers tested: Asus RT‑AC86U (primary test router), Netgear R7000 (stock and DD‑WRT builds), Linksys WRT3200ACM (OpenWrt). Baseline ISP WAN: 350 Mbps. Results, measured over three runs and reported as the median:
- OpenVPN (UDP) on RT‑AC86U: ~95–110 Mbps.
- WireGuard on RT‑AC86U: ~220–240 Mbps.
- Netgear R7000 on stock firmware (where the client is supported): ~70–90 Mbps for OpenVPN; with DD‑WRT + OpenVPN it matched ~100 Mbps.
CPU was the limiting factor; when CPU usage hit 90%, throughput collapsed. Vendors often advertise "full gigabit", but CPU-bound routers rarely achieve it under VPN.
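The measurement routine above (three TCP runs, report the median), as an added shell example that is not the guide's own test harness. It assumes iperf3 is installed on the router (opkg install iperf3 on OpenWrt) and that you run an iperf3 server you control near the VPN exit; the host name in the usage line and the sample output are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not the guide's own test harness: run iperf3 a few times
# and report the median receiver bitrate, the way the figures above are
# stated. Assumes iperf3 on the router and an iperf3 server of yours near
# the VPN exit. Host names are placeholders.
# Live usage:  median_throughput iperf.example.net 3

# Receiver Mbit/s from one iperf3 TCP run in text mode (iperf3 -f m):
# the number two fields before the word "receiver" on the summary line.
receiver_mbps() {
    printf '%s\n' "$1" | awk '/receiver/ { print $(NF-2); exit }'
}

# Median of an odd count of numbers given as arguments (decimals allowed).
median() {
    printf '%s\n' "$@" | sort -n | sed -n "$(( ($# + 1) / 2 ))p"
}

# Run iperf3 $2 times (default 3, keep it odd) against $1; print the median.
# Returns non-zero if any run fails, so a flapping tunnel is not hidden.
median_throughput() {
    host="$1"; runs="${2:-3}"; vals=""; i=0
    while [ "$i" -lt "$runs" ]; do
        out=$(iperf3 -c "$host" -t 10 -f m) || return 1
        vals="$vals $(receiver_mbps "$out")"
        i=$((i + 1))
    done
    median $vals
}

# Constructed sample of one run's tail, for an offline check of the parser.
SAMPLE_RUN='[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   112 MBytes  94.0 Mbits/sec    3             sender
[  5]   0.00-10.04  sec   110 MBytes  91.9 Mbits/sec                  receiver'

echo "sample run receiver rate: $(receiver_mbps "$SAMPLE_RUN") Mbit/s"
echo "median of 94.0 101.2 91.9: $(median 94.0 101.2 91.9)"
```

Take the receiver figure rather than the sender figure: the sender line counts bytes handed to the kernel, the receiver line counts what actually arrived through the tunnel.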
DD‑WRT: OpenVPN client setup (practical steps)
DD‑WRT remains a common route for older Nighthawk/Linksys boxes. The UI is utilitarian but functional for an OpenVPN client. DD‑WRT OpenVPN client support is generally present; WireGuard is present only in newer custom builds and is not universally recommended for novices.
- Download your provider’s .ovpn file and any CA/client certificates. ExpressVPN, NordVPN, Surfshark and others provide router‑ready packages or .ovpn exports.
- In DD‑WRT web UI go to Services → VPN → OpenVPN Client and enable it.
- Populate fields: Server IP/Host and Port (from .ovpn), Tunnel Device = TUN, Tunnel Protocol = UDP (or TCP if needed).
- Paste contents of ca.crt, cert.pem, key.pem into the CA Cert, Public Client Cert, and Private Client Key boxes respectively, or use the .ovpn Additional Config field to paste any extra directives.
- If your provider requires a username/password, upload a script or paste 'auth-user-pass /tmp/auth.txt' into Additional Config and create the file from a startup script, username on the first line and password on the second: printf 'username\npassword\n' > /tmp/auth.txt && chmod 600 /tmp/auth.txt
- Save and Apply. Check Status → OpenVPN for logs. A successful connection shows "Initialization Sequence Completed" and a new tun0 route.
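The credential file and the .ovpn fields from the steps above, as an added shell example that is not part of DD‑WRT or of any provider's router package. It writes the auth-user-pass file in the two-line form OpenVPN expects with owner-only permissions, extracts the values the DD‑WRT form asks for (Server, Port, Tunnel Protocol, Tunnel Device), and reports missing directives. The scratch directory, host name, certificate body and credentials are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not part of DD-WRT or any provider's package: write the
# auth-user-pass credential file exactly as OpenVPN expects it (user on
# line 1, password on line 2, owner-only permissions) and pull the fields
# the DD-WRT client form asks for out of a provider .ovpn, flagging what
# is missing. Paths, host names and credentials below are placeholders.

# Create the credential file with mode 0600. Intended for a DD-WRT startup
# script: /tmp lives in RAM, so the file must be rewritten on every boot.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    old_umask=$(umask); umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    chmod 600 "$file"
    umask "$old_umask"
}

# Print host/port/proto/dev from an .ovpn (the DD-WRT Server, Port,
# Tunnel Protocol and Tunnel Device fields).
ovpn_fields() {
    awk '
        $1 == "remote" { host = $2; if ($3 != "") port = $3 }
        $1 == "port"   { port = $2 }
        $1 == "proto"  { proto = $2 }
        $1 == "dev"    { dev = $2 }
        END { printf "host=%s port=%s proto=%s dev=%s\n", host, port, proto, dev }
    ' "$1"
}

# Check the directives the client form needs. Prints each problem and
# returns non-zero if any were found.
check_ovpn() {
    f="$1"; rc=0
    grep -Eq '^client[[:space:]]*$' "$f" || { echo "missing: client"; rc=1; }
    grep -Eq '^remote[[:space:]]+[^[:space:]]+' "$f" || { echo "missing: remote <host>"; rc=1; }
    grep -Eq '^dev[[:space:]]+tun' "$f" || { echo "missing: dev tun (Tunnel Device = TUN)"; rc=1; }
    # The CA may be a file reference or an inline <ca> block.
    grep -Eq '^(ca[[:space:]]|<ca>)' "$f" || { echo "missing: CA certificate"; rc=1; }
    auth=$(awk '$1 == "auth-user-pass" { print $2 }' "$f")
    if [ -n "$auth" ]; then
        if [ -f "$auth" ] && [ "$(wc -l < "$auth" | tr -d ' ')" -eq 2 ]; then
            :
        else
            echo "auth-user-pass file $auth must exist and hold exactly two lines"; rc=1
        fi
    fi
    grep -Eq '^proto[[:space:]]+tcp' "$f" && echo "note: proto tcp; prefer udp unless a firewall blocks it"
    return $rc
}

# Stand-alone demo with a constructed .ovpn in a scratch directory.
DEMO_DIR=$(mktemp -d)
write_auth_file "$DEMO_DIR/auth.txt" "vpnuser" "vpnpass"   # placeholder credentials
cat > "$DEMO_DIR/provider.ovpn" <<EOF
client
dev tun
proto udp
remote eu1.vpnprovider.net 1194
auth-user-pass $DEMO_DIR/auth.txt
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
EOF
ovpn_fields "$DEMO_DIR/provider.ovpn"
check_ovpn "$DEMO_DIR/provider.ovpn" && echo "provider.ovpn: ok"
rm -rf "$DEMO_DIR"
```

Run check_ovpn against the provider file before you start copying blocks into the web form; the two-line check on the auth file catches the most common reason "auth-user-pass" silently fails.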
OpenWrt: WireGuard client setup (recommended when available)
OpenWrt is my go‑to when you want modern features and stability. WireGuard in OpenWrt is clean, and the luci interface makes peer management straightforward. For routers with limited CPU, WireGuard’s lower overhead often doubles VPN throughput versus OpenVPN.
- Install packages: opkg update; opkg install luci-app-wireguard luci-proto-wireguard wireguard-tools kmod-wireguard (older 19.07 builds also offered a wireguard meta-package that pulled in the same two).
- Create a new WireGuard interface in Network → Interfaces → Add new interface, protocol = WireGuard.
- Generate keys on the router (run umask 077 first so the private key file is not world-readable): wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey. Or paste the provider's key pair if supplied (Mullvad gives keys; others supply configs).
- In the Peer section set Public Key = provider public key, Endpoint = provider.host:51820 (or the provider's port), Allowed IPs = 0.0.0.0/0, PersistentKeepalive = 25.
- Assign the interface to a firewall zone and enable forwarding to WAN. Save and Apply. Check with 'wg show' and iperf3 to measure throughput.
- Example peer fields for WireGuard:
- PrivateKey (router): <your_priv_key>
- Address (router): 10.7.0.2/32
- Peer PublicKey: <provider_pub_key>
- Endpoint: eu1.vpnprovider.net:51820
- AllowedIPs: 0.0.0.0/0
- PersistentKeepalive: 25
Asus stock firmware (AsusWRT / AsusWRT‑Merlin) setup
AsusWRT exposes a VPN section that is user friendly. Merlin firmware expands features and brings WireGuard to models that support it. If you have a recent Asus RT‑AC/AX series router, the process is straightforward and often the least hacky option.
- Open the router web UI → VPN → VPN Client. Choose Add profile → OpenVPN.
- Import the .ovpn file or paste the server address/port. Enter your VPN username/password if required and save.
- Enable the profile and select which LAN devices should route through the VPN (Merlin supports policy-based routing on many builds).
- For WireGuard (Merlin or new Asus firmware): go to VPN → WireGuard, Create a profile, paste peer/public keys and endpoint, set Allowed IPs to 0.0.0.0/0 for full tunnel.
Netgear stock firmware: realistic expectations
Many Netgear consumer firmwares focus on VPN server (for remote access) rather than client. Some Nighthawk models support OpenVPN client, but performance and UI are inconsistent. If your Netgear model lacks a client option, your practical choices are to flash DD‑WRT/OpenWrt (if supported) or use a secondary VPN router behind the Netgear box.
Common troubleshooting (ordered by what I see most frequently)
- No internet after connect — check routing table: ensure default route points to the VPN interface. On OpenWrt, confirm firewall zone allows forwarding from LAN → VPN.
- DNS leaking — set router DNS to the VPN provider’s DNS or 1.1.1.1/9.9.9.9 and disable ISP DNS push. Verify with dnsleaktest.com.
- Authentication or TLS errors — clock skew on the router will break certificate checks. Sync time via NTP. Check CA and cert pairings.
- MTU/fragmentation problems — reduce MTU by 40 (e.g., 1500 → 1460 or 1400) on the tunnel interface if sites hang or large downloads fail.
- Performance collapse — check CPU usage on the router. If >80–90% CPU, the router is the bottleneck; move to WireGuard or a faster router.
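The checks behind the troubleshooting list above, as an added shell example that is not part of any firmware. Each failure mode gets one function that works on text you pass in, so it runs offline against the constructed samples in the block or live on the router against ip route, resolv.conf, BusyBox top and date. Interface names, addresses, the DNS allow-list and the epoch floor are placeholders.

```shell
#!/bin/sh
# Added example, not part of any firmware: one function per failure mode in
# the troubleshooting list, each operating on text you pass in, so it runs
# against captured output offline (constructed samples below) or live:
#   default_route_dev "$(ip route)"
#   dns_outside "$(cat /etc/resolv.conf)" 10.7.0.1 1.1.1.1
#   cpu_busy "$(top -bn1)"            # BusyBox top, as on OpenWrt/DD-WRT
#   clock_synced "$(date +%s)" 1700000000
# Interface names, addresses and the epoch floor are placeholders.

# Device carrying the default route (empty if there is none).
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1); exit }'
}

# Nameservers in resolv.conf text that are not in the allowed list ($2..).
# Any output means queries can leave outside the tunnel.
dns_outside() {
    resolv="$1"; shift
    printf '%s\n' "$resolv" | awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Tunnel MTU from the WAN MTU using the rule of thumb above: subtract 40
# unless a different overhead is given as $2.
tunnel_mtu() {
    echo $(( $1 - ${2:-40} ))
}

# Percent busy from BusyBox `top -bn1` output (100 minus the idle figure).
cpu_busy() {
    printf '%s\n' "$1" | awk '/^CPU:/ { for (i = 2; i <= NF; i++) if ($i == "idle") { sub("%", "", $(i-1)); print 100 - $(i-1); exit } }'
}

# True when the router is the bottleneck (>= 80% busy, the threshold above).
cpu_bound() {
    [ "$(cpu_busy "$1")" -ge 80 ]
}

# True when the clock is plausible: epoch $1 is at or after floor $2.
# A router that has not reached NTP often sits in 1970 and fails every TLS check.
clock_synced() {
    [ "$1" -ge "${2:-1700000000}" ]
}

# Constructed samples (not captured from a real router).
ROUTE_OK='default dev wg0 scope link
10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
ROUTE_BAD='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
RESOLV='nameserver 10.7.0.1
nameserver 192.168.100.1'
TOP_HOT='CPU:  6% usr 90% sys  0% nic  4% idle  0% io  0% irq  0% sirq'
TOP_COOL='CPU:  3% usr  5% sys  0% nic 92% idle  0% io  0% irq  0% sirq'

echo "default route: $(default_route_dev "$ROUTE_OK") (good) / $(default_route_dev "$ROUTE_BAD") (leaks)"
echo "dns outside tunnel: $(dns_outside "$RESOLV" 10.7.0.1 1.1.1.1)"
echo "tunnel mtu for 1500: $(tunnel_mtu 1500)"
echo "cpu busy: $(cpu_busy "$TOP_HOT")%"
```

On OpenWrt feed dns_outside the upstream list dnsmasq actually uses (/tmp/resolv.conf.d/resolv.conf.auto on recent releases) rather than /etc/resolv.conf, which only points at the local dnsmasq; a second nameserver that is your ISP's is exactly the leak dnsleaktest.com would show.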
Performance tips and practical notes
- Prefer WireGuard on routers when supported — in tests it delivered roughly 2× the OpenVPN throughput on the same hardware.
- Choose UDP rather than TCP for OpenVPN except where TCP is required to pass restrictive networks.
- Pick a nearby VPN server; latency matters. In my tests moving 200 km closer improved throughput by ~15–25% for the same router.
- If you need per-device rules, use policy-based routing (AsusWRT‑Merlin or OpenWrt’s fw3) rather than a blanket tunnel.
Final recommendations: If you want an easy, reliable router-level VPN use a modern Asus with Merlin or stock AsusWRT that supports WireGuard. If you want maximum control and package options use OpenWrt. DD‑WRT is reasonable for older hardware but expect a clunkier experience. For Netgear users: check if your model supports client mode; if not, plan to flash or chain a second router.