I often get requests via EMail, sadly I can’t answer them all but I try to pick some interesting stuff which I can explain here in detail. In general, if you’re looking for a good and solid VPN router, you can’t go wrong with Asus because they offer a great lineup of VPN-ready routers – from cheap to very high-end prices.
First things first – why VPN on your Router?
I do believe and have some evidence that most (if not all) ISP’s are selling your data which includes Browser history (visited page) and more, they usually see your DNS traffic and can come to a conclusion which pages you like and visit often. Such data are interesting for Amazon & Co. Besides you harden your security setup up to 90% while using a VPN, because MITM attacks aren’t possible.
The basic example shows in a nutshell why you always should use a VPN (no matter what) while you’re connected to the Internet.
Choosing the right Router
There are many projects which selling pre-configured Routers, like FlashRouters or Sabai Technology if you#re too lazy to do it yourself, however, I’m not really a fan of such projects because you pay extra for something you can do yourself and this also guarantees that no has tampered your Router or it’s firmware. It’s more a trust thing, I haven’t heard something bad about FlashRouters or Sabai in my years of Router security firmware research.
For VPN enabled routers that natively (within the official firmware) support OpenVPN, you have three main choices:
- Asus Routers – Asus is my favourite option because they offer a large lineup of VPN enabled routers. Not all Asus routers are VPN enabled – see the Asus section below for a complete list of routers and specifications.
- Buffalo Routers – Buffalo offers a small selection of DD-WRT routers. Unfortunately, the highest powered router is the Buffalo N600, which is somewhat underpowered for VPN use at only 680 MHz CPU. But for basic web browsing, it may be fine.
- Synology Routers – Synology currently offers two routers that can be quickly configured with OpenVPN with little time and effort (no flashing): The RT1900AC and the RT2600AC coming already with the correct firmware.
Asus is here the better choice in my opinion because they offer more products which are OpenVPN ready. I’m also not really a Buffalo and Synology fan because they often have serious leaks in their hardware or software solutions.
The key here is to choose a powerful router which has decent hardware, OpenVPN requires a good processor otherwise it might throttle your speed down and you wonder why your VPN provider might not deliver the speed you expect.
Asus is rolling out new routers with powerful processors that can do exceptionally well with VPN encryption. Based on test reports I’ve seen in forums, the new Asus RT-AC86U can hit speeds over 150 Mbps with OpenVPN. There also more expensive routers from Asus but it’s up too you if you really like to spent 300 Dollars for a router.
The AsusWRT stock firmware natively supports OpenVPN, L2TP, and PPTP encryption protocols. Setup is easy which takes around 20 minutes or less and you can load numerous VPN configurations onto your router – which is something you can’t do with DD-WRT due to its current limitations. However, OpenWRT (merged with LEDGE) might solve this (if compatible).
VPN University was so kind to provide a video how you can setup your Router with OpenVPN. It’s very easy.
Here are the Asus routers that are VPN enabled and can be set up with minimal effort (with the corresponding CPU):
- Asus RT-N66U (600 MHz)
- Asus AC1750 (RT-AC66U) (600 MHz)
- Asus AC1900 (RT-AC68U) (800 MHz, dual core)
- Asus RT-AC87U (1,000 MHz – dual core)
- Asus RT-AC3200 (1,000 MHz – dual core)
- Asus RT-AC3100 (1,400 MHz – dual core)
- Asus RT-AC88U (1,400 Mhz – dual core)
- Asus RT-AC5300 (1,400 MHz – dual core)
- Asus RT-AC86U (1,800 MHz – dual core with AES-NI)
- Asus GT-AC5300 (1,800 MHz – quad core with AES-NI)
- All newer models also including OpenVPN support!
The Asus RT-C86U is most likely the fastest because it allocates 900 MHz of CPU per core, rather than 450 MHz of CPU per core with the GT-AC5300. I’ve found Asus routers to be very stable with good performance, while also being easy to set up. The stock firmware allows you to setup custom DNS and can also block IPv6 (if you want or your VPN provider suffers from an IPv6 leakage). Additionally, Asus routers are very versatile and can be used with lots of other firmware, such as Asus Merlin, DD-WRT, Tomato, AdvancedTomato, OpenWRT and Sabai OS.
My choice – Asus Merlin Firmware
I choose and recommend the Merlin firmware (open source) which is arguably more secure – due to regular updates – and also offers more features. AsusWRT by Merlin is a third-party open source firmware that builds on and improves the AsusWRT firmware. AsusWRT by Merlin is one of the best options if you want a secure, user-friendly firmware with lots of features for use with a VPN.
A Merlin AsusWRT router offers the following benefits:
- Enhanced security – Merlin AsusWRT is regularly updated to fix bugs and security vulnerabilities. You can verify the latest security fixes on the changelog. The developer is active, unlike with some other firmware.
- Policy-based and selective routing – This allows you to select specific devices or destinations to use the VPN, with everything else going through the regular ISP connection. Merlin’s user-friendly policy-based routing feature is a distinguishing factor separating it from other VPN routers. Some people need this for bypassing the VPN, such as with Netflix or other websites.
- Kill switch – A kill switch will block all internet traffic if the VPN connection is lost. Setting up a properly functioning kill switch can be tricky with some VPN routers. With Merlin AsusWRT, this is quite easy. An example how you setup such a switch is given in this video by Moritz FI.
- Multiple VPN clients and servers – Merlin AsusWRT allows you to configure two VPN servers and up to five VPN clients. You can also use different VPN clients at the same time with different devices (but I would recommend a higher CPU router in this case).
- Merlin AsusWRT is a reliable, secure, and feature-rich option for Asus routers.
- Good support in the official forum.
Combining a high-performance Asus router (such as the Asus RT-C86U) with Merlin firmware and a high-quality VPN service is one of the best options for securing your home network.
This is a good project but it’s unfinished and the reason why I not explicitly mention it (yet) as alternatives.
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come.
(Quote from https://www.wireguard.com/)
However, it’s a promising alternative to OpenVPN and I’m really looking forward to see much more of this little project, I will definitely review it once it’s in a better (final) state.
Notice on Performance
The VPN router’s processor (CPU) is arguably the biggest factor affecting overall speed (assuming you are using a good VPN). Unfortunately, most consumer-grade processors are underpowered when it comes to handling encryption with a VPN. But on a positive note, this is starting to change with some of the newest routers on the market (see the Asus RT-AC86U for example).
Another consideration is the number of cores with the processor. OpenVPN is single-threaded and cannot be split up across multiple processor cores. Therefore, with a VPN, a 1.0 GHz dual-core router (500 MHz per core) may be faster than a 1.4 GHz quad-core processor (350 MHz per core).
And finally, there are also some processors with AES-NI, which is an instruction that accelerates VPN encryption speeds. This can make a huge difference in performance. If you need more bandwidth for streaming or torrenting, 800+ MHz or more is a good idea, but preferably on the higher end.
Personally, I use two brands Asus and AVM when it comes to routers and they never have let me down. The important thing is on Asus side that you flash another firmware which gives you more possibilities, you also can do this with Freetz on AVM side. The Merlin aftermarket firmware for Asus is, in my opinion, a good replacement for the stock firmware and offers a lot. It has decent support and a good GitHub page which also explains the missing parts from the official homepage.
The RT-AC86U is a very good choice the OpenVPN performance is very good for the price and it offers you a lot of features, in case you need more ports, go for the RT-AC88U (which has 8 ports), however, the OpenVPN performance in this series is not as good as in the RT-AC86U.
Keep in mind that the current OpenVPN implementation (2.4.6) allows a maximum of 265 Mbps (on single-core CPU)!