
Why You’d Want a VPN Running on the Router Itself

I’ve configured VPN clients on individual laptops, phones, tablets, and even a smart TV that fought me every step of the way. After about the fifth device, the overhead becomes obvious: you’re maintaining five separate VPN apps, each with its own login, its own update cycle, and its own tendency to silently disconnect at 2 a.m.

Running the VPN directly on the router eliminates all of that. Every device that connects to your Wi-Fi — including IoT gadgets that don’t support VPN apps natively — gets encrypted traffic without any per-device configuration. One connection covers everything.

The catch is that not every router supports this, and even among those that do, the setup quality varies wildly. AsusWRT-Merlin — a community-maintained firmware fork for Asus routers — is one of the few platforms that does it well, with native OpenVPN and WireGuard client support, policy-based routing, and a kill switch built into the web interface. This guide walks through the entire process, from firmware flash to verified encrypted traffic.

Choosing Between OpenVPN and WireGuard on Merlin

Before touching any settings, you need to pick a VPN protocol. Merlin supports two worth considering, and the choice affects speed, compatibility, and configuration complexity.

OpenVPN: The Established Standard

OpenVPN has been the default for router-level VPN setups for over a decade. Every major VPN provider supplies OpenVPN configuration files. It runs over TCP or UDP, supports nearly every encryption cipher in common use, and has been audited extensively.

The downside is CPU cost. OpenVPN runs in userspace, which means it doesn’t take full advantage of hardware acceleration on most consumer routers. On an older dual-core Asus router, you might cap out at 30-50 Mbps throughput even if your ISP connection is 500 Mbps.

WireGuard: The Faster Alternative

WireGuard is a newer protocol that runs in-kernel and uses a leaner cryptographic stack. On the same hardware that limits OpenVPN to 50 Mbps, WireGuard can often push 150-200 Mbps. The configuration files are smaller, the handshake is faster, and reconnection after a network interruption happens almost instantly.

The tradeoff: not every VPN provider offers WireGuard configs yet, and some providers implement it through proprietary wrappers (like NordVPN’s NordLynx) that may not export clean WireGuard config files for manual router setup.

Protocol Comparison at a Glance

Feature | OpenVPN | WireGuard
--- | --- | ---
Typical router throughput (mid-range Asus) | 30–80 Mbps | 100–250 Mbps
CPU usage | High (userspace) | Low (in-kernel)
Provider support | Universal | Growing, not yet universal
Config file size | 15–30 lines + certs | 8–12 lines
Reconnection speed | 5–15 seconds | Under 1 second
Merlin firmware support | Native since 2014 | Native since 386.x builds
Kill switch in Merlin | Yes | Yes
Audit history | Multiple independent audits | Formal verification of cryptographic primitives

If your VPN provider offers WireGuard configs and your router runs Merlin firmware 386.x or later, WireGuard is the stronger choice for most households. Fall back to OpenVPN if your provider only supplies .ovpn files or if you need TCP mode to punch through restrictive firewalls.

Prerequisites: Hardware, Firmware, and VPN Provider Setup

Step 1: Confirm Your Router Is Compatible

Not every Asus router supports Merlin. The firmware maintains a supported device list that covers models from the RT-AC66U through the current ROG Rapture and RT-AXE series. If your router isn’t on that list, this guide won’t apply — stock AsusWRT has a VPN client, but it lacks policy-based routing and the kill switch reliability that Merlin provides.

Routers with stronger CPUs handle VPN encryption better. Here’s a rough guide based on real-world results from the SNBForums community:

  1. Budget tier (RT-AX55, RT-AX58U): Dual-core, adequate for OpenVPN up to ~50 Mbps or WireGuard up to ~120 Mbps
  2. Mid-range (RT-AX86U, RT-AX88U): Quad-core or strong dual-core, handles WireGuard at 200+ Mbps comfortably
  3. High-end (RT-AX86U Pro, GT-AX6000): Can push WireGuard near ISP line speed on connections up to 500 Mbps
  4. Overkill (GT-AXE16000, ROG Rapture series): If you’re already spending $450+ on a router, VPN throughput is not your bottleneck

Step 2: Flash AsusWRT-Merlin Firmware

If you’re already running Merlin, skip this. If not:

  1. Download the correct firmware .zip from the official Merlin download page for your exact model
  2. Log into your router’s web interface (usually 192.168.1.1 or router.asus.com)
  3. Navigate to Administration → Firmware Upgrade
  4. Upload the Merlin .trx file and wait for the router to reboot — this takes 3-5 minutes
  5. After reboot, do a factory reset (Administration → Restore/Save/Upload Setting → Factory Default) to avoid configuration ghosts from the old firmware

Factory reset is technically optional but strongly recommended. I’ve seen orphaned NVRAM settings from stock firmware cause VPN client crashes on three separate occasions, each of which took hours to diagnose.

Step 3: Get Your VPN Provider’s Configuration Files

Log into your VPN provider’s website and download the router-specific configuration files:

  • For OpenVPN: Download the .ovpn file for your preferred server location. Most providers (ExpressVPN, Mullvad, Private Internet Access, Surfshark) have a manual setup section that generates these.
  • For WireGuard: Download or generate the WireGuard configuration. Mullvad and IVPN provide clean .conf files. NordVPN and Surfshark require you to generate WireGuard keys through their dashboard or API.

Keep your credentials handy — you’ll need your VPN username and password (which are often different from your account login credentials) for OpenVPN, or your private key and endpoint for WireGuard.

The Actual Setup: Step by Step

OpenVPN Client Configuration

  1. Log into the Merlin web interface
  2. Go to VPN → VPN Client
  3. Select a client slot (Merlin supports up to 5 simultaneous VPN clients)
  4. Set Client Instance to your chosen slot and toggle it to ON
  5. Under Import .ovpn file, upload the configuration file from your provider
  6. Enter your VPN username and password in the authentication fields
  7. Under Redirect Internet traffic, select your preferred routing policy:
    • All — everything goes through the VPN
    • Policy Rules — lets you specify which devices use the VPN (more on this below)
  8. Enable Kill Switch by setting “Block routed clients if tunnel goes down” to Yes
  9. Click Apply and wait for the connection status to show a green checkmark

WireGuard Client Configuration

  1. Navigate to VPN → WireGuard Client
  2. Select a client slot
  3. Import your WireGuard .conf file, or manually enter:
    • Private Key (from your provider’s generated config)
    • Address (the tunnel IP assigned to your client)
    • DNS (your provider’s DNS servers, or a privacy-respecting alternative like 9.9.9.9)
    • Peer Public Key (the server’s public key)
    • Peer Endpoint (server address and port)
    • Allowed IPs (usually 0.0.0.0/0 to route all traffic)
  4. Configure routing policy under the same redirect options as OpenVPN
  5. Enable the kill switch
  6. Click Apply
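Before pasting a provider's .conf into the form above, it helps to confirm it actually carries every field the form asks for. The following Python script is an added example, not part of this guide or of Merlin; the sample config is constructed and its two keys are placeholder strings, not real WireGuard keys.

```python
import configparser
import ipaddress

# Constructed sample client config; the two keys are placeholder strings, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY_NOT_A_REAL_KEY=
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY_NOT_A_REAL_KEY=
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# The fields Merlin's WireGuard Client form asks for, grouped by .conf section.
REQUIRED = {"Interface": ("PrivateKey", "Address", "DNS"),
            "Peer": ("PublicKey", "Endpoint", "AllowedIPs")}


def parse_wg_conf(text):
    """Parse a single-peer WireGuard .conf into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep key capitalisation (PrivateKey, not privatekey)
    cp.read_string(text)          # provider client configs carry exactly one [Peer]
    return {s: dict(cp[s]) for s in cp.sections()}


def check_wg_conf(text):
    """Return the problems found; an empty list means the config is ready to import."""
    conf = parse_wg_conf(text)
    problems = [f"[{s}] lacks {k}" for s, keys in REQUIRED.items()
                for k in keys if k not in conf.get(s, {})]
    if problems:
        return problems
    # "Route all traffic" needs an IPv4 default route in AllowedIPs; anything narrower is split tunnelling
    allowed = [ipaddress.ip_network(n.strip()) for n in conf["Peer"]["AllowedIPs"].split(",")]
    if not any(n.version == 4 and n.prefixlen == 0 for n in allowed):
        problems.append("AllowedIPs lacks 0.0.0.0/0: only part of the traffic would be tunnelled")
    # The form takes the endpoint as host and port, so the .conf must carry both
    host, sep, port = conf["Peer"]["Endpoint"].rpartition(":")
    if not (host and sep and port.isdigit()):
        problems.append("Endpoint is not host:port")
    # DNS must be resolver addresses; a missing line was already caught above
    try:
        [ipaddress.ip_address(s.strip()) for s in conf["Interface"]["DNS"].split(",")]
    except ValueError:
        problems.append("DNS is not a comma-separated list of IP addresses")
    return problems
```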

Setting Up Policy-Based Routing

This is where Merlin earns its reputation. Policy-based routing lets you split traffic so that only specific devices use the VPN tunnel while everything else goes through your normal ISP connection.

Practical example: you want your work laptop and phone routed through the VPN, but your smart TV left on the regular connection so its streaming avoids geo-blocking issues.

  1. In the VPN Client settings, set Redirect Internet traffic to Policy Rules (strict)
  2. Add rules by specifying the local IP address of each device and whether it should use the VPN or WAN
  3. You can route by individual IP, IP range, or even by destination domain

The “strict” mode is important — without it, DNS queries can leak outside the tunnel even when traffic is routed through it. Strict mode forces DNS through the tunnel as well, which is the whole point of running a VPN for privacy.

For more on why DNS leaks matter, see our guide on DNS leak prevention and testing.

Common Mistakes That Break the Setup

I’ve helped configure VPN-on-router setups for friends and family more times than I’d like to admit. These are the mistakes that come up repeatedly.

Mistake 1: Skipping the Kill Switch

Without the kill switch enabled, a dropped VPN connection silently reroutes all traffic through your naked ISP connection. You won’t get a notification. You won’t see a warning. Your devices keep working, and you assume you’re still protected. The Merlin kill switch prevents this by blocking internet access for VPN-routed devices when the tunnel drops.

Mistake 2: Using TCP When UDP Works Fine

Some guides recommend OpenVPN over TCP for “reliability.” In practice, TCP-over-TCP (your application’s TCP traffic wrapped inside OpenVPN’s TCP tunnel) causes retransmission cascades that destroy throughput. Use UDP unless you have a specific reason not to — like a network that blocks UDP VPN traffic entirely. The OpenVPN community wiki documents this problem extensively.

Mistake 3: Not Setting a Static IP for Policy-Routed Devices

If your VPN policy routes traffic based on device IP addresses and those addresses are assigned by DHCP, a device might get a different IP after a reboot and fall outside the policy. Fix this by setting DHCP reservations for every device in your policy rules (LAN → DHCP Server → Manually Assigned IP).
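The policy-routing section and Mistake 3 describe the same table from two sides: rules match on source and destination IP (the first matching row wins), and a device with a dynamic lease can drift out of its rule. This Python model is an added example, not Merlin's code; the rules, lease table and the TEST-NET probe address are constructed, and destination-domain rules are not modelled.

```python
import ipaddress

# Constructed sample in the shape of Merlin's Policy Rules table:
# (description, source IP or CIDR, destination IP or CIDR, interface).
# "" means "any". Order matters: the first matching row wins, so the
# smart-TV exception sits above the /27 that contains its address.
RULES = [
    ("smart tv stays on ISP", "192.168.1.50", "", "WAN"),
    ("work laptop", "192.168.1.20", "", "VPN"),
    ("phones (192.168.1.32-63)", "192.168.1.32/27", "", "VPN"),
]

# Constructed DHCP lease table: ip -> (hostname, has a manual reservation?)
LEASES = {
    "192.168.1.20": ("work-laptop", True),
    "192.168.1.40": ("phone-a", True),
    "192.168.1.41": ("phone-b", False),   # dynamic lease inside a VPN rule
    "192.168.1.50": ("smart-tv", True),
    "192.168.1.77": ("printer", False),   # dynamic, but never sent to the VPN
}

# Any public address will do to ask "where does this host's internet traffic go?"
PROBE_DST = "198.51.100.1"   # TEST-NET-2, constructed


def _matches(spec, addr):
    """Empty spec matches anything; otherwise addr must fall inside the IP/CIDR."""
    return not spec or addr in ipaddress.ip_network(spec, strict=False)


def route_for(src, dst, rules=RULES, default="WAN"):
    """Interface a packet from src to dst takes under the policy table.
    Unmatched traffic stays on the WAN, as it does in Merlin's policy mode."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _desc, src_spec, dst_spec, iface in rules:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return iface
    return default


def unreserved_vpn_clients(rules=RULES, leases=LEASES):
    """Mistake 3 check: hosts a rule sends to the VPN that hold only a dynamic lease.
    After a reboot they may get a new address and silently fall outside the policy."""
    return [(ip, name) for ip, (name, reserved) in leases.items()
            if not reserved and route_for(ip, PROBE_DST, rules) == "VPN"]


if __name__ == "__main__":
    for ip, (name, _) in LEASES.items():
        print(f"{name:12s} {ip:15s} -> {route_for(ip, PROBE_DST)}")
    print("needs a DHCP reservation:", unreserved_vpn_clients())
```

Reversing the rule order in RULES sends the smart TV through the VPN because the /27 row then matches first, which is the ordering trap to watch for in the web form.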

Mistake 4: Forgetting to Test for Leaks After Setup

A green checkmark on the VPN status page means the tunnel is up. It does not mean all your traffic is actually going through it. After configuration, visit a leak test site from every device you expect to be tunneled and verify that your reported IP belongs to the VPN, not your ISP.

Mistake 5: Running VPN on an Underpowered Router and Blaming the VPN Provider

If your router has a weak CPU and you’re running OpenVPN, your throughput ceiling is the router’s encryption speed, not your ISP speed or the VPN server speed. Check your router’s CPU usage during a speed test (Tools → System Monitor in Merlin). If it’s pinned at 90%+, the router is the bottleneck. Switching to WireGuard or upgrading the router hardware are the only real fixes.

Verifying the Connection Actually Works

Setup without verification is just optimism. Run these checks from a device that should be tunneled:

  1. IP check: Visit whatismyipaddress.com — the result should show your VPN server’s IP and location, not your ISP
  2. DNS leak test: Use dnsleaktest.com — run the extended test and confirm all DNS servers listed belong to your VPN provider or your chosen DNS resolver, not your ISP
  3. WebRTC leak test: Open a WebRTC leak checker in your browser — browsers can expose your real IP through WebRTC even when VPN is active
  4. Speed test: Run a speed test through fast.com and compare against your speed without VPN — the difference tells you your encryption overhead
  5. Kill switch test: Disconnect the VPN from the router’s VPN Client page and verify that tunneled devices lose internet access, confirming the kill switch is doing its job

If any of these tests fail, you have a configuration problem. The most common culprit is DNS — if your DNS queries are going to your ISP while your traffic goes through the VPN, your ISP can still see which domains you’re visiting. Double-check that the VPN client settings include DNS override, or manually set DNS on the router’s WAN settings to a provider like Quad9.

For a deeper dive into choosing a VPN service that pairs well with router setups, see our best VPN services comparison for privacy.

🔑 Key Takeaways

  • Running a VPN on your router protects every device on the network without per-device app installs — including IoT devices that don’t support VPN software
  • WireGuard outperforms OpenVPN on router hardware by a wide margin; use it if your provider supports it
  • Policy-based routing in AsusWRT-Merlin lets you exclude streaming devices or other traffic that doesn’t need the tunnel
  • Always enable the kill switch — without it, a dropped VPN connection silently exposes your traffic
  • Verify with IP, DNS, and WebRTC leak tests after setup; a green status light alone is not proof of protection

Frequently Asked Questions

Does running a VPN on my router slow down my internet speed?

Yes, to some degree. Every packet gets encrypted on the router’s CPU before leaving your network, and that processing has a cost. On a mid-range Asus router like the RT-AX86U, expect roughly 15-30% speed loss with OpenVPN and 5-15% with WireGuard. The actual impact depends on your ISP speed, the VPN server’s distance, and how much CPU headroom your router has. If your connection is 100 Mbps, you probably won’t notice. If it’s gigabit, you’ll feel it with OpenVPN.

Can I exclude specific devices from the router VPN tunnel?

Absolutely — this is one of Merlin’s strongest features. Policy-based routing lets you define which local IP addresses get routed through the VPN and which bypass it entirely. A common setup is to tunnel laptops and phones while leaving the smart TV and gaming console on the direct ISP connection. Set each device to a static DHCP lease first so the policy rules stay consistent.

Will a VPN on my router work with streaming services like Netflix?

It depends entirely on your VPN provider and server. Streaming platforms maintain blocklists of known VPN IP ranges, and enforcement has tightened steadily. The most reliable approach is to use policy-based routing to keep your streaming device on the regular ISP connection and only tunnel the devices that actually need privacy protection. Trying to force everything through the tunnel usually ends in buffering and error messages.

What happens to my internet if the VPN connection drops on the router?

Without a kill switch, traffic from all VPN-routed devices silently falls back to your unencrypted ISP connection. You get no warning — pages keep loading, and you assume you’re still protected. With Merlin’s kill switch enabled (“Block routed clients if tunnel goes down” set to Yes), those devices lose internet access entirely until the VPN reconnects. That momentary loss of connectivity is the point — it prevents accidental unprotected browsing.

Making It Stick

A VPN on the router is one of those configurations that takes an hour to set up and then runs silently for months. The key is getting the initial setup right — correct protocol choice, kill switch enabled, policy routing configured, and leak tests passed — so you don’t have to think about it again.

If you’re running into throughput issues after setup, our guide on optimizing VPN speed on home networks covers server selection, MTU tuning, and hardware upgrade paths that make a measurable difference. And if you’re still deciding whether a VPN is worth the effort in the first place, the honest answer is that a router-level deployment is the lowest-maintenance way to do it — one configuration point instead of a dozen apps to manage.


Configuration steps verified on AsusWRT-Merlin firmware 388.x running on an RT-AX86U. Interface labels and menu paths may vary slightly across firmware versions and router models.
