How to setup OpenVPN on a home router

[JT101]

Hi everyone

I must warn you firstly that I'm only slightly tech savvy so I can follow instructions with computers and programming but that's about it. Beyond that and I find it a bit challenging.

So I read about VPN's for creating a secure channel for me to use the internet. I bought a subscription from NordVPN.

I then realised it would be better and much easier if I ran VPN on my router to protect all devices in my home.

However, I'm struggling to do this, and not even sure it's possible. I have a TP-Link TD-W8968. According their tech support it only supports VPN Pass-through i.e. PPTP,L2TP,IPSec Pass-through.

From what I've read the most secure protocols now are Open VPN or IKEv2. OpenVPN seems ok so I'll go with that.

I'm getting conflicting advice from NordVPN and other sources as to whether or not I can setup an OpenVPN on a router. Their site says you have to setup a different protocol on each device which would be a complete pain.

So my questions are, how do I setup OpenVPN or even IKEv2 on a home router, and if possible should I be looking at a new router and if so what models support this. And finally do I need a subscription like NordVPN to do this?

I have searched quite a bit, and have yet to find anything that explains how to do this hence my question.

Thanks in advance

 

[bremen1874]

If you want to connect out to VPN then you will need a suitable subscription.

Connecting everthing via a VPN isn’t necessarily a good idea. It will potentially break somethings.

You can setup OpenVPN on a router but most affordable routers don’t have the processing power for anything much over 10Mbps.

There’s a dedicated VPN thread on here somewhere that you should read.

 

[Bluecube]

Check out the NordVPN support pages as they have setup guides for various VPN protocols and routers.

 

[BigT]

Think of a VPN like a tunnel with two ends. One end is a server and the other a client. So with your Nord subscription, they are providing the server end of the tunnel and your subscription allows you to ‘bore’ your tunnel to the server, your end being the client.

So at your end you need something that supports being a VPN client. Providers give you software that does this for your PC or perhaps your mobile phone. As you’ve correctly identified you can choose to have you router as the client and then everything behind that is protected. So you need a router that supports acting as a VPN client (don’t confuse it with being able to act as a VPN server nor allowing VPN traffic to pass through).

Most consumer routers don’t support acting as a VPN client out of the box and if they can, or made to with custom firmware, then they don’t have the processing power to handle the encryption/decryption at high speeds as @bremen1874 says. Read the other VPN threads here as suggested and you’ll get a feel for what router solutions can do this. They boil down to:

• Consumer router (probably flashed with a custom firmware) and accept the reduction in speeds
• Something with a steep learning curve like a Mikrotik
• Expensive enterprise kit
• pfSense or other open source solution on a physical or virtual machine

 

[JT101]

I've found this one which has dual core processors: ASUS RT-AC66U b1 and

Linksys XAC1900. Should do the trick.


Ok I will read the VPN threads. Anyway, I have a much better understanding of it all now. Thanks

 

[Avalon]

I've found this one which has dual core processors: ASUS RT-AC66U b1 and

Linksys XAC1900. Should do the trick.


Ok I will read the VPN threads. Anyway, I have a much better understanding of it all now. Thanks

Have a look at previous similar threads, the implications and limitations are well discussed in detail - short version is consumer routers are generally bad at this, how bad is dependent on how fast your connection is.

 

[JT101]

yeah I hear what you're saying, and I read through all the posts to see which routers were recommended but I think the better ones such as the Mikrotik hAP Lite Classic are a bit too difficult for me to setup. I read a post on a different site from a guy who was trying to setup one of these routers with NordVPN using the OpenVPN, and it seemed he was struggling, so I think I will too. I guess that's the compromise. The consumer routers are more user friendly but less fit for purpose. To be fair, I'm not on virgin media, or any of the big boys and currently only achieve around 5Mb/s download speed so I doubt it will affect me anyway.
One question I do have though. Let's say hypothetically that I had a 200Mb/s setup with Virgin Media or the like, and I had a Mikrotik router, does my consumer level TP-Link TD-W8968 modem then become a bottle neck? Thanks

 

[Bluecube]

Only if the TP Link is running the OpenVPN connection. You would likely be using the Mikrotik router for that with the TP Link simply being your net connection.

 

[Avalon]

yeah I hear what you're saying, and I read through all the posts to see which routers were recommended but I think the better ones such as the Mikrotik hAP Lite Classic are a bit too difficult for me to setup. I read a post on a different site from a guy who was trying to setup one of these routers with NordVPN using the OpenVPN, and it seemed he was struggling, so I think I will too. I guess that's the compromise. The consumer routers are more user friendly but less fit for purpose. To be fair, I'm not on virgin media, or any of the big boys and currently only achieve around 5Mb/s download speed so I doubt it will affect me anyway.
One question I do have though. Let's say hypothetically that I had a 200Mb/s setup with Virgin Media or the like, and I had a Mikrotik router, does my consumer level TP-Link TD-W8968 modem then become a bottle neck? Thanks

Its not just the hardware that's an issue. Banking, shopping, paying for things, browsing sites, even app store usage and updates can be problematic if running via a non geographically appropriate vpn, consider what you actually need before you decide to push everything via vpn.

In your example you'd be given a different modem.

 

[JT101]

Ok. Well I'm pretty well concerned about security of personal info these days. I'm not bothered about people seeing what I surf the web about i.e. shopping, research etc. They'll find a way to send me targeted marketing one way or another. So really, it's more personal security details such as banking etc from all my devices i.e. mobile phones, ipads, laptop.
So Avalon, presumably I need a new modem too. Are there up market or specialised modems for this task, above and beyond consumer level ones? Presumably the likes of Mikratik sell such things. What sorts of specs would I be looking at? Has this been discussed in these forums already?

Thanks

 

[BigT]

I think you're confusing what different bits of hardware do in the connection from your end device to the internet. Although not this simplistic, you can think of it in three parts:

1. A 'modem' that actually creates a working connection to the internet into your home
2. A router that does all the networking bits in your home terms of assigning IP addresses, firewall rules, network address translation, DMZ or all manner of other things dependent on feature richness including acting as a VPN client and/or server potentially (which is the subject of interest for you)
3. If wireless is involved then a wireless access point.

Typically at the consumer level all three of these things are wrapped up in a one box solution with compromises. Think Virgin Super Hub, BT Homehub, Vodafone Connect router etc. They are also branded/marketed as 'routers' even though they do all three functions. Sometimes you will see third party routers that only do functions 2 and 3 above. They are generally marketed at the consumer level as 'cable routers' because for Virgin you can put their provided router into 'modem' mode which means it does function 1 above and the router does 2 and 3. In actual fact a cable router could work with a VDSL modem. And finally you can buy routers dedicated to the job of point 2 only - the mikrotik you link to is an example as are typically pfSense solutions and Ubiquiti ER-L and USG that you'll see mentioned on here.

The mikrotik hAP is not a model I know, but a quick glance at their website suggests it's is a router only. That means you'll need to work out how you'll do the modem bit and the wireless bit. It is also the reason why @Avalon says to you that you'll be given a different modem. If you're on VDSL now you'll have to have a VDSL modem or router and if you switch to say a Virgin 200Mbit connection they'll give you a superhub which you'll put into modem mode and still use the mikrotik behind it - you won't need a new router each time per-se. One of the nice things about separating out things is that you can have best of breed for each component for your budget and it is reusable as you switch providers and internet technologies. My pfSense box works with my VDSL connection and then when I added a 4G connection via a MiFi device it seamlessly sat behind both WANs.

And to answer your final point about specialist modems, the situation is relatively simple I think. For ADSL/VDSL the BT Openreach modems are just fine. You can buy them on eBay for little money. Otherwise it is Draytek but you get little extra for a fair bit more cash.

If Virgin then the 'modem' will be your superhub in modem only mode

You can also effectively use any ISP provided router as a modem but this introduces some complications (manually turn off wireless, firewall, DHCP and set a static route to your mikrotik) and double-NAT which needn't be a problem but is undesirable. If you receive your internet some other way (WiMax, Satellite, 4G/LTE) then you're probably going to have to do this, although I know you can get LTE modems from the likes of TP-Link and Netgear.

 

[JT101]

Thanks for explaining all that BigT. Actually I didn't quite get what Avalon meant before but now I do. The modem has to be suited to the type of broadband you receive i.e. ADSL, VDSL or FibreOptic. Well I'm very happy with my provider, a small company called DirectSave, and my TP-LINK works fine with it, and I don't want too much equipment i.e. a dedicated WiFi device, so I will just stick to buying a dedicated router.
And re-reading Avalons message, he makes a crucial point. If I run everything via VPN, it may cause me issues with banking, shopping etc etc. Although I'll never know until I try right? Worst case I buy it, and have to sell it on Ebay.
As I said, I might be capable of setting up a Mikrotik router, but it's when things go wrong that I struggle, and i don't have any mates into computer hardware/software, so I'll go for the ASUS RT-AC66U b1.

 

[BigT]

Have you read up on VPN throughput on that router and compared it to your internet speed? Put your network behind that and I don’t think you’ll see more than 20Mbit/s. Fine if you’re on ADSL, but quite a lot of wasted connection if you’re on Virgin.

 

[Bluecube]

It may be worth checking out apps from the VPN providers that allow you to set up a VPN as and when you require it from individual devices. I use NordVPN which has a very easy to use app. Certainly much easier to use and set up than a VPN on a router.

 

[ANDARIAL]

re problems with Banking/Shopping
I have a router that directs ALL my internet traffic through my VPN and have never had an issue with geolocation (location shows me as in another country)
but i suppose ymmv