VPN on router as opposed to device interface


Louis Car

Occasional Visitor
I'm fairly close to choosing a VPN and haven't used one to date so am still researching best ways to implement it.

Apart from my PC I have 2 Android devices and a Qnap NAS, and initially it struck me as a sensible move to have everything go through the router setup to use the VPN account.
Currently I see a couple of possible disadvantages (probably more to be pointed out by the more savvy of you out there).

1) Not easy to change IPs, actually probably a pain whereas through PC / Android interface quite easy?
2) Possible drop in speed due to CPU Power (how will the RT-AX86U perform when dealing with encryption - I'm aware it's not the most powerful of Asus' offerings?)

If I opt for the separate device control I'm not quite sure what to do about the NAS drive; I'm used to Qnap's Linux being a bit quirky and it may not have a version of control available for that.

Any suggestions / help / observations or experiences would be helpful.
 

eibgrad

Very Senior Member
The RT-AX86U should be able to handle the VPN quite well. Then again, I don't know what kind of bandwidth your ISP is offering, and your minimal expectations from the VPN. There's always some loss of throughput, no matter how good the router. And of course, there are limitations imposed by the VPN provider.

The issue of changing IP, which I presume you mean change the server IP, can be managed by configuring multiple OpenVPN clients, each w/ its own server IP/domain-name, assuming you're willing to install Merlin firmware. And even for a single OpenVPN client, it's possible to specify multiple servers (in the form of remote directives) in the customization field (OEM or Merlin) so the OpenVPN client has multiple options. You can have it run sequentially or randomly through a list of potential servers until it establishes a connection.

Personally, I run the OpenVPN client off a small form-factor PC and route my network through it. But that's mostly because I'm using a much less powerful router than you; the ASUS RT-AC68U. I just prefer the cost savings of this approach (since it cost me nothing extra; I already had all the parts) rather than upgrading my router (something I'm otherwise completely satisfied with).
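As an added illustration of the multiple `remote` directives mentioned above (an example written for this thread, not taken from the post or from the Asuswrt-Merlin firmware): the extra directives one would paste into the OpenVPN client's custom configuration field, assuming the GUI already supplies the basics (client mode, tun device, protocol, certificates and keys). The server hostnames are placeholders.

```conf
# Added example, not from the thread. Paste into the OpenVPN client's
# custom configuration field; the GUI is assumed to already provide
# client / dev / proto and the certificate material.

# Several candidate servers. The client walks this list, one entry at a
# time, until a connection is established. Hostnames are placeholders.
remote us1.vpn-provider.example 1194 udp
remote us2.vpn-provider.example 1194 udp
remote gb1.vpn-provider.example 443 tcp

# Shuffle the list on each start instead of always trying us1 first.
remote-random

# Keep retrying name resolution if the WAN is briefly down at boot.
resolv-retry infinite

# Seconds to wait for a server to answer before moving to the next remote.
server-poll-timeout 10

# How many times each remote entry is tried before the client gives up
# (a successful connection resets the counter).
connect-retry-max 3

# Require the peer to present a certificate marked as a server certificate,
# so the client refuses to complete the handshake with anything else
# presenting a valid certificate from the same CA.
remote-cert-tls server
```

The `remote` lines are tried in list order unless `remote-random` is present, so the order (or the shuffle) is what decides which exit country you land in by default.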
 

Louis Car

Occasional Visitor
Thanks for the insight Eibgrad.
I am only on 100 Mbps internet, and a little degradation, which is expected, would be fine.

I am running Merlin but haven't got my head around the ideas you express or the remote directives, but I'll look into that. I'm a bit new to the VPN side of things so have a few things to gen up on. I'm expecting WireGuard to be implemented soon too on the AX86U, but till then I'll definitely be looking to use OpenVPN.
 

dosborne

Very Senior Member
Where you choose to implement a VPN depends primarily on what you are trying to protect.

In general, running it on your router is the simplest and most logical, as you can easily decide which specific traffic will be routed through the VPN (and what better place than a router!) or all traffic (which is usually overkill).

By selecting certain devices or apps to be redirected you aren't overburdening the VPN with traffic that doesn't need to be redirected which minimizes the performance impact.

I too am confused by your first point about IP addresses. Not sure what you are referring to.

There are at least 3 main areas to consider when talking about a VPN (at least that I have encountered).
1 - protecting some (or all) outbound traffic from your LAN. Usually by running a VPN client on your router for other devices on your LAN.
2 - protecting your mobile devices as you roam outside your home LAN (using free wifi for example). Using a VPN provider app to connect to your VPN provider or back to your own LAN.
3 - providing a secure entry point back to your lan to access data or devices or even tunnel back out to the internet. Usually accomplished by running a VPN server on your router (or other device).

VPN providers typically limit the number of systems you can connect at once (or have to pay more) so that is also a good reason to run it on your router and it can protect all the devices on your lan through 1 connection.
 

Louis Car

Occasional Visitor
> Where you choose to implement a VPN depends primarily on what you are trying to protect.
>
> In general, running it on your router is the simplest and most logical, as you can easily decide which specific traffic will be routed through the VPN (and what better place than a router!) or all traffic (which is usually overkill).
>
> By selecting certain devices or apps to be redirected you aren't overburdening the VPN with traffic that doesn't need to be redirected which minimizes the performance impact.
OK, so this is where I am somewhat confused: if the VPN is in the router I always thought all traffic would have to go through it, whereas (for instance on the PC) you can just turn the VPN on/off at will via the app.

Can you explain how the router-based solution can be controlled for different devices?
> I too am confused by your first point about IP addresses. Not sure what you are referring to.
Sorry for the confusion. I meant changing the server IP so you come from a country of your choice. E.g. some news articles cannot be read if they are in the US and they detect you are from the EU or GB, so switching to a US IP will solve this.
> There are at least 3 main areas to consider when talking about a VPN (at least that I have encountered).
> 1 - protecting some (or all) outbound traffic from your LAN. Usually by running a VPN client on your router for other devices on your LAN.
> 2 - protecting your mobile devices as you roam outside your home LAN (using free wifi for example). Using a VPN provider app to connect to your VPN provider or back to your own LAN.
> 3 - providing a secure entry point back to your LAN to access data or devices or even tunnel back out to the internet. Usually accomplished by running a VPN server on your router (or other device).
Something I also get confused with. On my NAS I installed OpenVPN as an experiment, and that doesn't seem to need a paid VPN; it is simply a means to access the NAS, exposed to the net, to reach its interface without opening port 8080. I don't really need to do that however, so I never used it; instead I closed off all ports and left my FTP running and accessible to the outside world, but on a completely different port to 21.

> VPN providers typically limit the number of systems you can connect at once (or have to pay more) so that is also a good reason to run it on your router and it can protect all the devices on your LAN through 1 connection.
Understood, the ones that I've been considering give enough simultaneous connections for my use. I am on my own here and need 4 at most. TorGuard I think give 8 connections on their basic plans.

Thanks for the food for thought. It's hard to see a lot of the ideas before the hands-on experience, so some of the things, especially when using the router, I didn't think were possible.
 

slrt

Occasional Visitor
Any VPN software (TLS-based like OpenVPN and WireGuard, or IPsec) allows defining traffic selectors, whereby only a specific set of traffic is encrypted. You should definitely use them. The key question is what is your use-case.
 

Tech9

Part of the Furniture
> VPN providers typically limit the number of systems you can connect at once (or have to pay more) so that is also a good reason to run it on your router and it can protect all the devices on your LAN through 1 connection.

It depends what the VPN will be used for. We use one single NordVPN account to access streaming services in other countries. It allows up to 6 devices/connections. All my family members have VPN capable devices, all my TVs are attached to VPN capable boxes. For that reason I don't need to run VPN client on my firewall. With 4 family members, we can all be connected to different exit points at the same time. In relation to this thread - everyone is free to choose what they want to do. I don't bother re-configuring my firewall.

> The key question is what is your use-case.

Indeed.
 

Louis Car

Occasional Visitor
> It depends what the VPN will be used for. We use one single NordVPN account to access streaming services in other countries. It allows up to 6 devices/connections. All my family members have VPN capable devices, all my TVs are attached to VPN capable boxes. For that reason I don't need to run VPN client on my firewall. With 4 family members, we can all be connected to different exit points at the same time. In relation to this thread - everyone is free to choose what they want to do. I don't bother re-configuring my firewall.
>
> Indeed.
I guess multiple uses. Access to some streaming for sure and other geo restrictions. Increasing lack of privacy and tracking (my ISP is known to make use of (sell) our browsing habits, for instance), so the router idea, if flexible enough, might be the better solution as all devices can go through most of the time.
I need to figure out if the NAS should be part of this, as I let it do its thing most of the time, but I do want to be able to share stuff with people on occasion from it; as I say, I've closed everything off but FTP, which a lot of people don't find easy or convenient to use.

So generally more privacy minded usage of my devices on the net and getting over geo restrictions when needed.
 

Tech9

Part of the Furniture
> So generally more privacy minded usage

You'll be paying the commercial VPN provider and sending them all your browsing habits. What they are going to use the information for no one knows. They all promise many things in the process of asking for your credit card number. Some sites will refuse services, VPN exit points are known. You are going to create more issues for you and your family. Every time you need to change the VPN server you connect to you'll have to login to your router and re-configure the client. Every time you get blocked because of VPN you'll have to login again and re-route your client. I don't find it convenient.
 

bertradio

Occasional Visitor
I have experimented with 2 VPN services: PIA and Mullvad. Both can be run from apps or the router. With Merlin you can select which devices use the VPN. This is useful because some devices won't work with a VPN and for some it's not needed.

In my case, I route our smartphones and most IoT devices through the VPN.

I run Linux Mint on my desktop and laptop. On both I use the VPN apps. This permits easily changing servers if necessary or disabling the VPN temporarily for sites which block it. Both PIA and Mullvad also have split tunneling, which permits excluding certain apps and, in the case of PIA, certain IP addresses from the VPN. Split tunneling is a bit more complicated with Mullvad, but easily implemented. The way they handle split tunneling is a bit different. You cannot do split tunneling if you set up the VPN on your router.

I have a 200 Mbps down and 11 Mbps up ISP connection which generally tests at 235/11. Using the router VPN I get 120/11. Using the Linux PIA or Mullvad apps I get around 220/11. So speed is not an issue for me.
 

slrt

Occasional Visitor
To reduce the data available to your ISP your best option is to forgo the ISP's DNS, in favor of Cloudflare. You should also enable DNS over HTTPS or DNS over TLS (both on your mobile devices, and on your router). This would prevent manipulation and blacklisting by your ISP, and essentially make traffic to servers hosted on AWS/GCP/Azure opaque to your ISP.
 

Tech9

Part of the Furniture
> and essentially make traffic to servers hosted on AWS/GCP/Azure opaque to your ISP.

The ISP can still track your browsing history and habits, if they want to. They may not see the actual DNS queries, but they know what IPs you are connecting to and what data is coming back to you, if unencrypted. It's a pretty accurate method. There is no total privacy, if you connect to another place over Internet. Some folks chasing privacy ideas hurt or limit themselves only with VPNs, IP/DNS blockers, proxies, Tor. Most reverse or abandon the strategy after family members start to complain.
 

slrt

Occasional Visitor
> The ISP can still track your browsing history and habits, if they want to. They may not see the actual DNS queries, but they know what IPs you are connecting to and what data is coming back to you, if unencrypted. It's a pretty accurate method. There is no total privacy, if you connect to another place over Internet. Some folks chasing privacy ideas hurt or limit themselves only with VPNs, IP/DNS blockers, proxies, Tor. Most reverse or abandon the strategy after family members start to complain.
Changing the DNS prevents blacklisting, and increases privacy to some degree. Of course your ISP can still learn a lot from tracking you, however as you said, using VPN etc. cripples the experience, so mostly it's not worth it.
I don't know about the ISP in question, but mine has a tracking toggle in their customer account page. Naturally the toggle is "on" by default, and hidden in an obscure sub page, behind a scroll. All it was missing was a "beware of the leopard" sign...
 

Tech9

Part of the Furniture
ISPs in many countries are required by law to keep records for a specific number of months. They do it not because they are all bad guys, but because they have to comply. Otherwise they won't be able to provide services to you. VPNs based in such countries also have to comply with local regulations. What they can offer is best effort to protect privacy. One example - PIA VPN, registered in the USA, one of the Five Eyes Alliance countries. Who runs it, CIA? I don't know.
 

Clark Griswald

Senior Member
The Culinary Institute of America?
 
