VPN router setup: WireGuard, OpenVPN, custom firmware

Putting VPN on your router instead of on individual devices means every device on your home network gets VPN coverage automatically. Smart TVs, IoT devices, gaming consoles, kid devices, guest devices. The setup is more involved than installing an app; the coverage is comprehensive.

This guide covers the practical paths and trade-offs.

Why router-level VPN

The cases where it makes sense:

Devices without VPN client support. Smart TVs (most), older streaming devices, gaming consoles (none of the consoles support VPN apps natively), smart home hubs, IoT generally. Router-level VPN covers all of these.

Whole-home privacy as policy. All your home devices get VPN encryption without per-device setup or per-device discipline. Set once; works always.

Family use. Devices that family members use without VPN-app understanding still get coverage.

Privacy for visitors. Guests on your home Wi-Fi inherit the VPN tunnel.

The cases where it does not make sense:

Per-device exit-region selection. Router VPN has one exit at a time for all devices. If you want US Netflix on the Fire TV but UK iPlayer on the laptop, per-device VPN apps are needed.

Performance-critical devices. Router CPU gates the throughput. A budget router doing VPN can produce 30-100 Mbps; gigabit-class home connections see meaningful throughput loss.

Some smart-home setups. Devices that need same-LAN discovery (Chromecast, AirPlay receivers, some IoT) can break under VPN routing.

Mobile devices that leave the home. Per-device VPN goes with them; router VPN does not.

For users wanting whole-home + per-device, the answer is "router VPN for whole-home + override per-device when needed" rather than picking one approach.

Router options

The router landscape, in 2026:

ASUS Merlin firmware. ASUS routers (RT-AX series) flashed with Merlin firmware support WireGuard natively. Configuration via web UI; reasonable performance on mid-tier routers. The Merlin community is active; documentation is good.

Stock ASUS firmware. Some recent ASUS routers support OpenVPN and WireGuard in stock firmware. Less flexible than Merlin but simpler to set up. Verify your specific model's protocol support.

GL.iNet routers. Designed specifically for VPN use. Pre-flashed with OpenWrt + GL.iNet's GUI. Multiple WireGuard tunnels supported; switch exit countries via UI. Models from $40 (Mango) to $300+ (enterprise). Good choice for users who want low-effort setup.

OpenWrt. Open-source router firmware; supports many routers. Maximum flexibility; steeper learning curve. WireGuard via opkg. Documentation extensive but assumes Linux familiarity.

DD-WRT. Older custom firmware; supports many routers. WireGuard support exists but less mature than OpenWrt's.

pfSense / OPNsense. PC-based router platforms. Full networking stack; substantial CPU available; multi-gigabit VPN throughput possible. Requires dedicated hardware.

Stock router firmware (TP-Link, Netgear, etc.), usually limited. Some specific models support OpenVPN; few support WireGuard. Stock firmware is the worst path for VPN; consider custom firmware on supported models.

For most users, the path of least resistance: ASUS Merlin or a GL.iNet box. Both work, both are documented, both perform reasonably.

WireGuard vs OpenVPN on routers

WireGuard: lower overhead; better throughput on the same router CPU. Modern routers (post-2020 high-end consumer) support WireGuard well. Older routers may not have WireGuard support; OpenVPN is the fallback.

OpenVPN: higher CPU overhead; lower throughput on the same hardware. Available on more router platforms because it has been around longer.

Throughput examples on a typical ASUS RT-AX86U:

• Direct connection: ~900 Mbps
• WireGuard via router: ~450-600 Mbps
• OpenVPN via router: ~150-300 Mbps

Higher-end routers (RT-AX88U, RT-AX89X) deliver better; budget routers (RT-AC68U) struggle with OpenVPN above ~100 Mbps.

Configuration pattern with Fexyn

For ASUS Merlin (WireGuard):

1. Sign up at fexyn.com/pricing
2. Generate WireGuard config in Fexyn dashboard (we provide WireGuard config files for routers; the standard .conf format works on Merlin)
3. ASUS Merlin web UI → VPN → WireGuard Server/Client → Add Client
4. Paste configuration; save; activate
5. Firewall rules to route home network through VPN (handled mostly by Merlin's policy routing)

For OpenWrt (WireGuard):

1. Install wireguard-tools and luci-proto-wireguard packages
2. Configure WireGuard interface in /etc/config/network with our provided keys and endpoints
3. Configure firewall in /etc/config/firewall to mark VPN interface as outbound zone
4. Reload network; WireGuard up

For GL.iNet:

1. GL.iNet GUI → VPN Client → WireGuard Client
2. Upload Fexyn config or paste manually
3. Activate

Specific configuration files vary by router; we provide them through the Fexyn dashboard for users who request router configs.

Selective routing

For users wanting some devices VPN-routed and others direct, the router can do per-device policy routing:

ASUS Merlin "VPN Director": select specific clients (by MAC, IP, or name) to route through VPN; rest go direct. Useful for "Fire TV through US-VPN, other devices direct."

OpenWrt: more flexible policy routing via firewall mark + ip rule. Steeper learning curve.

GL.iNet: GUI-based selective routing on most models.

This pattern lets you keep latency-sensitive use (gaming, video calls) on direct connection and route privacy-sensitive use (smart TV, IoT, browsing) through VPN.

What router VPN does not solve

Worth being explicit:

• Per-device exit-region selection at the same time. All VPN-routed devices share the exit. Per-device selection requires per-device clients.
• Overhead. All home traffic now goes through the router's VPN. CPU and bandwidth are gated by the router's capacity.
• Mobile devices off-network. Phone leaves home Wi-Fi; phone is no longer covered. Need per-device VPN client for off-network use.
• DNS leaks if misconfigured. Router needs to force DNS through VPN; default routers may leak DNS to ISP. Configuration detail; verify.

What Fexyn supports for routers

Today (May 2026):

• WireGuard configuration files for routers (provided through dashboard on request)
• OpenVPN configuration for routers (similar)
• Documentation for ASUS Merlin, OpenWrt, GL.iNet

What we do not yet ship:

• A native Fexyn router app (in development; not yet released)
• One-click router setup for stock-firmware routers (the configurations we provide require manual import)

For users with technical comfort, the manual configuration is straightforward. For users wanting fully GUI-driven setup, GL.iNet routers with our provided WireGuard config files are the easiest path.

Frequently asked

Will my router work for VPN?

Modern (post-2020) ASUS routers and GL.iNet routers, yes. Stock TP-Link, Netgear, Linksys, usually no for WireGuard, sometimes yes for OpenVPN. Verify your specific model.

Will I get good speeds?

Depends on router CPU. Mid-tier ASUS routers (RT-AX86U class) deliver 400-600 Mbps on WireGuard. Budget routers (RT-AC68U class) deliver 100-200 Mbps. Higher-end routers (RT-AX89X, pfSense PC) can sustain gigabit.

Can I run VPN on a router AND on my devices?

Technically yes (double-tunnel). Practically not useful — same encryption applied twice adds overhead without privacy benefit. Pick one layer.

What about the kill switch on router VPN?

Router-level kill switch: when VPN drops, router blocks all WAN traffic. Most VPN-capable routers support this. Configure in firmware; verify it works by intentionally disconnecting VPN and checking that no traffic leaks.

Can I use Fexyn on my router today?

Yes via manual WireGuard or OpenVPN config import. Native router app not yet shipped.

---

Try Fexyn free for 7 days. Request router configuration files through the dashboard. VPN for Fire TV Stick and VPN for smart TV / IoT cover the device-specific use cases that motivate router-level deployment.

Last reviewed 2026-05-09.