Setting up a DD-WRT VPN on your wifi router offers two key advantages:
- You can connect as many devices as you want to the VPN
- You can connect devices that don’t normally support VPNs to the VPN
While most wifi routers don’t ship with VPN support built-in, you can replace many routers’ firmware with something that does. Perhaps the most popular router firmware for doing this is DD-WRT. DD-WRT is a free and open source solution based on Linux that works with a wide variety of third-party wireless routers. Among other benefits, most DD-WRT distributions allow users to configure OpenVPN server connections directly from the router. Some providers sell DD-WRT routers pre-configured for their VPNs, saving you the headache of setting it up yourself.
Once this is set up, you can connect as many devices as you want to a single VPN connection, so long as you have bandwidth available. That includes devices that don’t normally support VPNs or VPN apps, including game consoles (PlayStation, Xbox) and streaming media devices (Chromecast, Roku, Amazon Fire TV, Apple TV).
To get started, you’ll need to find a VPN that offers the files and support you need to get connected. We’ve curated our list of the five best VPNs for DD-WRT routers based on the following criteria:
- Allows you to download OpenVPN configuration files for each server
- Offers support for DD-WRT users in the form of customer service and/or tutorials
- OpenVPN connections include DNS leak protection
- Fast and reliable performance
- Strong security and no logs
ExpressVPN is our top pick for users who want VPN-enabled routers. The provider offers tutorials, OpenVPN config files, and live customer support for DD-WRT users. On top of that, ExpressVPN makes its own easy-to-use firmware for a handful of routers that you can install yourself, or buy the pre-configured VPN router. The firmware makes it far easier to get set up, switch VPN servers, and configure split tunneling for every device in your home.
DNS leak protection is included with all VPN server configurations. The company keeps no identifying activity or metadata logs. ExpressVPN uses the highest standards of security, including 256-bit AES channel encryption and perfect forward secrecy. It sets a gold standard when it comes to speed and stability. ExpressVPN can unblock geo-locked streaming services that most VPNs can’t, like US Netflix and Hulu.
Read our full ExpressVPN review.
TRY IT RISK FREE: Get an extra 3 months free here with ExpressVPN’s annual plan. This includes a 30 day money-back guarantee.
NordVPN offers customer support and tutorials for DD-WRT users. You can also buy Linksys, Netgear, or Asus routers with DD-WRT installed and NordVPN pre-configured from Flashrouters. OpenVPN config files for all of NordVPN’s servers, including the double-hop VPN and Tor over VPN servers, are available for download directly from the website.
DNS leak protection comes built in. NordPVN maintains a strict no-logs policy and thus doesn’t store any information or metadata related to your online activity on its servers. The company uses military-grade 256-bit encryption to protect your data, and you’ll have no problem finding a fast server on its huge network of servers around the world. NordVPN is able to unblock US Netflix and Hulu, streaming services that most VPNs are unable to access.
Read our full NordVPN review.
The IPVanish website includes a directory of OpenVPN config files and instructions on how to use them. That includes all the necessary scripts that you’ll need to enter into the DD-WRT configuration. IPVanish pre-configured DD-WRT routers are available through Flashrouters.
IPVanish comes with DNS leak protection and IPv6 leak protection built in. The company keeps zero logs of user activity and metadata. PPTP and OpenVPN are both available for DD-WRT users, with 128- and 256-bit encryption, respectively. We recommend using the latter.
Read our full IPVanish review.
VyprVPN’s website has tutorials and configuration details for connecting to any of its servers via OpenVPN and PPTP, although we strongly recommend the former. There are no pre-configured DD-WRT routers available. However, if your router will run Tomato firmware, VyprVPN does make a custom VPN app for that. Live customer service available should you need any help getting OpenVPN set up.
The company keeps no traffic logs but does record users’ source IP. That information is only retained for 30 days, but if it’s a privacy concern then consider looking elsewhere. Otherwise, VyprVPN offers top-notch security with 256-bit encryption, Netflix unblocking, and fantastic speeds. Unfortunately, if you added VyprVPN’s proprietary Chameleon protocol to your subscription, this can’t be set up on DD-WRT.
Read our full VyprVPN review.
CyberGhost offers a DD-WRT router tutorial and configurations to paid users. You can even specify which features you want included in a custom configuration when adding a device from your user dashboard, such as tracking prevention, ad blocking, force HTTPS, and data compression.
CyberGhost keeps no identifying activity or metadata logs. 256-bit encryption is used to protect your connection along with DNS leak protection. The VPN performed well in our speed tests.
Avoid free VPNs for DD-WRT
Most free VPNs don’t offer up their OpenVPN configurations to be used with routers. Even if they did, you probably would want to avoid them. Free VPNs tend to use poor security, can inject ads into your browser, and will even record your browsing activity to sell to advertisers. The limited number of servers tend to be congested, and caps on bandwidth or data are often implemented.
VPNBook is one provider that offers OpenVPN configurations free of charge, but relatively little is known about who is behind the operation. In 2013, hacker collective Anonymous once accused VPNBook of being a honeypot for law enforcement after logs from the provider appeared in court documents. This is just one example of why you should be extremely wary of any VPN that purports to give its service away for free.
Will DD-WRT work on my router?
Not all routers support DD-WRT. You can find a list of supported devices on the official DD-WRT website. Cheaper and newer routers are less likely to support DD-WRT firmware. Old routers may use an outdated version of DD-WRT that doesn’t support OpenVPN. Your router will require at least 8 MB of flash memory.
Be doubly sure that you download and install the correct version of DD-WRT for your router, and follow the instructions provided by DD-WRT carefully. Attempting to flash an incompatible version or flashing improperly could permanently damage your device.
Choosing the best DD-WRT router for VPNs
Comparitech does not review DD-WRT routers, but we’ll list some suggestions to help guide your purchasing decision. When choosing a DD-WRT VPN router, you have a few options:
- Pre-flashed router – A pre-flashed router comes with DD-WRT and the VPN already configured. It’s typically the most expensive option, but also requires the least amount of effort to get set up. ExpressVPN’s custom router firmware is our favorite, although it’s not technically DD-WRT. Check out FlashRouters to get pre-flashed VPN routers with DD-WRT firmware from several major VPN providers, including a few in our recommended list.
- DD-WRT router – Some router models come with DD-WRT already installed, so the user just needs to enter in the VPN configuration details to get connected. Adding multiple servers can get tedious, but it shouldn’t be too hard if you’re following your VPN provider’s tutorial. Most, but not all DD-WRT versions support VPNs, so be sure to check before you buy.
- DD-WRT compatible router – This is likely the cheapest option but requires the most tech savvy and can be a bit risky. Some router models come with the manufacturer’s proprietary firmware installed, and proprietary router firmware usually doesn’t support VPNs. That said, you can replace the stock firmware with DD-WRT in a process called “flashing”. After that, you’ll have to configure the VPN connections in the settings. Be warned that making a mistake during the flashing process could permanently damage, or “brick”, your router, so proceed with caution. Be sure to check your router is compatible with a DD-WRT version that supports VPNs.
A few popular DD-WRT routers we recommend include:
- Asus RT-AC5300
- Netgear Nighthawk R9000 X10
- Linksys WRT3200ACM
- Linksys WRT1900ACS/AC v2
- Netgear Nighthawk R7000
- Linksys WRT1200AC
- Linksys Cisco E4200 (discontinued)
- Asus RT-N16
These aren’t the only options, of course, so feel free to shop around. Broadly speaking, you’ll need a router with at least 800 MHz of CPU and 8 MB flash memory, although that’s just barely enough to run OpenVPN. For high performance, you’ll want something north of 128 MB flash memory, 256 MB RAM, and 1.2 GHz CPU, if not more.
How to set up OpenVPN on DD-WRT
First off, go to your VPN provider’s website and download the OpenVPN configuration files–they’ll have a .ovpn or .conf extension–for all of the servers you want to connect to. You’ll also need your username and password for the VPN.
While connected to your router, preferably via LAN, go to your router dashboard in a web browser. You can usually do this by typing http://192.168.1.1 into the URL bar. If that doesn’t work, try http://192.168.0.1. Log into your dashboard using the credentials you set upon first installing DD-WRT.
What you do next depends on your version of DD-WRT. If your firmware has User Pass Authentication, you’ll need to open the configuration file for the server you want to connect to with a text editor such as Notepad. Copy over the settings from the config file, including the server address (an IP address or domain name), a username, and a password. Depending on your provider, you may also need to set the port, tunnel protocol, encryption cipher and/or hash algorithm. Consult your provider’s customer service or knowledge base to get these details.
If your DD-WRT firmware does not have User Pass Authentication, find the Additional Config text box and enter this command:
You’ll see several fields that correspond to those in your OpenVPN config file. Open the config (.ovpn) file in a text editor such as Notepad. You’ll need to copy over the server address (IP address or domain name) and the port number, which are shown after the “remote” line in the config file.
To configure keys and certificates, you’ll need to consult your VPN provider’s customer service or knowledge base to get the proper commands to enter into the Additional Config box. Copy and paste the TLS auth key, CA cert, public client cert, private client key, into each of the respective fields in the DD-WRT dashboard.
Setting the DNS on your router
If you want to prevent your ISP from receiving DNS requests, which can give away your location and browsing activity, you should also considering setting your DNS servers in DD-WRT. While you can usually specify these on individual devices, you can take care of all of them at once in DD-WRT.
In the DD-WRT dashboard, go to Setup > Basic Setup. Under Network Address Server Settings (DHCP) and enter the DNS addresses next to Static DNS 1, 2, and 3. You can use Google DNS, OpenNIC, or DNS servers provided by your VPN provider.
Click Save and Apply settings.
We’re not quite done yet. Go to Services > Services. Under DNSMasq, in the Additional DNSMasq Options, enter this command, replacing “dns.ip.1.here” with the DNS servers you used above:
dhcp-option=6, dns.ip.1.here, dns.ip.1.here, dns.ip.1.here, dns.ip.1.here
Split tunneling a DD-WRT VPN
In some cases, you may only want certain devices to have their internet traffic routed through the VPN. Some builds of DD-WRT allow for split tunneling, which allows you to pick and choose which devices get tunneled through the VPN and which use the unencrypted ISP network.
To set this up, in the DD-WRT dashboard, go to Service > VPN. Find the Policy based routing box and enter IP addresses for each of the devices you want to go through the VPN.
If you want to enable split tunneling for specific websites, apps, servers or other traffic destinations, this will have to be set up in the firewall using iptables. Go to Administration > Commands. Under Firewall click Edit and enter the necessary commands. These vary widely depending on what exactly you want to accomplish, so some further googling will be required.
What about PPTP VPN for routers?
Some DD-WRT support the PPTP VPN protocol, but we don’t recommend using it. While it may work as a rudimentary VPN, it has known security vulnerabilities. You can read more about PPTP and its flaws here.
PPTP is simpler to set up and is generally considered faster than OpenVPN, however. So if you’re not concerned about security or privacy and just want a VPN to use as a basic proxy, PPTP could fit the bill.
The cons of using a VPN on your router
Configuring a VPN on your DD-WRT router has some clear benefits as described above, but it has some drawbacks to consider as well.
The first is that all devices are tunneled through a single VPN connection, which, depending on the provider and server, might get congested quickly if you have a lot of devices connected to the router.
If the server is experiencing downtime or for some reason doesn’t suit your needs, disabling the VPN or switching servers is a pain. Pre-configured routers or custom firmware, such as that offered by ExpressVPN, make these problems easier to deal with than stock DD-WRT.
Finally, most routers don’t have high-performance hardware, and using a VPN requires encrypting and decrypting data on the fly. This process consumes a lot of resources, and lower-end routers might not be able to keep up with your bandwidth demands, considerably cutting your overall speed.