5 Best DD-WRT Routers with VPN

Commercial routers are generally designed for non-techy users to operate easily. Unfortunately, this ease of use comes at the cost of limiting what you can do with them. DD-WRT is an open source project aimed at developing a Linux-based firmware solution that removes the restrictions placed on routers by their default programming.

At the end of this article, we’ll explore different points relating to DD-WRT routers, such as the advantages that DD-WRT provides, how to flash a normal router by yourself, and how to set up VPN on DD-WRT.

Flashed DD-WRT Router Providers

There are two primary providers of flashed dd-wrt routers – FlashRouters and RouterSource –and both have their good and bad points. FlashRouters is definitely a lot bigger, provides a much larger range and has marginally lower prices. It also provides Tomato routers alongside DD-WRT. RouterSource also offers Sabai OS flashed routers, which are designed with VPN users in mind and perform excellently. They also feature “Gateways”, which allow you to specify which devices connected to the router use the VPN and which bypass it.

On the support side, RouterSource definitely trumps FlashRouters. Not only does it provide a one-year hardware and technical guarantee, it also offers a 90-day satisfaction guarantee (compared to 90 days hardware and 30 day satisfaction guarantee). So if you’re new to the world of flashed routers and could run into a lot of issues, RouterSource will likely be worth its more expensive price.


A lot of routers are compatible with DD-WRT, so this list can in no way be considered definitive. Still, these routers come highly recommended and are good, solid choices. Given the differences and capabilities, we’ve decided against putting them in order of preference, in favour of letting you choose which features are important to you.

Prices quoted are from Amazon/FlashRouters/RouterSource on 10/12/2014 respectively. While routers from Amazon are considerably cheaper (especially the higher end models), you also avoid the risk of bricking them and get quality support.

Netgear Nighthawk R7000

(Amazon: $265.23 , FlashRouters: $349.95 , RouterSource: $299.99 )



– Up to 1900 Mbps Wireless-AC Dual Band
– 1 GHz processor
– 3 Powerful External Antennas
– Ram/Flash: 256/128
– 1 USB 3.0 & 1 USB 2.0

The Nighthawk is the daddy of all DD-WRT routers! Its powerful processor delivers the maximum capabilities for VPN encryption and decryption, thereby giving you the best speeds possible. Its large flash memory allows the biggest, best and most powerful DD-WRT builds. It offers fantastic 1900 Mbps transfer speeds too, and is one of the few routers to support USB 3.0.

If you have the money to spare, we fully recommend the Nighthawk – the fastest, most capable DD-WRT router out there.

Amazon »   FlashRouters »   RouterSource »

Asus RT-AC66U

(Amazon: $199.99 , FlashRouters: $299.95)



– Up to 1750 Mbps Wireless-AC Dual Band
– 600 MHz processor
– 3 Powerful External Antennas
– RAM/Flash: 256/128
– 2 USB 2.0

Similar to the Nighthawk, the Asus RT-AC66U comes with a large flash memory, meaning it can handle the largest and most optimized DD-WRT builds. On the downside, it has a significantly slower CPU, so VPN speeds will be lower. As a cheaper alternative to the Nighthawk, it’s a great buy and by far the most popular Asus AC router. We’ve previously reviewed the AC66U and its small brother the N66U, and have been very happy with them ever since.

Amazon »   FlashRouters »

Netgear AC1450

(Amazon: $109.99 , FlashRouters: $199.95)



-Up to 1450 Mbps Wireless-AC Dual Band
-800 MHz Broadcom processor
-RAM/Flash: 256/128
-1 USB 3.0 & 1 USB 2.0

The Netgear AC1450 is a highly overlooked and underrated economy Wireless-AC router. On the upside, it features a more powerful processor than the popular AC66U with the same RAM/flash, so handles the best DD-WRT builds. On the downside, it only sports internal antennas, so isn’t suitable for longer-range transmissions.

Amazon »   FlashRouters »

Netgear WNDR3700

(Amazon: $129.99 , FlashRouters: $149.95 , RouterSource: $149.99 )



-Up to 600 Mbps Wireless-N Dual Band
-680 MHz Atheros processor
-RAM/Flash: 64/16
-1 USB 2.0

The Netgear WNDR3700 is a great small household model. It has a respectable processor but with a small RAM and Flash it is only able to handle medium sized DD-WRT builds. It’s small overall transfer speeds and only internal antennas are a minor let down, as well as no AC capability but it would fit perfectly in any family home.

Amazon »   FlashRouters »   RouterSource »

Cisco Linksys E1200

(Amazon: $59.99 , FlashRouters: $89.95)



-The Economy DD-WRT VPN Choice
-Up to 300 Mbps Wireless-N Single Band
-300 MHz Atheros processor
-RAM/Flash: 32/8

The Cisco Linksys E1200 is a great compact model for those on a tight budget who only need a router for a few devices. It’s minimal in every aspect of its specification, so not surprisingly it’s only able to handle small-to-medium DD-WRT builds. Despite this, it’s a nice, discreet piece of kit for those starting out with DD-WRT or wanting a cheaper option. You can find our more in-depth review of the E1200 here.

Amazon »   FlashRouters »

DD-WRT Routers

Advantages of DD-WRT

While default router firmware has been improving, installing DD-WRT on your router gives it the full functionality of a business-grade router without the cost. A full list of the many advantages would be too long for this article, but here are some of the most useful:

  • Advanced Quality of Service (QoS) controls– lets you change bandwidth allocation settings for different networks, and usually provides UPnP media streaming
  • Network storage (NAS) – external hard disks and USB flash drives can be plugged into DD-WRT flashed routers that are equipped with USB ports for use as network drives
  • Network printers – printers can also be plugged into a USB port for access from anywhere on the network
  • DNS caching– speeds up host name lookup to improve connection speeds to popular websites
  • Wireless bridging– turns the router into a Wi-Fi repeater to extend the range of your Wi-Fi signal
  • Advanced performance graphs– DD-WRT lets you analyse your network performance and bandwidth use with detailed graphs and statistics
  • Kai Daemon –this feature provides network tunnelling for the PC, Xbox and other consoles to the open source Xlink  Kai game platform
  • Adjust antenna power– to increase wireless range
  • VPN– DD-WRT can route the signals from all connected devices through a VPN service. This is particularly useful when you want to connect devices such as games consoles, Kindle Fire tablets, mobile phones, AppleTV and Roku, which don’t have built-in VPN clients.

Flashing your own router

“Flashing” is the process of changing or upgrading the firmware (built-in programming) of a hardware device. Not all routers can be flashed with DD-WRT, but an increasingly long list can, with some models from Linksys, Buffalo Technology and Belkin starting to include DD-WRT as the default firmware. A full list of DD-WRT-compatible models is available from the official DD-WRT website.
There are a number of ways to get a flashed router:

  • Buy one with DD-WRT installed as the default firmware, such as Buffalo
  • Buy a compatible router then flash DD-WRT onto it yourself. While not too complicated, this can be a bit tricky and requires some technical know-how. Also, while unlikely if you follow the instructions carefully, it’s possible to brick your router so that it will no longer function, so is performed entirely at your own risk. You’ll probably void your manufacturer’s warranty too. On the other hand, it’s the cheapest option! The full, official guide to installing DD-WRT can be found here.
  • Buy a router from one of the companies mentioned at the beginning of this article

Configuring VPN on DD-WRT

Pretty much all builds of DD-WRT support VPN using the PPTP protocol. However, this isn’t very secure and it’s generally better to use OpenVPN. The basic framework for DD-WRT supports OpenVPN, but, unfortunately, not all routers support builds that do, so it’s always best to check before buying if this is important to you.
Many VPN providers supply setup guides for DD-WRT routers, although some only provide support for PPTP. General guides are available on the DD-WRT website for setting up PPTP and OpenVPN.
Some providers, such as TorGuard and ibVPN, also sell routers flashed with DD-WRT and preconfigured to their VPN service, while third-party router sellers, such as FlashRouters, specialise in supplying routers preconfigured to popular VPN providers.

DD-WRT vs Other Platfroms

Tomato is an alternative Linux-based firmware package for routers, most notably the Linksys WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. Like DD-WRT, it can be used to flash a compatible router, allowing it to be used as a VPN gateway and providing similar functionality to a DD-WRT flashed router.

DD-WRT is compatible with more routers and is generally considered more newbie friendly. However, many people prefer Tomato’s interface and excellent real-time network monitoring capabilities.


A DD-WRT router is a fantastic way to take control of your wireless network and give yourself business-grade functionality for a fraction of the cost. Most importantly, it’s the easiest way to connect all the internet-enabled devices in your home to your favourite VPN service, shielding your internet use from prying eyes and allowing you to spoof your location so you can access services normally denied you based on you geographic location.

Published 2014-12-13
Written by Peter Selmeczy

I am an engineer by trade and tech geek by night, who's passionate about sharing his knowledge with the people. Find me on Google+.

80 responses to “5 Best DD-WRT Routers with VPN

  1. I do not understand one thing, why people call these things routers at all! I can not make out why people do not anything about it’s routing capabilities. People only talk about power, distance cover. I can not find a place where routing capability is discussed. I was searching for a router (definitely not like Cisco) which serves my purpose : I have three ISPs 1. Telephone broadband ie ADSL 2. Provided by cable operator ie. WAN port is ethernet 3. Something like a cable operator and with ethernet WAN port. All three are different network altogether. I want one equipment to connect me and use them without letting me know that any of them is down. That means if (1) is down, automatically I’ll be going thru live one. Could I make my point clear? If this can not be done then how those ADSL boxes are called routers at all!

    1. Hi Darenhoff,

      They are called routers because they route data packets between computer networks (i.e. your home network and your ISP’s network). I think I understand what you are looking for, but this is a specialized area that I am not familiar with. Perhaps one of our readers might be able to help?

  2. Set up a few year old Netgear router and flashed it with dd-wrt. was getting 50 mbs before setting up vpn on router; router now pulls 5 mbs with vpn. I daisy chained another router on for all other internet traffic–getting 65 on it.

    would a newer router with dd-wrt speed up the vpn?
    i have tried different channels, different security etc.
    no luck
    open to suggestions

    1. Hi Clint,

      The problem with using routers for VPN is most of them do not have powerful enough processors to cope with the task of encrypting/decrypting data. If you buy a high-end router with a fast processor you will see speeds improve, but even the best router is likely much slower than even a low-end PC…

  3. I am trying to set up pure vpn but it won’t work with the router I currently use (Apple time capsule 1tb). I am trying to figure out what type of a Vpn friendly router to buy to hook up my Amazon Fire tv and my Apple laptop. My endgame would be to have isp att modem/router hard wired to VPN router/ hardwired to my apple time capsule/ wireless to my fire tv and laptop. The ?’s I have are, if I have my time capsule hard wired to my Vpn router would I still be able to use my wireless connection from the time capsule and would it be VPN be working on that wireless signal? My second question is what type of router should I buy (inexpensive) that would work with purevpn? Thanks!

  4. Hi Peter,

    I have just moved to a country where certain IPTV channels are blocked on my Roku. It appears the ISP here want to sell their own sports stations!!!
    Is using a VPN router the best solution to regain my Saturday soccer fix????

    1. Hi Neil,

      A better solution is probably to use a SmartDNS service. Setting up SmartDNS on a Roku is more difficult than for most devices, but all the services listed here provide full setup guides for doing so. Using a VPN router is another solution, but unless it is a very good model it will likely struggle with the task of processing VPN traffic fast enough to stream video content smoothly.

  5. I’m just wondering does this mean my router is having the VPN or only my computer? Like if my phone which doesn’t have any VPN is connected to the wi-fi, will I be able to enjoy the VPN from my phone? Thank you.

    1. Hi 98A,

      If you setup VPN on your router then all devices that connect to the internet through your router (including your phone when using WiFi) will benefit from the protection VPN affords. The only real downside is that the processor inside most routers is slower than on most PCs (and even smartphones,) and can struggle to keep up with the demands of VPN (resulting in a slow internet connection.) You should therefor choose a router with a good fast processor.

  6. Hi peter,

    I live in south america, i would like to know ,if i can use a Roku device only in my TV.
    I have to setup VPN in my router to access USA, which I do not want/need. Is it possible to setup a separate connection just for the Roku, so only the Roku is using the VPN? Is possible?? I can use?

    I have to buy router or just a VPN service?

    Thank you in advance.


    1. Hi Victor,

      You cannot use a Roku with VPN unless you share your PC’s VPN connection, or use a VPN router. However, toi access US TV you can use a SmartDNS service instead. Instructions on how to set this up are available from most SmartDNS providers, or we have some quick ones here.

  7. Hi Peter,

    The university network offers only internet connection trough IPSec VPN connection (they suggest to use the cisco client to connect to this network). But some devices like a smart tv doesn’t have this client. This is the reason why I’ve bought the N300 (E900) Linksys wifi router. I installed the DD-WRT software on it and tried to connect it to the VPN network of the university. I choose the L2TP option and enter the VPN details, but at the end it won’t connect. (I also don’t know where I can enter the ‘group name’ and ‘group password’. Is there any solution to this? Thanks already!

  8. hi peter,
    i just got a netgear R7000, router i was able to flash it with the latest kong3 firmware successfully. After the first day i noticed that the 2.4 ghz acccess point became unstable. it disconnect and drop users off the internet.
    i would like to know if there is a better firmware build or fix for this issue. i have about 20 concurrent user on it and i dont think this should be a capacity issue at all.


    1. Hi Dammy
      I’ve had a look at the official DDWRT forum for the latest Kong R7000 build, and there have been some issues with regards to wireless networks. It might be worth also mentioning your problem there, as in theory, while 20 is a lot, this router shouldn’t have too many problems with it.
      I’d also recommend trying to utilise the 5G frequency so if possible have 10-10 users per frequency. Another thing could be to overclock, but remember this voids all warranties and it doesn’t sound like the route of your problem is CPU related (I just have a bad habit of overclocking all devices from the go).

  9. Hi Peter,
    Thank you for sharing your knowledge! After doing several hours of research, I actually learned quite a bit from this piece and the Q&As as well. I am hoping you can guide me just a bit further. I am currently living in Saudi Arabia and use StrongVPN on my laptop to get Netflix, Hulu Plus, etc. This past summer, I purchased a WiiU. I now need a router to connect that to, so I can watch these US programs on the tv rather than my laptop. I don’t have a large budget, my place is around 900 sq ft, and other than online college courses, Netflix, and Hulu Plus…there isn’t a lot of online networking going on. Can you recommend a vpn preloaded router for someone in my situation? Thank you kindly!

    1. Hi Marcy
      Thanks for your feedback, I’m glad you enjoyed it.
      Good question, I know that BlackVPN provide preloaded routers and there are other companies as well, but I’d like to recommend something else.
      I think it is better if you take the advice on this list and get one of these routers. Since you’re budget isn’t large I’d recommend buying one from your local hardware store, instead of pre-flashed. Then sign-up to the FlashRouters support plan who will be able to flash it for you and set up your VPN for you as well.
      We recently did a full review of them, find it here, and I have no doubts that they will be able to help you out.
      Just a note, check with them before purchasing your router that they will provide support for that make and model (occasionally they can help with ones not mentioned on their site but those are the most recommended ones)

  10. Hi all,
    Do the DD-WRT routers have NAT feature that can route VoIP packets to LAN ports /devices adequately?

    Anyone tried?

  11. Hello Peter,
    Thank you for sharing your great knowledge.

    I have specific scenario need your recommendation. I have a number of Linksys VoIP ATA-adapters in X country which just blocked VoIP. I learned that using DD-WRT can be very helpful in bypassing the ISP’s restrictions. In normal situation, the ATA needs to be connected to a router, that does NATing/routing packets to ATA correctly, otherwise, voice communications would be interupted on both ways. Now with using DD-WRT router, does this router has the capacity to route such packets to the correct ATA’s LAN port, NATing? I know this is not an issue if it was PC not VoIP.
    Any one has a solution for this?

    Thank you

    1. Hi Sam
      Just saw this after approving your other comment. Personally we’ve never played around too much with NAT and routing so we can’t help too much. However, it sounds like your problem could be solved fairly easily, I recommend joining the DD-WRT Forum and asking for help there.

  12. Hello Peter,
    bestvpn is as some others always recommending expressvpn. I just came out of the chat with them since my router did lose the connection over night and is not reconnecting.
    The answer was: we do not recommend to use routers in China since they cannot use the stealth method.
    Which VPN service is recommended for the router instead of expressvpn?


    1. Hi Andreas
      Have a look at this list. From that list I’ve personally tested Buffered, AirVPN and IPVanish on my router and didn’t have issues with any of them (Buffered was the fastest for me followed by AirVPN) but your mileage may vary.
      However, the issue that ExpressVPN mentioned is due to DD-WRT and not the provider, since it can only run the bog standard version (as far as I’m aware). Which means that cloaking techniques and codes used to overcome the GFW can’t be run on a router. I’d recommend either asking AirVPN for help, or looking in the DD-WRT forums.
      We’d love to know your feedback on how you get on.

  13. Hi Peter, maybe you’ll know the answer to this. I’m sure every basic user who’s used VPN clients on their computer has tried to find the perfect “kill switch”. The Kill Switch on the PIA client just doesn’t work.

    I’d like to setup a new computer to connect only through a VPN and not go through the trouble of setting up programs and firewalls and fiddling with a bunch of little things for a failsafe for when the VPN loses its connection.

    It seems like having a computer connect to one of these routers would be a perfect solution, but my question is – if the VPN connection drops out on one of these routers, will it just pass on the regular internet connection? Or is there a way to have the router ONLY connect to a VPN and never expose your ACTUAL IP address?

    It seems like it would be perfect to have 1 normal router and 1 VPN router and switch to the VPN network whenever you need to. I would only need it for 1 laptop and nothing else.

    Thanks so much for the great article!

    1. Hi Tony
      No you will notice if your connection drops, though I’ve always noticed it myself if it does. Like on your computer you can set up rules and commands to avoid against this. Unfortunately, I haven’t researched this in-depth so can’t give exact guidelines. However if you contact FlashRouters they might be able to help.
      If you choose a Tomato build instead of DD-WRT it’s extremely easy to start/stop a VPN connection, the same goes for SabaiOS routers, unfortunately with DD-WRT it’s a bit of a pain.

  14. Hi,
    I have an ASUS RT-AC66U router, which is great for normal wifi, but I bought it only to take advantage of VPN for my British TV. Unfortunately when I connect to my VPN I lose wifi connection, so it is totally useless for my needs. I have contacted ASUS on many occasions, but get no joy. Surely there must be an answer to my problem, have you any ideas?


    1. Hi Deryk
      Sounds like an odd problem and not something we’d experience before. If you’re using a flashed router (or maybe even if you’re not), try contacting FlashRouters as they might be able to shed some light on it.

  15. Can any of these routers host a VPN?

    I’m ideally looking for something that can host a VPN because I want to VPN into my home network. I.E. to get files off my computers and what not.

    If not where can I find something like that? I would prefer to purchase something rather than try building it myself but will if that’s the only/best way.


    1. Hi Ken
      Yes, most of these routers can be used as a VPN server. Talk to FlashRouters as they’ll help you select the best router for your needs and can also help you set everything up pre-shipping or even with a remote desktop session.

  16. Apologies if this is a stupid question. I live abroad and use a commercial VPN service for accessing web sites such as BBC iPlayer in the UK. I was wondering if there are routers available that act as a VPN servers for incoming connections and then re-routing them back onto the internet? If so does the BT Home Hub Router 4 have this capability as this is what my mother has and if it could be configured for this VPN scenario?

    1. Hi John

      It’s not a stupid question. Yes you can run a VPN on a router, I’d recommend looking at this and this list. It might also be easier for you/ your mother to look into using a Smart DNS.

      I doubt you’ll be able to use your BT Home Hub unfortunately.

    1. Hi joel,

      If you are talking about connecting to a VPN service using a DD-WRT router then this varies a bit by provider. Many providers have detailed setup guides (for example al the ones we discuss in our article on 5 Best VPNs for DD-WRT), so it is best to check these out. If you are talking about using a DD-WRT router as a VPN server, then we may write a guide in the future.

  17. Hello.
    I live in Italy on an acer of land. I’m installing satellite internet but I know in Europe the standards for routers are very minimal. What type of router is compatible with European systems and would allow a broader spand of wifi to all my property?

  18. What Manufacturer preloaded dd-wtr Routers are available to me thereby saving me the trouble of installing it and bricking the routers?

    1. Hi Steve,

      No manufacturer (as far as I know) preloads their routers with DD-WRT, but third party distributors such as FlashRouters will pre-flash a router for you (and even configure it for many popular VPN servers should you so wish, as well as offer DD-WRT support plans). They do tend to be a bit pricier when sold pre-flashed, but this does remove any danger of bricking the router.

  19. I have 2 buffalo airstation routers. I have subscribed to ipvanish vpn and hidemyass vpn. I intended using the routers with my roku 3 but I realized that some channels (crackle, netflix, hulu plus, pandora, etc) still know my true location. I need an I.T expert who can help me setup the routers correctly. I will need you to direct me to any in either Irving or San Francisco. I shall visit those 2 places this week. Thank you

  20. I’ve been reading through and trying to figure what I need to do. Some back ground: I’m in the US and moving to the middle east for a few years. Most all of my electronics are connected through wifi. I have an Apple airport extreme currently. I know Apple doesn’t play well with VPN and VPNs usually run a little slower bandwidth. I still want to get my Netflix, Hulu, and other US based services I have now, hence looking for a VPN/router. I would also like to keep a faster local/in country connection. So, my plan was to keep the Apple airport extreme for the local and get a VPN/router to get back to a US location. I’m not sure, but would I just change the wifi networks (VPN or non-VPN)? I’m looking for ease and not network savvy at all. Thanks.

    1. Hi Mark,

      Yup, simply connect both routers to your broadband modem and change WiFi networks as required. Alternatively, depending on what devices you plan to connect, you could just run the VPN through a software client, which would save you buying an extra router (although this will not work with smart TV’s, games consoles etc.). If the only reason you need a VPN for is to watch Netflix etc., (i.e. not for privacy and security), then you might want to consider using SmartDNS instead, as this gives better streaming performance (less computational overheads).

  21. Hi folks
    I have stumbled across this article by sheer coincidence and I have to say there are some very knowledgeable folks on here who are very forthcoming.
    A couple of weeks ago I managed to flash my Netgear WNDR3700v2 router with dd-wrt. After many weeks of research I am still at a loss on how to set the router up to let specific devices through the VPN and other devices through ISP.
    Any info would be greatly appreciated.


    1. Hi Eddie,

      I believe this can be achieved by playing with the router’s IP tables, although I would need to do some research before I could comment fully on this (I may write a guide in the future). My DD-WRT router config page (services -> VPN) also notes that,

      ‘OpenVPN Client
      Policy based Routing: Add IPs/NETs in the form to force clients to use the tunnel as default gateway. One line per IP/NET.
      IP Address/Netmask: Must be set when using DHCP-Proxy mode and local TAP is NOT bridged’

      I hope this is of some help. An alternative workaround is to simply connect the devices to wish to use VPN with to the VPN router, and the other devices direct to ytour modem…

      1. “After many weeks of research I am still at a loss on how to set the router up to let specific devices through the VPN and other devices through ISP.”

        its very easy …
        the dd-wrt based router is behind your first router with internet access, right?

        in this case you have to use dedicated ips on your client side.
        use vpn: set gateway in the client setup to dd wrt router
        use isp mode: set gateway in the client setup to the isp router

        thats all ,-)

        1. Hi netguru,

          I love it when our readers come to the aid others! Thanks, and I hope this answer helps out Eddie (and anyone else suffering similar problems.)

  22. hi,

    good review, but can any one clarify 1 problem if vpn connect via router it has very limited speed +- 220-280kb/s only even with 20mb line. Speed both my VPN normal (1.8mb/s 2.3mb/s up/down) if connect via computer (software//gui )

    as i know it happened because ‘cpu’ limit by router. Correct me if im wrong since i try 2 VPN ‘Private Internet Access’ & ‘FinchVPN’ service with my 3 Asus Router run via Tomato Shiby firmware. (RT-N10, RT-N12 and RT-18U)

    1. Hi Epolz
      You’re getting very slow speeds even without the router. Try out a few different providers as with a 20MB line on your computer you should get about 15 upwards (depending on where to and where from you’re connecting of course).
      Yes with a router your CPU indicates your max speed. I have a 30MB line and with an N66U I could still get close to 15 in some cases with Tomato and DD-WRT.

  23. Hello Peter,

    i need your help for buying Router, which is the best router for DD-WRT support fast interface/internet/long life

    40Mbps download internet broadband
    100 users (no need wifi)
    most active on Access Restrictions Tab (main n only purpose for DD-WRT)

    thanks for your kind help.


    1. Hi Raaja

      You would need a switch for that and not a router. I’m not sure that you can get switches support by DD-WRT.

      Sorry I couldn’t help you.


  24. Hi Peter,

    Great article, appreciate you sharing your knowledge on VPNs. I am a bit new to this, please excuse me for ignorance – trying to learn by my own through trial and error.

    I have already set up my home VPN using a good brand AC1900 router, with DynDNS services – works like a charm. It includes a personal NAS drive, now we can access from anywhere in the world.

    My next project is for a friend’s retail stores where they have 4 sites – 3 IP Cameras and 1 NVR locations,
    > site 1 is to host the VPN server to host the NVR that needs to connect to the 3 IP Cameras
    > site 2 – 4 to host VPN clients having the IP Camera devices that do not have VPN capabilities on their own

    Main criteria is to have the IP Cameras and the NVR in the same IP subnet, I am thinking VPN is the best option – correct me if I am wrong.

    Do you think this is workable?
    Is it possible to use 1 expensive VPN Router and 3 generic routers to completed the VPN tunnelling?

    Your suggestions will be highly appreciated and will definitely help a lot.


    1. Hi Vaz

      No problem I learnt to use DD-WRT on my own using trial & error and a lot of Google too so I know the feeling.

      I think what you’re suggesting should be possible but I’d recommend getting some cheaper gear and testing it out first. If I understand (guess) correctly you want to use the powerful VPN Router to be the server. VPN both server and client can be processor intensive and unlike desktops and mobiles the CPUs in routers hasn’t been advancing the same rate. What I think might be more helpful is to get a Synology system (or similar) as these have tons of functionality built in and better capabilities – at least for the central location anyway. Alternatively Sabai/RouterSource has a VPN accelerator bundle which might aid you too.

      I will talk to some tech guys at both Sabai and FlashRouters and see if they have any tips/ideas. I think I might also know someone with expertise in this area but I won’t be able to have a talk with them until Monday at least.


      1. Thanks Peter for the insight. Will definitely look into the suggestions and please do check with your colleagues / friends for any ideas.


  25. Hello Peter and thank you in advance for your help. I live in the Dominican Republic which prohibits me from getting soooo many USA websites. If I get a ‘flashed router’ with a preinstalled vpn, what happens when I decide I no longer want that particular vpn service? Am I stuck with a router that only works with that company??

    1. Hi Scott
      No. They just set up the VPN as recomended by the VPN provider. If you decided to change VPN provider you would have to just change a few settings around. I have not heard of any VPN Providers hard-coding their settings into the router.

  26. Dear Peter,

    i have a question for you, i am using Witopia as vpn provider mainly because I am an Italian living in Hungary and I like to have the access to italian tv that it has IP restriction, so far i am using Witopia on my laptop and iPhone but i am facing issue while i try to connect my device to my chromecast because it doesn’t allow to broadcast trough a vpn client.
    For this reason i would like to buy a new router, i was also considering to buy the Witopia router but they deliver just in the USA, for this reason can you please advice me if it is possible to use the Witopia VPN on one of the routers u mentioned in your great article.
    Thank you very much.

    1. Hi
      Since you’re internal IP stays same chromecast with a VPN router shouldn’t be an issue. There is also a FlashRouters article on this for a bit more information.
      You’re problem is actually WiTopia as they do not allow you to use their normal VPN on a router . You probably won’t even need a new router just a different provider. Also have you looked into using a SmartDNS instead?

  27. Hi Peter,

    Since the great firewall is blocking VPN Services I was thinking in my own fritzbox server. And this only offers IPSec. PPTP is also not secure anymore as I was reading.

    1. Hi Andreas
      They are trying to block VPNs but they haven’t been very successful so far and plenty of services are still up and running.

    2. Hi Andreas,

      I have a fritzbox too which I love due to the voip capability and the integrated dect base station. Unfortunately VPN is a pain on it, as it doesn’t handle openvpn, and not even L2TP, just “pure ipsec” as they call it. Currently it’s not possible to connect to a vpn provider :-( I already wrote AVM a few times suggesting to implement an openvpn client, unfortunately no success until now.

      Now I bought an asus router and flashed tomato on it, and put the fritzbox behind it. Everything works well, the whole network is behind the vpn, but my incoming voip calls don’t always get through. Annoying…

  28. Hello Peter,

    thanks for your help.
    Short last question. Reading the DD-WRT website and looking for IPSec I do not find any answer that it is really working.
    I am not the specialist, but in my Android I need to set it up with IPSec Xauth PSK. And also for L2TP I cannot find something in the wiki of DD-WRT. They speak always about PPTP and OpenVPN but never mentioned IPSec?

    1. Hi Andreas

      PPTP and OpenVPN are more common to use hence you won’t see L2TP much – but on most DD-WRT builts it’s doable.
      Make sure you select a VPN provider that gives you L2TP DD-WRT set-up guides and then you can’t go wrong.


  29. Hello Peter,

    very interesting and informative.

    I will move from an open internet country to a very restrictive country.
    Therefore I am looking for a possibility to connect my router via VPN to the free internet.

    Do you know if the routers you are showing here are working in China and can connect via IPsec to a VPN Server on a Fritzbox from AVM?

    The DD-WRT Software needs to be installed after you have purchased the router, correct?

    Thank you very much.

    1. Hi Andreas

      DD-WRT can be installed after purchasing the router yes or as stated at the beginning of the article you can buy preflashed ones.
      Router’s will work anywhere as long as the power supply is right (you’ll need to check this for yourself but most come with 110v/240v acceptance now)
      Yes L2TP/IPsec client can be run on a DD-WRT router.
      With the part regarding to the Fritzbox can you please clarify what you mean as I’m not sure I understand correctly>

      1. Hello Peter,

        thank you very much for your information.
        Sorry for the double posting. After refreshing the side I did not see my post and thought it was lost.

        The Fritzbox is running a VPN Server, which means the router could connect directly with the Fritzbox or any other client (iPhone, Android, Laptop, tablet, ect.) can connect to the Fritzbox.

        I will check now that the VPN to the Fritzbox (VPN Server) from China is working and then get the Router. Makes the life easier.

        Is it possible to setup two profiles for VPN in case switching country IPs?

        Thank you a lot

        1. Hi Andreas

          No problem. Yes we check comments as we do get quiet a lot of spam and while our spam filter does catch most of it, it doesn’t get everything.

          Changing VPN client information on DD-WRT can be a bit of a pain depending on how you set it up, especially since most of the time the router has to be restarted for the changes to take effect (at least with OpenVPN, not sure for L2TP). If you’re looking to change often I’d recommend looking into Tomato as it allows multiple client information to be set up.

          You’re welcome

  30. Hello Peter,

    Very interesting article.

    I will move from an Internet free country (Mexico) to a very restricted country (China). A VPN Router was actually was I am looking for instead of setting up every client. Unfortunatley the German company (AVM) is not listed to upgrade to a DD-WRT Router.

    AVM offers VPN (Client – VPN) conection for WIndows / Linux / iPhone / Android. For instance sitting in China connecting to my Fritzbox in Germany or USA/Mexico using unblocked internet.

    Does these mentioned DD-WRT Routers can connect to the Fritzbox VPN with the IPsec VPN?
    Has anybody checked these Routers if they work in China with VPN Providers strongVPN, Astrill or any other, maybe Fritzbox (German/Mexican IP)?

    Thanks for your comments

    1. Hi Andreas

      I just saw you left two comments.
      I had a look at Fritz Products and you can’t upgrade these to run DD-WRT.
      If you’re Fritxbox only runs a VPN Client then you won’t be able to connect to it from China as you would need it to run a VPN Server not a client.
      Setting up strongVPN or Astrill on the router should be no problem and they both provide setup guides for this.


      1. Just to add to Peter’s answer, setting up StrongVPN or Astrill on a DD-WRT router should not be a problem, but whether this will work in China depends on whether these VPN services are currently being blocked by the Great Firewall of China (GFW). Check out our article ‘’ for our most up-to-date information on the current situation (also check our readers comments in that article for ‘on the ground’ advice).

  31. Hey Tom and Peter,

    Great discussion you’ve got going on here.

    Our gateways feature routes based on IP address only and helps with static DHCP setup. We are not routing based on port yet. What underlies Gateways is ip rule in linux that allows routing based on IP address. There is an ability in iptables that would let us address based on port, but that’s not built into the web interface. Would love to know what setup you were thinking with ports rather than IP address. Would you have a switch connected with multiple devices? We’re open to adding it to our development schedule if it’s something that’s highly useful.

    The next cool thing we plan to add to our interface is the ability to route based on website, so that you can have a website and any sub-sites routed locally or through the tunnel. It uses an underlying linux capability called ipset. It got integrated with dnsmasq, which we use for DHCP but we’d be the first that I know of with a web interface for control.


  32. Hi Peter
    Thanks for the article. I was wondering if you could help.

    I want to upgrade my network to have a router that will be able to connect to a vpn (ExpressVPN). However, I don’t want all the devices connected to the vpn. I’m looking for a set up where I will be able to control which selected devices are routed through the vpn (and if possible even down to the port) and it to all be managed router side. Is there anything which you know of that would allow me to do this? My research is unfortunately coming up short.

    Many Thanks,


    1. Hi Tom

      I have the perfect solution for you (I can’t remember if port settings are included but device yet), it’s called Sabai Technology/ Sabai OS. In the review look under Features ‘Gateways’. I’m not sure if such a thing is possible with DD-WRT or Tomato, or at least not very easily anyway. It also performed very well in our VPN comparison for routers. You also get a year long support which they are very good at!
      On the downside they are slightly pricey (though you can sign up to just support and install yourself if you have one of the required routers) and if you want to install some custom stuff on there (i.e. I installed Transmission – a torrent client) there’s a few tweaks you have to make in order to do it but nothing major.


    2. I have also got in contact with Sabai and the initial statement from them is that it might be possible to specify which devices uses VPN using Ports using some fancy IP tables. Their tech guys will have a look into it and see how easy it is to do and get back to me, or they might post straight here.

      1. There is a WanUp script that I’ve been using for a couple years in Tomato firmware to route specific computers through openvpn client on my router to an external OpenVPN server.
        from bottom of this page, not my work, we all stand on the shoulders of giants etc:

        DD-wrt uses “.wanup” for wanup scripts, I don’t have one in front of me.
        Should be possible to run this or very similar in wanup in DD-WRT.
        script after this colon:
        # disable Reverse Path Filtering on all network interfaces:
        for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 0 > $i

        ip route flush table 100
        ip route del default table 100
        ip rule del fwmark 1 table 100
        ip route flush cache
        iptables -t mangle -F PREROUTING

        # OpenVPN tunnel named “tun11”
        ip route show table main | grep -Ev ^default | grep -Ev tun11 \
        | while read ROUTE ; do
        ip route add table 100 $ROUTE
        ip route add default table 100 via $(nvram get wan_gateway)
        ip rule add fwmark 1 table 100
        ip route flush cache

        # all traffic bypasses the VPN
        iptables -t mangle -A PREROUTING -i br0 -j MARK –set-mark 1

        # these addresses use the VPN
        iptables -t mangle -A PREROUTING -i br0 -m iprange –dst-range -j MARK –set-mark 0

        1. Hey

          Thanks, that’s awesome! When we get a chance we’ll definitely check that out and hopefully bring out a similar list for Tomato too!


  33. Hi Peter –

    Thank you for taking the time to share your knowledge. I’m a little confused though. Do I still need to subscribe to a VPN service even after flashing my router and if so isn’t it just the same to use Windows and the VPN service? I mean, if you have to pay for the service anyway, why bother with a router?

    Thanks again!

    1. Hi Julia
      Yes you still need to subscribe to a VPN service after.
      The reason is that usually the number of devices you can connect to the VPN is limited (the average is around 2/3). By running a VPN on your router all devices connected to it will automatically be protected yet you’ll only be using 1 connection. For example I have a router with a VPN on it and I can connect my laptop, computer, touchpad and phone to it without any issues as well as my families devices and I’ll still only be using one connection whereas if they we’re connected individually using the windows/mac/android/ios software I’d be using around 5.

    2. Apart from supporting multiple devices, how would you set up your TV / STB with your VPN, given that there’s no (simple) method to install a VPN app?

      1. Hi DJA,

        The simplest way is setup VPN on your router. Most VPN providers have instructions for doing this in DD-WRT (and sometimes other router firmware.) You can also connect your internet enabled TV/STB to your computer, and share its VPN connection. We have instructions for doing this here (Windows & Mac OSX.)

Leave a Reply

Your email address will not be published. Required fields are marked *