Using a VPN on a single PC is not that difficult, as there are many tools to help you out, but securing all the traffic passing through your router is a bit more complicated, so I've decided to write a guide to help you out with this task. However, unlike most of my other How To articles, this one is a bit more complicated and costly, so make sure that you actually need to do this, before embarking on such a journey.
What is VPN and why would you use it?
Let’s start things out with a simple explanation about what a VPN actually is. A Virtual Private Network is a tool which masks the origin of your Internet traffic. Every website you visit, every search you perform will appear to originate from another part of the world, so it’s going to be a lot harder to track it down back to you. A lot of people use this kind of online privacy protection to bypass censorship (websites that are blocked by the local government) or to access content that would otherwise be inaccessible in their region (like YouTube videos not available in their country).
However, when you are dealing with serious Internet censorship from the local government, using a simple VPN is not enough. There are times when you or a guest may forget to use the secure connection, and that can mean a lot of trouble. Directly connecting your router to a VPN is a great way to solve this issue, as all the Internet traffic coming from your network will be completely protected, even from your ISP. The main downside of using this kind of systems is that you lose some of your bandwidth (usually somewhere around 10%), so your websites will load slower. Moreover, you should, be careful about what you download when trying to stay hidden on the Internet, as saving stuff on your computer means that it can be tracked down to your real IP address.
As I said in the beginning, connecting a router directly to a VPN is not only somewhat difficult, but also costly. Why? Because not all the routers on the market offer this capability by default. Even if you purchase a router which states that it does so, many of these can only act as VPN servers (which allow you to connect to your network from remote locations) and not as VPN clients (which is actually what you need).
So, if you want to purchase a router for this purpose, make sure that its technical details specify that it can act as a VPN client. (Additionally, stay clear of the products which have NAT components (firewall/Network Address Translation) and those that offer “PPTP Pass-Through” or something along those lines, as these are not suitable for your task. Being totally honest, I suggest that you ask for assistance from qualified personnel from the shop in case if you wish to purchase a router that can be directly connected to a Virtual Private Network. However, as far as I know, all the newer ASUS routers allow you to connect them to a VPN, so you can start your search there.
Flashing your router
The good news is that if you can’t find a device that fits the bill, or you don’t have enough money for a new router, you can flash your existing one (or purchase one that is comes pre-flashed out of the box). Just remember that using a VPN tunnel takes up a lot of your router’s power, so the newer your devices is, the better your Internet speed will be.
If you’ve decided to flash your router, I recommend using third-party firmware called DD-WRT which isn’t only free, but also effective and reliable. The first thing you will need to do is check if your device is compatible with the firmware, and you can do this by clicking this link, then entering the name of your product in the search box. If you router is supported (and it generally will be), you will see its name along with a downloadable file and additional information appear in the results.
Read the additional information carefully, then download the file and make sure to use the Flash version named VPN or Mega, as it will provide you with the functionality you’re looking for. A tutorial on how to flash can be found in the additional info file, so all you have to do is follow the steps written there.
Once you’re router is ready to act as a VPN client, you will need to configure it accordingly. Most of the actions you will perform will require the DD-RWT administration control panel so that’s where you should be while reading this.
The first thing you should do is make a backup of your current settings, so that you won’t waste time in case if something goes wrong and you need to revert to the original configuration. To do this, go to DD-WRT Administration and find the tab named Backup (in my case it was the last one on the second row). Once there, click the Backup button, give the file a name that will be easy to recognize (for future use), and you’re done.
The next thing you will need to do is mask your DNS address. This can be done by going to the Setup section in the DD-RWT console, then clicking on Basic and afterwards going to the Network Setup part. Once there, change the numbers in the static DNS sections to one of the following: 126.96.36.199, 188.8.131.52 (Google DNS), 184.108.40.206, 220.127.116.11 (Level 3 DNS), 18.104.22.168 or 22.214.171.124 (Open DNS). Since there should be three addresses that you can fill out, I suggest using one from each provider, so that if one service goes down, you can fall back to the other one. Additionally, for this to actually work, you must make sure that the boxes named Use DNSMasq for DHCP, Use DNSMasq for DNS, DHCP-Authoritative, and Forced DNS Redirection are all checked. Click on Save and Apply Settings to finish this step.
Another thing you shouldn’t forget about is disabling the IPv6 protocol. If you’re looking for privacy this protocol will give you away so you should go to Setup, then click on IPv6, make sure it’s turned off, then save and apply the changes.
Now enable the DNS lookup from the Services section of the console, switch from WLAN to LAN & WLAN and make sure that the boxes named DNSMasq, Local DNS and No DNS Rebind (in the DNSMasq section) are all enabled.
The last step is to actually enable the VPN usage and make the necessary configurations. Go to Services, click on VPN then check the Enabled box under the OpenVPN Client section and a bunch of new options should show up.
- Copy-paste the address of your VPN server in the section marked Server / IP name.
- Unless specifically told otherwise, the port should be the default one: 1194.
- Tunnel device: TUN.
- Tunnel protocol: UDP.
- Encryption: Blowfish CBC.
- Hash Algorithm: SHA1.
- User Pass Authentication: Enable.
- Fill in the username and password fields with the data from your VPN service.
- Advanced options: Enable.
- TLS cipher: None.
- LZO Compression: Yes.
- NAT: Enable.
Make sure your DNS service didn’t specify any other kind of settings. (These are the ones I used for mine, and most of them should be the same.)
Now go to Additional Config (it should be downwards along the page) and add these commands for the OpenVPN server:
Finally, download the OpenVPN certificate from your VPN’s website, extract it (it should be a ZIP file) and open it with a plain text editor such as notepad. Copy everything between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“ (including the dashes and the “begin certificate” and “end certificate” parts) and paste them in the box named CA Cert (at the end of the VPN configuration page in the DD-RWT console). Now save and apply the settings.
Disabling the VPN
After verifying that the VPN connection is functional (making sure you have a working Internet connection and a new IP), create a new backup (from the DD-RWT Administration panel) so that you can easily switch between the VPN and regular connection. If, at any point you wish to either temporarily or permanently disable your VPN connection go to the VPN section of Services and check the Disable box under the OpenVPN Client.