How to build your own VPN if you’re (rightfully) wary of commercial options

While not perfect, either, cloud hosting providers have a better customer data record.

Jim Salter – May 26, 2017 12:00 pm UTC

[Figure caption: This is a speedtest.net run on the Homebrew, powered by a Celeron J1900, using the nice-and-paranoid combination of AES-256-CBC/SHA512.]

OpenVPN on a (Netgear) consumer router

You can also run OpenVPN on all sorts of consumer routers, running either OpenWRT or DD-WRT. I’m going to just talk very specifically about getting it running on a Netgear Nighthawk here for good reason: Netgear directly runs myopenrouter.com, where they actually collaborate with open source developers who are adapting builds of open source firmware for installation on Netgear routers. This is extremely cool, not least because it means that you can install firmware from myopenrouter directly onto a supported Netgear router using the router’s own Web-based interface.

It’s certainly possible to install DD-WRT or OpenWRT on a non-Netgear consumer router, but it’s generally a giant pain in the ass and a good way to potentially brick your router. Typically, the vendor doesn’t support it, doesn’t want you to do it, and you have to put the router into a TFTP firmware flash mode and/or use some sort of stack-smashing hack to break out of the OEM firmware in the first place. Thousands of people do exactly that, of course. A disturbing number of them brick a few routers along the way, though, so the heck with that: Netgear is actually supporting open source, so here’s me supporting them right back.

I had a Netgear Nighthawk X6 on hand already (the very same one I used in the first Homebrew router article). I fired it up, browsed to myopenrouter.com, and logged in. (You do need to create a free-as-in-beer account before you can download any of the firmware from the site.) From there, I clicked Downloads, changed the Search Downloads combo box to “R8000” (the internal, non-market-y codename of my Nighthawk X6), and downloaded the latest “DD-WRT Kong Mod” for the router. That was a ZIP file, which I extracted into my Downloads directory. With that done, I logged into the Nighthawk’s Web interface and went to Advanced -> Security -> Router Update, browsed to the .CHK file I’d extracted from the ZIP, and that was that. (You might get a warning that the firmware you’ve selected is older than your current firmware, but that’s just a “misfeature.” It compares version numbers, but the version number history for Kong’s DD-WRT mods is completely separate from the version number history for Netgear’s OEM firmware.)

That’s really all there is to installing Kong’s DD-WRT build on a Nighthawk; after ignoring the version number mismatch, it installs and reboots the router automagically in just a minute or two, and you’re ready to rock, with the router on 192.168.1.1 and handing out addresses in the 192.168.1.0/24 range on your LAN. The first thing you’ll notice after grabbing an IP address, browsing to http://192.168.1.1, and logging back into your newly DD-WRT’ed Nighthawk is that it tells you that you have to change your username and password, which are currently at insecure defaults. Do that, and I would suggest you pick the username “root.” I’m not sure it actually pays attention to the username field here, even though you’re allowed to change it.

You should already be set up reasonably well for most residential or small business Internet connections at this point, with a local subnet of 192.168.1.0/24, DHCP running on the WAN, and dnsmasq providing DHCP for the LAN. One thing you absolutely need to change, though, is the DNS setting in the “home page” of DD-WRT’s interface. By default it’s 0.0.0.0 in all three blocks and will be filled by the ISP’s settings pushed to you via DHCP. You do not want that, since our whole point here is camouflaging things from your ISP. So instead, set them to 8.8.8.8, 8.8.4.4, and 4.2.2.4 (Google, Google, and Layer3 anycast DNS server addresses). If you leave any of them blank, they will get filled with your ISP’s servers, defeating most of our purpose.

[Figure caption: Note that the DNS settings are COMPLETELY filled in here.]

Setting up the VPN itself is pretty easy if you know what you’re doing. Navigate to Services, then VPN, and look for “Client.” Tick the radio box to enable Client and then the one that opens up the “Advanced” options for the client. Find your ca.crt, and the client .crt and .key (in my case, I generated R8000.crt and R8000.key earlier), and paste them into the appropriate boxes. Set “Encryption Cipher” to AES-256-CBC and “Hash Algorithm” to SHA512 (or whatever you set them to in your OpenVPN server’s config file), set NAT to “enabled,” and check the box for “nsCertType verification.”

Finally, to avoid the dreaded Netflix problem, we take advantage of DD-WRT’s built-in policy-based routing feature. This is considerably wimpier than the one I used under Ubuntu for the Homebrew, but it’s much, much easier than getting the job done from DD-WRT’s command line. (You can shell into DD-WRT with SSH, if you need to and if you enable that option. That’s kinda cowboy, though, so since we can avoid it, we’re going to.)

[Figure caption: The DD-WRT VPN client dialog.]

Under DD-WRT, any address or subnet you enter into the “policy-based routing” text box will be routed through the VPN, not excluded from it. You do need to be careful, though. If you get frisky and put the wrong thing in here—like 192.168.1.0/24, the entire local subnet—you can pretty easily lock your router up tighter than a drum. If you do that, it’s not going to talk to you again until it has been rebooted, and it won’t talk to you then, either, if it manages to reconnect its VPN. So if you’ve managed to lock it up this way, you’ll want to unplug its WAN cable, then reboot it, which will allow you back into the interface to fix your screw-up. Dire warnings done, what you’ll want to enter in here are three single lines: 192.168.1.64/26, 192.168.1.128/26, and 192.168.1.192/26. These add up to mean that anything from 192.168.1.64-192.168.1.254 will get routed out through your VPN, leaving anything from 192.168.1.1 (the router, which must be allowed direct access) through 192.168.1.63 able to just hit the ‘Net directly.

That’s it. Scroll down to the bottom of the page, click Save first, then click Apply. Your VPN connection will fire up and should finish connecting in about 10 to 20 seconds. You can then check on it under Status -> OpenVPN—once it hits “Initialization Sequence Completed,” all is well.

[Figure caption: You get lots of chewy dialog here when the VPN client attempts to connect to the server.]

Finally, you may need to set some static leases for your media center devices. My Rokus don’t allow static configuration within themselves as an option, so doing it on the router is a necessity. Hit the Services tab; under the “Services” sub-tab (the “home screen” of Services, where you should already be), you’ll see a section for adding static leases, under “DHCP Server.” The UI here is a little funky: clicking the “Add” button makes a new blank row show up; it doesn’t add something you’ve already entered in. Now that you’ve got a blank row, put the MAC address of your Roku or other dumb, needs-to-get-directly-to-the-Internet device in, specify an IP address for it that’s below .63, and don’t hit Add again. Instead, scroll all the way to the bottom of the page, where you’ll find buttons to click to first Save, then Apply.

[Figure caption: In the policy-based routing section, we told DD-WRT to send clients at 192.168.1.64/26, 192.168.1.128/26, and 192.168.1.192/26 through the VPN instead of directly out to the Internet. Staticking my test server monolith here at 192.168.1.10 keeps it in the 0-63 range.]
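One way to sanity-check a policy-based routing plan like the one above before you click Apply, covering both the PBR entries and the static leases for devices that must bypass the tunnel (an added example, not the article's own code; the LAN, router address, hypothetical MACs and lease addresses are assumptions):

```python
# Added example (not from the article): sanity-check a DD-WRT policy-based
# routing (PBR) plan before applying it. The lockout the article warns about
# happens when a PBR entry covers the router's own address.
# Assumptions: LAN 192.168.1.0/24, router at 192.168.1.1, the article's three
# /26 entries, and constructed MAC/IP static leases standing in for the Rokus.
import ipaddress
from typing import Dict, List

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")

# The three lines the article says to type into the PBR box, one per line.
PBR_ENTRIES = ["192.168.1.64/26", "192.168.1.128/26", "192.168.1.192/26"]

# Constructed static leases (hypothetical MACs): the two "Rokus" must go out
# directly (below .63); the laptop at .70 is meant to ride the VPN.
STATIC_LEASES = {
    "AA:BB:CC:00:00:01": "192.168.1.20",
    "AA:BB:CC:00:00:02": "192.168.1.21",
    "AA:BB:CC:00:00:03": "192.168.1.70",
}


def parse_pbr(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """strict=True rejects host bits (192.168.1.65/26) as well as typos
    such as 192.168.1/192/26; both raise ValueError."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def check_pbr(entries: List[str], lan=LAN, router=ROUTER) -> List[str]:
    """Return a list of problems; an empty list means the plan is safe to apply."""
    try:
        nets = parse_pbr(entries)
    except ValueError as exc:
        return [f"unparseable entry: {exc}"]
    problems = []
    for net in nets:
        if not net.subnet_of(lan):
            problems.append(f"{net} is not inside the LAN {lan}")
        elif router in net:
            problems.append(
                f"{net} covers the router {router}: applying this locks you out "
                "until you unplug the WAN cable and reboot"
            )
    return problems


def goes_via_vpn(ip: str, entries: List[str]) -> bool:
    """True if DD-WRT would send this address through the OpenVPN tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_pbr(entries))


def direct_ranges(entries: List[str], lan=LAN) -> List[ipaddress.IPv4Network]:
    """LAN blocks left over after carving out every PBR entry. These hit the
    Internet directly; the router and the static-lease devices belong here."""
    remaining = [lan]
    for net in parse_pbr(entries):
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))  # carve net out of block
            elif not block.subnet_of(net):
                kept.append(block)  # disjoint: keep (fully covered blocks drop)
        remaining = kept
    return sorted(remaining)


def classify_leases(leases: Dict[str, str], entries: List[str]) -> Dict[str, str]:
    """Map each static lease to 'vpn' or 'direct' under the given PBR plan."""
    return {mac: ("vpn" if goes_via_vpn(ip, entries) else "direct")
            for mac, ip in leases.items()}


if __name__ == "__main__":
    print("problems:", check_pbr(PBR_ENTRIES) or "none")
    print("direct:", [str(n) for n in direct_ranges(PBR_ENTRIES)])
    print("leases:", classify_leases(STATIC_LEASES, PBR_ENTRIES))
    # The article's worst case: routing the whole LAN, router included.
    print("whole-LAN plan:", check_pbr(["192.168.1.0/24"]))
```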

Most of the steps above will be the same (or at least very similar) for any consumer router you’ve managed to shoehorn DD-WRT (or a DD-WRT variant, like Tomato) onto.

On consumer routers, price, and performance

If you’re considering buying a consumer router specifically for running a VPN out of your network, the R8000 might or might not be the best fit for you. I’m going to stick to recommending Netgear Nighthawks no matter what for two reasons: Netgear actually supports the process of you replacing their OEM firmware with DD-WRT builds, and Netgear uses relatively high-powered ARM A9 multi-core CPUs in their Nighthawk series, where many consumer routers are using much, much weaker MIPS CPUs. This makes a huge impact on VPN throughput.

The lowest-powered choice in this line is the Netgear R6400, but that model has a slightly slower CPU than the one in the R8000 I tested here (which could handle 25 Mbps throughput on AES-256-CBC/SHA512 and 35+ Mbps on AES-256-CBC/SHA1). The R8000 uses a 1 GHz ARM A9 CPU, where the R6400 uses an 800MHz ARM A9. I haven’t directly tested it, but I would assume you’re looking at roughly 80 percent of the performance of the higher-end part, maybe less. I don’t recommend the R6400 currently even if you can live with the performance drop, because the R6700 is the same price on Amazon ($110) and features the higher-performance 1 GHz CPU—the exact same part as the R8000 I tested here.

The R6700 and the R8000 share the same CPU and will perform equivalently for VPNs, but the R8000 is a tri-band router while the R6700 is only dual-band. Is the addition of a second 5GHz radio worth the additional $150, with the R8000 currently running $260 on Amazon? That depends on how many Wi-Fi devices you have in the house. If you’ve got a couple of TVs, several phones, a couple of laptops, and a tablet or two with several people who might be using a bunch of them simultaneously, the answer is probably a resounding “yes.” On the other hand, if you’ve got a high-quality mesh network kit like Orbi or Plume handling Wi-Fi duties, you don’t need the R8000’s radios at all, so you can get the R6700 to handle routing and VPN duties and let your mesh kit keep handling the Wi-Fi. (And before you ask, no, you can’t just run DD-WRT on the mesh kit itself.)

The Nighthawk R9000 offers twice the VPN throughput of the R6700, but at $450, it does so at just over four times the cost. (And our Homebrew still smacks its butt and sends it running home to mommy.)

Finally, if the sky’s the limit, Netgear also offers a Nighthawk X10 (R9000) with a whopping 1.7 GHz quad-core ARM A9 CPU. I have not tested one yet, but if I had to hazard a guess, I’d expect nearly double the OpenVPN throughput that the R8000’s 1 GHz dual-core ARM A9 managed (figure an estimated 45+ Mbps throughput on AES-256-CBC/SHA512, or 65+ Mbps on AES-256-CBC/SHA1). You’ll also get MU-MIMO, quad-stream 2.4 GHz and 5 GHz radios, and where the R8000 had a second 5 GHz radio, the R9000 has an 802.11ad 60 GHz “wigig” radio instead. (You almost certainly don’t have a wigig client device to connect to it with, but hey, you’ll have the radio on your router.) All of this comes at a pretty whopping price tag, though: Amazon is currently listing the R9000 at $450.

On (in)security and performance

A final option, which I will go ahead and discuss but flat-out tell you we do not recommend, is to sacrifice security for performance almost entirely. Weakening the encryption protocol and dropping the authentication protocol entirely—AES-128-CBC/None—resulted in 51.25 Mbps throughput on my R8000. Finally, dropping both authentication and encryption (at which point, yes, you’ve tunneled your data but somebody who actually cared could still pick it apart) to None/None will go wire speed on just about any Internet connection you throw it at.

File this under “I’d rather talk with you kids about it than have you learn it on the playground.” Yes, these options are faster. And if all you’re concerned about—we truly mean all you’re concerned about—is throwing a monkey wrench into your ISP’s very casual predatory snooping, they’ll probably do the trick. An actual attacker will absolutely be able to unravel these “fast” tunnels and view or modify the data running down them, though, so really, don’t do it. Or, at the very least, don’t claim nobody told you it was a bad idea.

Conclusions

It’s really not that hard to roll your own, personally hosted VPN service to get your data away from prying eyes at your ISP (or at the coffee shop; we didn’t cover the minutiae of installation here, but you can use OpenVPN credentials on Android and iOS phones and tablets, too). Extremely heavy data users might have problems with bandwidth overage costs from their VPS provider, but the 1TB/month allotment from DigitalOcean will easily cover my household usage. Whether you want to set the whole thing up on a router to blanket-cover your whole network, on individual devices, or both at once, you can get it done.

The Good:

  • OpenVPN can be configured extremely securely, is free as in speech and as in beer, and can be run on just about any device you can think of: Windows, Macs, Linux or BSD machines, phones, tablets, and even (some) consumer routers.

The Bad:

  • At the end of the day, your insecure traffic is still insecure—you’ve just moved your point of vulnerability, not eliminated it. You (understandably) didn’t trust your ISP, so you moved it out of their reach. You (understandably) didn’t trust VPN providers, so you didn’t use them. But you’re still trusting your hosting provider, and everybody they’re downstream of.

The Ugly:

  • You now have one more machine to maintain. Your Ubuntu 16.04 LTS VM will automatically apply security upgrades, and it’s supported through April 2021 (after which it will need an upgrade to a newer LTS version, which can generally be done relatively painlessly and in place for simple systems like this), but that’s not forever. There’s no guarantee that some new crypto breakthrough won’t force you to reevaluate your cipher/digest choices before then, either.

twistero Smack-Fu Master, in training

I’ve been running OpenVPN on a DigitalOcean droplet for a long time now, and just recently added IKEv2 to the mix.

1. Actually, since we’re using the tun adapter, each client will use four IP addresses in its own /30 subnet—up to 10.8.0.255. This means we’ll be limited to about 60 total clients, so if you’re setting this VPN up for your friends and your friends’ friends and maybe some people you don’t even really like all that much, you may need to consider a bigger subnet.

If none of your clients are on ancient versions of OpenVPN (2.0 or something like that), you can specify “topology subnet” in your config file, in which case each client will only use one IP address from your pool. The default setting is “topology net30”, which is required for backwards compatibility, but “topology subnet” is strongly recommended if there are no legacy clients.

2. OpenVPN 2.4 is recently out, and it’s AWESOME. Previously with 2.3 and earlier, it’s very easy to fingerprint OpenVPN traffic, so your ISP or a nation-state censor will know you’re using OpenVPN and can block your server easily. With 2.4 you can use “tlscrypt” to obfuscate your traffic with a static key, so no one even knows you’re using OpenVPN anymore. This is obviously not backwards compatible, so make sure all your clients have 2.4. In particular, the official “OpenVPN Connect” app for iOS and Android are NOT compatible with 2.4 yet, which is a real shame.

3. IKEv2 is cool, but it’s more difficult to make it secure. Windows’s built-in VPN client only supports weak crypto by default (maxes out at AES128, DH1024, SHA1. Can you say Logjam?), although it’s possible to turn on some strong ciphers using a registry key or PowerShell. Also, Windows is extremely picky about the certificates used for IKEv2; I still haven’t figured out how to make Win10 accept them yet.

Jim Salter Contributor

An update for everyone asking about Streisand, here and on Twitter:

Streisand is a project which aims mainly to help volunteers in countries with less oppressive regimes enable citizen journalists in countries with oppressive nationwide firewalls to escape. As such, its goal is not to provide anonymity for the operator, it’s to provide anonymity and network escape to other people.

There’s obviously a lot of overlap between that project and a straightforward VPN like the one discussed here, but where this article focuses on securing your own traffic on the way out of an untrusted network, Streisand focuses on escape and anonymity. There are a lot more moving parts to Streisand to worry about breaking or becoming insecure, and it’s not entirely self-updating.

Finally, neither the straightforward security-focused VPN in this article nor Streisand directly provide anonymity to the operator, and should not be relied on to hide the operator’s identity from any surveilling entity. If the operator wants anonymity, the operator will need some kind of bulletproof, anonymous, non-logging hosting to use with either Streisand or with the VPN described in this article. AWS, Linode, Digital Ocean, et al are absolutely not that, and using either Streisand or a simple VPN with an exit point in one of those datacenters will tie all the traffic coming from the VM(s) in question directly and extremely clearly to the person who is paying for the hosting.

Caveat emptor, caveat procurator. You have been warned.

Best VPNs for Netgear routers (and how to install them)

Netgear routers come with a built-in VPN function, but they won’t work with third-party VPNs. We’ll show you how to set up a VPN on your Netgear router and the best VPNs for the job.

Paul Bischoff TECH WRITER, PRIVACY ADVOCATE AND VPN EXPERT
@pabischoff UPDATED: August 13, 2023

Netgear routers, depending on the model, can work with VPNs in one or two ways:

  • You can set up a VPN server on the router itself, allowing remote access to your home network
  • You can set up a secure connection to a VPN server in another location

Netgear routers only include the first option by default, which gives you secure, remote access to a computer, IoT devices, or a media server in your home. Basically, the router is the VPN server.

The second option secures the internet connections of all the devices in your home and lets you unblock region-locked content. If you want private torrenting, geo-unblocking, and added security, this is for you.

Unfortunately, the VPN function built into Netgear router firmware doesn’t work with the second option. So if you want to connect your Netgear router to a VPN server in another location, you’ll need to replace the firmware with something like DD-WRT or Tomato.

Putting new firmware on your router is free and isn’t particularly difficult, but it does carry certain risks, such as potentially damaging the router or voiding the warranty.

Best VPN for Netgear routers:

NordVPN

Money-back guarantee: 30 DAYS

If you want to securely connect your Netgear router to a VPN server in a remote location, we highly recommend NordVPN.

If your router is compatible with DD-WRT firmware, you can follow the instructions for manual configuration on NordVPN’s website. Another option is to purchase a configured NordVPN Netgear router from FlashRouters.

NordVPN is the fastest VPN we’ve tested and is great for unblocking region-locked content like Netflix, Hulu, and BBC iPlayer. It’s also very secure and doesn’t store any identifying logs. Customer support is available 24/7 via a live chat feature on the website.

Although NordVPN is our top choice, Surfshark and ExpressVPN are also good choices if you’re looking for alternatives.

WANT TO TRY THE TOP VPN RISK FREE?

NordVPN is offering a fully-featured risk-free 30-day trial if you sign up at this page. You can use the VPN rated #1 for Netgear routers with no restrictions or limits for a month. This allows you to try out all of its powerful security features first-hand.

There are no hidden terms: just let support staff know that NordVPN isn’t right for you within 30 days and you’ll get a full refund. Start your NordVPN trial here.

Methodology: How we find the best VPNs for Netgear Routers

At Comparitech, we use a scientific VPN testing methodology to test and review VPNs. This allows us to compare services and locate VPNs that are ideal for routers. We test for IP and DNS leaks and check the VPN apps for important privacy and security features. This includes checking the VPN’s protocols and encryption implementation.

To find the best VPN for Netgear Routers, we compared the market in search of a provider with reliable apps and guides for setting up the VPN on a router. Below, we have included the key criteria we used to find the best VPN for Netgear:

  • Excellent router compatibility and setup guides to get the VPN working effortlessly.
  • Large global server network with fast speeds to let you access vast amounts of content.
  • Lots of advanced privacy and security features to protect every device on your network.
  • Superb ease of use and reliability for accessing popular services like Netflix, Hulu, and more
  • Outstanding live chat support and a money-back guarantee to test the service.

Netgear router VPNs explained

Many Netgear router models support Virtual Private Networks, but that might not mean what you think it means. A VPN setup on a stock Netgear router is much different than a typical VPN app on your phone or laptop.

Netgear lets users set up their own VPN server on the router itself. This allows you to access your home network from some other location through the internet. For example, if you’re out of the house and want to access your home PC, internet-of-things devices, or a media server, you can do so.

However, this setup does not secure your internet connection while at home or let you access region-locked content.

That’s where a VPN provider like NordVPN comes in. VPN providers operate servers all around the world and let you connect to them via encrypted tunnels. This enables you to access content that’s only available in other countries, for example. It also protects your privacy by preventing your ISP, government agencies, and hackers from snooping on your browsing activity and downloads.

Unfortunately, Netgear routers don’t support the option to connect to a remote VPN server. Replacing the firmware is necessary if you want to do that.

How to set up a VPN to your home network on a Netgear router

This setup, which comes as a stock option on many Netgear router models, allows remote access to your home network, not the internet. This is useful for smart home and IoT devices, home media servers, and remote access to computers. It is not intended to give you an encrypted tunnel to the internet or a different public IP address.

Not every Netgear router comes equipped with this feature, but many do, including all ProSafe and Nighthawk models.

Because you’re setting up both a client and server, you’ll need to set up the VPN both on the router and on the device with which you want to connect.

Here’s how to set up a VPN on a Netgear router:

  1. Open a web browser and go to http://www.routerlogin.net.
  2. Enter the username and password for your router admin panel (Netgear Genie). By default, the username is admin and the password is password, but you should change these if you haven’t already.
  3. Go to Advanced > Advanced Setup > VPN Service.
  4. Check Enable VPN Service and click Apply
  5. Specify the VPN service settings you want. This depends on what you want to use the VPN for.
  6. Download the OpenVPN configuration files for the type of device with which you want to connect, such as For Windows or For Smart Phone.
  7. Move the files onto the device you want to connect to the VPN and import them into your OpenVPN app of choice.
  8. Choose the OpenVPN profile you’ve created in the app and connect!

You can use the free, official OpenVPN apps available for most major operating systems. They are usually available from your device’s app store or default repository.

How to replace firmware on a Netgear router

If you want to connect your router to a remote VPN server, you’ll have to replace the firmware with something that offers this capability. This process, called “flashing,” can permanently damage your router and void the warranty if not performed correctly, so proceed with caution.

  1. Download VPN-compatible firmware that works with your specific Netgear router model. We recommend something of the DD-WRT or Tomato varieties.
  2. Open a web browser and go to http://www.routerlogin.net.
  3. Enter the username and password for your router admin panel (Netgear Genie). By default, the username is admin and the password is password, but you should change these if you haven’t already.
  4. Select Advanced > Administration > Router Update.
  5. Click Browse and navigate to the firmware you downloaded in step 1.
  6. Click Upload to flash the router.
  7. Restart the router.

With your new firmware in place, you can set up a VPN connection. Check out our articles on the best VPNs for DD-WRT and best VPNs for Tomato routers for more information.

Are there any free Netgear router VPNs?

As discussed above, you can turn some Netgear routers into VPN servers that let you connect to your home network. This is a built-in feature, and you can connect to it using free and open-source VPN apps on your phone or laptop.

If you want to connect your router to a VPN server in another location, however, there are no free options that we know of. Most free VPNs only work with phones and laptops on major operating systems.

At any rate, free VPNs are best avoided. They cap your data, throttle downloads, and force users to wait in queues to connect. Many track your online activity and sell the data to third parties such as advertisers. Some can even infect your device with malware or sell your bandwidth for use in botnet attacks.

Opt for a paid VPN if you want a quality service.

VPN for Netgear Routers FAQ

Will a VPN work on my Netgear Nighthawk router?

VPNs will work on your Netgear Nighthawk router, but the quality of the connection may vary depending on the VPN provider. If you’re planning to use your VPN for travel, make sure to choose a provider with servers in countries around the world so that you’ll have access to local content no matter where you go.

If I install a VPN on my router do I still need to use a VPN client on my computer?

No. If you have a VPN router, your devices will automatically be protected by the VPN, so there is no need to install VPN clients on every device you own.

However, if you leave your home, then you may want to install VPN clients on your mobile devices, as these won’t be protected when you leave your home network.

How do I know if my Netgear router is VPN compatible?

As we’ve covered, Netgear routers come with a built-in VPN function. However, you’ll need to replace the firmware with DD-WRT or Tomato if you want to connect your Netgear router to a VPN server in another location. The best VPNs for Netgear routers provide step-by-step instructions for manual configuration. However, if you’re having trouble, you can purchase a Netgear router that’s pre-configured with a VPN from FlashRouters.

How many devices can I use with a Netgear router VPN?

The good news is that you can use as many devices as you like with a Netgear router VPN. Most top-rated VPN services let you have at least five or six simultaneous connections. However, one of the many benefits of using a router VPN is that you can protect every device that connects to the router because the router only counts as one connection.

Which Firmware is Better, DD-WRT or OpenWRT?

Unless you’re an experienced user, you probably won’t notice much of a difference between DD-WRT and OpenWRT firmwares. DD-WRT is better-known, so there’s a ton of support available and it’ll work on just about any router you can find. OpenWRT, on the other hand, offers a higher level of flexibility, provided you’re willing to spend time tinkering around in the settings.

If you’re on the fence, we’d suggest giving DD-WRT a try first. After all, you can always flash different firmware later if you decide it’s not what you’re looking for.