Considering applying VPN at router level, thoughts?

I have two Asus routers (86U, and 68U in mesh mode). I have a 3 year sub to NordVPN. I’m considering setting Nord up at router level.

Thoughts on this?

VPN client in router:

Advantages:
Nothing has to be installed on each client device.
Some client devices (such as game consoles, IoT) are locked down and you can’t install VPN client software on them.
Some smartphone OSes (iOS at least) permit installing only a VPN client OR a firewall, so this would allow you to have both.
New devices automatically use the VPN.
You administer the VPN client in only one place.
You’re guaranteed that even accesses by your client during boot and shutdown and install and update are handled by the VPN.

Disadvantages:
If that home router/modem is owned by your ISP, they may be able to see your traffic before it goes into the VPN.
If you need to disable the VPN to play a game or stream video or something, it may get disabled for all devices.
Make sure you can put a list of domains into the VPN router client, so access to those sites does not use the VPN, because some sites will not tolerate a VPN. Expect complaints from other users in your house as sites break and you have to whitelist them.
Sometimes one device or user may need to use a VPN server in country A while another device or user needs to appear to be in country B.
You’re not protected against other devices on your LAN attacking your traffic.
If you take your phone/laptop to another network, it no longer has (automatic) use of the VPN; you have to remember to switch to client software on the device.
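To make the split-tunnel and per-device points above concrete, here is an added example (not code from the thread or from any router firmware) that models the routing decision a router-level VPN client has to make: a bypass list for sites that refuse VPN exits, a per-device choice of tunnel country, and a drop rule for unmatched sources. All addresses, domain names, rule names and the "wan_direct"/"tunnel_*" labels are constructed for illustration.

```python
"""Policy-routing model for a router-level VPN client (added example).
The rules, subnets and bypass list below are constructed sample data."""
from ipaddress import ip_address, ip_network
from typing import Optional

# One LAN device must exit in the UK (e.g. for BBC), everything else in the US.
# The /32 rule is more specific than the /24 and therefore wins for that host.
DEVICE_TUNNEL = {
    ip_network("192.168.1.50/32"): "tunnel_uk",
    ip_network("192.168.1.0/24"):  "tunnel_us",
}

# Sites that break behind a VPN exit go out the plain WAN instead.
# The ISP sees this traffic, which is the trade-off the thread describes.
BYPASS_DOMAINS = {"ticketmaster.com", "hulu.com"}
# A router routes on addresses, so the domain list has to be resolved to
# ranges first; these ranges are made up (documentation prefixes).
BYPASS_NETS = {
    ip_network("203.0.113.0/24"): "ticketmaster.com",
    ip_network("198.51.100.0/25"): "hulu.com",
}

def domain_bypassed(host: str) -> bool:
    """Suffix match on DNS labels: 'www.hulu.com' is covered by 'hulu.com',
    but 'hulu.com.evil.example' is not (substring matching would get this wrong)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BYPASS_DOMAINS for i in range(len(labels)))

def choose_egress(src: str, dst: str, host: Optional[str] = None) -> str:
    """Return the egress for a flow from LAN device `src` to `dst`.
    Bypass (by name or by resolved address) wins; otherwise the most specific
    source rule selects the tunnel; a source matching no rule is dropped
    rather than leaked out the plain WAN (a 'kill switch' behaviour)."""
    dst_ip = ip_address(dst)
    if (host and domain_bypassed(host)) or any(dst_ip in n for n in BYPASS_NETS):
        return "wan_direct"
    matches = [n for n in DEVICE_TUNNEL if ip_address(src) in n]
    if not matches:
        return "drop"
    return DEVICE_TUNNEL[max(matches, key=lambda n: n.prefixlen)]  # longest prefix

if __name__ == "__main__":
    for src, dst, host in [("192.168.1.50", "151.101.0.1", None),
                           ("192.168.1.77", "203.0.113.9", None),
                           ("192.168.1.77", "8.8.8.8", None)]:
        print(f"{src} -> {dst} ({host}): {choose_egress(src, dst, host)}")
```

Note that a DNS query to 8.8.8.8 is just another flow here and is tunneled like the rest, which is exactly why the later point about DNS holds: the query is hidden from the ISP but still terminates at Google, which learns the site names.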

Do you really want every client to use the same path (location, country)?
I use the client-based install because some apps (BBC) want you to appear to be located in the UK.

VPN encryption will eat up a lot of processing power. If you have a decent connection, you’ll probably want a PC or dedicated VPN box as your router. More expensive to buy, more expensive to run.

I, personally, wouldn’t do it. It may be more of a headache than it’s worth. For example, I’ve found that Hulu and some other streaming services will detect a VPN and refuse to connect. Also, sites like Ticketmaster will cause problems.

That said, I do something similar with OPNsense, where I have VPN tunnels that I can connect various clients to. That part works fine, but I’d hesitate to run all traffic through it.

Thanks for the write-up. The ISP can see your traffic regardless of whether or not you put a VPN on at router level or on each device, I thought?

I have a 350 Mb connection, and the main router seems good enough, I thought.

If you run VPN client in the client device (each phone or computer etc), the traffic is encrypted and encapsulated before it leaves the client device. So other devices on the LAN, and the router, and the ISP if it’s controlling/subverting the router, see only VPN-encrypted traffic to the VPN server.

If you run the VPN client in the router, other devices on the LAN, and the router, and the ISP if it’s controlling/subverting the router see your traffic without VPN encryption, and they see the true destination IP addresses of your traffic. Now, if your traffic is HTTPS, they can’t tell much more than that. So maybe that’s okay.

Ah ok. I assumed that if the VPN was installed at router level, then every other device connected to the router is protected. Is this not the case? Basically saving the hassle of running the VPN on each device?

“every other device connected to the router is protected”

The issue is “protected where, and against what threats?”.

If the VPN client is running in the router, then traffic from a client device (say, a laptop) is NOT protected by the VPN as it travels from the client device across the LAN to the router, and is not protected from some code inside the router. That traffic may be protected in other ways that have nothing to do with the VPN, such as HTTPS.

If the VPN client is running in the router, then traffic from a client device IS protected by VPN encryption and encapsulation as it travels from the router across the public internet to the VPN server. That traffic may also have HTTPS, so two layers of encryption.

Ok, I’m getting confused. I have a modem that connects to a router. In the past I have set NordVPN to run from within the router. When I’ve done this, every device in my home connected to WiFi shows as being on a VPN when the IP address is checked?

Surely this means all devices are connected via the VPN, since they connect to the router that is running the VPN?

Yes, that’s all correct, that’s a good setup.

The VPN is protecting the path from router across internet to VPN server. It is hiding your IP address from the destination web sites.

That’s all it’s doing. It’s not hiding your laptop’s traffic from other devices on the LAN, they can see what IP addresses you’re accessing. It’s not adding a layer of encryption from your device to the router.

But it’s encrypting all connected devices when they pass through the router to the Internet, correct? I’m fine with other LAN devices seeing it; it’s just that I want to use the VPN to safeguard everything connected to the router, as such.

Hope this makes sense? Cheers :+1:

Yes, it’s encrypting the traffic of all devices from the router, across the internet, to the VPN server.

Hey, sorry, one more question. Does it matter if I use Google DNS with the VPN at router level?

Thanks

If you do that, you’re telling Google what web sites you’re accessing.

I prefer to use my VPN’s DNS instead. The VPN is going to see the list of sites anyway. And my VPN provides extra features in the DNS such as tracker-blocking.

Your VPN client might have a setting for DNS. Maybe the VPN’s DNS is “automatic”, or maybe there’s some special 10.x.x.x address you have to put in.

Cheers, I added NordVPN following their guide just after I’d asked. Thanks a lot for your help!