Got tired of VPNs on every device: one client for all


Ah, Monday morning. Disconnect from your home VPN, kill the app, and start a different app with your employer's VPN to work remotely. After work, do everything in reverse. New TV firmware? You’ll need to reset the VPN here too. Got a new phone or tablet? Don’t forget to set up a VPN for this, or who knows who might poke around your precious data packets. And what about your fridge and robot vacuum?

Home security shouldn’t be that hard. Nobody argues about the benefits of a VPN. It hides your activity online from your internet service provider (and reveals it to your VPN provider instead, which can be trusted, right?). Your traffic is also encrypted, so it can’t be read by nosy neighbors, pesky bots, or even competent adversaries.

But after a while spent messing around with various protection tools and apps, it’s easy to get tired of the inconveniences. Because of this, many people simply leave themselves unprotected.

Luckily, I’ve found a simple solution. Just set up a VPN client on your router, covering your whole home network and the devices of your choice.

If this is too much for your old router, it may be time to get a new one and enjoy better security and increased speeds with Wi-Fi 6E. Or add a gateway to the mix and enjoy enhanced firewall features in addition to the VPN.

An all-in-one solution would be great, but it doesn’t exist

Wouldn’t it be great to have one simple device, a gateway that connects your router and ISP and performs all the security stuff you need? Things like VPN, next-gen firewall, and even the filtering of annoying advertising? And imagine if it was simple for the end user to manage, preferably from a mobile device and a single app.

Well, sadly, there’s no such solution. So before changing around my home network, I talked to Mantas Sasnauskas, Cybernews Head of Security Research, about my options.

According to him, I can’t trust my internet service provider (ISP). I also shouldn’t trust my VPN provider, router firmware provider, computer OS provider, Chrome browser provider, and even myself.

Well, I can’t write my own OS and firmware. And even if I was a genius and could install open-source alternatives, should I trust that random account on GitHub? And what about Jeff Bezos? He’s ultimately responsible for Amazon’s cloud if I wanted to set up my own VPN server there.

Ultimately, we’ve got no choice but to rely on something, somewhere, in the modern world. I place my trust in large corporations like Apple, Microsoft, and Google, and I can only hope that they’re well-regulated and act in my best interests.

So, back to the router.

It was easier than expected

According to Sasnauskas, installing a VPN client on my router would simplify the management of all VPN instances. And boy, it did.

Personally, I use a TP-Link router at home and have a NordVPN account that has done the trick so far. I didn’t need anything else.

I just logged into the control panel via a web browser (using the IP address 192.168.0.1; yours may be different), navigated to “VPN Client” in the Advanced settings, and from there, the settings were straightforward.

You can add a VPN server by providing its name, VPN Type (OpenVPN in my case), username, and password. Nord provided those in the management console. And lastly, I had to download the client configuration file for the server. That’s it. I followed their guide online – your VPN provider may have something similar.

To my amazement, the router’s VPN settings were better than a simple on/off switch. You can turn the VPN on or off for each device connected to the router. Say you want your TV protected but don’t care about that smart light bulb that’s secretly a Chinese spying device.

You can add more VPN server profiles from different locations worldwide if bypassing geo-blocking is your thing. That requires more work than simply switching servers in a VPN app. Or, you can keep the VPN app on a computer and “chain” VPN connections, as the last server in the chain will be the one from the app you’re using. I have to keep my work’s VPN.

A VPN inside a VPN.

Settings in the router: first I added a server, and then you can choose which devices to connect.

The good thing is that after setting everything up, you can keep the direct URL to your router settings in bookmarks if you want quick access to the settings later.

The main advantage for me is that I don’t need to use a VPN app on slower devices and save their CPU resources for other things. I still keep a VPN app on my computer.

The VPN service’s encryption now ends at the router, which has become the endpoint of the tunnel, so the hop between your devices and the router is not covered by it. Be sure to configure the router to use at least Wi-Fi Protected Access 2 (WPA2) or, even better, WPA3, which encrypts the communication between the router and your devices. And turn off WPS (Wi-Fi Protected Setup, a simpler way of joining devices to the network by pressing a button or entering a PIN).

Of course, I hope your router password is not set to “admin” or any of these.

A VPN-capable router centralizes the protection and privacy measures at the gateway level, so be sure to protect it with a robust password and keep it updated.

No security measure is foolproof. No VPN, firewall, and filtering combo will protect you from social engineering or phishing attacks that exploit human error. But those precautions will reduce your attack surface and put some barriers in place.

Sasnauskas’ take on home cybersecurity: measure the size of your paranoia

According to Sasnauskas, protecting your home is a never-ending process, and the best combo of security measures may be the one that “keeps your paranoia in check.”

“It depends on your threat landscape and how paranoid you are. Some may need to block everything, filter everything through a sinkhole, and only whitelist a single website, cybernews.com,” Sasnauskas jokes.

Having a VPN, according to him, is a crucial step.

“It depends on what you trust more, your ISP or your VPN provider. Even better would be to set up your own VPN server somewhere so that its logs are only accessible to you. Also, do you trust your router’s manufacturer? You’d better use DD-WRT or other open-source firmware solutions. But that requires knowledge to set up.”

He recommends using Pi-Hole or a similar network-wide ad-blocking DNS sinkhole. This limits the ads and spam you see and blocks known malicious sites. However, setting the Pi-Hole up also requires work, knowledge, and a separate device.
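To show what a DNS sinkhole actually does, here is an added example (not Pi-Hole’s own code): a minimal resolver step that answers queries for listed domains, and their subdomains, with 0.0.0.0 and hands everything else off to be forwarded upstream. The blocklist entries and the query bytes are constructed for illustration.

```python
# Added example of the mechanism behind a Pi-Hole style DNS sinkhole, not Pi-Hole's own code.
# A query for a listed domain (or any subdomain of it) is answered locally with 0.0.0.0, so the
# client never learns the real address; everything else is left to an upstream resolver.
import struct

# Constructed sample blocklist (a real Pi-Hole loads thousands of entries from published lists).
BLOCKLIST = {"ads.example", "tracker.example"}

def parse_question(packet: bytes):
    """Return (lowercased name, qtype, offset just past the question section)."""
    offset = 12  # the fixed DNS header is 12 bytes
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype = struct.unpack("!H", packet[offset:offset + 2])[0]
    return ".".join(labels).lower(), qtype, offset + 4  # skip QTYPE and QCLASS

def is_blocked(name: str) -> bool:
    """Match the name itself or any parent domain: www.ads.example hits ads.example."""
    parts = name.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed client query for an A record, used here as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def sinkhole_response(query: bytes):
    """Answer blocked A queries with 0.0.0.0; return None when the query should be forwarded."""
    name, qtype, end = parse_question(query)
    if qtype != 1 or not is_blocked(name):  # only A records handled here; Pi-Hole also covers AAAA
        return None
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    # Answer: pointer to the question name (0xC00C), TYPE A, CLASS IN, TTL 60, RDLENGTH 4, 0.0.0.0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(4)
    return header + query[12:end] + answer

def answered_ip(response: bytes) -> str:
    """Extract the IPv4 address from a single-answer response (for checking results)."""
    return ".".join(str(b) for b in response[-4:])
```

In a real deployment this decision runs inside a UDP listener on port 53 that every device on the network points at (usually via the router’s DHCP settings), which is why a sinkhole covers the TV and the fridge without any per-device software.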

His final recommendation would be a network-wide advanced hardware firewall, e.g., pfSense, which may be expensive. It also sits in front of the router and needs configuration.

“You should only leave two ports open for HTTPS and HTTP, that’s it. Everything else is too vulnerable. Why would your mom need an open port for a remote desktop connection? Unless she wants some scammer to connect remotely to fix her computer,” Sasnauskas concludes half-jokingly.