I’ve been testing VPNs for years — not because I’m afraid of the internet, but because I care about control, transparency, and predictable performance. Over that time I’ve moved from consumer apps to self-hosted solutions and, recently, to running WireGuard directly on my router. If you want a fast, modern VPN that you can audit (or at least inspect), open-source options matter — and WireGuard is a practical, high-performance way to get that level of control across every device on your network.

Why open-source VPNs matter

Open-source VPNs bring several advantages that matter to anyone who values privacy and long-term reliability:

  • Transparency: You can read the code or rely on third-party audits. That reduces the risk of backdoors, hidden telemetry, or shady business practices.
  • Security through peer review: Open-source projects are inspected by security researchers. Vulnerabilities are more likely to be discovered and fixed quickly.
  • Longevity and portability: You’re not locked into a single vendor. If a provider shuts down or changes strategy, community-driven software can be forked and maintained.
  • Customizability: You can integrate the VPN into complex home networks, create split-tunnels, or combine it with ad-blockers and DNS controls.
  • Performance: Modern open-source protocols like WireGuard are lean and fast, often outperforming older, heavier alternatives.

In practice, that means fewer surprises and more options. When I place an open-source VPN on my router, I’m making the whole house safer and giving myself granular control over routing, DNS, and device-level policies.

Why WireGuard on your router?

WireGuard is designed to be simple, secure, and fast. It uses a small codebase (which makes auditing feasible), modern cryptographic primitives, and straightforward configuration. Running WireGuard on your router has clear benefits:

  • Network-wide protection: All devices, including phones, smart TVs, and IoT devices, route through the VPN without installing client apps.
  • Performance: WireGuard typically delivers lower latency and higher throughput than older protocols like OpenVPN.
  • Battery-friendly mobile: WireGuard’s efficient handshake and statelessness make mobile reconnections smoother.

Prerequisites — what you need before you start

To set up WireGuard on your router today you’ll need:

  • A router that supports WireGuard either natively or via custom firmware. Good candidates: routers that run OpenWrt, ASUSWRT-Merlin, pfSense (for x86 boxes), or recent stock firmwares from ASUS or Netgear that have WireGuard built-in.
  • Basic comfort with SSH and editing text files.
  • If you’re using a VPN provider: a service that supports WireGuard (Mullvad, ProtonVPN, OVPN, Tunsafe-based providers). Or: a server you control (VPS) where you can run a WireGuard instance.
  • Key management tools: I use the command line’s wg and wg-quick tools or the built-in GUI on OpenWrt/ASUSWRT-Merlin.

Choosing firmware and router

Which route you take depends on your hardware:

  • OpenWrt: My go-to for routers like the GL.iNet, TP-Link Archer series (supported models), or custom flashing on supported devices. OpenWrt’s package management makes installing wireguard-tools straightforward.
  • ASUSWRT-Merlin: Excellent for many ASUS routers. It includes WireGuard and a friendly UI for basic configs.
  • pfSense/OPNsense: Great for advanced home labs on an x86 box or small appliance; both have WireGuard packages.
  • Stock routers with WireGuard: Newer ASUS and Netgear models often include WireGuard in their firmware — fastest route if you want minimal fuss.

Step-by-step: Set up WireGuard on OpenWrt (example)

This is a typical and repeatable workflow. If you use a different firmware, the steps and concepts are identical.

  • Install WireGuard packages: SSH into the router and run opkg update && opkg install wireguard-tools luci-app-wireguard. The LuCI app gives you a GUI if you prefer it.
  • Generate keys on the router or your workstation (I generate on my workstation and keep private keys offline). On Linux/macOS: wg genkey | tee privatekey | wg pubkey > publickey. Keep the private key secret.
  • Create a WireGuard interface on the router. In OpenWrt LuCI: Network → Interfaces → Add new interface, choose WireGuard, then set the interface private key and an internal VPN IP (e.g., 10.0.0.1/24).
  • Configure peers (server or provider). If you’re using a remote server (VPS), you’ll need the server’s public key and endpoint (IP:port). If you’re using a provider like Mullvad, they supply configuration files or keys.

Example server-side WireGuard config, /etc/wireguard/wg0.conf on the VPS:

    [Interface]
    Address = 10.0.0.2/24
    ListenPort = 51820
    PrivateKey = SERVER_PRIVATE_KEY
    # eth0 is the VPS’s WAN interface; change it to match your server
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    # Peer entry for the router; without it the server ignores the router’s handshake.
    # AllowedIPs is the only source address the server accepts from (and routes to) this peer.
    [Peer]
    PublicKey = ROUTER_PUBLIC_KEY
    AllowedIPs = 10.0.0.1/32

Example router-side config, /etc/wireguard/wg-router.conf on the router:

    [Interface]
    Address = 10.0.0.1/24
    PrivateKey = ROUTER_PRIVATE_KEY
    ListenPort = 51820

    [Peer]
    PublicKey = SERVER_PUBLIC_KEY
    Endpoint = your.server.ip:51820
    # 0.0.0.0/0, ::/0 sends all traffic through the tunnel; narrow it for split tunneling
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25

Enable and start the interface: wg-quick up /etc/wireguard/wg-router.conf (or use the LuCI UI).
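Before bringing the interface up, it is worth sanity-checking the file for the mistakes that most often explain a tunnel with no handshake. The script below is an added example, not code from the original post or from the WireGuard project: a POSIX shell preflight check that flags template placeholders left in place of real keys (the SERVER_PRIVATE_KEY style values in the configs above), a [Peer] without AllowedIPs, a full-tunnel peer (0.0.0.0/0) without an Endpoint, an Endpoint without a port, and a config file other users can read. The wg_conf_check and fake_key function names and the two demo configs are constructed for this example; fake_key emits a format-only placeholder, not a usable key.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for a
# WireGuard .conf before `wg-quick up`. Flags the mistakes that usually
# explain "no handshake": placeholder or malformed keys, a [Peer] without
# AllowedIPs, a full-tunnel peer without an Endpoint, an Endpoint without
# a port, and a config file that other users can read.

# Format-only placeholder key (43 base64 chars + "="). NOT a usable key;
# it only lets the demo exercise the length/alphabet check offline.
fake_key() {
    awk -v c="$1" 'BEGIN { for (i = 0; i < 43; i++) s = s c; print s "=" }'
}

# wg_conf_check FILE: prints one line per finding; exit 0 only if clean.
wg_conf_check() {
    f="$1"
    [ -r "$f" ] || { echo "$f: cannot read"; return 1; }

    # The file holds a private key: group/other must have no access.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) perm_ok=1 ;;
        *)      echo "$f: readable by group/other, chmod 600 it"; perm_ok=0 ;;
    esac

    if awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        # A WireGuard key is 32 bytes of base64: exactly 44 chars ending in "=".
        function iskey(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
        function bad(msg) { print FILENAME ": " msg; problems++ }
        function endpeer() {
            if (section != "Peer") return
            if (!havepub)   bad("[Peer] " peers " has no PublicKey")
            if (!haveallow) bad("[Peer] " peers " has no AllowedIPs")
            else if (fulltunnel && !haveendpoint)
                bad("[Peer] " peers " routes 0.0.0.0/0 but has no Endpoint")
        }
        /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }
        /^[ \t]*\[Interface\]/ { endpeer(); section = "Interface"; next }
        /^[ \t]*\[Peer\]/ {
            endpeer(); section = "Peer"; peers++
            havepub = haveallow = haveendpoint = fulltunnel = 0; next
        }
        {
            i = index($0, "=")
            if (i == 0) { bad("line " NR " is not key = value"); next }
            k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
            if (k == "PrivateKey" || k == "PublicKey" || k == "PresharedKey") {
                if (!iskey(v)) bad("line " NR ": " k " is not a valid key (template placeholder left in?)")
                if (k == "PrivateKey" && section == "Interface") haveprivate = 1
                if (k == "PublicKey" && section == "Peer") havepub = 1
            }
            if (k == "AllowedIPs") {
                haveallow = 1
                if (v ~ /0\.0\.0\.0\/0/ || v ~ /::\/0/) fulltunnel = 1
            }
            if (k == "Endpoint") {
                haveendpoint = 1
                if (v !~ /:[0-9]+$/) bad("line " NR ": Endpoint needs host:port")
            }
        }
        END {
            endpeer()
            if (!haveprivate) bad("[Interface] has no PrivateKey")
            if (peers == 0)   bad("no [Peer] section: nothing will ever connect")
            if (problems) exit 1
            exit 0
        }' "$f"
    then awk_ok=1; else awk_ok=0; fi
    [ "$perm_ok" = 1 ] && [ "$awk_ok" = 1 ]
}

# Demo on two constructed configs written to a temp dir, then removed.
demo() {
    dir=$(mktemp -d)
    # Router config with the template placeholders still in place,
    # a port-less Endpoint, and mode 644: every check should fire.
    cat > "$dir/bad.conf" <<EOF
[Interface]
Address = 10.0.0.1/24
PrivateKey = ROUTER_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your.server.ip
AllowedIPs = 0.0.0.0/0, ::/0
EOF
    chmod 644 "$dir/bad.conf"
    # Same config with format-valid keys, a port, and mode 600.
    cat > "$dir/good.conf" <<EOF
[Interface]
Address = 10.0.0.1/24
PrivateKey = $(fake_key A)

[Peer]
PublicKey = $(fake_key B)
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
    chmod 600 "$dir/good.conf"
    echo "--- bad.conf";  wg_conf_check "$dir/bad.conf"  || echo "bad.conf rejected"
    echo "--- good.conf"; wg_conf_check "$dir/good.conf" && echo "good.conf passes"
    rm -rf "$dir"
}
demo
```

Run it as wg_conf_check /etc/wireguard/wg-router.conf on the router (or wherever you generated the keys) and fix every line it prints before wg-quick up; a clean file returns exit status 0, so the check can also gate a deployment script. Remember that the permission check is only meaningful on the machine where the file will actually live.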

Routing, firewall and NAT

Two things to remember:

  • On the server, enable IP forwarding (sysctl net.ipv4.ip_forward=1) and set NAT (iptables or nftables) so traffic from the WireGuard subnet is masqueraded on the server’s WAN interface.
  • On the router, adjust firewall rules to allow the WireGuard interface and decide whether to route all traffic (0.0.0.0/0) or just specific networks (split tunneling).

DNS, leaks and kill-switch

Preventing DNS leaks is critical. On the router set DNS servers to a privacy-respecting resolver (Cloudflare 1.1.1.1, Quad9, or your VPN’s DNS). In OpenWrt, put the DNS in the interface’s “Advanced Settings” or use dnsmasq to force queries over the VPN interface only.

For a kill-switch: block WAN-to-LAN forwarding for client networks unless the WireGuard interface is up. In practice that means firewall rules that only allow outbound LAN traffic when it leaves through the VPN interface, or scripting that disables LAN routing if wg0 is down.

Testing and troubleshooting

  • Check interface status: wg show for handshake and transfer stats.
  • Check routing: ip route and ip -4 addr.
  • Online leak tests: I run ipleak.net and DNS leak test sites from devices behind the router.
  • Common issues: blocked UDP ports (try a different port), MTU problems (lower MTU to 1280-1420), missing NAT rules on the server.
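The kill-switch scripting above (disable LAN routing if wg0 is down) and the wg show check in the list above both come down to one question: has a peer completed a handshake recently? The script below is an added example, not code from the original post or from the WireGuard project. It parses the output of wg show <iface> latest-handshakes (a real wg subcommand that prints each peer’s public key and the Unix time of its last handshake) and reports whether the tunnel is alive, running over a constructed sample so it works without a WireGuard interface. The function names, the 180-second threshold and the sample data are this example’s assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide from
# `wg show <iface> latest-handshakes` whether the router's tunnel is
# actually alive. This is the check a kill-switch script runs before it
# leaves LAN-to-WAN routing enabled, and the same thing you read by eye
# from `wg show` when troubleshooting.
#
# `wg show wg0 latest-handshakes` prints one line per peer:
#   <peer public key><TAB><unix time of the last completed handshake>
# with 0 when that peer has never completed one.

# WireGuard rekeys a session after 120 s and stops using its keys after
# 180 s, so a peer whose newest handshake is older than this is not moving
# traffic. Assumption: 180 s is a sensible kill-switch threshold; tune it.
STALE_AFTER=180

# check_handshakes NOW  (reads latest-handshakes output on stdin)
# Prints one status line per peer; exit 0 if any peer is alive, else 1.
check_handshakes() {
    awk -v now="$1" -v limit="$STALE_AFTER" '
        NF >= 2 {
            key = substr($1, 1, 8) "..."
            if ($2 == 0) { printf "%s never handshaked\n", key; next }
            age = now - $2
            if (age <= limit) { printf "%s alive (%ds ago)\n", key, age; alive = 1 }
            else              { printf "%s stale (%ds ago)\n", key, age }
        }
        END { if (alive) exit 0; exit 1 }'
}

# tunnel_alive [IFACE]: the live check (needs the wg tool; not run below).
# Hook it into your firewall logic, e.g. from cron every minute:
#   tunnel_alive wg0 || <disable the LAN-to-WAN forwarding rule>
tunnel_alive() {
    wg show "${1:-wg0}" latest-handshakes | check_handshakes "$(date +%s)"
}

# Constructed sample of `wg show wg0 latest-handshakes`: peer 1 handshaked
# 50 s before SAMPLE_NOW, peer 2 never did. Keys are made-up placeholders.
SAMPLE_NOW=1700000000
SAMPLE_OUTPUT=$(printf 'PEER1PUBLICKEYPLACEHOLDER0000000000000000000=\t1699999950\nPEER2PUBLICKEYPLACEHOLDER0000000000000000000=\t0\n')

# demo: run the check over the sample; returns the status the live check would.
demo() {
    printf '%s\n' "$SAMPLE_OUTPUT" | check_handshakes "$SAMPLE_NOW"
}
demo
```

The exit status is the whole point: a kill-switch only needs a yes/no, and the per-peer lines go to the log so you can see later whether the tunnel was flapping (stale handshakes with a keepalive of 25 s usually mean the UDP port or MTU problems from the list above, not a dead server).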

Performance tips

  • Prefer UDP over TCP for WireGuard; it’s leaner.
  • Use a router with hardware acceleration or a decent CPU; WireGuard is fast but still benefits from a capable CPU for high throughput.
  • Tune MTU and keepalive to stabilize mobile reconnections.

Which providers and setups I recommend

If you don’t want to self-host, use a trustworthy provider that supports WireGuard and publishes client configs or keys. Mullvad and ProtonVPN are two I’ve used: both support WireGuard and are open about privacy practices. For self-hosting, a small VPS (Linode, Vultr, or Scaleway) with a simple WireGuard installation is inexpensive and gives you full control.

Running WireGuard on your router isn’t just a power move for privacy; it’s the most pragmatic way to get consistent, network-wide protection that’s auditable and fast. If you want, tell me your router model and whether you’re planning to self-host or use a provider — I’ll walk through tailored commands and a config you can paste into your device.