• How to set up a VPN server at home (on the router)

    If you have searched for this topic, you are probably confused. Most articles on it confuse readers rather than help them.

    Why you need a VPN server at home

    First of all, let’s make it clear that there’s only one reason to set up a VPN server at home: you want to access your home network from outside.

    If you are trying to hide your IP address, hide your Internet traffic from the ISP, or access content not available in your geographical area, you need a VPN client and a VPN service subscription, not a VPN server at home.

    There are many reasons that you may want to access your home network remotely. These may include:

    1. Access to files stored on your home network
    2. Remote desktop to a machine on your home network
    3. Encrypt your traffic for better security when you are connected to a public WiFi network
    4. Utilize a network-wide ad blocker (e.g., the ad blocker on the pcWRT router or a pi-hole) that you set up at home
    5. Access to streaming services at home when you’re traveling
    6. Share streaming service or media from one house to another
    7. Pretend that you’re home while traveling

    What you need

    There’s more than one way to set up a VPN server at home. But it’s easiest to set it up on the router.

    As shown in the diagram below, there are basically two requirements:

    1. A router that supports running a VPN server
    2. A public IP address assigned by your Internet Service Provider (ISP)

    Many routers can run a VPN server. Check your router’s manual to find out whether it’s supported, and how to configure and start it up.

    The public IP address is needed so that your VPN client devices can connect back home from outside. It is usually displayed on the router’s Internet or Broadband page.

    In the US, most users get a public IP address at home from their ISPs. But there are more and more ISPs that put their subscribers behind Carrier Grade NAT (CGNAT), due to the increased scarcity of IPv4 addresses. Before trying to set up the VPN server on the router, check that you have a public IP address from your ISP.

    Without a public IP address, your remote device running the VPN client has no way to contact your VPN server. For this post, I assume that you do have a public IP address from your ISP. I’ll address the case where you don’t have a public IP address (i.e., behind CGNAT) in another post.
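    The public-IP check described above can be done by classifying the address shown on the router's Internet page. The following is an added example, not part of the original post; the function name, verdict labels and sample addresses are constructed for illustration, and it covers IPv4 only.

```python
import ipaddress

# RFC 6598 shared address space: what ISPs hand out behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the router sits behind another NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, seen_from_outside=None):
    """Classify the IPv4 WAN address shown on the router's Internet page.

    seen_from_outside (optional) is the address an external "what is my IP"
    page reports for the same connection. Returns (verdict, explanation).
    """
    addr = ipaddress.IPv4Address(wan_ip)  # raises ValueError on bad input
    if addr in CGNAT:
        return "cgnat", "ISP uses carrier-grade NAT; clients cannot connect in"
    if any(addr in net for net in RFC1918):
        return "private", "router is behind another NAT device (e.g. ISP gateway)"
    if (addr.is_link_local or addr.is_loopback or addr.is_unspecified
            or addr.is_multicast or addr.is_reserved):
        return "unusable", "WAN has no usable address (no lease from the ISP?)"
    if seen_from_outside and ipaddress.IPv4Address(seen_from_outside) != addr:
        return "mismatch", "outside world sees a different address; NAT upstream"
    return "public", "address is publicly routable; a home VPN server can work"


if __name__ == "__main__":
    # Constructed sample values (documentation and reserved ranges, not real hosts).
    samples = [
        ("203.0.113.5", "203.0.113.5"),
        ("203.0.113.5", "198.51.100.7"),
        ("100.72.14.9", None),
        ("192.168.1.2", None),
        ("169.254.10.1", None),
        ("100.128.0.1", None),  # just outside 100.64.0.0/10
    ]
    for wan, outside in samples:
        verdict, why = classify_wan(wan, outside)
        print(f"{wan:<15} {verdict:<9} {why}")
```

    Only the "public" verdict means the setup in this post applies as written; "cgnat", "private" and "mismatch" all indicate that another NAT sits between the router and the Internet.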

    What are the steps?

    1. If you have a dynamic IP address from your ISP, set up Dynamic DNS (DDNS) on the router. DDNS maps a domain name to your home IP address, and you can use that domain name to connect to your VPN server at home. Most routers support DDNS.

      If you have a static IP address from your ISP (which is rare), you can omit this step. But you may still choose to do it if you want to access the VPN server by domain name instead of by IP address.
    2. Set up and start the VPN server on your router by following the instructions in the user manual. Set the VPN server to auto-start if there’s an option.
    3. Install VPN client software (if needed) on the remote device(s). Set up the VPN configuration to connect to the VPN server (again, check the router manual).

    Here’s a guide on how to set up a VPN server on the pcWRT router: The Complete Guide to Setting up a WireGuard® VPN Server at Home with pcWRT

    Security considerations

    1. Use non-standard ports if possible. E.g., for OpenVPN, use a port other than 1194; for WireGuard choose a port other than 51820, etc.
    2. Choose UDP over TCP. Hackers have a harder time probing UDP ports than TCP ports.
    3. Choose a secure VPN protocol. OpenVPN, IKEv2 and WireGuard are good choices. Avoid PPTP.

    * WireGuard® is a registered trademark of Jason A. Donenfeld.
