Secure Roamer

Practical security intel for independent travelers

Network router with ethernet cables and wireless connectivity

How to Set Up a VPN on a Router

July 09, 2025 · 5 min read

Running a VPN on each device is fine until you start traveling with laptops, tablets, game consoles, and smart TVs. The better move is to tunnel your entire Wi-Fi network through a router. I've configured routers in hotels from Riga to Rio; here's the reliable recipe using GL.iNet hardware and WireGuard/OpenVPN providers.

Network router with ethernet cables and wireless connectivity

Photo: Unsplash / Thomas Jensen

Gear and Accounts You Need

  • Travel router: GL.iNet Slate AX (GL-AXT1800) or Beryl AX (GL-MT3000). Both support WireGuard/OpenVPN natively.
  • VPN provider: Mullvad, IVPN, Proton VPN, or your self-hosted WireGuard server.
  • USB-C power bank for backup power (router reboots mid-call are no fun).
  • Ethernet cable for when hotels provide wired access.

Step 1: Update Firmware and Reset

  1. Power on the router, connect via Ethernet or default SSID.
  2. Browse to http://192.168.8.1 (GL.iNet’s admin panel).
  3. Upgrade to the latest firmware under System > Upgrade. I check monthly for patches.
  4. After reboot, perform a factory reset to avoid inheriting old configs.

Step 2: Change Defaults

  • Admin password: Set a unique passphrase (nothing resembling “travel2024”).
  • LAN IP: Switch to a non-conflicting subnet (I use 10.21.0.1/24). Some hotels already use 192.168.0.x.
  • SSID: Rename to something private (e.g., RomerNet) and enforce WPA3/WPA2 mixed mode.

Step 3: Configure WireGuard (Preferred)

  1. In your VPN account, generate a WireGuard config for routers. Example from Mullvad:

[Interface]
PrivateKey = <your private key>
Address = 10.67.98.4/32
DNS = 193.138.218.74
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = 185.213.154.12:51820
PersistentKeepalive = 25
  1. In GL.iNet UI, go to VPN > WireGuard Client > Set up WireGuard Client.
  2. Upload the .conf file or paste the config directly.
  3. Toggle Auto Start to ON.

Custom DNS

Under VPN > WireGuard Client, enable “Override DNS” and use 1.1.1.1 or your provider’s DNS. This prevents DNS leaks.

Step 4: OpenVPN Fallback

If your provider only supports OpenVPN or the network blocks WireGuard:

  1. Export .ovpn file from your VPN provider (choose TCP 443 for maximum compatibility).
  2. Upload via VPN > OpenVPN Client in GL.iNet.
  3. Enable “Use VPN for all devices.”
  4. Add custom parameters to handle captive portals:

reneg-sec 0
remote-cert-tls server
sndbuf 524288
rcvbuf 524288

Step 5: Handle Captive Portals Without Breaking the Tunnel

Captive portals only need to be satisfied once. GL.iNet has a Captive Portal Helper under More Settings > Captive Portal.

  • Connect your phone to the router SSID.
  • When the portal appears, log in.
  • The router captures the session cookie so subsequent devices bypass the portal while still using the VPN tunnel.

If the portal blocks VPN traffic until login, temporarily disable the VPN, authenticate, then re-enable the tunnel.

Step 6: Optimize Performance

  • Enable Hardware Offloading under Network > Hardware Acceleration for faster throughput.
  • Use a local exit node close to your physical location to reduce latency.
  • Avoid double VPNs unless you need multi-hop; they cut speed drastically.
  • Monitor speeds with speedtest-cli on a connected laptop.

Step 7: Create Device Policies

Under VPN > Policy, choose how traffic routes:

  • Global mode: Everything through VPN.
  • VPN Policy Mode: Exclude devices (e.g., streaming stick needing local content) by MAC address.
  • Domain-based policy: Route specific domains outside the VPN if they block VPN IPs (e.g., banking sites).

Step 8: Set Up Kill Switch and Alerts

  • Toggle Block Non-VPN Traffic so if the tunnel drops, traffic stops instead of leaking.
  • Under System > Scheduled Tasks, add a cron job to ping a reliable host. If unreachable for 5 minutes, reboot the router:

*/5 * * * * ping -c 3 1.1.1.1 > /dev/null || reboot

Step 9: Back Up the Config

  • Navigate to System > Backup / Restore.
  • Export settings to your laptop and encrypted cloud storage.
  • Keep a copy on an encrypted USB so you can restore quickly if the router dies.

Case Study: Lisbon Apartment

  • ISP-provided router had NAT issues.
  • Plugged GL.iNet via Ethernet to ISP router, set DMZ to GL.iNet IP to avoid double NAT.
  • Connected laptop, Apple TV, and Framework server. All traffic tunneled through Mullvad Amsterdam to maintain EU streaming rights.
  • Speed: 110 Mbps down / 18 Mbps up, plenty for remote work.

Troubleshooting Common Issues

| Symptom | Fix | | --- | --- | | VPN connects but no internet | Check DNS override, ensure AllowedIPs includes 0.0.0.0/0. | | Hotel blocks VPN | Switch to OpenVPN TCP 443 or Cloudflare WARP on router. | | Slow speeds | Change exit node, disable QoS, ensure router is not overheating. | | Captive portal looping | Disable VPN temporarily, authenticate, then re-enable. |

Advanced Extras

  • Ad blocking: Install AdGuard Home via GL.iNet plug-ins. It filters ads for every device.
  • Mesh network: Pair with an additional GL.iNet Beryl for larger apartments.
  • Remote management: Enable GoodCloud to monitor router status from your phone.
  • Self-hosted WireGuard: Run a VPS (Hetzner, DigitalOcean) with wg-easy so you control IP reputation.

Final Checklist Before Every Trip


[ ] Firmware updated and config backed up
[ ] WireGuard/OpenVPN profiles tested on local network
[ ] Captive portal helper enabled
[ ] Power bank + spare USB-C cable packed
[ ] Exit nodes selected for destinations

Setting up a VPN at the router level takes 20 minutes and pays off every day after. One login, one tunnel, all devices protected—even the smart TV in your Airbnb. Consider it your portable security perimeter.

Explore More Topics