PhoenixVPN

Blog

Setting up PhoenixVPN on your router: a no-nonsense guide

By Priya at PhoenixVPN 8 min read

If you have a smart TV, a games console, a smart speaker, or a few too many IoT devices, you’ve probably noticed: most of them can’t run a VPN client. The solution is to put the VPN on the router. Once it’s there, every device on your network is protected — including the dumb ones.

What you need

  • A router with at least 128 MB of RAM. Most consumer routers from the last five years qualify.
  • Firmware that supports WireGuard or OpenVPN. OpenWrt is our recommendation. DD-WRT, pfSense, and AsusWRT-Merlin also work.
  • An PhoenixVPN subscription. Generate a WireGuard config from your dashboard.
  • About 30 minutes the first time. Five minutes the second time.

Quick path: OpenWrt + WireGuard

  1. Flash OpenWrt if you haven’t already. The OpenWrt firmware selector tells you what build to use for your router. Follow their install guide carefully.

  2. Install WireGuard packages. SSH into the router and run:

    opkg update
opkg install wireguard-tools luci-app-wireguard kmod-wireguard

  3. Import the config. In your PhoenixVPN dashboard, generate a WireGuard config for the city you want to use. Then in OpenWrt: Network → Interfaces → Add new interface → Protocol: WireGuard. Paste in the config values.

  4. Route LAN through it. Add a firewall rule that forwards LAN traffic through the new WireGuard interface. The OpenWrt wiki has a step-by-step example.

  5. Test. Visit ipleak.net from a device on your network. You should see the PhoenixVPN server’s IP, not yours.

A few practical notes

  • Throughput is limited by your router’s CPU. A modern router with WireGuard can sustain 200–500 Mbps. Cheaper routers with OpenVPN often top out around 30–50 Mbps. If you have a gigabit connection and want all of it, you may want a more capable router (or a pfSense box).

  • Split tunnel some devices. You probably don’t want your smart speaker or your work laptop on the VPN. Most firmware lets you exclude specific MAC addresses from the tunnel — your dumb devices stay protected, your work laptop talks to corp VPN as normal.

  • Kill switch on the router. Set the firewall to block forwarding when the WireGuard interface is down. That way, if the tunnel fails, nothing leaks.

When not to do this

If you only have a couple of devices and they all have PhoenixVPN apps installed, the per-device apps are simpler, faster, and more flexible (per-app split tunneling is hard at the router level). Router setup pays off when you have a lot of devices or any number of device classes (TVs, consoles, IoT) that can’t run an app.

Stuck? Hit us up on chat. The support team has done this enough times to walk you through it on any router that’s not from 2008.

< Back to blog