Net Privacy Pro

Accessing the internet can be risky if your computer is not properly protected. It turns out that if you connect your Windows XP or 2000 computer to the internet, it takes about 10 minutes until it is infected with malware. This is because, in the article linked above, the Windows machine’s ports are exposed directly to the raw internet. With modern setups, all of your hosts are hidden behind NAT routers that do not by default open any ports to the outside, protecting your home network. If you want to go one step further, you should consider setting up a secure VPN router at home.

Using a private VPN router to protect your entire home network transparently brings various benefits:

  • You don’t open ports to the internet: Just like other NAT routers
  • Your identity is obscured: The sites you visit see your VPN IP, not your real home IP address
  • Your traffic is hidden from your ISP: Your service provider cannot snoop on your traffic or sites you visit (read below why that’s important)

While most ISPs monitor your DNS traffic to find out which websites you visit (for more personalized ads), some even go a step further. The Berkeley project, called Netalyzr, together with the EFF have reported on instances of ISPs redirecting users with spoofed DNS responses to lead them to ad sites for profit. You can read more about that here. This is a dangerous and disturbing tactic which you should protect against.

Transparent Home Network Protection

You can protect most sophisticated devices like desktop PCs, laptops, tablets, and mobile phones with VPN clients these days. Affordable providers like Private Internet Access offer clients for all platforms. There are many devices on your network though that cannot use apps: Printers, your connected kitchen appliances, your smart TV, and voice assistants (Alexa, Google’s Nest Hub, etc.). To let these devices enjoy the same benefits mentioned above, I will guide you through setting up a dedicated VPN router for your home network in this article.

The VPN Router Hardware

To set up a reliable hardware VPN router that protects your home network, you should opt for a model that ticks these boxes:

  • Ease of Use: You will be setting up a crucial piece of your online safety, and you want to make sure it’s not confusing when using it
  • Affordability: If you use such a setup for your home network, you don’t want to spend thousands (or even hundreds) of bucks on hardware. If your device should ever break, it should also not be a major liability to replace it.
  • Open Platform: Many routers are closed systems that do not allow any tampering with the underlying system, beyond the (mostly very bland) user interfaces. You want one that either supports VPN profiles out of the box, or one that can be extended to support VPN connections.

It should go without saying that you should choose a company that has a certain track record in router manufacturing. First-shot companies that build just one model (even if it is cheap) will likely have inexperienced support, a narrow technological focus, and potentially less experience in building such a product in a way that protects you adequately online. This might not be true for every case, but should serve us as a general guideline here.

The “Mango” Router

For this article I will be using the GL.iNet GL-MT300N-V2 WLAN Router, colored in a bright mango yellow. GL.iNet offers a wide array of routers and has been in this business for a very long time. I have used their products for >10 years and have always been satisfied. Especially this very handy little router device comes with a surprisingly large feature set.

GL.iNet GL-MT300N-V2 WLAN Router, 20€-30€ on Amazon

One of the largest pros of this model is that its firmware is based on OpenWRT. This does make it very extensible – but we don’t even have to go that far. The base firmware already allows us to configure WireGuard and OpenVPN profiles out of the box. At 25€-30€ on Amazon, this is one of the best bets you can make for a small scale, secure home routing project.

Getting Started with the GL-MT-300N-V2 “Mango” Router

The GL-MT300N-V2, or 300M Mini Smart Router Mango, is a very minimalist device. It comes with two Ethernet ports, a power port (via micro-USB), and a regular USB-A port (the one that goes into your pre-USB-C computer ports). Beyond this, it has a reset button, a (configurable) mode switch, and three status LEDs (on the top). It is also a WiFi access point and weighs a very light 39g, by the way.

The USB-A port accepts mass storage (for network sharing) and USB modems (for dialup / mobile internet if you connect your mobile phone for tethering). If you want to go over the top, you can open it up and get access to a UART interface and GPIO pins for DIY fun! All in all, this is a super versatile, robust device usable for a variety of use-cases. It is ideal for the purpose of safe VPN routing, too. Be sure to grab one, as they tend to be in high demand.

Let’s go ahead and set up the basics before we proceed to configure it as an internet gateway for your home network.

Base Settings

After you have plugged in your GL.iNet Mango router, you can connect to it via Ethernet or WiFi. We will be connecting via Ethernet for the sake of this article since we want to alter the WiFi settings. When you first connect (the default IP of the admin panel is http://192.168.8.1/), you need to set up the base settings. First, you choose the interface language. We will use English, but there is a long list of available languages. Second, you choose an access password for the admin panel. This is not your WiFi password, but the router password. Make sure you remember it. If you forget it, you need to reset the router back to its factory settings to be able to access the admin panel again.

After you have chosen both settings, click “Apply” and you will be guided to the overview screen.

Here, you can see the most important stats of your router in one place. You can see how many Ethernet (LAN) and WiFi (WLAN) clients are connected, and what the internet status is. In the screenshot above, the WAN port is not connected to the internet yet. We will be setting this up in a later step. Currently one Ethernet client is connected, and WiFi is not yet being used.

Configuring WiFi

After the base setup of the router is done, we set up the WiFi network. A default network is configured that starts with “GL-MT300N-V2“, followed by a unique number that is likely chosen at random during initial router setup. The default password for this WiFi is “goodlife“.

We first disable the network and change the settings to values suitable for our setup. To modify the network settings, scroll all the way down and click “Modify“. For the sake of this tutorial, we choose the network SSID “MySuperSecureSecretHotspot” and change the network password to “supersecretpw123!“. These should by no means be used in real networks. If you set this up yourself, choose less obvious settings. Click “Apply” to save the new settings, and toggle on “Enable Wi-Fi” again.

Your network should now be active and clients should be able to access it using the credentials you configured above. You also have the option to configure a second, guest network with different/more restrictive access rules. We won’t go into that in the context of this tutorial.

Configuring the Internet Gateway

After we set up the WiFi network, we enable the internet gateway functionality. For that, plug an Ethernet cable that has internet access into the WAN port of the Mango router (the port is labeled “WAN” on the device). A regular LAN cable that leads to your home router, of the kind usually used to directly connect your desktop or laptop computers, is all you need. After you have done that, the overview screen shows the IP range served through your home network’s DHCP server.

Network clients connecting to your new WiFi will for now be served IP addresses directly from your home network. You can change the behavior of the DHCP server by clicking on “Modify“.

In the popup that appears, you can change which host serves IP addresses, and how. You can configure static IPs or PPPoE. We won’t go into that in this tutorial; it is mentioned here for information only.

Next, we will configure the VPN provider and secure internet access.

Choosing a VPN Provider

Now that the router hardware is ready, we need to choose a VPN provider that we trust. The most important thing from a configuration perspective is that it needs to provide us with a VPN profile. The Mango router works with WireGuard and OpenVPN profiles. Once we get a profile for our VPN provider, we will copy it onto the router – it will be used to establish the connection to the VPN server.

Getting the VPN Profile

For the sake of this article (and because it is an awesome and cheap VPN provider that doesn’t keep logs), we will be using Private Internet Access (PIA), which I highlighted in a previous article. While they support WireGuard connections, I will use their OpenVPN profile generator for the sake of simplicity. You can find it by logging into your account and going to “Downloads“. Then scroll all the way down until you see this:

In the generator dialog, choose OpenVPN 2.4 or newer, and Linux as host system. The other two settings (server region and port) you can leave at default. Change the country if you have a specific VPN server location in mind. After that, click “Generate“. This will automatically download the OpenVPN profile file into your downloads folder.
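Before the downloaded profile goes onto the router, it can be checked for settings that weaken the tunnel or run local commands. The following is an added example, not code from this article, GL.iNet or PIA; the finding names, the weak-cipher list and the constructed sample profile (with its placeholder hostname) are assumptions made for illustration.

```python
import re

# Constructed sample profile for this example; the hostname is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1198
cipher bf-cbc
auth sha256
comp-lzo
<ca>
constructed-placeholder-certificate
</ca>
"""

WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc"}  # none or 64-bit block
SCRIPT_HOOKS = {"up", "down", "route-up", "ipchange", "tls-verify"}  # run local commands
COMPRESSORS = {"lzo", "lz4", "lz4-v2"}

def parse_profile(text):
    """Split .ovpn text into {directive: [args, ...]} and {inline_block: [lines]}."""
    directives, blocks, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if current:  # inside an inline block such as <ca>...</ca>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif m := re.fullmatch(r"<([a-z0-9-]+)>", line):
            current = m.group(1)
            blocks[current] = []
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def audit_profile(text):
    """Return sorted finding codes for one OpenVPN client profile."""
    d, blocks = parse_profile(text)
    checks = {
        "server-cert-usage-not-checked": not ({"remote-cert-tls", "verify-x509-name"} & d.keys()),
        "no-ca-certificate": "ca" not in d and "ca" not in blocks,
        "weak-cipher": any(a and a[0].lower() in WEAK_CIPHERS for a in d.get("cipher", [])),
        "weak-hmac": any(a and a[0].lower() in {"none", "md5"} for a in d.get("auth", [])),
        "compression-enabled": any(a != ["no"] for a in d.get("comp-lzo", []))
            or any(a and a[0] in COMPRESSORS for a in d.get("compress", [])),
        "runs-local-script": bool(SCRIPT_HOOKS & d.keys()),
    }
    return sorted(code for code, hit in checks.items() if hit)
```

Call `audit_profile(open(path).read())` on the generated file; an empty list means none of these checks fired, not that the profile is otherwise sound.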

Configuring the Router for VPN Access

With the OpenVPN profile acquired above, on your Mango router control panel navigate to “VPN” on the left side bar, and select “VPN Dashboard“.

This dashboard screen shows you the currently configured VPN settings. Right now, no OpenVPN or WireGuard profiles are configured. This screen also allows you to set up your own VPN server, similar to what I reported on for WireGuard. For now, click “Set Up Now” in the OpenVPN row.

The first screen will suggest known profiles. My version of the software only suggests NordVPN as a default option. Click “+ Add Manually” below, which leads you to the screen on the right. Add a new group, call it “Private Internet Access” and drag your generated OpenVPN profile into the designated area. Now enter your VPN credentials (your PIA login) below that and click “Apply“.

The VPN dashboard will now show your configured VPN connection and allow you to enable or disable it with a single click:

Once switched on, you will see traffic statistics, your VPN IP, and a link to your VPN service logs. These only contain functional items for the VPN application running in the background, not clients accessing resources on the internet.

You have now set up the VPN client on your router. All traffic flowing through this router will now be encrypted by your VPN connection, and your origin IP (as seen by websites and services) will be that of your PIA VPN.

Testing your VPN Connection

Now that your VPN is active, the overview dashboard of your router shows all relevant stats. This includes the connection from our one LAN client that connects to the internet via Ethernet (the WAN port), using VPN.

To validate that I’m accessing the internet transparently via the VPN now, I connected to the new SSID with my mobile phone. Using the privacy-minded DuckDuckGo browser, I went to whatismyipaddress.com and verified that it correctly identified me as being in California (the OpenVPN profile generator’s default setting for me):

The IP 84.247.111.24 is my VPN’s IP, not my real one. This proves that traffic for devices using this new WiFi network is routed through the encrypted VPN transparently. No need to configure the PIA VPN app on each of your devices (some cannot even run it).

Conclusion

Congratulations, you configured your own home VPN client on a router and made your digital life more secure. The GL.iNet GL-MT300N-V2 WLAN Router has a lot more to offer in terms of functionality (like all their models have), but it’s a perfect form factor for a VPN router purpose. You can even take this router with you and plug it in wherever you want to have secure WiFi. It is not bound to your home network. You can choose different server locations too and configure multiple OpenVPN profiles. Always be sure to watch what you share online to not jeopardize your private identity.

If you liked this article and want to share your own experiences and thoughts, comment below to get the conversation started!
