Set Up a VPN Server on Your Router
Running a VPN server on your home router lets you securely access your home network from anywhere — reach files on your NAS, use your home IP address on public Wi-Fi, and connect to local devices as if you were on the same network. WireGuard is the modern choice: faster, simpler, and built into many current routers.
Before You Start: Check for CGNAT
A home VPN server requires incoming connections from the internet to reach your router. This fails if your ISP uses CGNAT (Carrier-Grade NAT), which places multiple customers behind a single shared public IP. Check whether you have a true public IP:
- Look up your public IP at a service like whatismyip.com
- Log into your router and find the WAN IP address
- If the two addresses match, you have a public IP and can proceed
- If the router's WAN IP is in the 100.64.0.0/10 range, you are behind CGNAT
If you are behind CGNAT, contact your ISP and request a dedicated public IP address. Many ISPs provide this free or for a small fee. Without it, incoming VPN connections cannot reach your network.
WireGuard vs OpenVPN
Two protocols dominate home VPN server setups. WireGuard is the better choice for new installations:
- WireGuard: Modern cryptography (ChaCha20, Curve25519), ~4,000 lines of code, built into the Linux kernel since 5.6. Connections establish in milliseconds rather than seconds. Handles network switching (Wi-Fi to cellular) gracefully. Uses UDP only, defaults to port 51820.
- OpenVPN: Mature and battle-tested, available on virtually every platform, can run on TCP port 443 to blend with HTTPS traffic — useful in restrictive environments. Slower connection setup, higher CPU usage on older router hardware, larger attack surface due to code complexity.
If your router supports both, use WireGuard. Fall back to OpenVPN only if your router does not support WireGuard or if your client network blocks the WireGuard UDP port.
Step 1: Set Up Dynamic DNS
Your home IP address changes periodically. Your VPN client needs to connect to a hostname that always points to your current IP. Set up a free DDNS service before configuring the VPN server — the DDNS hostname becomes the server address in your VPN client config.
Options: Duck DNS (free, simple), No-IP (free tier available), or Cloudflare DNS with a script. Configure your router to update the DDNS record automatically whenever your IP changes. Most routers have a built-in DDNS section under WAN settings. See the DDNS setup guide for detailed steps.
Step 2: Configure WireGuard on ASUS
ASUS routers with firmware 3.0.0.4.388 or newer have native WireGuard support:
- VPN → VPN Server → WireGuard → Enable
- Set the server port (default 51820 UDP)
- Set the server IP address (internal tunnel address, e.g., 10.6.0.1/24)
- Add a client: click Add Client, enter a name, set the client IP (e.g., 10.6.0.2/32)
- Download or copy the generated client configuration file
- Import the config file into the WireGuard app on your phone or laptop
The router generates key pairs automatically. The client config file contains everything needed — the server's public key, endpoint (your DDNS hostname:port), and the client's private key.
Step 3: Open the Firewall Port
WireGuard requires UDP port 51820 (or whichever port you configured) to be reachable from the internet. On most routers, VPN server mode handles this automatically. If connections fail, verify the port is open:
- Check that your router's firewall is not blocking the WireGuard port on the WAN interface
- If your router is behind another router (double NAT), you also need to forward the port on the upstream router
- Avoid double NAT by putting your ISP modem/router in bridge mode
Split-Tunnel vs Full-Tunnel
Your VPN client configuration controls routing. The AllowedIPs field in the WireGuard client config determines which traffic goes through the tunnel:
- Full-tunnel: AllowedIPs = 0.0.0.0/0, ::/0 — all traffic routes through your home connection. Internet traffic appears to come from your home IP. Consumes your home upload bandwidth for all browsing.
- Split-tunnel: AllowedIPs = 192.168.1.0/24 (your home subnet) — only traffic destined for your home network goes through the tunnel. Internet traffic goes directly. Much lower bandwidth impact.
Split-tunnel is the better default for remote access use cases where you want to reach home devices without routing all browsing through your home connection.
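To confirm which mode a client config actually uses before importing it, the AllowedIPs rule above can be checked in Python. This is an added example, not part of the original guide or of WireGuard's own tooling; the sample config, the hostname home.example.net and the key placeholders are constructed, and the check goes slightly beyond the text by also recognizing a full tunnel written as two halves (0.0.0.0/1, 128.0.0.0/1).

```python
import ipaddress

# Constructed sample client config; keys and hostname are placeholders.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = home.example.net:51820
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
"""

def allowed_ips(config_text):
    """Return every network named on an AllowedIPs line of the config."""
    nets = []
    for line in config_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip().lower() == "allowedips":
            # strict=False tolerates entries written with host bits set
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def merged(nets, version):
    """Collapse the networks of one IP version into their minimal cover."""
    return list(ipaddress.collapse_addresses(
        n for n in nets if n.version == version))

def tunnel_mode(config_text):
    """'full' if all IPv4 or all IPv6 traffic is tunnelled, else 'split' or 'none'."""
    nets = allowed_ips(config_text)
    if not nets:
        return "none"
    for version in (4, 6):
        cover = merged(nets, version)
        if len(cover) == 1 and cover[0].prefixlen == 0:
            return "full"
    return "split"

def routes_subnet(config_text, subnet):
    """True if traffic for `subnet` would be sent into the tunnel."""
    target = ipaddress.ip_network(subnet)
    cover = merged(allowed_ips(config_text), target.version)
    return any(target.subnet_of(n) for n in cover)

if __name__ == "__main__":
    print(tunnel_mode(SAMPLE_CONFIG), routes_subnet(SAMPLE_CONFIG, "192.168.1.0/24"))
```

A result of "split" together with routes_subnet returning True for your home subnet matches the split-tunnel setup described above; "full" means all browsing will leave through the home connection.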
| Protocol | Transport | Default Port | Speed | Router Support | Best For |
|---|---|---|---|---|---|
| WireGuard | UDP only | 51820 | Very fast | ASUS, Ubiquiti, OpenWrt, OPNsense | New setups, mobile clients |
| OpenVPN (UDP) | UDP | 1194 | Moderate | Wide support | Older routers |
| OpenVPN (TCP 443) | TCP | 443 | Slower | Wide support | Restrictive firewalls |
| IPSec/IKEv2 | UDP | 500/4500 | Fast | Built-in on iOS/macOS | Apple device clients |