Top 5 Best OpenWrt Routers for VPN in 2023

OpenWrt - Wireless Freedom. Why it matters?

Software is like sex: it's better when it's free.

Linus Torvalds.

• Is your router 2-3+ years old and the vendor don't want to release security updates anymore? Just like any smartphone.

• Do you want to use WPA3, the modern authentication protocol? But it's more profitable for hardware companies to force their users to buy new devices.

• Do you get monthly reports with strange output traffic reports and have thoughts that your router might be part of a botnet?

• Do you want to use VPN, Wireguard VPN or advanced features like encrypted DNS on your router 'cause the hardware is powerful enough, but the vendor wants you to buy more expensive model?

• Do you have a few old routers and want to create a Mesh network in your home, school, library, but there's no such feature in the firmware?

• Do you want to use IPv6 or connect to a tunnel broker, but there's no firmware support.

Well, OpenWrt can do all of the above and more. All you need is love supported device.

VPN on a router: the pitfalls

A good VPN is essential for personal or corporate privacy. Today, two types of VPN are most popular: older OpenVPN and modern Wireguard. Wireguard is faster and uses less system resources, so naturally we will focus on Wireguard.

If you have a lot of devices, VPN setup on different devices and operating systems can be painful and time consuming. So installing VPN on router and routing all traffic through it can be much easier solution - one device and one guide, setup on web interface or text configs, crazy flexible, just how I like it and hope you like it too!

Guides:

• Wireguard setup
• OpenVPN setup

How to buy the best device for VPN? It's not a hard task: a buyer must remember about the next factors:

• Good CPU: 2, 4 cores are good, slower CPU means slower speed.
• RAM: Access Point use some memory for each connection, so more memory - more benefits. Also OpenVPN uses more RAM than Wireguard, you're warned. We recommend devices with 256 MB RAM or more.
• Storage: some greedy Chinese vendors like Tp-Link or D-Link still produce devices with 8/16/32 MB flash/NAND drives like as if it were still 1999! They do this mess for the following reasons: to save pennies on cheaper drives and force their customers to pay for hi-end devices. This also affects OpenWrt user experience, 'cause Linux kernel grows from release to realease and less storage is left for additional software like the Wireguard client. We recommend buying a device with 64 MB and more storage.

WPA3

WPA3 is the advanced authentication protocol that's more secure than WPA2 and is recommended for use in home and business networks.

Let's highlight the key improvements in WPA3:

• New handshake: Simultaneous Authentication of Equals (SAE) instead of PSK
• 192-bit encryption in WPA3-Enterprise
• Resistant to offline decryption - dictionary attacks.
• Forward secrecy - eavesdroppers can't snoop on traffic between the access point and it's client. So WPA3 also protects against deauth events, so hackers can't DDoS Wi-Fi routers with enforced WPA3 connection protocol.
• Opportunistic Wireless Encryption - based a Diffie-Hellman key exchange mechanism to encrypt all connections between a device and the router.
• Device Provisioning Protocol - a new, more secure replacement of Wi-Fi Protected Setup (WPS).

Internal or external antennas

Are external antenas better? Short answer - yes! External antennas allow to get better signal level, so you can see a ton of videos on Youtube where people modify their devices with external antennas hoping to get better coverage. Another important step is a good manufacturer device calibration - to get optimal and stable signal levels on all supported frequencies. The calibration data is often located on ART partition, so backup it! Since the data in unique for each router, you can't easily restore it from another router without issues.

Encrypted DNS - DoH vs DoT

Your ISP has access to all your DNS traffic and can read it, analyle it or sell to data mining agencies. It's not a crime, 'cause the DNS protocol was never designed to be encrypted. There's DNSSEC extension, but its only for domain verification and the ISP still watching all the domains you're visiting all night and day long.

Eventually, not all people like this desing, so there are two popular alternatives at the moment:

• DoH - DNS over HTTPS - available in browsers, 'cause it's HTTP protocol, nothing else.
• DoT - DNS over TLS, without HTTP, listening port 953.

We recommend using DoH for better privacy, because DNS queries generate the same traffic as casual web surfing.

The DoH setup on OpenWrt is super easy:

# opkg update && opkg install luci-app-https-dns-proxy
# service rpcd restart

Now go to LuCI → Network → DHCP and DNS to enable DoH and LuCI → Services → HTTPS DNS Proxy to configure it. The second step is only needed only if you need to enable non-Google-Cloudflare default, check the docs here for more details.

Best routers for VPN in 2023: Recommendations

Dynalink DL-WRX36

• CPU: Qualcomm IPQ8072A 2200 MHz, 4 cores
• RAM: 1 GB
• Storage: 256 MB NAND
• Gigabit ports: 4
• WLAN Hardware: Qualcomm QCN5024, Qualcomm QCN5054
• Frequencies: OFDMA + MU-MIMO, one 2.4GHz (QCN5024 2×2/40MHz ax), one 5GHz (QCN5054 4×4/80 or 2×2/160MHz ax)
• USB: 1 x USB3
• Website: https://dynalink.life/products/dynalink-wifi-router-wrx36
• OpenWrt device page: https://openwrt.org/toh/dynalink/dl-wrx36
• Price: Amazon - $79, Ebay - $75

"Hey, what's the white cylinder? Did you buy a new music box?" - that's dialogue is possible when you will decide to get Dynalink DL-WRX36. And it looks exactly like music box. $80 for 4-core CPU, 1 GB RAM and Wi-Fi 6 support - good investment for home or office networking. Coverage up to 4,800 sq ft - ideal for offices and large homes.

One small negative moment with Ethernet ports - WAN is 2.5GbE, but 4 LAN ports has only gitabit ports. People who don't transfer large 4K media files between devices will immediately start debating me, but I want a balanced experience - 2.5 Gigabit for all ports is better than saving a few dollars!

Wireless networking feels more consistent - up to 3.5 Gbps, 1024-QAM, Wi-Fi 6, 4x4 MU-MIMO. One point - no external antennas, with them the device will achive better signal levers and increased Wi-Fi coverage.

OpenWrt installation is seamless, 'cause the original firmware supports SSH - this is super cool! We can to SSH to the device just like normal Linux server, insert flash drive and copy the Linux kernel to it and boot it! All setup is well described here.

Another top feature is USB recovery: if something is broken, there's no need to connect via serial port with soldering - change the bootargs environment variable to boot from USB and do the standard boot if the USB boot failed. SSH support is superb here - the king feature without any doubt.

Wireduard VPN speed - up to 250 MBps, info from the OpenWrt forum

Xiaomi AX9000

• CPU: Qualcomm IPQ8072A 2200 MHz, 4 cores, with fan
• RAM: 1 GB
• Storage: 256 MB NAND
• Gigabit ports: 4 + 1 x 2.5 GbE port
• WLAN Hardware: Qualcomm Atheros QCA9889, Qualcomm Atheros QCN5024, Qualcomm Atheros QCN9024
• Frequencies: one 2.4GHz (QCN9024 4×4 ax), two 5GHz (QCN5024 4×4 ax + QCN9024 2×2/4×4 ax), one AIoT (QCA9889 1×1 ac/n)
• USB: 1 x USB3
• Website: https://www.mi.com/global/product/mi-router-ax9000/
• OpenWrt device page: https://openwrt.org/toh/xiaomi/ax9000
• Price: Amazon - $207, Ebay - $300

This device costs almost twice more than Dynalink DL-WRX36 - let's dig deeper and find out why. First of all, there are detachable antennas - 8 of them! "Built for gaming", as official website says. This device has one CPU fan fan - a small one, much smaller than desktop size, but if you desperately love silence it's time to look for another device.

Wireless equipment produce "tri-band experience": 5Ghz for gaming and entertainment plus 2.4Ghz for smart devices - 3 radios in total, there are 12 independent signal amplifiers. Not bad. There is also 4K QAM and 160Mhz channel width support.

Wired expirience are good too - 4 Gigabit ports and one 2.5GbE port. Huh, I started to dreaming about device with all 2.5Gb Ethernet ports!

OpenWrt experience isn't seamless this time:

• Rooting procedure in browser with loading JS exploit - kinda unusual experience, hope you'll get a lot of fun 🤓
• QCN9024 low 5 GHz band radio needs a workaround - doesn't work out the box
• PWM LED effects don't work
• Fan controller - no driver yet
• New single partition system needs flashing over UART with TFTP boot.

Despite all this, I have high hopes the all this will be fixed soon 'cause the device is powerful with good wifi coverage ('cant find the real numbers).

Wireguard speed - up to 343 Mbps, according to OpenWrt forum.

Buffalo WXR-5950AX12 - two 10 Gigabit ports!

• CPU: Qualcomm IPQ8074A, 4 cores, 2.4 GHz
• RAM: 1 GB
• Storage: 256 MB
• Gigabit ports: 3 x 1GbE ports plus 2 x 10 GbE ports!
• WLAN Hardware: Qualcomm IPQ8074A
• Frequencies: 8x8 5 GHz + 4x4 2.4 GHz
• USB: 1 x 3.1
• Website: https://www.buffalo.jp/product/detail/wxr-5950ax12.html
• OpenWrt device page: https://openwrt.org/toh/hwdata/buffalo/buffalo_wxr-5950ax12_1
• Price: Amazon - $273, Ebay - $343.

Powerful monster with two 10 Gigabit ports and a mass of 1.6 kg, made in Japan. Wow! The most powerful device in this review and worth every penny. It'a available in Amazon Japan and Holland at the moment of writing, but I have no doubts that this device will be available worldwide soon.

The wireless interface equipped with Qualcomm IPQ8074 with 1024 QAM, MU-MIMO, OFDMA and uplink scheduling.

OpenWrt experience is seamless: user need a TFTP server, image file and hold WPS button. No rooting, exploiting or whatever else magic required.

Buffalo WXR-5950AX12 supports dual-boot: one working image, the second is for upgrade or backup. This feature is very good for stable user experience when "something goes wrong, what to do?" happens.

GL.iNet GL-MT6000

• CPU: Mediatek MT7986A 2000 Mhz, 4 cores
• RAM: 1 GB
• Storage: 8192 eMMC
• Gigabit ports: 4 + 2 x 2.5GbE
• WLAN Hardware: 2.4GHz: MT7976GN 4T4R, 5GHz: MT7976AN 4T4R
• Frequencies: 4x4:4, OFDMA, Zero DFS, ESR MU-MIMO, 1024QAM, HE160, ePA
• USB: 1 x USB 3.0
• Detachable Antennas: 4
• Website: https://www.gl-inet.com/products/gl-mt6000/
• OpenWrt device page: https://openwrt.org/toh/hwdata/gl.inet/gl.inet_gl-mt6000
• Ebay - $112

The first Mediatek device here and with 8GB storage! These guys aren't trying to save a few pennies on the storage. Detachable antennas are a huge plus, the minus - there are only four of them. Overall, the price is good for people who wants a big compact device.

Wireguard speed - up tp 900 Mbps according to OpenWrt forum
https://forum.openwrt.org/t/gl-mt6000-up-to-900-mbps-using-wireguard/173524

ZyXEL EX5601-T0 with GPON (Fiber)

• CPU: MediaTek MT7986a 2000MHz,
• RAM: 1 GB
• Storage: 512 MB NAND
• Gigabit ports: 3 + GPON
• WLAN Hardware: Mediatek MT7976
• Frequencies: Wifi6 802.11ax 5 GHz 4x4 + 2.4GHZ 4x4
• USB: 1 x 3.1
• Website: https://service-provider.zyxel.com/global/en/products/ethernet-cpe/ethernet-iads/ex5601ex5600-t-series
• OpenWrt device page: https://openwrt.org/toh/hwdata/zyxel/zyxel_ex5601-t0
• Price: Ebay - $217

Fiber support with Wi-Fi 6 says it all: this device is perfect as a gateway. And solid 512 MB NAND storage with USB 3.1 support only adds points to this device. LAN and WAN are equipped with 2.5 GbE switches - what I wanted to see in another devices. If there will be external antennas we will get the ideal Wi-Fi 6 device.

Final point

So, which device is the best?

• Buffalo WXR-5950AX12 - the Japanese monster
• ZyXEL EX5601-T0 - excellent choice gateway with SPF (fiber) support
• GL.iNet GL-MT6000 - good budget option