How To Install

How to Install a VPN on a Router

Rebecca Duff
Rebecca DuffUpdated

It’s easy to set up a VPN on your router once you know what to look for in the settings. Some VPN providers offer a custom app but many require an element of manual configuration, which is what we focus on in this guide.

Adding a VPN to your router makes it really easy to secure and protect your browsing activity on multiple devices. It also saves you time creating VPN connections on every device individually.

Not all routers support VPN connections. Check your user guide to see if yours does. If your router was provided by your internet service provider, you could make a quick call to their technical support team to check before you begin.

What You’ll Need

There are four things you’ll need to complete this process:

  1. A VPN account, confirmed and ready to connect (remember to verify your email address). If you haven’t chosen one yet, why not check out our latest recommendations.
  2. Your provider’s PPTP connection details. If you have an ExpressVPN account, you’ll find these by logging in, then clicking Set up on More Devices, then Manual Config, and then PPTP & L2TP/IPSec
  3. A router that supports a VPN connection
  4. A backup of your current configuration — just in case.

Every router is different, and it isn’t possible for us to give you a guide for every model here. Likewise, every VPN provider has a slightly different set-up process. But if you use this guide in conjunction with your user manual, you should be able to navigate the process without a hitch.

Remember: you’ll need to log onto your router to follow this guide. The username and password may be printed on the underside of the router, or on a card that came with it.

Method 1: Manually Installing Your VPN on Your Router

We’re using the Draytek Vigor 2862ac router to demonstrate this process, and we’re going to log on with an ExpressVPN account. You don’t need to install the Smart VPN application on this particular router; the settings can all be accessed via the normal router interface.

To log on, try typing 192.168.0.1 into your browser’s address bar. This often brings up the login page. Otherwise, refer to your manual or your ISP’s instructions.

One final tip: turn off Auto Logout, if it’s active. You’ll need to fill out a large form, and if you’re logged out part-way through, the information won’t be saved.

To get started:

  1. Log on to your router’s admin interface.
  2. Find the VPN settings. This will be different for every model, but on our Draytek Vigor 2862ac, the menu option is on the left-hand side: VPN and Remote Access.A DrayTek router home screen
  3. We’re going to connect from one network to another, so we need to click LAN to LAN.DrayTek LAN-to-LAN screen
  4. Add your provider as a new profile in a spare slot. We’re using the slot marked 1. Click it to open the Profile page.DrayTek router new LAN-to-LAN profile
  5. Configure the profile as follows. The layout of the Draytek page here is not very intuitive, but if we’ve not mentioned an option, just leave it at the default. If your router differs, you should be able to figure out what you need by loosely following this example.
  6. Common Settings row:
  1. Profile Name: Any name; we’re using ExpressVPN
  2. Enable this profile: Check the box here
  3. VPN Dial-Out Through: Select the WAN port that you’re using here. If you’re not sure, check the Dashboard page, and come back.
  4. Call direction: Select the Dial-Out radio button
  5. Tunnel mode: Select Always On and leave the other fields on their default values
  1. Dial-Out settings row:
  1. Type of server: PPTP
  2. Server/IP Host Name for VPN: Paste in the name of the server that you copied from the ExpressVPN list
  3. Username and Password: Paste in your PPTP credentials from the ExpressVPN website; other credentials won’t work here
  4. PPP Authentication: Ensure PAP/CHAP/MS-CHAP/MS-CHAPv2 is selected
  1. Dial-In Settings box:
  1. Allowed Dial-In Type: Uncheck any boxes that are pre-selected
  2. Leave all other fields on their default values
  1. GRE Settings:
  1. Leave blank
  1. TCP/IP Network Settings:
  2. Remote network IP: Type an internal IP address here. Make sure it that is not an IP on your internal network or the public internet. Copy our example if you’re not sure what to put. Leave the other fields as they are. We’ll explain why this is necessary in the section about DNS leaks below.
  3. From first subnet to remote network, you have to: Select NAT
  4. Change default route to this VPN tunnel: Check this box. Note: this option only appears once you’ve selected NAT in the drop-down above it.DrayTek router LAN-to-LAN VPN tunnelClick OK to save the profile.
    Reconfigured LAN-to-LAN settings on a DrayTek router

Once you’ve saved everything, you’ll be returned to the LAN to LAN page you started on. Don’t panic if you initially see Offline in the status column here. Give it a few seconds, then click LAN to LAN again. You should now see Online in green.

DrayTek router LAN-to-LAN remote access

Under VPN and Remote Access on the left, click Connection Management to ensure that the encryption is correctly set up.

Method 2: Using Your Provider's App

Some routers provide apps, or plugins, that make configuration as easy as installing an app on your phone. If you have this option, it’ll be the quickest and easiest way to get your router connected.

You may also find apps for alternative methods. For example, some routers support OpenVPN, which is a third-party, open source protocol. That’s a great alternative if there’s no provider-specific app.

Resolving a DNS Leak

The final step is to test whether you pass the DNS leak test. Don’t skip this step!

Essentially, this tests to ensure that your IP is not being exposed to prying eyes: your employer, your ISP, or your network administrator. ExpressVPN has a handy test page that instantly tells you everything you need to know:

ExpressVPN DNS leak test

You can see we have a problem: our DNS requests are exposed. To fix this:

  1. Log back into your router’s admin interface
  2. Click LAN on the left-hand side
  3. Click the General Setup sub-menu item
  4. Next to LAN 1, click the Details Page button.DrayTek router details screen
  5. Under DNS Server IP Address, enter the IP address that you typed in the Remote Network IP box in step 5, above (we’re using 172.16.0.0)DrayTek router DNS server IP address manual entry
  6. Save your changes.
  7. Back on the General Setup page, check the Force router to use “DNS Server IP address” setting specified in LAN1 checkbox (change the drop-down if you’re using a different LAN in step 2).
  8. Turn your router off, wait a second, then turn it back on (or reboot if prompted)
  9. Head back to the ExpressVPN DNS leak test page.

Remember: the DNS leak test page may cache your results. So clear your cache before reloading it. Alternatively, use a different browser if you don’t want to lose your progress.

Need More Help?

There’s a huge variation in the way routers handle VPN installations, and your first port of call should be your user manual, or your vendor’s help pages.

If you can’t find the most basic connection details for VPNs in your router’s admin area, it’s entirely possible that your router doesn’t support VPNs at all. Your provider should be able to recommend a list of compatible routers, and they may be able to guide you if your connection is set up, but it’s not working for some reason.