VPN on Router vs. Server

I have been running a Wireguard VPN on my home server for a while, but I just got a new router and it has OpenVPN built-in as an option. Are there any pluses or minuses to using the router’s VPN vs. the one on my server?

If you just want to have a server-to-server connection, then hosting WireGuard on the server is the best approach.

However, if you want to use WireGuard to provide access to your LAN from a remote system, then WireGuard on OpenWrt is the correct approach.

Keep in mind that OpenWrt offers enterprise-style features for home networks. Like you can set up VLANs and trunk connections out to a server so you can do things like run VMs in DMZs or whatever. Pretty much anything you can think of.

Yes. It’s logically simpler to use the router as a VPN server, but routers typically have less processing power so that might become a bottleneck. The question is how much traffic do you plan to push through the VPN and could you tolerate reduced performance? Keep in mind this could slow down the router’s other functions as well. Try it and see how it works for you.

In general WireGuard > OpenVPN, so I would stick with the server just because of that :)

Wireguard is far superior to OpenVPN in performance, security and attack surface.

I have been running an OpenVPN server on a Netgear R7000 router (FreshTomato) for years. There's only a single client connecting to the server when needed (me). I have a shortcut for the connection on my Android phone; I click it and it connects very fast.

I chose the router first because of the GUI, but also because I frequently fuck up my RasPi or experiment with something and that translates to downtime. Changing the DNS for my network is quick through the router's GUI when the RasPi is down, but I don't want the OpenVPN server to be down when I'm away.

If your server doesn't experience downtime like my RasPi, the server (especially if something more powerful than ARM) is definitely better. Otherwise, the router is always on and is always accessible.

Server. Most routers don’t have the juice to do this well.