In an increasingly mobile world, it's often necessary for users outside the main office to access network resources inside the firewall. While the cloud has provided some new options, the most common way to securely connect with remote workers is still to use a virtual private network (VPN). Such VPNs have two components: a client for each system that connects to the network from the outside and a server to which those clients connect. Such a secure remote connectivity solution generally starts with your wireless router.
VPNs have a variety of protocols that are used to standardize such connections, and have varying levels of encryption they can use to protect traffic. The more encryption, the more secure the connection. But, generally, the slower the connection will run due to the processing needed to encrypt and decrypt what amounts to ever-longer strings of numbers.
For many IT administrators, finding just the right mix of connection reliability, encryption level, and throughput speed requires a level of customization they can't get with a standard, off-the-shelf router. If your business falls into this category or if you simply want more control over how your router, VPN, and remote connections work, then a customized router operating system (OS) is your solution. You've got several options in this area, but the most popular is to deploy the open-source, Linux-based Dresden-Wireless Router (DD-WRT) OS on a compatible router.
All the small and midsize business (SMB)-friendly routers in the table above were tested and reviewed by PC Labs and are each compatible with DD-WRT. And, if you can't find what you like there, then you can opt for something off this universal list of DD-WRT routers instead. Once you've decided on a hardware platform, the basic recipe for a business-grade, custom VPN router includes three key ingredients: Point-to-Point Tunneling Protocol (PPTP), OpenVPN, and DD-WRT.
What Is DD-WRT?
DD-WRT is Linux-based firmware for routers, comparable to Linux for PCs. It is installed on many different routers from Linksys, Buffalo Technologies, and others. It supports a number of advanced features, including not just VPNs but also granular Quality of Service (QoS) settings, Dynamic DNS (DDNS), IPv6, and more.
PPTP is one of the oldest VPN technologies and is generally supported by nearly everything. But it has a relatively low-level encryption scheme, making it easier to break than more modern protocols, though also putting less load on both the client and server systems. OpenVPN is an open-source, free server and client that offers more security than PPTP, with a somewhat higher load on the server and client systems. Recent mobile devices, including Android, iOS, and Windows Mobile, as well as laptops and tablets, are all able to use the OpenVPN client without too much difficulty. Many routers that have had the DD-WRT software installed can run the OpenVPN server to provide VPN connectivity to the clients.
DD-WRT is often used because the additional features it supports aren't available by using the manufacturer's own router OS—a router more than two or three years old, for example, may have security updates but it's seldom eligible for new or better functionality, such as adding VPN routing. A new consumer-grade router can often meet the needs of a small business with the addition of DD-WRT software, at a much lower cost than a business-grade router. The downside is that the hardware manufacturer will generally not provide support for DD-WRT. If you wind up with a hardware problem, then you may need to put the original software back to get service. On the upside, DD-WRT and OpenVPN have become de facto standards, so you'll find good support for them in most third-party infrastructure monitoring tools and services.
DD-WRT and VPNs
VPN support in DD-WRT includes both client and server options to allow the router to connect as a client to another VPN system at a main office, as well as operating as a server for a number of VPN clients outside the home network. Most routers offer the first option but relatively few (most business-oriented routers) offer the second.
Of the two VPN systems compatible with DD-WRT, namely PPTP and OpenVPN, PPTP is likely the most widely used. This is partially because it's included with the basic installation of DD-WRT and it's supported by many OSes, including mobile OSes. It's easy to set up and use, and adds little throughput overhead to a system. But, as stated earlier, it's less secure than OpenVPN. OpenVPN is more secure but requires a bit more effort to install and use, including a separate installation beyond the DD-WRT package as well as familiarizing yourself with the options available during configuration.
Installing DD-WRT
There are a few routers sold with DD-WRT already preinstalled but, on the whole, it's most often used to replace the existing OS of a commercial router. Fortunately, this isn't as difficult as it sounds.
A router is at its heart a small PC with two or more Ethernet ports and often a wireless Ethernet capability. There's not much difference between installing DD-WRT and installing Linux on a PC, except there's a greater variety of CPU chips and available memory and storage on routers. This means the first step is to find the version of DD-WRT that will run on the router you have. You can find that on the universal list linked to above or by digging into your router's technical specifications where it's usually mentioned.
There may be more than one version for your particular router. The latest version is usually the best, but some software versions include different sets of functionality, including OpenVPN and other add-ons to the basic software. In some cases, you'll need to install a specific version of DD-WRT and then a separate file for OpenVPN. In other cases, the two may be combined. The DD-WRT.com website will provide details for your specific router.
The steps for installing DD-WRT will vary slightly from router to router depending on the software upgrade sequence. The first step is to find and download the software image for your particular router. After that, you'll need to find the IP address for your router, log in, and upload the firmware to the router, and then reboot. The IP address may have changed (usually to 192.168.1.1) so you may need to find the router's address again, or reboot the PC you have connected to the router. At that point, you'll need to configure the router just as you would have when it was new.
DD-WRT has a reasonably simple interface, though it may not be as easy to navigate as the wizard-based installs of consumer-oriented products. It shouldn't be a problem for anyone with a basic understanding of networking. There are also tutorials and user groups on the internet that can help the novice through the process.
VPN Router Functionality
Once everything has been installed and configured, connecting to the network behind the firewall is simple, secure, and provides access to all of the network resources a user would have if she was connected at the office. Printers, file shares, and apps all behave as they would if the user were local.
The VPN connection can be made very secure so that, even when a user is connecting through an airport or hotel wireless system, the data being sent over the connection will be at relatively little risk. This security includes both the encryption protocol (such as TLS), the encryption method (RSA, DSA, Diffie-Hellman), and the length of the encryption key from 1,024 bits to 4,096 or more. The more encryption bits you run, the more secure your traffic, but also the more it will impact performance. This is where some testing might be in order, however, because many late-model systems will see relatively little impact even at high levels of encryption because of the advances in CPU technology: faster processors crunch more numbers.
Using a VPN Client
Your IT administrator can easily create and email an OpenVPN client configuration file to any user who needs to connect. This nice thing about that is, it means users only need to run the installer and then use the configuration file as there's no need to lead the user through all the steps to configure the client. Once the client software is started and the configuration is loaded, the user will have whatever resources he or she would normally have when logging in locally. The OpenVPN server can be configured to automatically load whatever resources the administrator wants to make available to a user outside the firewall; this can include everything that user would normally have or it can be limited to specific resources if corporate policy dictates that some information not be available at all from outside the firewall.
The options for the client are not so much important in and of themselves as is making sure they match the settings for the server. If the clients are all relatively new hardware, then they should have little trouble getting a good connection regardless of the level of security (such as the length of the cipher, the length of the encryption key, and so forth). If there is a need to connect older, slower clients, then you'll want to familiarize yourself with the options available in your version of DD-WRT and OpenVPN so you can test their impact on system performance.
Installing a VPN Server
Once the basic configuration has been accomplished, the next step is to install the OpenVPN image file, if it's a separate file. This is done in the same manner as the DD-WRT file. You'll also need to install the OpenVPN client on systems that will need to connect to the network through the OpenVPN server.
Configuring the OpenVPN server is straightforward, and again, as with DD-WRT, there are documents, tutorials, and support groups to help you with all of the various options. These include decisions such as the protocol to use, key method, certificate authority, type of authentication, and method of encryption.
Once all of the decisions have been made and the configuration files created, the server will be available to accept client connections. The only other factor will be the total number of clients your configuration will support. Learning that is also a matter of testing, though the experts in DD-WRT user groups are a good resource to query if you want to get an experienced opinion on system parameters. Most systems will support a few connections and some will support 50 or more. Contrary to popular belief, the size of the router is not a good indicator, although the original price of the router may be since that will more accurately reflect the CPU and chipset muscle it contains.
Featured in This Roundup
Asus RT-AC88U Dual-Band Router
$299.99
%displayPrice% at %seller% The Asus RT-AC88U is a pricey dual-band router that is packed with features. It supports MU-MIMO technology and delivered solid 5GHz throughput in our tests. Read the full review ››-
D-Link AC5300 Ultra Wi-Fi Router (DIR-895L/R)
$379.99
%displayPrice% at %seller% The D-Link AC5300 Ultra Wi-Fi Router (DIR-895L/R) is a slick-looking, fully loaded tri-band router that delivers some of the fastest scores we've seen in throughput and file-transfer tests. Read the full review ›› -
Linksys EA6350 AC1200+ Dual-Band Smart Wi-Fi Wireless Router
$89.99
%displayPrice% at %seller% The Linksys EA6350 is a dual-band router that offers blazing 5GHz throughput speeds, four Gigabit LAN ports, and a fast USB port. And it rings up for less than $90, making it our top pick for budget Wi-Fi routers. Read the full review ›› -
Asus RT-AC5300 Wireless AC5300 Tri-Band Gigabit Router
$399.99
%displayPrice% at %seller% If you frequently game online or stream 4K video, the Asus RT-AC5300 is a tri-band router that delivers speedy 2.4GHz and 5GHz throughput and offers an abundance of management settings, as well as Multi-User Multiple Input, Multiple Output (MU-MIMO) data streaming. Read the full review ›› -
Linksys WRT3200ACM MU-MIMO Gigabit Wi-Fi Router
$249.99
%displayPrice% at %seller% The Linksys WRT3200ACM MU-MIMO Gigabit Wi-Fi Router is a moderately priced dual-band router that offers the latest Wi-Fi technologies and delivers blazing 5GHz and file transfer speeds. Read the full review ›› -
Netgear Nighthawk X4S Smart Wi-Fi Router (R7800)
$269.99
%displayPrice% at %seller% The Netgear Nighthawk X4S Smart Wi-Fi Router (R7800) delivers strong 5GHz and MU-MIMO throughput, and offers lots of management options in a user-friendly Web console. Read the full review ›› -
TP-Link AC1900 Touch Screen Wi-Fi Gigabit Router Touch P5
$204.99
%displayPrice% at %seller% The TP-Link AC1900 Touch Screen Wi-Fi Gigabit Router Touch P5 delivers solid 5GHz throughput performance, and its color touch screen makes it very easy to configure. Read the full review ›› -
TP-Link AC3150 Wireless MU-MIMO Gigabit Router Archer C3150
$249.99
%displayPrice% at %seller% The TP-Link AC3150 Wireless MU-MIMO Gigabit Router Archer C3150 is a well-equipped dual-band router that delivers speedy file transfers and gives you a wide assortment of management settings. Read the full review ››
