Growing up in a country with high internet censorship, I always looked for ways to bypass restrictions and protect my online privacy. I experimented with different software and hardware solutions, such as installing OpenWrt on my router, MikroTik, and pfSense, searching for the perfect VPN router setup for my home.
Hardware
One of my earliest tries at setting up a VPN router was to get a physical router that supported VPN out of the box. I spent hours researching and comparing different models, looking for one that was reliable, easy to set up, and had a good reputation among users.
One issue with popular router brands like Cisco and ASUS is that they only support a limited range of VPN protocols, such as OpenVPN. This can be a problem for users who need to use a different VPN protocol for their specific needs or want to use a more obscure or lesser-known protocol like VMess or Hysteria that may be less widely supported.
One problem with popular VPN protocols like OpenVPN and WireGuard is that their traffic can be easily detected by deep packet inspection (DPI) and Great Firewall (GFW) systems. These systems are used by governments and internet service providers (ISPs) to monitor and control internet traffic. They are specifically designed to detect and block VPN traffic.
As a result, VPN connections using these protocols can be dropped at any time by DPI and GFW systems, disrupting your internet connection and potentially exposing your online activities to surveillance. This can be especially problematic in countries with high levels of internet censorship, where VPN use is often heavily restricted or outright banned.
More advanced VPN protocols or technologies that are difficult for DPI and GFW devices to detect and block may be necessary to circumvent this problem. These protocols aren’t as extensively supported or user-friendly as more well-known ones like OpenVPN and WireGuard.
By using a VPN router, you can set up all of your devices to use the VPN through the router as their gateway, which allows them to use the VPN and even take advantage of split tunneling without the need to install any additional software on each device individually.
As I continued my search for a suitable VPN router setup, I decided to install alternative firmware on my existing router, such as OpenWrt, DD-WRT, or Tomato.
These firmware options offer more advanced features and customization options than the default ones. They can sometimes support a broader range of VPN protocols. For example, plugins like Passwall allow you to use different V2Ray protocols on your router.
However, installing alternative firmware on your router is not always a viable option. Different routers have different hardware capabilities; some may not have enough storage space or processing power to run these firmware options.
In addition, modern routers with more advanced hardware can be costly.
Another drawback of alternative firmware is that troubleshooting a problem specific to your router model can take hours of searching through forums and other online resources, and that is if you’re lucky enough to find a solution at all.
For these reasons, I don’t recommend using special hardware marketed as “routers” for your home VPN setup.
Instead of using a “router”, you can use a Linux-based machine such as a Raspberry Pi with just a single network port as your VPN gateway.
Using a Linux machine as a router gives you more flexibility and control over your VPN setup. You can customize and configure the device to your specific needs and preferences.
Software
Regarding software, I used pfSense with OpenVPN for a period of time to bypass internet censorship and protect my online privacy. However, eventually, OpenVPN was completely blocked in my country.
One issue I had with pfSense was their dogmatic approach to certain issues, such as their refusal to add WireGuard support to the software. I needed more flexibility and willingness to consider new technologies. In addition, pfSense/Netgate has been involved in petty behavior towards their competitor, OPNsense, which further turned me away from using their software.
Sing-Box
Essential Components
- A Linux machine on your local network: This could be a Raspberry Pi, OpenWrt, a virtual machine, or even a Docker container on your MikroTik! A single network port is enough. Having sing-box as a gateway on your network is the most efficient way to configure it. You can set up the new gateway on each device without installing additional software. If you don’t have a Linux machine on your local network, you can still set up your VPS server with sing-box, but you’ll have to install a client on each device.
- A VPS server: This is a Linux machine connected to the internet in a place with little to no censorship. This could be a cloud VPS server or a dedicated server. We will access blocked content through this server.
- A domain name (Optional): We need to issue valid SSL certificates and point a subdomain to your VPS IP. However, some configurations, such as ShadowTLS, don’t require a domain name.
- CDN accounts (Optional): Many CDN providers offer free tier services. We will hide our VPS IP behind the CDN. Only certain configurations require it.
Unlike OpenVPN and other VPN software that requires separate client and server applications, sing-box is able to function as both a client and a server at the same time.
This means that you can set up multiple servers in a multihop configuration for enhanced security, all within the same software. To use sing-box, you can begin by installing it on both a VPS server and a local VPN router gateway machine.
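As an added illustration (not part of the original post and not code from the sing-box project): in a multihop client config, each hop is an outbound whose `detour` field names the outbound it dials through. The Python check below walks that chain in a constructed sample config and fails on a loop or a dangling tag, which is worth catching before the gateway starts routing your devices. The `hop_chain` helper and the hostnames are hypothetical.

```python
import json

# Constructed sample for the gateway machine, trimmed to the fields this
# check reads (`type`, `tag`, `server`, `server_port`, `detour`). Hostnames
# are placeholders; protocol credentials are left out on purpose.
SAMPLE_CONFIG = json.loads("""
{
  "outbounds": [
    {"type": "shadowsocks", "tag": "exit-hop", "server": "exit.example.net",
     "server_port": 8388, "detour": "entry-hop"},
    {"type": "vmess", "tag": "entry-hop", "server": "entry.example.net",
     "server_port": 443},
    {"type": "direct", "tag": "direct"}
  ]
}
""")


def hop_chain(config, first_tag):
    """Return the servers traffic passes through, in network order.

    An outbound with `detour` reaches its server through the named outbound,
    so the chain is followed until an outbound has no detour, then reversed.
    Raises ValueError on an unknown tag or a detour loop.
    """
    by_tag = {o["tag"]: o for o in config.get("outbounds", [])}
    chain, seen, tag = [], set(), first_tag
    while tag is not None:
        if tag in seen:
            raise ValueError(f"detour loop at outbound {tag!r}")
        if tag not in by_tag:
            raise ValueError(f"detour points at unknown outbound {tag!r}")
        seen.add(tag)
        outbound = by_tag[tag]
        # Outbounds without a server (e.g. "direct") are shown by type.
        chain.append(outbound.get("server", outbound["type"]))
        tag = outbound.get("detour")
    return list(reversed(chain))


if __name__ == "__main__":
    # Order seen on the wire: gateway -> entry server -> exit server.
    print(" -> ".join(hop_chain(SAMPLE_CONFIG, "exit-hop")))
```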