You can install a VPN app on each device, or you can set it up once on your router and protect everything automatically. A router-level VPN covers devices that cannot run VPN apps at all: smart TVs, consoles, and every IoT gadget in your home.
This guide walks through setting up SACVPN on your router with WireGuard, whether you are a networking novice or an experienced admin.
Why Run a VPN on the Router
- Every device is protected automatically. TVs, streaming sticks, consoles, and guest devices are all covered with no per-device setup.
- Devices that cannot run a VPN are covered. Roku, Apple TV, Chromecast, PlayStation, Xbox, cameras, and smart home gear finally get protection.
- One config, unlimited devices. Add new devices to your network and they are protected the moment they connect.
- Always on. As long as the router runs, your network is protected. Set it and forget it.
Before You Start
You need a router that supports VPN configuration, an active SACVPN subscription, and admin access to the router.
Compatible routers include one of the following:
- Built-in WireGuard support on newer ASUS, MikroTik, and Ubiquiti models
- OpenWrt firmware, which adds WireGuard to many routers
- DD-WRT firmware with VPN capability
- pfSense or OPNsense, which have excellent WireGuard support
If your router does not support a VPN, consider an ASUS RT-AX model or dedicated pfSense hardware.
ASUS Routers (Firmware 388+)

- Generate your config. In your SACVPN dashboard, create a device named "Home Router" and download the WireGuard config.
- Open the admin panel. Go to your router address, usually
http://192.168.1.1orhttp://router.asus.com, and log in. - Find VPN settings. Go to VPN, then VPN Fusion, and select the WireGuard tab.
- Import the config. Choose Add profile, then Import .conf file, and upload your SACVPN config. The fields populate automatically.
- Enable it. Toggle the connection on and apply. You should see Connected within a few seconds.
- Set rules (optional). ASUS lets you route all traffic through the VPN or pick specific devices, useful when some devices need local access.
OpenWrt
- Install the packages. Over SSH or LuCI:
opkg update
opkg install luci-proto-wireguard wireguard-tools
- Create the interface. In LuCI, go to Network, Interfaces, Add new interface. Name it
sacvpnand choose WireGuard VPN as the protocol. - Enter your details from the SACVPN config: private key, listen port (usually 51820), and your assigned VPN IP.
- Add the peer with the server's public key, endpoint, allowed IPs of
0.0.0.0/0, and a persistent keepalive of 25 seconds. - Configure the firewall. Add the WireGuard interface to your WAN zone and enable masquerading.
- Set DNS and enable. Point DNS at SACVPN's servers to prevent leaks, then verify your public IP from a connected device.
pfSense
- Install the WireGuard package from System, Package Manager, Available Packages.
- Create a tunnel under VPN, WireGuard, Tunnels using your SACVPN private key and address.
- Add the peer with the server's public key, endpoint, and allowed IPs.
- Assign an interface and gateway pointing at the tunnel so you can route traffic through it.
- Create firewall rules to send the traffic you want through the VPN gateway, either all LAN traffic or specific devices.
Troubleshooting
Will not connect? Confirm the router has internet without the VPN, recheck every value, make sure UDP 51820 is not blocked, and try a different server endpoint.
Slow speeds? Check the router's CPU. VPN encryption needs processing power, and older routers can bottleneck. Try a closer server or a stronger router.
Some services break? Use split tunneling to exclude them. Some banks and streaming services block VPN IPs, so route that traffic outside the VPN.
DNS leaks? Point DNS at SACVPN's servers, disable the router's DNS proxy if needed, and test at dnsleaktest.com.
Best Practices
- Use policy-based routing. Not everything needs the VPN. Route only the devices or traffic types you want.
- Enable a kill switch. Add firewall rules that block internet access if the VPN drops, so nothing leaks.
- Monitor the connection. Set up alerts so you know if the tunnel goes down.
The Payoff
A router-level VPN is the most complete protection for a home or office. Every device gets encryption and IP masking with no individual setup. Your smart TV streams over an encrypted link, your IoT devices are shielded, and every guest on your WiFi is covered too.
The initial setup takes some effort, but the long-term payoff is real: your entire digital life, secured by one connection.
Cover every device at once. Start a 14-day SACVPN trial with no card required.
Ready to protect your connection?
Join SACVPN for fast, private, WireGuard-powered internet access. Start a 14-day free trial, no credit card required.
View pricing
