A subscription to a commercial VPN can be installed in two very different ways. Most people start by putting the VPN app on each phone, laptop, and tablet, one device at a time. The other approach is to configure the VPN once on the home router so every device on the network is covered automatically, including the smart TV, the streaming stick, and the doorbell camera. Both approaches work. They produce very different user experiences, different speeds, different failure modes, and different total costs. Knowing where each one fits keeps the household from ending up with the worst of both worlds: a VPN that works inconsistently, slows everything down, and still does not cover the device that prompted the purchase in the first place.
What software VPN on each device actually looks like
The familiar mode. NordVPN, Mullvad, ExpressVPN, ProtonVPN, and the rest all ship apps for Windows, macOS, iOS, Android, and Linux. Install the app, sign in, pick a server, and the device's traffic now goes through the VPN tunnel.
The strengths of this approach are real. The app handles authentication, kill-switch, server selection, and split tunneling on a per-device basis. The encryption work runs on the device's CPU, which is usually much more powerful than the router's. Speeds are typically high because the hardware is capable and the workload is per-device rather than aggregated. When you leave the house, the VPN continues to protect the laptop and phone automatically on whatever Wi-Fi they join next.
The weaknesses show up at the edges. Every new device requires a separate install. Devices that do not run VPN apps (smart TVs, streaming sticks, game consoles, IoT gear) are uncovered. Family members who do not enable the VPN are uncovered. The household ends up with a patchwork of protected and unprotected devices.
What router-level VPN actually looks like
A router VPN runs the VPN client on the router itself. Every device that connects to the router is automatically routed through the tunnel without any per-device configuration. The smart TV, the game console, the visiting friend's phone, the smart speaker, the kid's tablet, all of them are protected with no action required.
The strengths are the inverse of the software-VPN weaknesses. Universal coverage with no per-device setup. Devices that cannot run VPN apps get coverage automatically. A single subscription protects an unlimited household.
The weaknesses are real. The router's CPU is doing all the encryption, and consumer routers are usually weak. Most consumer Wi-Fi routers cap VPN throughput around 100 to 300 Mbps, which is fine for streaming and gaming but a real bottleneck on gigabit internet plans. Configuration requires either a router that natively supports VPN clients (Asus, GL.iNet, some Netgear) or custom firmware (Asuswrt-Merlin, OpenWrt, DD-WRT). The router VPN only protects devices on the home network, not the phone after it leaves the house.
The throughput story, with real numbers
VPN encryption is computationally heavy. The protocol choice matters more than the brand of VPN, and the hardware doing the encryption matters most of all.
| Setup | Typical real throughput |
|---|---|
| OpenVPN on a $100 consumer router | 50 to 150 Mbps |
| WireGuard on a $100 consumer router | 150 to 350 Mbps |
| WireGuard on a $300 prosumer router (Asus AX86U, GL.iNet Flint 2) | 400 to 900 Mbps |
| WireGuard on a small x86 box (pfSense, Protectli) | 1.5 to 5 Gbps |
| Software VPN on a recent laptop or phone | 500 Mbps to 2 Gbps |
WireGuard has displaced OpenVPN almost everywhere it is supported because the speed difference is large on the same hardware. If a VPN provider still defaults to OpenVPN, that is a sign of an older client. Most major providers now support WireGuard natively or through their own optimized derivative (NordLynx, Lightway, etc.).
Important: the speeds above are best-case. The actual throughput depends on the route to the VPN server, the load on that server, and the time of day. A 500 Mbps test result in the morning can become 100 Mbps in the evening when the server is busy.
Coverage, the practical question
The biggest practical difference between the two approaches is which devices get protected.
Software VPN per device: laptops yes, phones yes, tablets yes, anything with no VPN app no. Smart TVs, streaming sticks, game consoles, smart speakers, doorbell cameras, smart appliances, security systems all run unprotected.
Router VPN: every device on the network, automatically. Including the guest phone that just joined the Wi-Fi.
For households where the reason for buying a VPN is privacy from the ISP or geo-unblocking on the TV, the router approach covers the actual problem the household is trying to solve. For households where the reason is privacy on public Wi-Fi while traveling, software VPN on the laptop and phone is the better fit.
The both-and answer is often the right one: a router VPN at home for universal coverage, plus a software VPN app on the laptop and phone for use away from home. Most VPN subscriptions allow this combination on a single plan.
Kill switch and DNS leak behavior
A VPN kill switch blocks all internet traffic if the VPN connection drops, preventing the device from accidentally exposing its real IP. The implementations are different on each side.
Software VPN kill switches are per-app or per-device and usually work well. If the VPN drops, the app blocks all traffic on that device until reconnection.
Router VPN kill switches work at the network layer and protect every device on the network. If the VPN tunnel drops, the router can block all outbound traffic, send only a specific subset over the regular WAN, or fall back to direct connection (which defeats the privacy purpose). Choose firmware that supports the strict kill switch behavior. Asuswrt-Merlin, OpenWrt, and pfSense all do.
DNS leaks are a separate failure mode where the device's DNS queries go outside the tunnel. Both approaches need explicit configuration to send DNS through the VPN or to a privacy-respecting public resolver. The DNS-level ad blocker conversation overlaps here because DNS configuration is shared.
Split tunneling
Split tunneling lets some traffic go through the VPN and other traffic go direct. The use cases are real: a work VPN that should not double-tunnel through a commercial VPN, a local NAS that should not be reached through an Iceland exit node, a streaming service that refuses to load over any commercial VPN.
Software VPN apps handle split tunneling on a per-app basis (which is easy to use) but only on the device running the app.
Router VPN split tunneling works on a per-device or per-IP basis. Configure the smart TV's IP to use the VPN, leave laptops on the regular connection. This is a common setup for households that bought the VPN specifically to unlock streaming geo-restrictions on the TV but want the laptops at full local speed.
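An added example, not taken from any firmware or provider: a small audit that checks router flow records against the kill switch, DNS leak, and per-IP split tunneling behavior described above. The interface names, IP addresses, and record format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed, hypothetical values: wg0 = VPN tunnel, eth0 = WAN, documentation-range IPs.
TUNNEL_IF, WAN_IF = "wg0", "eth0"
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_WAN_IP = "203.0.113.2"
VPN_ENDPOINT = "203.0.113.10"       # provider's server; the tunnel itself rides the WAN
VPN_DEVICES = {"192.168.1.50"}      # per-IP policy: the smart TV uses the VPN
DNS_PORTS = {53, 853}

# Constructed flow records (src,dst,proto,dport,out_if), not a real tool's log format.
SAMPLE_FLOWS = """\
192.168.1.50,198.51.100.7,tcp,443,wg0
192.168.1.50,198.51.100.7,tcp,443,eth0
192.168.1.50,192.0.2.53,udp,53,eth0
192.168.1.20,198.51.100.9,tcp,443,eth0
192.168.1.50,192.168.1.10,tcp,445,br0
203.0.113.2,203.0.113.10,udp,51820,eth0
203.0.113.2,192.0.2.53,udp,53,eth0
"""

def classify(src, dst, dport, out_if):
    """Return a finding name for one flow, or None if it matches the policy."""
    if ipaddress.ip_address(dst) in LAN or out_if != WAN_IF:
        return None                          # local traffic, or not leaving via the WAN
    must_tunnel = src in VPN_DEVICES
    if src == ROUTER_WAN_IP:
        if dst == VPN_ENDPOINT:
            return None                      # the encrypted tunnel packets themselves
        must_tunnel = dport in DNS_PORTS     # router's forwarder resolving outside the VPN
    if not must_tunnel:
        return None                          # split-tunnel device allowed on the WAN
    return "DNS_LEAK" if dport in DNS_PORTS else "KILL_SWITCH_LEAK"

def audit(flow_text):
    """Parse the flow records and return (line_number, finding, src, dst) tuples."""
    findings = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        src, dst, _proto, dport, out_if = line.strip().split(",")
        finding = classify(src, dst, int(dport), out_if)
        if finding:
            findings.append((n, finding, src, dst))
    return findings

if __name__ == "__main__":
    for item in audit(SAMPLE_FLOWS):
        print(item)
```

The laptop at 192.168.1.20 is deliberately left on the WAN, so only the TV's direct flows and the router's own out-of-tunnel DNS query are reported.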
A reasonable 2026 decision
For households with one or two adults, no smart TV streaming needs, and primarily privacy-on-public-WiFi motivation: software VPN on each device is the simpler, faster choice. Skip the router VPN.
For households with a smart TV, streaming sticks, game consoles, multiple users, or any device that cannot run a VPN app: router VPN, ideally on a prosumer router or a small x86 box running pfSense or OpenWrt with WireGuard.
For households with both motivations: both layers. Router VPN for the home, software VPN apps on phones and laptops for travel. Most major providers allow this on a single subscription.
For the highest-throughput need (multi-gig internet, large file transfers, heavy use): a small dedicated x86 router running pfSense or OPNsense outperforms every consumer Wi-Fi router by a wide margin, and the cost ($200 to $400) is often less than a prosumer Wi-Fi router. Pair it with a separate Wi-Fi access point that you choose based on the coverage tradeoffs for the layout of the house.
VPN choice is one of those decisions where buying the right hardware once is much cheaper than retrying the wrong approach three times. Pick based on which devices need protection, not based on which app has the slickest landing page.
Frequently asked questions
Does a router VPN slow down my whole internet?
Yes, but how much depends on the router's CPU. Encryption is computationally expensive, and most consumer routers have weak processors that cap VPN throughput around 100 to 300 Mbps regardless of the actual internet speed. WireGuard is much lighter than OpenVPN and roughly doubles the speed on the same hardware. Routers with dedicated VPN acceleration (some Asus and most enterprise models) push 500 to 1000 Mbps, which keeps gigabit plans usable.
Can I run a VPN on only some devices through the router?
Yes, this is called policy-based routing or selective routing. Better consumer routers (Asuswrt-Merlin, OpenWrt, pfSense) let you route specific IP addresses or MAC addresses through the VPN and leave others on the regular connection. This is the standard solution for keeping a smart TV on the VPN for streaming geo-restricted content while letting laptops talk directly to local services or work VPNs.
Will a VPN on the router protect my phone when I leave the house?
No, the router VPN only protects devices while they are on the home network. Outside, the phone uses cellular or other Wi-Fi networks directly. For full-time mobile protection, you also need a VPN app installed on the phone with the kill switch enabled. Many VPN providers count router connections as one device in their plan and let you cover the home network plus several mobile devices on the same subscription.
How do I handle the smart TV that does not support a VPN app?
This is the single biggest reason to put the VPN on the router. Smart TVs, streaming sticks, game consoles, and most smart-home gear have no native VPN support. Either the router covers them, or they do not get VPN protection. A router VPN solves this once for the whole household. The alternative (running a Raspberry Pi as a VPN gateway and pointing the TV at it) works but is more setup than most households want.
Does using a VPN on the router break my access to local devices?
It can, if the router pushes all DNS through the VPN. Local devices (printers, NAS, smart speakers) are still reachable by IP but may not resolve by hostname. The fix is to configure split DNS, where local domain queries go to the router's DNS and external queries go through the VPN. Most VPN-capable router firmwares (Asuswrt-Merlin, OpenWrt) have a setting for this, often called local-area network exempt or LAN bypass.