Would you trust a consumer-grade router built-in VPN server?

I want to be able to access self-hosted services on my home network when I’m not at home and use this as an always-on solution, not just on occasion[1]. I had hoped to use Tailscale for this, but I found that their VPN client application is too battery hungry on Android[2]. The ASUS router I use has a built-in VPN server, which can support OpenVPN, IPSec, or WireGuard. This seems like it may be the easiest way for me to get what I want (and I could then choose among all the mobile apps that support those protocols).

My question is, can the VPN server software on these routers be trusted to be secure (i.e. use sane configurations and receive needed security patches in a timely fashion)? I keep my router firmware updated, and I trust it to provide the NAT and firewall that constitute my home network boundary, but I’m not sure if the VPN server may be a bit more risky (in terms of nuances of configuration or frequency of patches for high-severity vulnerabilities). Maybe the answer is that these VPNs are all pretty mature and don’t get a lot of patches; I don’t know. I don’t expect that this is a question that really has a clear, objective answer, but I am looking for people’s opinions (and any factual evidence is even better).

One fallback option would be for me to self-host something like a WireGuard server (probably in a Docker container on my NAS) and use port forwarding to expose it to the WAN. But I’d prefer not to add the extra overhead of maintaining a separate server and container if the built-in server in the router will do the job.


  1. I’m fine if a side effect is having all my traffic to the Internet routed through my home network. In the rare situations where that wouldn’t be acceptable, I’d just temporarily disable this VPN.

  2. I’ve found many other people complaining about high battery consumption by the Tailscale Android client over several years. By contrast, the Mullvad VPN app is not a problem for me.

I trust my ASUS router running Asuswrt-Merlin enough to use it to VPN into my house. I figure that if I trust it enough to be my firewall and router, it isn’t too big a stretch to trust it as a VPN server.

That said, support for models is not infinite and once it stops getting security updates it is time to move on.

If you don’t trust the vendor, then perhaps you should consider router hardware that is supported by OpenWrt. Unfortunately, many (most? all?) ASUS routers use a Broadcom WiFi chip that does not have an open source driver so they are typically not fully supported by OpenWrt.

I have an older Asus router that unfortunately doesn’t support OpenWRT. It does support Merlin, so that’s the good news. Is Merlin trustworthy, and does it eliminate any possible telemetry being sent back to Asus? I wonder if Merlin’s code has ever been audited?

Afaik, most of the telemetry sent back has to do with their AI Protection/Cloud features, the malware scanning (forgot which vendor they partnered with) and some of the mobile app syncing features (for example, using their DDNS service requires account creation). I don’t think any of these features/services come with the Merlin builds.

Fwiw, back when I was using an Asus router, I needed to disable IPv6 even if my VPN provider supported it. This was because, running a WireGuard VPN on the router, I found it would leak my ISP-issued IPv6 address. This happened on both stock firmware and Merlin. Probably could’ve negated it with firewall rules on Merlin, but I couldn’t be bothered at the time.

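A configuration check related to the IPv6 leak described in the post above, added here as an example and not code from the poster, from Asuswrt-Merlin or from WireGuard: it parses a WireGuard configuration and flags a [Peer] AllowedIPs that routes all of IPv4 but not IPv6 through the tunnel, which is one common reason IPv6 traffic bypasses the VPN. The sample configuration, its key values and its endpoint are constructed placeholders, and no claim is made that this was the cause of the leak the poster saw.

```python
"""Flag WireGuard configs whose AllowedIPs covers all of IPv4 but not IPv6."""
import ipaddress

# Constructed sample: a full-tunnel client config that only routes IPv4.
# Key values and endpoint are placeholders, not real material.
SAMPLE_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 10.8.0.1

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0   # IPv6 is not listed, so it is not tunnelled
"""


def parse_allowed_ips(conf_text):
    """Return every network listed under AllowedIPs in any [Peer] section."""
    section, nets = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "peer" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))  # keys may hold '='
        if key.lower() == "allowedips":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    return nets


def tunnel_coverage(conf_text):
    """Report whether the tunnel captures all IPv4 and all IPv6 traffic."""
    nets = parse_allowed_ips(conf_text)
    full_v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    full_v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    # A deliberate split tunnel (neither default route) is not a leak by design;
    # the risky case is "everything v4 via the tunnel, v6 left to the ISP".
    return {"ipv4_full_tunnel": full_v4, "ipv6_full_tunnel": full_v6,
            "ipv6_leak_risk": full_v4 and not full_v6}


if __name__ == "__main__":
    for name, flag in tunnel_coverage(SAMPLE_CONF).items():
        print(f"{name}: {flag}")
```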

I don’t know if there has been a formal audit of Merlin’s code. But what he does is available in a Git repository, so it is publicly visible. However, there are some proprietary blobs that are used which you have to take on faith rather than examination. If your threat level is high enough then you probably do not want to use ASUS routers for a base, even with custom firmware.

The older Merlin releases kept the AI stuff from Trend Micro, but by default it is off. I understand that the newer releases will drop the Trend Micro stuff because that seems to be where nearly all the known security issues occur.

Merlin supports the Asus DDNS. But it also supports a long list of others including being able to create a custom entry for something that is not on the list.


In my case the router is still supported, and I regularly update it. I was going to enable the VPN server, but then I realized it might be useful to hear some perspectives on the safety, since I don’t know what I don’t know.

I don’t have any specific reason to be concerned. My only specific thought was that they don’t release firmware updates for these routers all that often, and I suspect the core functions (routing, NAT, and firewall) don’t require many updates, but I don’t know about the lesser-used functions like the VPN server. So I just wanted to see if people, for example, had any doubts as to whether they generally keep up with any needed security patches.

Since this was a question more about gut feelings than definitive solutions, I will probably go ahead and mark this reasonable response as the “solution” and maybe open up a poll instead to get a feel for prevailing opinion.