Network privacy
Home Network Privacy
Your router is one of the best places to enforce privacy defaults. Instead of relying on every phone, laptop, TV, printer, and guest device to behave perfectly, you can move DNS filtering, VPN routing, guest isolation, and network segmentation into the network itself.
This guide walks through building a practical privacy-focused home network with a GL.iNet router, NextDNS, Mullvad VPN, separate device policies, safer Wi-Fi settings, and a maintenance routine that normal people can actually keep using.
What this solves
Use the router as your privacy control layer
Most people try to fix privacy one device at a time. That works until one device is misconfigured, a guest joins your Wi-Fi, a smart TV starts talking to tracking domains, or a phone silently bypasses your preferred DNS settings.
A privacy-focused router setup gives you a stronger default. It can reduce ISP visibility, block many tracking and malware domains at the DNS layer, route chosen devices through a VPN, separate risky devices from trusted ones, and make travel networks safer to use.
Limits
Do not confuse router privacy with anonymity
A router VPN does not make your accounts anonymous. If you log into Google, Amazon, Instagram, your bank, or your work account, those services still know it is you. A router also does not stop browser fingerprinting, payment records, shipping records, account recovery links, or device-level identifiers.
Use this setup to improve network privacy and reduce common exposure. Do not treat it as a replacement for browser compartmentalization, device hardening, email aliases, phone-number separation, payment separation, address privacy, or Tor Browser when anonymity is the actual goal.
Step 1
Choose the right GL.iNet router
GL.iNet routers are a strong fit for privacy-focused home and travel networks because they make VPN routing, DNS control, guest networks, and device policies much easier than most consumer routers. The right model depends on whether you want a simple home/travel setup, a more powerful home router, or a serious mobile network you can take anywhere.
Travel privacy note
Change your wireless identity when you move locations
Before taking your router on the road, go into Wireless, disable Wi-Fi networks, and change your SSID. You should also change your SSID each time you move locations to reduce tracking based on a repeated wireless network name.
A travel router is useful because your devices can keep connecting to a router you control, but the router itself should not broadcast the same unique network name everywhere you go.
Before you begin
Clean up your ISP router
Many homes already have an ISP modem/router combo. If you plug a privacy router into it but keep using the ISP Wi-Fi, you have not moved your household onto the new setup.
Whenever possible, put the ISP gateway into bridge mode, connect your GL.iNet router to the ISP gateway via Ethernet, and let the GL.iNet act as the real router. If bridge mode is not available, disable the ISP Wi-Fi, change the password, turn off WPS, and make sure your devices connect only to the GL.iNet network.
Step 2
Update firmware and harden the router admin panel
- Update the router firmware immediately in System > Upgrade.
- Change the router admin password to a long, unique password stored in your password manager, in System > Security.
- Disable IPv6 in Network > IPv6.
- In Network > Port Management, turn on Random MAC Mode.
- Use a generic router hostname.
The router is now part of your security boundary. Treat the admin password like an important account password, not like a disposable device code.
Step 3
Use a generic SSID and a strong Wi-Fi password
Your Wi-Fi name should not identify you, your family, your apartment, your business, or your sense of humor.
Avoid SSIDs like SmithFamily, JohnsWiFi, Apartment4B, or anything tied to your real-world identity.
Use something boring and generic. The goal is not to look clever, cough cough FBI_Surveillance_Van. The goal is to avoid broadcasting useful identity information to everyone nearby.
Do not rely on hiding your SSID as a serious privacy measure. It is not meaningful protection and can create connection problems. A boring SSID, strong encryption, and proper segmentation matter far more.
Step 4
Segment the network by trust level
A major goal of this setup is preventing every device from living in the same flat network. A smart TV, printer, speaker, guest phone, and work laptop should not automatically have the same level of access as your personal laptop or phone.
Put guest devices, smart TVs, printers, speakers, cameras, appliances, and other IoT devices on the guest network whenever possible. Treat them as untrusted by default. These devices are often noisy, poorly supported, and built around data collection.
Do not connect random appliances or devices to the internet unless they actually need internet access. Most smart devices are easier to secure when they are not connected at all.
In Network > Guest Network, enable AP Isolation and Block WAN Subnets. This can break things like printing over Wi-Fi and may need to be turned off temporarily from time to time, but you can almost always find a workaround for whatever issue comes up.
Step 5
Set up NextDNS as the DNS filtering layer
DNS filtering is not magic, but it is one of the easiest ways to reduce junk traffic across an entire network. NextDNS can block many known tracking, advertising, malware, phishing, and telemetry domains before devices connect to them.
Create a NextDNS profile for your home network.
- Create a NextDNS account and profile.
- Enable everything under Security unless you specifically need something disabled.
- Start with a blocklist like HaGeZi - Multi PRO++ under Privacy.
- Add any Native Tracking Protection options for devices that will be on your network.
- Choose Switzerland under Settings for your log storage location and choose the shortest log retention that still lets you troubleshoot, or disable logs if you do not need them.
- Fix broken domains with allowlist entries instead of disabling filtering entirely.
- Configure the router to use your NextDNS profile, using the instructions under Setup.
- Enable DNS Rebinding Attack Protection and Override DNS Settings of All Clients on your router in Network > DNS.
- Test that queries are showing under the correct profile.
Important limitation: router DNS can be bypassed by device VPNs, browser DNS-over-HTTPS settings, mobile networks, and some apps. That does not make it useless. It means DNS filtering is one layer, not the whole system.
Step 6
Set up Mullvad or Proton VPN on the router
Router-level VPN is useful because you can route entire devices through Mullvad or Proton VPN without installing a VPN app on every device. This is especially useful for TVs, guest devices, test devices, travel networks, and devices where you want a consistent network policy.
Mullvad VPN allows you to sign in directly on the router under VPN > WireGuard Client. Alternatively, download the WireGuard configuration file from your account on Mullvad's website and import it under VPN > WireGuard Client, which can allow for more customization. Use WireGuard unless you have a specific reason not to.
VPN location note
Choose VPN countries by use case
A VPN location is not just a privacy preference. It affects account behavior, banking reliability, streaming, CAPTCHAs, shopping, search results, fraud systems, and how normal your logins look.
For daily accounts, using your home country often creates less friction. Your bank, email provider, work tools, and shopping accounts are less likely to panic when your login pattern looks geographically normal.
For general browsing, research, or lower-account activity, a more privacy-respecting country such as Switzerland can be useful. Just do not confuse “foreign VPN server” with anonymity. If you log into personally identifying accounts, your account still identifies you.
Step 7
Create VPN policies for different devices
The best router VPN setup is not always “everything through one tunnel.” A better setup routes devices based on what they are and how much breakage you can tolerate. Go to VPN > VPN Dashboard and turn it from Global Mode to Policy Mode.
A recommended starter policy setup
Policy 1: No VPN
Only enable a device in here when needed. It is useful to have this policy available, but it should be used extremely rarely.
Policy 2: Primary Devices
Route: Mullvad Switzerland.
From: Specified Devices. Enable your daily-use computers and phones.
Policy 3: Primary Devices, home country
Route: Mullvad via your home country.
Use this when Switzerland is being flagged as unusual routing. From: Specified Devices. Enable your daily-use computers and phones.
Policy 4: Random Devices
Route: Mullvad via Switzerland, using a different VPN server than your primary devices.
From: Specified Devices. Enable Smart TVs, IoT devices like printers, appliances, security cameras, and other devices that need to be connected to the internet.
Most of these devices do not need to be connected to the internet at all.
Policy 5: Guests
Route: Mullvad via your home country.
From: Exclude Specified Devices. Enable all of your own devices so only new guest devices connect through this policy.
Step 8
Clean up local network metadata
Your local network can leak more than you think. Device names like John’s MacBook Pro, Sarah’s iPhone, or Living Room TV reveal identity and household details to routers, networks, and sometimes nearby devices.
Rename devices generically, from that device, not just in the router settings. Disable unnecessary local sharing. Be careful with AirDrop, SMB sharing, printer discovery, casting, and smart home discovery features. A private network is not only about outside traffic. It is also about what your devices reveal locally.
Step 9
Use the router on the road
One reason the Beryl 7 or Slate 7 Pro is attractive is that it can serve as both a home router and a travel router. When you are in a hotel, Airbnb, coffee shop, coworking space, or temporary office, connect the router to the local network and then connect your devices to your own trusted SSID.
This reduces the number of devices you expose directly to unfamiliar networks. It also lets you keep the same DNS and VPN policies while traveling.
- Connect the router to hotel or Airbnb Wi-Fi.
- Complete captive portal login if needed.
- Enable Mullvad after the captive portal is complete.
- Connect your devices only to your own router SSID.
- Use a generic travel SSID and a strong password.
Travel networks are not trustworthy. Do not use them as an excuse to log into sensitive accounts from sloppy browser profiles or unmanaged devices.
Testing
Run a real test before trusting the setup
Do not assume the router is doing what you intended. Test from each network and each policy group.
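One way to run that test from a laptop in each policy group, as an added example that is not part of the original guide: it compares the VPN exit, the NextDNS profile, and IPv6 reachability against what the device's policy should produce. The check URLs, JSON key names, the IPv6 probe address, and the profile ID abc123 are assumptions or placeholders; confirm them against your own accounts.

```python
import json
import socket
import urllib.request

# Assumptions: these check URLs and JSON keys are what the two providers'
# public self-test endpoints return; confirm them before trusting a PASS.
MULLVAD_CHECK = "https://am.i.mullvad.net/json"
NEXTDNS_CHECK = "https://test.nextdns.io"

# Constructed sample responses (not captured traffic) for a dry run.
SAMPLE_VPN_OK = {"ip": "192.0.2.10", "country": "Switzerland", "mullvad_exit_ip": True}
SAMPLE_VPN_LEAK = {"ip": "198.51.100.7", "country": "Germany", "mullvad_exit_ip": False}
SAMPLE_DNS_OK = {"status": "ok", "protocol": "DOH", "profile": "abc123"}
SAMPLE_DNS_BYPASS = {"status": "unconfigured"}

def evaluate(expect, vpn, dns, ipv6_up):
    """Compare one device's observed state with its policy; [] means pass."""
    failures = []
    on_vpn = bool(vpn.get("mullvad_exit_ip"))
    if on_vpn != expect["vpn"]:
        failures.append(f"on Mullvad exit: {on_vpn}, policy expects: {expect['vpn']}")
    elif on_vpn and vpn.get("country") != expect["country"]:
        failures.append(f"exit country {vpn.get('country')}, expected {expect['country']}")
    if dns.get("status") != "ok":
        failures.append("DNS is not answered by NextDNS (bypass or misconfiguration)")
    elif dns.get("profile") != expect["profile"]:
        failures.append(f"queries land in NextDNS profile {dns.get('profile')}")
    if ipv6_up:
        failures.append("IPv6 is reachable although it is disabled on the router")
    return failures

def fetch_json(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def ipv6_reachable(addr="2606:4700:4700::1111", port=443):
    """True if a TCP connection to a public IPv6 address succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=5):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Placeholder expectation for a "Primary Devices" machine; use your own profile ID.
    expect = {"vpn": True, "country": "Switzerland", "profile": "abc123"}
    problems = evaluate(expect, fetch_json(MULLVAD_CHECK), fetch_json(NEXTDNS_CHECK), ipv6_reachable())
    print("PASS" if not problems else "\n".join(problems))
```

Run it from a terminal rather than a browser so the lookup goes through the system resolver the router controls, and change the expectation to match each policy (for example "vpn": False for a device in the No VPN policy).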
Maintenance
Keep the setup healthy
Privacy setups fail when people never revisit them. Build a simple maintenance routine.
Monthly
- Confirm Mullvad or Proton VPN is paid for.
- Check for router firmware updates.
- Review connected devices.
- Review NextDNS blocks if logs are enabled.
Quarterly, at least
- Remove old devices.
- Rotate guest Wi-Fi password.
- Re-test DNS, IP, and IPv6 leaks.
- Review whether IoT devices still need network access.
- Ensure all VPN policies are set up to cover all devices correctly.
Troubleshooting
Expect some things to break
This setup can cause friction. Banking apps may dislike VPN routing. Streaming devices may block VPN exits. Work devices may break behind a router VPN. Smart home apps may fail if you isolate IoT devices too strictly. Captive portals may require VPN to be temporarily disabled.
That is normal. The point is not to make the strictest setup possible. The point is to build a setup you can maintain without giving up and returning to ISP defaults.
Bottom line
Recommended home network baseline
For most readers, the right baseline is simple: GL.iNet Beryl 7, generic SSID, strong WPA3 or WPA2/WPA3 password, ISP Wi-Fi disabled, NextDNS configured, Mullvad available at the router, guest and IoT devices separated, and device-specific VPN policies instead of one careless tunnel for everything.
This gives you better defaults without pretending your home network can solve every privacy problem.