Network privacy

Home Network Privacy

Your router is one of the best places to enforce privacy defaults. Instead of relying on every phone, laptop, TV, printer, and guest device to behave perfectly, you can move DNS filtering, VPN routing, guest isolation, and network segmentation into the network itself.

This guide walks through building a practical privacy-focused home network with a GL.iNet router, NextDNS, Mullvad VPN, separate device policies, safer Wi-Fi settings, and a maintenance routine that normal people can actually keep using.

What this solves

Use the router as your privacy control layer

Most people try to fix privacy one device at a time. That works until one device is misconfigured, a guest joins your Wi-Fi, a smart TV starts talking to tracking domains, or a phone silently bypasses your preferred DNS settings.

A privacy-focused router setup gives you a stronger default. It can reduce ISP visibility, block many tracking and malware domains at the DNS layer, route chosen devices through a VPN, separate risky devices from trusted ones, and make travel networks safer to use.

Plain English: the router becomes the place where you enforce safer defaults before traffic leaves your home.

Limits

Do not confuse router privacy with anonymity

A router VPN does not make your accounts anonymous. If you log into Google, Amazon, Instagram, your bank, or your work account, those services still know it is you. A router also does not stop browser fingerprinting, payment records, shipping records, account recovery links, or device-level identifiers.

Use this setup to improve network privacy and reduce common exposure. Do not treat it as a replacement for browser compartmentalization, device hardening, email aliases, phone-number separation, payment separation, address privacy, or Tor Browser when anonymity is the actual goal.

Step 1

Choose the right GL.iNet router

GL.iNet routers are a strong fit for privacy-focused home and travel networks because they make VPN routing, DNS control, guest networks, and device policies much easier than most consumer routers. The right model depends on whether you want a simple home/travel setup, a more powerful home router, or a serious mobile network you can take anywhere.

High-load home router

Flint 4

The Flint 4 is the best fit if you want the GL.iNet router to be a very high-performance core of a busy home or work network. This is the option to watch for high-load homes, power users, SOHO setups, and light business environments where a small travel router may not be the best long-term center of the network.

Choose Flint 4 if your home has many users and devices, heavy LAN needs, or a very large physical footprint.

Advanced travel router

Slate 7 Pro

The Slate 7 Pro is a higher-end travel router built around tri-band Wi-Fi 7, a touchscreen, high-speed VPN use, and more advanced networking features. It is a stronger option for people who want a serious travel router or a small office-style router that is still portable.

Choose Slate 7 Pro if you want more power than the Beryl 7 but still want something portable enough for remote work, travel, and flexible network setups.

Simple recommendation: Beryl 7 for most people. Flint 4 for a very device-dense or physically large home network. Slate 7 Pro for a more advanced home + travel router.

Travel privacy note

Change your wireless identity when you move locations

Before taking your router on the road, go into Wireless, disable Wi-Fi networks, and change your SSID. You should also change your SSID each time you move locations to reduce tracking based on a repeated wireless network name.

A travel router is useful because your devices can keep connecting to a router you control, but the router itself should not broadcast the same unique network name everywhere you go.

Before you begin

Clean up your ISP router

Many homes already have an ISP modem/router combo. If you plug a privacy router into it but keep using the ISP Wi-Fi, you have not moved your household onto the new setup.

Whenever possible, put the ISP gateway into bridge mode, connect your GL.iNet router to the ISP gateway via Ethernet, and let the GL.iNet act as the real router. If bridge mode is not available, disable the ISP Wi-Fi, change the password, turn off WPS, and make sure your devices connect only to the GL.iNet network.

GL.iNet basic setup guide: watch the setup video.

Step 2

Update firmware and harden the router admin panel

  1. Update the router firmware immediately in System > Upgrade.
  2. Change the router admin password to a long, unique password stored in your password manager, in System > Security.
  3. Disable IPv6 in Network > IPv6.
  4. In Network > Port Management, turn on Random MAC Mode.
  5. Use a generic router hostname.

The router is now part of your security boundary. Treat the admin password like an important account password, not like a disposable device code.

Step 3

Use a generic SSID and a strong Wi-Fi password

Your Wi-Fi name should not identify you, your family, your apartment, your business, or your sense of humor. Avoid SSIDs like SmithFamily, JohnsWiFi, Apartment4B, or anything tied to your real-world identity.

Use something boring and generic. The goal is not to look clever, cough cough FBI_Surveillance_Van. The goal is to avoid broadcasting useful identity information to everyone nearby.

Recommended settings: WPA3 if all devices support it. WPA2/WPA3 mixed mode if older devices require it. Use a long random Wi-Fi password. Do not reuse the password from an old network or anything else.

Do not rely on hiding your SSID as a serious privacy measure. It is not meaningful protection and can create connection problems. A boring SSID, strong encryption, and proper segmentation matter far more.

Step 4

Segment the network by trust level

A major goal of this setup is preventing every device from living in the same flat network. A smart TV, printer, speaker, guest phone, and work laptop should not automatically have the same level of access as your personal laptop or phone.

Put guest devices, smart TVs, printers, speakers, cameras, appliances, and other IoT devices on the guest network whenever possible. Treat them as untrusted by default. These devices are often noisy, poorly supported, and built around data collection.

Do not connect random appliances or devices to the internet unless they actually need internet access. Most smart devices are easier to secure when they are not connected at all.

In Network > Guest Network, enable AP Isolation and Block WAN Subnets. This can break things like printing over Wi-Fi and may need to be turned off temporarily from time to time, but you can almost always find a workaround for whatever issue comes up.

Step 5

Set up NextDNS as the DNS filtering layer

DNS filtering is not magic, but it is one of the easiest ways to reduce junk traffic across an entire network. NextDNS can block many known tracking, advertising, malware, phishing, and telemetry domains before devices connect to them.

Create a NextDNS profile for your home network.

  1. Create a NextDNS account and profile.
  2. Enable everything under Security unless you specifically need something disabled.
  3. Start with a blocklist like HaGeZi - Multi PRO++ under Privacy.
  4. Add any Native Tracking Protection options for devices that will be on your network.
  5. Choose Switzerland under Settings for your log storage location and choose the shortest log retention that still lets you troubleshoot, or disable logs if you do not need them.
  6. Fix broken domains with allowlist entries instead of disabling filtering entirely.
  7. Configure the router to use your NextDNS profile, using the instructions under Setup.
  8. Enable DNS Rebinding Attack Protection and Override DNS Settings of All Clients on your router in Network > DNS.
  9. Test that queries are showing under the correct profile.

Coming soon: NextDNS Setup guide. This deserves its own guide because profiles, logs, blocklists, allowlists, rewrites, DNSSEC, and bypasses need more detail than this page should carry.

Important limitation: router DNS can be bypassed by device VPNs, browser DNS-over-HTTPS settings, mobile networks, and some apps. That does not make it useless. It means DNS filtering is one layer, not the whole system.

Step 6

Set up Mullvad or Proton VPN on the router

Router-level VPN is useful because you can route entire devices through Mullvad or Proton VPN without installing a VPN app on every device. This is especially useful for TVs, guest devices, test devices, travel networks, and devices where you want a consistent network policy.

Mullvad VPN allows you to sign in directly on the router under VPN > WireGuard Client. Alternatively, download the WireGuard configuration file from your account on their website and import it under VPN > WireGuard Client, which can allow for more customization. Use WireGuard unless you have a specific reason not to.

Recommended VPN: Mullvad VPN paid via Monero for maximum privacy/anonymity. Proton VPN if you do not feel the need to segment your data outside of the Proton privacy-respecting ecosystem you already pay for. Use router VPN policies deliberately; they are covered in Step 7.

VPN location note

Choose VPN countries by use case

A VPN location is not just a privacy preference. It affects account behavior, banking reliability, streaming, CAPTCHAs, shopping, search results, fraud systems, and how normal your logins look.

For daily accounts, using your home country often creates less friction. Your bank, email provider, work tools, and shopping accounts are less likely to panic when your login pattern looks geographically normal.

For general browsing, research, or lower-account activity, a more privacy-respecting country such as Switzerland can be useful. Just do not confuse “foreign VPN server” with anonymity. If you log into personally identifying accounts, your account still identifies you.

Step 7

Create VPN policies for different devices

The best router VPN setup is not always “everything through one tunnel.” A better setup routes devices based on what they are and how much breakage you can tolerate. Go to VPN > VPN Dashboard and turn it from Global Mode to Policy Mode.

Policy options:

  • Kill Switch: On.
  • Services from GL.iNet Use VPN: Off.
  • Allow Remote Access the LAN Subnet: Off.
  • IP Masquerading: On.

A recommended starter policy setup

Policy 1: No VPN

Only enable a device in here when needed. It is useful to have this policy available, but it should be used extremely rarely.

Policy 2: Primary Devices

Route: Mullvad Switzerland.

From: Specified Devices. Enable your daily-use computers and phones.

Policy 3: Primary Devices, home country

Route: Mullvad via your home country.

Use this when Switzerland is being flagged as unusual routing. From: Specified Devices. Enable your daily-use computers and phones.

Policy 4: Random Devices

Route: Mullvad via Switzerland, using a different VPN server than your primary devices.

From: Specified Devices. Enable Smart TVs, IoT devices like printers, appliances, security cameras, and other devices that need to be connected to the internet.

Most of these devices do not need to be connected to the internet at all.

Policy 5: Guests

Route: Mullvad via your home country.

From: Exclude Specified Devices. Enable all of your own devices so only new guest devices connect through this policy.

All Other Traffic: turn this off so internet access is not allowed outside of your set policies.

Step 8

Clean up local network metadata

Your local network can leak more than you think. Device names like John’s MacBook Pro, Sarah’s iPhone, or Living Room TV reveal identity and household details to routers, networks, and sometimes nearby devices.

Rename each device generically on the device itself, not just in the router settings. Disable unnecessary local sharing. Be careful with AirDrop, SMB sharing, printer discovery, casting, and smart home discovery features. A private network is not only about outside traffic. It is also about what your devices reveal locally.

Step 9

Use the router on the road

Travel privacy note: Before taking your router on the road, go into Wireless, disable Wi-Fi networks, and change your SSID. Change your SSID each time you move locations to reduce tracking based on a repeated wireless network name.

One reason the Beryl 7 or Slate 7 Pro is attractive is that it can serve as both a home router and a travel router. When you are in a hotel, Airbnb, coffee shop, coworking space, or temporary office, connect the router to the local network and then connect your devices to your own trusted SSID.

This reduces the number of devices you expose directly to unfamiliar networks. It also lets you keep the same DNS and VPN policies while traveling.

  1. Connect the router to hotel or Airbnb Wi-Fi.
  2. Complete captive portal login if needed.
  3. Enable Mullvad after the captive portal is complete.
  4. Connect your devices only to your own router SSID.
  5. Use a generic travel SSID and a strong password.

Travel networks are not trustworthy. Do not use them as an excuse to log into sensitive accounts from sloppy browser profiles or unmanaged devices.

Testing

Run a real test before trusting the setup

Do not assume the router is doing what you intended. Test from each network and each policy group.

  • ISP Wi-Fi disabled or ISP gateway placed into bridge mode where possible.
  • GL.iNet router firmware updated before serious use.
  • Router admin password changed to a long unique password.
  • WPS disabled.
  • Remote admin access from WAN disabled.
  • Wi-Fi uses WPA3-Personal, or WPA2/WPA3 mixed mode if older devices require it.
  • SSID is boring and non-identifying.
  • Guest and IoT devices are separated from trusted devices.
  • NextDNS is configured and tested.
  • Mullvad WireGuard is configured and tested.
  • VPN policies are assigned by device or use case.
  • IPv6 is either correctly handled through your VPN/DNS setup or disabled to prevent leaks.
  • DNS leak, IPv6 leak, and public IP tests pass.
  • Router configuration is backed up after setup.
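
One way to script the public IP, DNS, and IPv6 checks per policy group, as an added example that is not part of the original guide. It assumes a Mullvad exit (not Proton VPN), and the check endpoints and their JSON field names (`mullvad_exit_ip`, `country`, `status`) are assumptions to confirm against a live response. The group names and `HOME_COUNTRY` are hypothetical placeholders.

```python
import json
import socket
import urllib.request

HOME_COUNTRY = "Exampleland"  # placeholder: set to your own country name
# Expected Mullvad exit country per Step 7 policy; None means no VPN expected.
EXPECTED_EXIT = {"no_vpn": None, "primary": "Switzerland",
                 "primary_home": HOME_COUNTRY, "random": "Switzerland",
                 "guests": HOME_COUNTRY}

# Constructed sample responses, not captured from a real session.
SAMPLE_VPN = {"ip": "203.0.113.7", "country": "Switzerland", "mullvad_exit_ip": True}
SAMPLE_DNS = {"status": "ok", "protocol": "DOH"}

def evaluate(group, vpn, dns, ipv6_reachable):
    """Return a list of failures for one client in one policy group."""
    failures = []
    want = EXPECTED_EXIT[group]
    on_mullvad = bool(vpn.get("mullvad_exit_ip"))
    if want is None and on_mullvad:
        failures.append("device in the No VPN policy is leaving through Mullvad")
    if want is not None and not on_mullvad:
        failures.append("public IP is not a Mullvad exit")
    elif want is not None and vpn.get("country") != want:
        failures.append(f"exit country {vpn.get('country')!r}, expected {want!r}")
    if dns.get("status") != "ok":
        failures.append("DNS is not resolving through NextDNS")
    if ipv6_reachable:
        failures.append("IPv6 egress works although IPv6 was disabled in Step 2")
    return failures

def fetch_json(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def ipv6_egress(host="2001:4860:4860::8888", port=53):
    """True if this client can open a TCP connection over IPv6."""
    try:
        with socket.create_connection((host, port), timeout=5):
            return True
    except OSError:
        return False

def live_check(group):
    """Run on a client joined to the router; needs network access."""
    vpn = fetch_json("https://am.i.mullvad.net/json")  # assumed endpoint and fields
    dns = fetch_json("https://test.nextdns.io")        # assumed endpoint and fields
    return evaluate(group, vpn, dns, ipv6_egress())

if __name__ == "__main__":
    print(evaluate("primary", SAMPLE_VPN, SAMPLE_DNS, False))
```

Run `live_check("guests")` from a device that has just joined as a guest, and repeat with the matching group name from one device in each policy; an empty list means that group passed.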

Maintenance

Keep the setup healthy

Privacy setups fail when people never revisit them. Build a simple maintenance routine.

Monthly

  • Confirm Mullvad or Proton VPN is paid for.
  • Check for router firmware updates.
  • Review connected devices.
  • Review NextDNS blocks if logs are enabled.

Quarterly, at least

  • Remove old devices.
  • Rotate guest Wi-Fi password.
  • Re-test DNS, IP, and IPv6 leaks.
  • Review whether IoT devices still need network access.
  • Ensure all VPN policies are set up to cover all devices correctly.

Troubleshooting

Expect some things to break

This setup can cause friction. Banking apps may dislike VPN routing. Streaming devices may block VPN exits. Work devices may break behind a router VPN. Smart home apps may fail if you isolate IoT devices too strictly. Captive portals may require VPN to be temporarily disabled.

That is normal. The point is not to make the strictest setup possible. The point is to build a setup you can maintain without giving up and returning to ISP defaults.

Bottom line

Recommended home network baseline

For most readers, the right baseline is simple: GL.iNet Beryl 7, generic SSID, strong WPA3 or WPA2/WPA3 password, ISP Wi-Fi disabled, NextDNS configured, Mullvad available at the router, guest and IoT devices separated, and device-specific VPN policies instead of one careless tunnel for everything.

This gives you better defaults without pretending your home network can solve every privacy problem.
