Living in Xi'an and trying to use Firewalla the same way you would back home? Welcome to one of the most frustrating problems in modern computing. The good news: the right protocol stack makes Firewalla feel exactly like it does anywhere else. The bad news: 90% of mainstream VPN providers don't ship that stack.
Why Firewalla Is a Router-First Problem
App-based VPNs cover one device at a time. The moment you add a smart TV, a gaming console, an Apple TV box, a Hue bridge, a robot vacuum or a guest's phone, the model breaks. A VPN router solves this once: every byte leaving your home is tunneled, with nothing to install and nothing for family members to remember.
Inside mainland China, the case gets stronger. A single hardware tunnel is more stable under DPI scrutiny than dozens of mobile connections, survives reboots and Windows updates, and gives you a single place to update your subscription URL.
Hardware That Actually Holds Up
VPN throughput is CPU-bound, not antenna-bound. A flashy router with weak silicon will give you 38 Mbps over VPN; a $205 router with the right SoC will deliver 409 Mbps+ on the same link.
What to look for:
- Cortex-A55 quad-core or better — anything older falls over above 88 Mbps
- At least 512 MB RAM (more is better with V2Ray + Xray running side-by-side)
- WiFi 6 (802.11ax) — half the protocol overhead at the physical layer
- Hardware AES instructions — software AES tanks throughput by 4–6×
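One way to verify the last item on a router you can already log in to, as an added example that is not part of the original page: Linux lists CPU capabilities in `/proc/cpuinfo` (under `Features` on ARM, `flags` on x86), and hardware AES shows up there as the token `aes`. The function name `has_hw_aes` is hypothetical.

```shell
#!/bin/sh
# has_hw_aes: read cpuinfo-formatted text on stdin and succeed (exit 0)
# only if a capability line advertises AES instructions.
# ARM kernels use the key "Features"; x86 kernels use "flags".
has_hw_aes() {
    awk -F: '
        $1 ~ /^(Features|flags)[ \t]*$/ {
            n = split($2, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "aes") found = 1   # whole token, not a substring
        }
        END { exit (found ? 0 : 1) }
    '
}

# Check the machine this script runs on (SSH session on the router).
if [ -r /proc/cpuinfo ]; then
    if has_hw_aes < /proc/cpuinfo; then
        echo "hardware AES: present"
    else
        echo "hardware AES: not advertised, expect software AES throughput"
    fi
fi
```

A SoC can match the core family in the list above and still ship without the crypto extension, so run the check on the actual unit rather than relying on the spec sheet.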
Firmware Choice in 2026
| Firmware | Best For | Notes |
|---|---|---|
| GL.iNet OpenWrt | Travelers, plug-and-play | VLESS + Reality preinstalled on most models |
| Asus + Merlin | Polished UI, prosumer | Needs custom scripts for VLESS in China |
| Vanilla OpenWrt | Maximum control | Steepest learning curve, broadest protocol support |
| MikroTik RouterOS | Network engineers | Excellent for advanced routing, weaker for proxy chains |
Step-by-Step Setup
1. Get an OxeraVPN subscription URL
Open dashboard.oxeranet.cloud, go to the Subscribe section, and copy the URL. The free plan is enough to confirm the router works before you upgrade.
2. Flash or boot the right firmware
If GL.iNet: it's already there. If Asus: install Merlin from snbforums. If you're going vanilla OpenWrt: pick the build for your exact model from openwrt.org.
3. Add your subscription
Paste the URL into the router's V2Ray/Xray panel. Pull updates. Pick the closest server (usually Singapore or Hong Kong from China).
4. Pin the right protocol
For mainland China: VLESS + Reality for stealth, Hysteria2 when you need maximum throughput on a flaky line. Outside restricted regions, WireGuard is fine if your router supports it.
5. Turn on hardware acceleration
The single most-skipped step. In Asus/Merlin, enable CPU Affinity and pin the proxy process to one core. In OpenWrt, turn on software/hardware flow offloading. Throughput often jumps 5–10×.
Real-World Numbers from Shenzhen
Tested 2026-05-02 on a 366 Mbps fiber line:
- VLESS + Reality to Osaka: 409 Mbps down, 89 Mbps up, 45 ms ping
- Hysteria2 to Tokyo: 421 Mbps down, 23 ms ping
- Plain HTTPS (no VPN) to a Chinese site: 373 Mbps
The takeaway: a properly tuned router gives up almost nothing for stealth.
Combine With the OxeraVPN WiFi Router
If hand-tuning sounds like too much work, OxeraVPN sells a pre-configured router for ¥1200 with VLESS + Reality already wired up, the Chinese-domain bypass list preloaded, and zero-touch failover between protocols. See the Router page.
Frequently Asked Questions
What's the fastest way to get started?
Sign up at dashboard.oxeranet.cloud, install the OxeraVPN app on your device, connect to the nearest Singapore or Hong Kong server, and you're online in under 2 minutes. The free plan is enough to test Firewalla end-to-end.
Do I need to buy a special router?
If you only have one or two devices, the OxeraVPN app is enough. If you have a smart TV, gaming consoles, IoT devices, or a family that wants Just Works™ coverage, a pre-configured VPN router is far less hassle than installing apps on every device.
Will a VPN router slow down my non-VPN traffic?
Only if you route all traffic through it. The recommended setup uses a bypass list so Chinese services like Taobao, Bilibili, and WeChat take the direct route — keeping local apps fast while overseas traffic stays tunneled.
Which protocol should I use for Firewalla in 2026?
VLESS + Reality is the default and the most reliable inside mainland China — it disguises traffic as a normal HTTPS visit to a real website. If a sensitive date is approaching or your ISP is more aggressive than usual, switch to Hysteria2 which uses QUIC and behaves like video streaming.
Is OxeraVPN really free to try?
It is. Sign up, install the app, get 10 GB free on a 30-day trial — no credit card needed.
The Bottom Line
A VPN router is the cleanest, quietest, most family-friendly answer to Firewalla — especially in restrictive regions. Build one yourself with OpenWrt, or skip the work entirely and order the pre-configured OxeraVPN router. Either way: every device, every visitor, every smart-home gadget in your home, transparently protected.