TP-LINK TL-R600VPN SafeStream Gigabit Broadband VPN Router Reviewed

Photo of author

Doug Reid

SafeStream Gigabit Broadband VPN Router
At a glance
Product TP-LINK SafeStream Gigabit Broadband VPN Router (TL-R600VPN) [Website]
Summary Inexpensive PPTP / IPsec VPN router with Gigabit Ethernet ports
Pros • VPN for not a lot of $
• Gigabit ports
• Silent
• Internal power supply
Cons • No L2TP support
• Site-to-site IPsec only

• No IPv6
• No VLANs


I’ve had the opportunity to review several TP-LINK products, including their TL-ER6020 Dual-WAN VPN Router and the TL-SG2216 Smart Switch. Prior to reviewing these two products, I hadn’t heard of TP-LINK, so I was intrigued to read their goal is to become “one of the top 3 networking brands in the world…” That’s certainly a bold goal. At the conclusion of both of those reviews, I found no reason TP-LINK couldn’t reach that goal. Both of those products performed well and are competitively priced.

In this review, I’m going to look at another of TP-LINK’s VPN routers, the TL-R600VPN SafeStream Gigabit Broadband VPN Router. A look at TP-LINK’s product page lists three models of VPN “SafeStream” routers, including the top-end TL-ER6120, mid-range TL-ER6020 and entry-level (and best selling) TL-R600VPN.

The TL-R600VPN is a desktop router measuring 8.2″L x 4.9″W x 1.0″H. Adhesive rubber feet are included for desktop use. I love the fact that the TL-R600VPN is silent and has an internal power supply. The internal power supply means no external power brick, just a cord from the router to the outlet. Very nice! Further, the power supplies on all TP-LINK SafeStream VPN routers include “professional lightning protection,” designed to withstand an electrical surge up to 4KV.



As shown in the below front and rear shots, the LEDs are on the front panel while the RJ45 ports and power connector are on the back.



Under the Covers

The TL-R600VPN runs on a Realtek RTL-8198-GR ASIC which serves as both the router’s CPU and Ethernet controller. It also has 8 MB of Flash and 64 MB of RAM.

Below is photo of the TL-R600VPN’s main board. The power components are under the small panel to the left and the Realtek chip is in the center of the board. Note the lack of heatsinks.

Main Board

Main Board


Here’s a quick summary of the TL-R600VPN’s features.


  • (4) 10/100/1000 Ethernet LAN ports, (1) 10/100/1000 Ethernet WAN ports
  • NAT Throughput = 120 Mbps
  • Concurrent Sessions = 10,000
  • Bandwidth control
  • Dynamic DNS

SPI Firewall

  • DoS Protection (TCP/UDP/ICMP Flooding and Ping of Death)
  • IP/MAC/Domain Filtering
  • Port Forwarding, Port Triggering, DMZ
  • IP/MAC/Domain Name Filtering


  • (20) IPSec Tunnels and (16) PPTP Tunnels
  • IPSec: DES/3DES/AES128/AES192/AES256 Encryption, MD5/SHA-1 Authentication
  • IPSec Throughput = 20 Mbps


The TL-R600VPN was intuitive and easy to configure. Within 15 minutes of taking it out of the box, I configured the WAN interface, Dynamic DNS and Remote Access and an IPSec and PPTP tunnel up without using a configuration wizard or the manual.

The configuration menus on the TL-R600VPN are straightforward. There are 13 configuration menus, each with up to four submenus, with the exception of the System Tools menu that has 10 submenus for device management and troubleshooting. There are no additional tabs or separate configuration screens in the submenus. Table 1 summarizes the TL-R600VPN’s configuration options.

Menu Sub-Menu
Quick Setup
Network WAN LAN MAC Clone
DHCP Settings Client List Address Reservation
Forwarding Virtual Servers Port Triggering DMZ UPnP
Security Basic Advanced Local Mgt
Access Control Rule Host Target Schedule
PPTP VPN Server Account Status
Routing Static Route Table
Bandwidth Control Settings Rules
IP+MAC Binding Settings ARP Table
Dynamic DNS
System Tools Time Ping/Trace Firmware Reset Backup/ Restore
Reboot Password SysLog Remote Mgt Stats
Table 1: Menu tree

I liked that each submenu displays a help menu on the right side of the window. Basically, the TL-R600VPN brings up the appropriate page from the manual with each configuration screen as illustrated below. TP-LINK also provides an 80 page manual with a little more detail for configuration help.

Help Screen

Help Screen

As you can see, the TL-R600VPN has a pretty standard set of router/gateway features along with VPN capability. Features I often see in VPN routers that are not supported by the TL-R600VPN are IPv6, VLANs and routing protocols such as RIP. However, for a smaller network with no need for these features, why pay for what you won’t use?

Although many folks have little or no need for IPv6 now, I’d like to see network products and service providers support IPv6. Sooner or later, it will become a necessity. However, that day isn’t quite here yet. While working on this review, I contacted the two ISPs that provide Internet in my area (Windstream and Time Warner) to see if they provide IPv6 addresses. Both claim their networks are IPv6 ready, but neither could provide IPv6 addresses for residential service.


The TL-R600VPN supports IPSec site-to-site VPN tunnels and PPTP remote VPN tunnels. Up to 20 concurrent IPSec tunnels and 16 concurrent PPTP tunnels are supported. Note, PPTP is the only remote VPN solution on the TL-R600VPN. Remote client IPSec VPN solutions are not supported. In my mind, that isn’t a bad thing. PPTP is a simpler remote VPN solution than IPSec and PPTP software is included in Windows and MacOS operating systems, as well as on iOS and Android devices.

Setting up both are ridiculously easy. Enabling PPTP was a matter of clicking enable on the PPTP server and creating a user name and password. Once completed, I configured my Windows laptop and iPhone for PPTP and entered the WAN address of the TL-R600VPN plus my user name and password. Both were able to connect to the TL-R600VPN. The screenshot shows my active PPTP connection.

PPTP Status

PPTP Status

There are a few more steps in setting up an IPSec tunnel, but they’re pretty straightforward. I set up an IPSec tunnel to a Zyxel ZyWALL 110 using 3DES encryption and SHA-1 authentication. The options for configuring phase 1 (IKE) and phase 2 (IPSec) of the tunnel are simple drop-down menus, as shown below.

IPSec Config

IPSec Config

My tunnel came right up once my configurations were applied on both the TL-R600VPN and the ZyWALL 110, as shown in the screenshot below. Interestingly, the TL-R600VPN shows two connections for a single IPSec tunnel, with one connection representing Tx and the other representing Rx.

IPSec VPN Status

IPSec VPN Status

To measure VPN throughput, I used two PCs running 64-bit Windows with their software firewall disabled. Using TotuSoft’s LAN Speed Test client and server application, with a file size of 100 MB, I measured throughput over an IPSec tunnel to the Zywall 110 and over a PPTP tunnel to Windows client. Below are my throughput measurements.

VPN Tunnel Type Throughput (Mbps)
Client-Gateway Gateway-Client
IPsec Site to Site 20.9 19.4
PPTP Client 17.4 16.4
Table 2: VPN Throughput

The ZyWALL 110 is rated at 300 Mbps IPSec throughput, while the TL-R600VPN is rated at 20 Mbps, so the ZyWALL is not a limiting factor. As you can see from my chart, the TL-R600VPN matched its 20 Mbps VPN rating with a IPSec Transmit speed of 19.4 Mbps and Receive speed of 20.9 Mbps.

TP-LINK doesn’t provide a PPTP throughput rating for the TL-R600VPN. As you can see, I measured PPTP Transmit speed of 16.4 Mbps and Receive speed of 17.4 Mbps. Bottom line is unless your Internet connection is faster than 16 Mbps in both directions, the TL-R600VPN’s IPSec and PPTP VPN throughput should be more than sufficient.


The TL-R600VPN allows you to create bandwidth control rules to provide a minimum and maximum bandwidth for LAN devices accessing the WAN. Rules are defined based on source IP address, destination port and protocol, and bandwidth.

To measure the effectiveness of this feature, I measured my Internet connection speed through the TL-R600VPN via My Internet connection speed measured 12.68 Mbps down and 560 kbps up. I set the TL-R600VPN to limit my PC’s bandwidth to 3 Mbps down and 300 kbps up, as shown in the screenshot below.

Running a speedtest with this rule in place produced a result of 2.3 Mbps down and 210 kbps up. I tried several other rule settings, each producing actual throughput below the values I entered in the rule. Thus, it appears the TL-600VPN effectively limits bandwidth usage per PC, but you may have to play with the settings to get the desired limit.

Bandwidth Rule

Bandwidth Rule


Common firewall options that are supported include Port Forwarding, Port Triggering, DMZ and UPnP. Firewall rules can be created to allow or deny traffic from specific MAC addresses; to/from specific IP addresses or range of IP addresses; to domain names; by port, protocol (All, ICMP, TCP, UDP) or application (DNS, FTP, GOPHER, HTTP, NNTP, POP3, PPTP, SMTP, SOCK, TELNET); and by schedule based on day of week and time of day.

As a test, I set up a rule to block traffic from my PC to Firewall rules on the TL-R600VPN require you to configure a source object, destination object and either use the default anytime schedule or create a schedule object. My rule is displayed in the below screen shot. With the rule enabled, my PC was blocked from accessing only, other PCs were not restricted.

Firewall Rule

Firewall Rule

Other Features

From a network standpoint, the TL-R600VPN supports a single subnet on the LAN. As mentioned earlier, port based and 802.1Q VLANs are not supported nor is IPv6, as previously noted. Common network options exist for reserving a DHCP provided address for specific hosts on the LAN, mapping MAC addresses to specific IP address, and Dynamic DNS. Supported Dynamic DNS providers are,,, and As mentioned earlier, I successfully configured a domain from to resolve to the WAN IP address of the TL-R600VPN.

Administration security is also basic on the TL-R600VPN. For example, it only supports a single user name to access the router, and there doesn’t appear to be an option to adjust the timer to log out an idle session. Thus, you remain logged in to the router, even if you’re no longer actively configuring it.

Routing Performance

Routing performance for the TL-R600VPN v2 loaded with firmware 1.2.2 build 140422 and using our standard test method is summarized in Table 3. Interestingly, TP-LINK’s ratings for the TL-R600VPN, as listed in their product specs, are lower than our measurements. TP-LINK rates NAT Throughput on the TL-R600VPN at 12.0 Mbps and Concurrent Sessions at 10,000.

Test Description TL-R600VPN
WAN – LAN (Mbps) 249.3
LAN – WAN (Mbps) 374.5
Total Simultaneous (Mbps) 372.1
Maximum Simultaneous Connections 31,064
Firmware Version 1.2.2 build 140422
Table 3: Routing Throughput performance

Our throughput tests for unidirectional download and upload speeds are shown in the composite IxChariot plot, which shows steady uplink throughput, but large variation in downlink.

Unidirectional Throughput

Unidirectional Throughput

The Simultaneous up / downlink plot below shows that downlink traffic stopped around 5 seconds into the one minute test. This wouldn’t be very helpful in real use!

Bidirectional Throughput

Bidirectional Throughput

When we reran the test with throughput limited to 100 Mbps, we got VERY smooth and equal results as shown in the plot below. So it looks like hitting the TL-R600VPN full blast may overload the routing engine. This could explain TP-LINK’s NAT Throughput rating of 120 Mbps.

Bidirectional Throughput - 100 Mbps Send rate limit

Bidirectional Throughput – 100 Mbps Send rate limit

Closing Throughts

The TL-R600VPN is comparable in features to several other single WAN VPN Firewall routers that I’ve reviewed, including the NETGEAR FVS318G, Cisco RV180, Linksys LRT214 and TRENDnet TW100-BRV214. I’ve summarized key performance numbers and prices for bunch in the chart below. (Pricing is from

Router Throughput (Mbps)
TL-R600VPN 249.3 374.5 20.93 $61.99
NETGEAR FVS318G 59.2 58.3 6.39 $118.98
Cisco RV180 798.3 811.2 50.9 $101.41
TRENDnet TW100-BRV214 92.8 92.2 3.32 $65.20
Linksys LRT214 697.0 732.9 63.0 $155.53
Table 4: Comparison summary

The TL-R600VPN lacks some of the features of the other routers in this group. For example, FVS318G has eight LAN ports and both the Cisco RV108 and Linksys LRT214 support VLANs and IPv6. On the other hand, the TL-600VPN is significantly less expensive than the Cisco, Linksys and NETGEAR. Further, the TL-R600VPN is a few dollars less than the TRENDnet and much faster.

As with previous TP-LINK products I’ve tested, I found the TL-R600VPN stable and its features easy to configure. Clearly, the TL-R600VPN is another TP-LINK product that beats the competition in a key area: Value.

Related posts

D-Link DHP-701AV PowerLine AV2 2000 Gigabit Network Extender Kit Reviewed

D-Link's DHP-701AV is another example of overblown powerline adapter marketing claims.

An Old Standby Reborn: NETGEAR FVS318G Reviewed

NETGEAR breathes new life into its go-to IPsec router.

Sonicwall TZ190 Review: UTM + WWAN

UTM (Unified Threat Management) appliances are the current hot trend. But Sonicwall has upped the ante by throwing in WWAN access.