Does having a VPN product (ExpressVPN in this case) on my router protect the data between an individual device (i.e. Laptop, PC, Phone, etc.) and the router or does it only protect traffic from the router out to the internet and from the internet back to the router? Could someone having direct access to my LAN (Wifi or Ethernet) intercept unencrypted data (i.e. packet sniffer, etc.) from an individual device on the LAN before it gets to the router and also any responding data from the router to the device? I have been using a software VPN (again, ExpressVPN) on each of my individual devices for some time and am now considering purchasing a router-based solution but am concerned (especially in a Wifi-based scenario) about security from within the LAN environment itself.
It does only protect the data between the VPN Client (running on your router) and the VPN-Server (ExpressVPN Server) Before and after the VPN has no impact. But Wifi connection is usually protected with WPA2 oder WPA3 or it seems to be a physical access via cable. Everthing after the VPN Server ist not protected as well.