How can we help you?

Tomato setup with NordVPN

Tomato is a custom firmware for routers, it offers OpenVPN protocol support and is available on a wide variety of routers. You can check if your router supports Tomato firmware here . An article how to install Tomato firmware on a router can be found here .


First things first, these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common, default local IPs that most routers have are or – you can access these by opening or in your browser. The default IP, username and password are listed in your router’s User Manual.


Here is a tutorial how to connect via OpenVPN protocol:


1. On your browser, open router settings page by entering its address in the address bar (the address is by default).

2. On menu located on the left side of the screen click on the VPN Tunneling tab and then click on OpenVPN Client tab. 


3. As shown in the screenshot, set the following options:

Start with WAN - Check the box.
Interface Type - TUN.
Protocol - Choose either UDP or TCP and keep it in mind as this will be important later on.
Server Address/Port - 1194 (or 443 if you are using TCP)

For the first field enter our server hostname you want to connect to. You should connect to a server suggested to you at . You can find the server hostname right under the server title.



For the second field, depending on what protocol you have chosen earlier, input 1194 for UDP or 443 for TCP
Firewall - Automatic.
Authorization Mode - TLS.
Username/Password Authentication - Checked. Enter your NordVPN credentials in the newly appeared fields.
Username Authen. Only - Unchecked (default).
Extra HMAC authorization (tls-auth) - Choose Outgoing (1) from the drop down list.
Create NAT on tunnel - Checked.

Some Tomato routers may not have any fields for entering OpenVPN credentials. If this is your case - please go to Administration -> Scripts and enter these lines into the Init field where you should change username and password to your NordVPN credentials:

echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt


4. Click on Advanced tab and set the following options, as shown in the screenshot:

Poll Interval: 0
Redirect Internet traffic: Checked
Accept DNS configuration: Strict
Encryption cipher: AES-256-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection retry: -1
Verify server certificate: Unchecked

Custom Configuration:

remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
auth sha512
#log /tmp/vpn.log
#Delete `#` in the line below if your router does not have credentials fields
#auth-user-pass /tmp/password.txt


5. Proceed by clicking on Keys tab. Open a configuration file for the server you have downloaded at step 3 and open it.

Static key - in this field copy and paste text from <tls-auth> to </tls-auth> block.
Certificate Authority - in this field copy and paste text from <ca> to </ca> block.

It should look like this:

6. Confirm and save all changes by clicking on Save button at the bottom of settings page. To establish a connection, click on Start Now button. In order to check if you have connected successfully please visit Status page.


7. You should also configure the router to use NordVPN DNS servers to prevent DNS leaks.


Here's an image on how the setting looks:



Optional Kill Switch set up (for advanced users):

In order to setup a killswitch on Tomato router please do the following:

Navigate to Administration -> Scripts and under Firewall please type in:

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

(Every client in LAN will lose internet connection in case of VPN drop.)

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

(Only specified IP address will lose internet access in case of VPN drop.)

Related Articles

© Copyright 2020 all rights reservedSelf-service byNanorep