How can we help you?


How to set up VPN on Tomato

What is Tomato firmware used for?

Tomato is a custom firmware for routers. It offers OpenVPN client support and is available on a wide variety of routers. You can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.

First things first, these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common, the default local IPs that most routers have are or – you can access these by opening or in your browser. The default IP, username and password are listed in your router’s User Manual.

Here is how to set up VPN on Tomato firmware:

  1. Open the router settings page on your browser by entering the router local address ( by default).
  2. On the left side menu, click VPN Tunneling -> OpenVPN Client.

  3. Set the following options:

    Start with WAN - Check the box.
    Interface Type - Select TUN.
    Protocol - Choose either UDP or TCP and keep it in mind as this will be important later on.
    Server Address/Port:

    In a first field, enter the hostname of the server you want to connect to. You can find it at page. Additionally, download the server's configuration file on the same page below a hostname.


    For the second field, depending on the protocol chosen earlier, input 1194 for UDP or 443 for TCP

    Firewall - Automatic.
    Authorization Mode - TLS.
    Username/Password Authentication - Checked. Enter your NordVPN service credentials in the fields below.

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:
    1. Click Set up NordVPN manually.

    2. You will receive a verification code in your email that you use for NordVPN services. Type the code in: 

      2 (1).png
    3. Copy the credentials using the “Copy” buttons on the right:


    Username Authen. Only - Unchecked (default).
    Extra HMAC authorization (tls-auth) - Choose Outgoing (1) from the drop-down list.
    Create NAT on tunnel - Checked.

    Some Tomato routers may not have any fields for entering OpenVPN credentials. In such a case, go to Administration -> Scripts and the commands below into the Init field. Make sure to change the username and password to your NordVPN service credentials:

    echo username > /tmp/password.txt
    echo password >> /tmp/password.txt
    chmod 600 /tmp/password.txt

  4. Click on Advanced tab and set the following options:

    Poll Interval: 0
    Redirect Internet traffic: Checked
    Accept DNS configuration: Strict
    Encryption cipher: AES-256-CBC
    Compression: Disabled
    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate: Unchecked

    Custom Configuration:

    remote-cert-tls server
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    reneg-sec 0
    auth sha512
    #log /tmp/vpn.log
    #Delete `#` in the line below if your router does not have credentials fields
    #auth-user-pass /tmp/password.txt

  5. Open the Keys tab. Open a configuration file downloaded at step 3.

    Static key - paste text from <tls-auth> to </tls-auth> block.
    Certificate Authority - paste text from <ca> to </ca> block.

    It should look like this:

  6. Click Save at the bottom of the settings page to confirm and save all settings. To establish a connection, click Start Now. In order to check if you have connected successfully, visit the Status page.
  7. Configure the router to use NordVPN DNS servers to prevent DNS leaks:

    DNS Server: Manual
    DNS 1:
    DNS 2:


Optional Kill Switch set up (for advanced users):

Navigate to Administration Scripts and under Firewall paste one of the following scripts.

  • Every client in LAN will lose internet connection in case of a VPN drop:

    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

  • Only a specified IP address will lose internet access in case of a VPN drop:

    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
Was this article helpful?