How to set up VPN on Tomato

What is Tomato firmware used for?

Tomato is a custom firmware for routers. It offers OpenVPN client support and is available on a wide variety of routers. You can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.

First things first: these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router in your web browser. The two most common default local IPs are 192.168.1.1 and 192.168.0.1; open http://192.168.1.1 or http://192.168.0.1 in your browser. The default IP, username and password are listed in your router's User Manual.

Here is how to set up VPN on Tomato firmware:

  1. Open the router settings page on your browser by entering the router local address (192.168.1.1 by default).
  2. On the left side menu, click VPN Tunneling -> OpenVPN Client.

  3. Set the following options:

    Start with WAN - Check the box.
    Interface Type - Select TUN.
    Protocol - Choose either UDP or TCP and keep it in mind as this will be important later on.
    Server Address/Port:

In the first field, enter the hostname of the server you want to connect to. 

Follow the steps below to find the best server for your connection:

  1. Log into your Nord Account, and click NordVPN.

  2. Scroll down to Advanced Settings and click Set up NordVPN manually.

  3. Select the Server recommendation tab. According to your location, the best server will be recommended.

  4. By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.

In case you wish to select a specific server, follow these steps:

  1. Under Set up NordVPN manually, select OpenVPN configuration files.

  2. Find the server you wish to connect to by using the Search bar or by scrolling down and download it by clicking Download UDP or Download TCP.

  3. When connecting to OpenVPN & IKEv2 manually, you're going to need to use the Username and Password from the Service credential tab.


You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard.

Follow the steps below to find the service credentials for manual connection setup:

  1. Log into your Nord Account, click NordVPN, and, under Manual setup, click on Service credentials. Here you'll find the Username and Password needed to connect manually.

For the second field, depending on the protocol chosen earlier, input 1194 for UDP or 443 for TCP.

Firewall - Automatic.
Authorization Mode - TLS.
Username/Password Authentication - Checked. Enter your NordVPN service credentials in the fields below.

Username Authen. Only - Unchecked (default).
Extra HMAC authorization (tls-auth) - Choose Outgoing (1) from the drop-down list.
Create NAT on tunnel - Checked.

Some Tomato routers may not have any fields for entering OpenVPN credentials. In such a case, go to Administration -> Scripts and paste the commands below into the Init field. Replace username and password with your NordVPN service credentials:

echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt
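As an added example (not part of the original article), the same credential-file step written so that the file never exists world-readable, even for an instant between the write and the chmod, together with a check you can run to confirm the result. The username, password and path below are constructed placeholders; use your own service credentials. /tmp on Tomato is RAM-backed, so this has to run at every boot, which is why the article puts it in the Init script.

```shell
#!/bin/sh
# Added example, not part of the original article. Writes the OpenVPN
# credentials file with a restrictive umask (so it is created mode 600
# rather than fixed up afterwards) and verifies it. All values are
# constructed placeholders.

# write_vpn_credentials USER PASS PATH
write_vpn_credentials() {
    user=$1; pass=$2; out=$3
    # Subshell so the restrictive umask does not leak into the caller.
    # printf rather than echo: echo may mangle a password that starts
    # with "-" or contains backslashes on some shells.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$out" )
    chmod 600 "$out"     # also fixes the mode if the file already existed
}

# check_vpn_credentials PATH: returns 0 if the file has exactly two lines
# (username, password) and is readable by its owner only.
check_vpn_credentials() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" = "2" ] || return 1
    # ls -l behaves the same on busybox and GNU; the first 10 characters
    # are the file type and permission bits.
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}
```

On the router you would call it from the Init script as `write_vpn_credentials 'your_service_username' 'your_service_password' /tmp/password.txt` and keep `auth-user-pass /tmp/password.txt` in the custom configuration; `check_vpn_credentials /tmp/password.txt` from Tools -> System Commands confirms the file came up correctly after a reboot.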

  4. Click on the Advanced tab and set the following options:

    Poll Interval: 0
    Redirect Internet traffic: Checked
    Accept DNS configuration: Strict
    Encryption cipher: AES-256-CBC
    Compression: Disabled
    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate: Unchecked

    Custom Configuration:

    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0
    auth sha512
    #log /tmp/vpn.log
    #Delete `#` in the line below if your router does not have credentials fields
    #auth-user-pass /tmp/password.txt

  5. Open the Keys tab. Open the OpenVPN configuration file you downloaded earlier (Download UDP or Download TCP).

    Static key - paste text from <tls-auth> to </tls-auth> block.
    Certificate Authority - paste text from <ca> to </ca> block.

    It should look like this:

    [Screenshot: Keys tab with the Static key and Certificate Authority fields filled in]
  6. Click Save at the bottom of the settings page to confirm and save all settings. To establish a connection, click Start Now. In order to check if you have connected successfully, visit the Status page.
  7. Configure the router to use NordVPN DNS servers to prevent DNS leaks:

    DNS Server: Manual
    DNS 1: 103.86.96.100
    DNS 2: 103.86.99.100

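The Server Address/Port, Protocol and Keys steps above all copy values out of the downloaded .ovpn file. As an added example that is not part of the original article, here are small sed/awk helpers (busybox on Tomato has both) that read those values out of the file so nothing has to be copied by eye. The sample file written by write_sample_ovpn is constructed for this example: its hostname, certificate and key bodies are placeholders, not real material.

```shell
#!/bin/sh
# Added example, not part of the original article: extract the values the
# Tomato OpenVPN client form asks for from an OpenVPN client config.

# ovpn_block TAG FILE: print the lines between <TAG> and </TAG>, without
# the tag lines themselves (TAG is "ca" or "tls-auth").
ovpn_block() {
    sed -n "/^<$1>/,/^<\/$1>/p" "$2" | sed '1d;$d'
}

# First "remote host port" line -> host (Server Address, first field)
ovpn_remote_host()   { awk '$1 == "remote" { print $2; exit }' "$1"; }
# First "remote host port" line -> port (Server Address, second field)
ovpn_remote_port()   { awk '$1 == "remote" { print $3; exit }' "$1"; }
# "proto udp|tcp" -> the value for the Protocol drop-down
ovpn_proto()         { awk '$1 == "proto" { print $2; exit }' "$1"; }
# "key-direction 1" -> the tls-auth drop-down: 1 corresponds to Outgoing (1)
ovpn_key_direction() { awk '$1 == "key-direction" { print $2; exit }' "$1"; }

# write_sample_ovpn PATH: constructed sample in the layout of an OpenVPN
# client config with inline <ca> and <tls-auth> blocks, for trying the
# functions above. Everything in it is a placeholder.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote example-server.placeholder 1194
resolv-retry infinite
remote-random
nobind
remote-cert-tls server
auth sha512
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCALINE1
PLACEHOLDERCALINE2
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDERKEYLINE1
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}
```

On a real file (say `nordvpn.ovpn`, a hypothetical name), `ovpn_block ca nordvpn.ovpn` prints what goes into Certificate Authority and `ovpn_block tls-auth nordvpn.ovpn` what goes into Static key; `ovpn_proto` tells you whether the port should be 1194 (UDP) or 443 (TCP), and `ovpn_key_direction` printing 1 confirms the Outgoing (1) choice for Extra HMAC authorization.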

Optional Kill Switch set up (for advanced users):

Navigate to Administration -> Scripts and, under Firewall, paste one of the following scripts.

  • Every client in LAN will lose internet connection in case of a VPN drop:

    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    # iptables has no "udp-reset" reject type; UDP is answered with ICMP port unreachable
    iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable

  • Only a specified IP address will lose internet access in case of a VPN drop:

    WAN_IF=`nvram get wan_iface`
    CLIENT_IP=192.168.1.50    # replace with the LAN IP of the client that must lose access
    iptables -I FORWARD -i br0 -s $CLIENT_IP -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -s $CLIENT_IP -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    # iptables has no "udp-reset" reject type; UDP is answered with ICMP port unreachable
    iptables -I FORWARD -i br0 -s $CLIENT_IP -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
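As an added example that is not part of the original article, the same kill-switch policy built in a checkable way: LAN-to-WAN forwarding is rejected so traffic can only leave through the tunnel, but the rules are generated by a function that uses only reject types iptables accepts, and they are inserted only if not already present so that re-running the Firewall script does not stack duplicates. The interface names and the client IP used in the checks are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: kill-switch rules for
# Tomato's Firewall script, generated and validated before insertion.

# valid_reject_type TYPE: the reject types the iptables REJECT target
# accepts. There is no "udp-reset"; UDP gets an ICMP port-unreachable.
valid_reject_type() {
    case "$1" in
        icmp-net-unreachable|icmp-host-unreachable|icmp-port-unreachable|\
        icmp-proto-unreachable|icmp-net-prohibited|icmp-host-prohibited|\
        icmp-admin-prohibited|tcp-reset) return 0 ;;
        *) return 1 ;;
    esac
}

# killswitch_rules WAN_IF LAN_IF [CLIENT_IP]
# Prints one rule specification per line (without "-I FORWARD"). With a
# client IP only that host is cut off; without one, the whole LAN is.
killswitch_rules() {
    wan=$1; lan=$2; src=$3
    s=""
    if [ -n "$src" ]; then s="-s $src "; fi
    printf '%s\n' \
        "-i $lan ${s}-o $wan -j REJECT --reject-with icmp-host-prohibited" \
        "-i $lan ${s}-p tcp -o $wan -j REJECT --reject-with tcp-reset" \
        "-i $lan ${s}-p udp -o $wan -j REJECT --reject-with icmp-port-unreachable"
}

# apply_killswitch WAN_IF LAN_IF [CLIENT_IP]
# Inserts each rule at the top of FORWARD unless it is already there
# (iptables -C checks for an identical rule). Needs root and iptables;
# on Tomato: apply_killswitch "$(nvram get wan_iface)" br0
apply_killswitch() {
    killswitch_rules "$@" | while read -r rule; do
        # $rule is intentionally left unquoted so it is split into arguments
        iptables -C FORWARD $rule 2>/dev/null || iptables -I FORWARD $rule
    done
}
```

Because each rule is inserted with `-I`, the last one inserted ends up first, so the protocol-specific rules (tcp-reset, ICMP port-unreachable) are matched before the catch-all, exactly as in the article's scripts. To confirm the switch is in place after a firewall rebuild, `iptables -S FORWARD` on the router should list all three rules near the top.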