NordVPN Help Center
One place for all the information you need

Tomato router setup


Tomato is a custom firmware for routers. It supports the OpenVPN, L2TP and PPTP protocols and is available on a wide variety of routers. You can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.

First things first: these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common default local IPs are 192.168.1.1 and 192.168.0.1; you can access these by opening http://192.168.1.1 or http://192.168.0.1 in your browser. The default IP, username and password are listed in your router’s User Manual.

Choose a VPN protocol below:

OpenVPN

Here is how to connect using the OpenVPN protocol:

  • 1. In your browser, open the router settings page by entering its address in the address bar (the address is 192.168.1.1 by default).
  • 2. In the menu on the left side of the screen, click on the VPN Tunneling tab and then on the OpenVPN Client tab.
  • 3. As shown in the screenshot, set the following options:
    Start with WAN - Check the box.
    Interface Type - TUN.
    Protocol - Choose either UDP or TCP.
    Server Address/Port - Enter the server address in the first field and the port in the second one: 1194 if you set Protocol to UDP, or 443 if you chose TCP.
    Please visit our server list to find the address of the server you wish to connect to (you need to be logged in to see the server address field).
    Firewall - Automatic.
    Authorization Mode - TLS.
    Username/Password Authentication - Checked. Enter your NordVPN credentials in the fields that appear.
    Username Authen. Only - Unchecked (default).
    Extra HMAC authorization (tls-auth) - Choose Outgoing (1) from the drop-down list.
    Create NAT on tunnel - Checked.
  • 3.1. Some Tomato routers may not have any fields for entering OpenVPN credentials. If this is your case, go to Administration -> Scripts and enter these lines into the Init field, changing username and password to your NordVPN credentials:
    echo username > /tmp/password.txt
    echo password >> /tmp/password.txt
    chmod 600 /tmp/password.txt
  • 4. Click on the Advanced tab and set the following options, as shown in the screenshot:

    Poll Interval: 0
    Redirect Internet traffic: Checked
    Accept DNS configuration: Strict
    Encryption cipher: AES-256-CBC
    Compression: Adaptive
    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate: Unchecked
    Custom Configuration:
    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0

    #log /tmp/vpn.log

    #Delete `#` in the line below if your router does not have credentials fields:
    #auth-user-pass /tmp/password.txt

    #Delete `#` in the line below when connecting to our newest servers:
    #auth sha512

  • 5. Proceed by clicking on the Keys tab. Download the OpenVPN configuration pack and extract it. Find the configuration file for the server you are setting up and open it (in this case at1.nordvpn.com.udp1194.ovpn).
    Static key - in this field, copy and paste the text from the <tls-auth> to </tls-auth> block.
    Certificate Authority - in this field, copy and paste the text from the <ca> to </ca> block.
    [Screenshot: the Keys tab with the Static key and Certificate Authority fields filled in]
  • 6. Confirm and save all changes by clicking on the Save button at the bottom of the settings page. To establish a connection, click on the Start Now button. To check whether you have connected successfully, visit the Status page.
  • 7. You should also configure the router to use NordVPN DNS servers to prevent DNS leaks.
    [Screenshot: the router's DNS server setting]
  • 8. To set up a killswitch on the Tomato router, do the following:

    Navigate to Administration -> Scripts and under Firewall type in:

    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    # iptables REJECT has no "udp-reset" type; UDP is refused with ICMP port-unreachable
    iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable

    (Every client in LAN will lose internet connection in case of VPN drop.)

    # Sample value: replace with the LAN IP address of the device to block
    CLIENT_IP=192.168.1.100
    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -s $CLIENT_IP -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -s $CLIENT_IP -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -s $CLIENT_IP -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable

    (Only specified IP address will lose internet access in case of VPN drop.)
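
A check for the killswitch in step 8, added here as an example (it is not NordVPN's or Tomato's own code): it reads FORWARD rules in the `-A FORWARD ...` form that `iptables-save` prints and reports whether the block covers the whole LAN, only listed hosts, or is bypassed by an earlier ACCEPT. The function name, the sample rules and the interface names `vlan2` and `tun11` are assumptions, as is `iptables-save` being available on your Tomato build.

```shell
#!/bin/sh
# killswitch_scope RULES LAN_IF WAN_IF
# RULES holds FORWARD rules in iptables-save form ("-A FORWARD ...").
# Prints: all | hosts: <src> ... | shadowed | none
killswitch_scope() {
    printf '%s\n' "$1" | awk -v lan="$2" -v wan="$3" '
    $1 == "-A" && $2 == "FORWARD" {
        in_if = out_if = src = proto = target = ""
        for (i = 3; i < NF; i++) {
            if      ($i == "-i") in_if  = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-s") src    = $(i + 1)
            else if ($i == "-p") proto  = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (in_if != lan || out_if != wan) next
        # An ACCEPT ahead of every block rule lets LAN traffic out first.
        if (target == "ACCEPT" && !all && hosts == "") { shadowed = 1; next }
        if (target != "REJECT" && target != "DROP") next
        # Rules with -p only pick the reject type for one protocol; the
        # rule without -p is the one that blocks all traffic.
        if (proto != "") next
        if (src == "") all = 1
        else hosts = hosts " " src
    }
    END {
        if (shadowed)         print "shadowed"
        else if (all)         print "all"
        else if (hosts != "") print "hosts:" hosts
        else                  print "none"
    }'
}

# Constructed samples; vlan2 stands in for the value of wan_iface.
SAMPLE_ALL='-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o tun11 -j ACCEPT'
SAMPLE_HOST='-A FORWARD -s 192.168.1.100/32 -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_SHADOWED='-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited'

for s in "$SAMPLE_ALL" "$SAMPLE_HOST" "$SAMPLE_SHADOWED"; do
    killswitch_scope "$s" br0 vlan2
done
```

On the router, pass the output of `iptables-save` as the first argument and the value of `nvram get wan_iface` as the third; a result of `shadowed` or `none` means LAN traffic can still leave through the WAN interface when the tunnel is down.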


L2TP
Please Note: Although technically you can use the L2TP / PPTP protocols, they have serious security flaws. Whenever possible, we recommend choosing OpenVPN or IKEv2/IPSec instead.

This tutorial explains how to connect your Tomato firmware router to NordVPN using the L2TP protocol.

Please note that L2TP alone does not encrypt your traffic; it only reroutes you through one of our servers. Please use it at your own risk. This does not apply to L2TP/IPsec.

To use the L2TP protocol on your Tomato router, follow these steps:

1. Go to Basic -> Network

2. Fill in these fields:

Type: L2TP
Username: Your NordVPN username
Password: Your NordVPN password
L2TP Server: any server from our list: https://nordvpn.com/servers/, for example: de85.nordvpn.com
Use DHCP: Check
Subnet Mask: 255.255.255.0
Connect Mode: Keep Alive
Redial Interval: 30
MTU: Default


3. Click on Save.


PPTP
Please Note: Although technically you can use the L2TP / PPTP protocols, they have serious security flaws. Whenever possible, we recommend choosing OpenVPN or IKEv2/IPSec instead.

This tutorial explains how to connect your Tomato firmware router to NordVPN using the PPTP protocol.

Please note that PPTP is a very old VPN protocol, and is considered unsafe. Please use it at your own risk.

To connect to the VPN using the PPTP protocol:

1. Go to VPN Tunneling -> PPTP Client;
2. Enable the Start with WAN feature;
3. In the Server Address field, enter the address of the server you want to connect to. Our server list can be found here: https://nordvpn.com/servers/;
4. Enter your NordVPN username and password;
5. Check the Stateless MPPE connection;
6. Set Accept DNS Configuration to Exclusive;
7. Enable Redirect Internet Traffic and Create NAT on tunnel features;
8. Save the settings you have changed;


9. Connect to the VPN.
