How to configure Tomato - OpenVPN?
Written by Steve M
Updated over a week ago

These instructions are for routers that have Tomato firmware installed. You can use the OpenVPN protocol to configure a VPN on the router.

1. In your browser, open the router settings page by entering its address in the address bar (the address is 192.168.1.1 by default).

2. In the menu on the left side of the screen, click on the VPN Tunneling tab and then click on the OpenVPN Client tab.

3. As shown in the screenshot, set the following options:

Start with WAN – Check the box.

Interface Type – TUN.

Protocol – Choose either UDP 

Server Address/Port – Enter the server address in the first field and the port in the second one. The port is 1194.
You can find our server addresses here

Firewall – Automatic.

Authorization Mode – TLS.

Username/Password Authentication – Checked. Enter your LimeVPN credentials in the fields that appear.

Username Authen. Only – Unchecked (default).

Extra HMAC authorization (tls-auth) – Choose Outgoing (1) from the drop down list.

Create NAT on tunnel – Checked.

3.1. Some Tomato routers do not have fields for entering OpenVPN credentials. If this is the case for your router, go to Administration -> Scripts and enter these lines into the Init field, replacing username and password with your LimeVPN credentials:

echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt

4. Click on Advanced tab and set the following options, as shown in the screenshot:

Poll Interval: 0
Redirect Internet traffic: Checked
Accept DNS configuration: Strict
Encryption cipher: AES-256-CBC
Compression: Adaptive
TLS Renegotiation Time: -1
Connection retry: -1
Verify server certificate: Unchecked
Custom Configuration:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log

# Remove the leading # from the line below if your router does not have credentials fields:
#auth-user-pass /tmp/password.txt

# If the connection is not successful, remove the leading # from the line below and try again:
#auth sha512

5. Proceed by clicking on the Keys tab. Download the OpenVPN configuration files and extract them. Find the configuration file for the server you are setting up and open it.

Static key – copy and paste the text from the <tls-auth> to </tls-auth> block into this field.

Certificate Authority – copy and paste the text from the <ca> to </ca> block into this field.
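
The copy step above, as an added shell example (not LimeVPN's or Tomato's own code): it prints the lines between the <ca> and <tls-auth> tags of a configuration file and rejects a block whose BEGIN or END marker line is missing, which is what a truncated paste looks like. The function names and the sample profile are constructed for illustration, and the key material in the sample is placeholder text.

```shell
#!/bin/sh
# Added example (not LimeVPN code); function names are illustrative.

# extract_block TAG FILE: print the lines between <TAG> and </TAG>,
# dropping Windows line endings so the text pastes cleanly.
extract_block() {
    awk -v tag="$1" '
        { sub(/\r$/, "") }
        $0 ~ "^[ \t]*</" tag ">[ \t]*$" { inside = 0 }
        inside { print }
        $0 ~ "^[ \t]*<" tag ">[ \t]*$"  { inside = 1 }
    ' "$2"
}

# check_block KIND FILE: succeed only if the block carries both marker
# lines expected for KIND (ca or tls-auth), i.e. it is present and complete.
check_block() {
    case "$1" in
        ca)       label="CERTIFICATE" ;;
        tls-auth) label="OpenVPN Static key V1" ;;
        *)        return 2 ;;
    esac
    body=$(extract_block "$1" "$2")
    printf '%s\n' "$body" | grep -qxF -- "-----BEGIN $label-----" &&
        printf '%s\n' "$body" | grep -qxF -- "-----END $label-----"
}

# Constructed sample profile; the key material is placeholder text.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
client
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNB
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

for kind in ca tls-auth; do
    check_block "$kind" "$SAMPLE" || { echo "$kind: missing or truncated" >&2; continue; }
    echo "== $kind: paste into the Keys tab =="
    extract_block "$kind" "$SAMPLE"
done
```

To use it on a downloaded profile, point SAMPLE at that file instead of the constructed one.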


6. Confirm and save all changes by clicking on the Save button at the bottom of the settings page.

To establish a connection, click on the Start Now button. To check whether you have connected successfully, visit the Status page.

7. To set up a kill switch on the Tomato router, do the following:

Navigate to Administration -> Scripts and, under Firewall, type in:


(Every client in LAN will lose internet connection in case of VPN drop.)

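# Read the WAN interface name from NVRAM
WAN_IF=$(nvram get wan_iface)
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type, so UDP is rejected with ICMP port-unreachable
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable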

(Only specified IP address will lose internet access in case of VPN drop.)

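WAN_IF=$(nvram get wan_iface)
# Replace "ip address" with the LAN IP address of the device to restrict
CLIENT_IP="ip address"
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type, so UDP is rejected with ICMP port-unreachable
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable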
