Router Setup

Tomato OpenVPN Setup Guide

Basic Tomato Setup

This guide was produced using FreshTomato version 2020.3
  1. Launch the web browser and enter the IP address of your router -, by default.

  2. Navigate to VPN Tunneling > OpenVPN Client > Basic.

  3. Enter the following configuration:

    • Start with WAN: Check
    • Interface Type: TUN
    • Protocol: UDP
    • Server Address/Port: Enter a server name from the server status page, e.g. and Port 2049
    You can also use ports UDP: 53, 80, 443, 1194, 2050 & TCP: 80, 443, 1443
    • Firewall: Automatic
    • Create NAT on tunnel: Check
    • Inbound Firewall: Check
    • Authorization Mode: TLS
    • TLS control channel: Outgoing Auth (1)
    • Username/Password Authentication: Check. Enter your account ID that begins with letters ‘ivpnXXXXXXXX’ or ‘i-XXXX-XXXX-XXXX’ (case-sensitive) and any password (ie. ivpn).
    • Auth digest: SHA1
    • Click Save.

  4. Navigate to Advanced tab and enter the following configuration:

    • Poll interval: 0

    • Redirect Internet traffic: All

    • Accept DNS configuration: Strict

    • Cipher Negotiation: Enabled (with fallback)

    • Negotiable ciphers: AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC

    • Legacy/fallback cipher: Use Default

    • Compression: None

    • TLS Renegotiation Time: -1

    • Connection retry: 30

    • Verify server certificate: Unchecked

    • Custom Configuration:

      tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      key-direction 1
      resolv-retry infinite
      keepalive 10 60
      verb 3
    • Click Save.

  5. Proceed to Keys tab > copy and paste Static Key and Certificate Authority into corresponding fields. Click Save.

  6. Navigate to Status tab and click the Start Now button to connect.

Configuring DNS

  1. Navigate to Basic - Network

  2. Specify one of the following DNS servers in the DNS 1 field:

    • = redular DNS with no blocking
    • = standard AntiTracker to block advertising and malware domains
    • = AntiTracker Hardcore Mode to also block Google and Facebook

    ..and in the DNS 2 field.

  3. Click Save.

Configuring a Kill-Switch

  1. Navigate to Administration > Scripts > Firewall
  2. Enter the following: iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
  3. Click Save and reboot your router.

Final steps

  1. Reboot your router and wait for a minute or two for everything to settle, then reboot your computer system.

  2. Check the assigned public IP address on our website and run a leak test at from one of the devices connected to your Tomato router.

Please note: If you plan to use a Multi-hop setup please see this guide and replace the port number in Step 3 with the chosen Exit-hop server Multi-hop port.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.