Your location: Your IP: Your status:ProtectedUnprotected · To the tests »

OpenVPN on a router with FreshTomato

FreshTomato: Change password | OpenVPN on a router with FreshTomato

Log into the router interface. If you haven’t done so already, you should change the default password under Administration > Admin Access.

Administration > TomatoAnon: Deactivate TomatoAnon if you don't want it | OpenVPN on a router with FreshTomato

By default the Tomato firmware uses a script called TomatoAnon which will send certain information back to the developer for feedback. This information includes:

  • MD5SUM of WAN+LAN MAC addresses (identifies the router)
  • Router model
  • Tomato version
  • Build type
  • Tomato MOD (e.g. FreshTomato)
  • Uptime
The information is submitted anonymously but if you want to not send back anything you can opt-out by going to Administration -> TomatoAnon and choose Yes, I do and want to make a choice and then No, I definitely wont enable it.

Basic > Networking: Configure DNS | OpenVPN on a router with FreshTomato

To configure DNS go to Basic -> Networking. You have two choices: If you only wanted to use the Internet while the router is connected to VPN, you can use Perfect Privacy name servers. You can find the DNS IP addresses on the DNS nameserver page in the download section.

If you want to have Internet connectivity without VPN you should use publicly available name servers. You can use either Google’s DNS or any servers from the OpenNIC project. When connected to VPN all DNS requests will go through the VPN tunnel so they are anonymized.

Enter the name servers as shown in the screenshot on the left, in this example we are using Google’s name servers 8.8.8.8 and 8.8.4.4.

Basic -> IPv6: Enable IPv6 | OpenVPN on a router with FreshTomato

In order for OpenVPN to work you need to activate IPv6. Under Basic > IPv6 change the IPv6 Service Type to 6rd from DHCPv4 (Option 212).

VPN Tunneling > OpenVPN Client: Set options as shown | OpenVPN on a router with FreshTomato

To configure the VPN connection, go to VPN Tunneling > OpenVPN Client. Under the Basic tab set the options as shown in the picture on the left. In this example we use the IP address of Amsterdam1 from the Amsterdam.conf. For Username and Password use your Perfect Privacy username and password.

If you activate the checkbox Start with WAN, the router will automatically establish the VPN connection on boot. If you rather want to establish the VPN connection manually you will instead have to use the Start Now button later.

Advanced: Set options as shown | OpenVPN on a router with FreshTomato

Under the Advanced tab set the options as shown in the picture on the left. Copy the text below into the Custom Configuration

tun-mtu 1500
fragment 1300
mssfix
hand-window 120
inactive 604800
mute-replay-warnings
remote-cert-tls server
persist-remote-ip
ping 5
ping-restart 120
reneg-sec 3600
route-delay 2
route-method exe
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLSDHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSAWITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBCSHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
key-direction 1

VPN Tunneling > OpenVPN Client: Keys Keys tab enter key and certificates from downloaded OpenVPN configuration file | OpenVPN on a router with FreshTomato

Under the Keys tab you will need to enter the certificates and keys from the OpenVPN configuration file that you downloaded earlier. Open the *.conf file for the server you are using, in this example Amsterdam.conf.

Into Static Key copy and paste the content between the <tls-auth></tls-auth> tags from the ovpn file.

For Certificate Authority use the content between the <ca></ca> tags.

Into Client Certificate copy the content between the <cert></cert> tags and for Client Key use the content between the <key></key> tags.

Administration > Scripts > Firewall: Enable firewall protection | OpenVPN on a router with FreshTomato

NOTE: This step will activate the firewall protection (Kill-Switch). If you add the firewall rules below, the Internet connection will only work if VPN is connected. If you want to use your router to access the Internet without VPN, either skip this step or remove the firewalls rules below again.

For the firewall configuration (leak protection) go to Administration > Scripts > Firewall. Insert the following lines into the window below:

iptables --flush FORWARD
iptables -P FORWARD DROP
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

Now save the configuration and reboot the router!

Perfect Privacy Check-IP | OpenVPN on a router with FreshTomato

You can check on any device connected to the Internet via the router that the connection is working correctly by visiting our Check IP page.

VPN Tunneling > OpenVPN Client: Disable automatic start of VPN connection | OpenVPN on a router with FreshTomato

If you want to access the internet without VPN, navigate to VPN Tunneling > OpenVPN Client > Basic and deactivate the checkbox Start with WAN.

Don't forget to also remove the firewall rules if you have added any before. Also you have to use publicly available name servers instead of the ones from Perfect Privacy.

After saving the settings click on the button Stop Now.

VPN
?!
This website uses cookies to analyze the traffic and to control our advertising. By using this site, you agree to the use of cookies. More information can be found in our privacy policy.