OpenVPN on routers with Tomato by Shibby

This documentation describes how to configure OpenVPN on routers with Tomato firmware by Shibby. For this documentation we used an Asus RT-AC56U, but it should work on any router running Tomato. Here you can find a list of compatible Tomato routers.

Go to the download section in the member area of the Perfect Privacy website and click on the router icon on the top right.

Choose your configuration type; we recommend using

  • Type: Servers grouped
  • Protocol: UDP
  • Encryption: AES-256-CBC

Then click on Download and save the file mobile_udp.zip on your PC.

Tip: Depending on the CPU performance of the router you may want to use the weaker encryption AES-128-CBC to improve bandwidth.

Log into the router interface. If you haven’t done so already, you should change the default password under Administration -> Admin Access.

By default the Tomato firmware uses a script called TomatoAnon which will send certain information back to the developer for feedback. This information includes:

  • Router model
  • Tomato version
  • Build type
  • Uptime

The information is submitted anonymously, but if you do not want to send anything back you can opt out by going to Administration -> TomatoAnon and choosing

  • “Yes, i do and want to make a choice”
  • “No, i definitely wont enable it”

To configure DNS go to Basic -> Networking. You have two choices: If you only want to use the Internet while the router is connected to the VPN, you can use Perfect Privacy name servers. You can find the DNS IP addresses here.

If you want to have Internet connectivity without VPN you should use publicly available name servers. You can use either Google’s DNS or any servers from the OpenNIC project. When connected to the VPN all DNS requests will go over the VPN tunnel, so they are anonymized.

Enter the name servers as shown in the screenshot on the left. In this example we are using Google’s name servers 8.8.8.8 and 8.8.4.4.

In order for OpenVPN to work you need to activate IPv6. Under Basic -> IPv6 change the IPv6 Service Type to 6rd from DHCPv4 (Option 212).

To configure the VPN connection, go to VPN Tunneling -> OpenVPN Client.

Under the Basic tab set the options as shown in the picture on the left. For Username and Password use your Perfect Privacy username and password.

If you activate the checkbox Start with WAN the router will automatically establish the VPN connection on boot.

Under the Advanced tab set the options as shown in the picture on the left.

Copy the text below into the Custom Configuration field:

tun-mtu 1500
fragment 1300
mssfix
auth SHA512
#float
hand-window 120
inactive 604800
mute-replay-warnings
ns-cert-type server
persist-remote-ip
ping 5
ping-restart 120
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
key-direction 1

Under the Keys tab you will need to enter the certificates and keys from the OpenVPN configuration file that you downloaded earlier. Open the *.ovpn file for the server you are using, in this example Amsterdam.ovpn.

Copy and paste the following blocks from the ovpn file into the corresponding fields:

  • Static Key: the content between the <tls-auth></tls-auth> tags
  • Certificate Authority: the content between the <ca></ca> tags
  • Client Certificate: the content between the <cert></cert> tags
  • Client Key: the content between the <key></key> tags
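Copying four PEM blocks by hand is error-prone, so here is an added Python helper (not part of the howto or of Perfect Privacy's tooling) that pulls the inline blocks out of a profile and maps them to the Tomato Keys-tab fields. The embedded profile is a constructed sample with placeholder bodies, not the real Amsterdam.ovpn.

```python
import re

# Constructed sample of an .ovpn profile with inline credentials; the PEM
# bodies are placeholders, not real keys (the real Amsterdam.ovpn is not shown).
SAMPLE_OVPN = """client
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Tomato "Keys" tab field -> inline tag it is filled from.
TOMATO_FIELDS = {"Static Key": "tls-auth", "Certificate Authority": "ca",
                 "Client Certificate": "cert", "Client Key": "key"}

def extract_inline_blocks(ovpn_text):
    """Return {tag: body} for each <tag>...</tag> block, body without the tags."""
    pattern = re.compile(r"^<(ca|cert|key|tls-auth)>\n(.*?)\n</\1>$", re.S | re.M)
    return {m.group(1): m.group(2).strip() for m in pattern.finditer(ovpn_text)}

def tomato_key_fields(ovpn_text):
    """Map each Keys-tab field to its PEM text; fail loudly if a block is absent."""
    blocks = extract_inline_blocks(ovpn_text)
    missing = [t for t in TOMATO_FIELDS.values() if t not in blocks]
    if missing:
        raise ValueError("profile lacks inline block(s): " + ", ".join(missing))
    return {field: blocks[tag] for field, tag in TOMATO_FIELDS.items()}

def key_direction(ovpn_text):
    """Return the key-direction value that must accompany the tls-auth key."""
    m = re.search(r"^key-direction\s+(\d)\s*$", ovpn_text, re.M)
    return int(m.group(1)) if m else None
```

The key-direction value the helper reports must match the `key-direction 1` line in the Custom Configuration, otherwise the tls-auth HMAC check fails and the handshake never completes.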

NOTE: This step will activate the firewall protection (Kill-Switch). If you add the firewall rules below, the Internet connection will only work while the VPN is connected. If you want to use your router to access the Internet without VPN, either skip this step or remove the firewall rules below again.

For the firewall configuration (leak protection) go to Administration -> Scripts -> Firewall.

Insert the following lines into the window below Firewall:

iptables --flush FORWARD
iptables -P FORWARD DROP
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
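To verify that the rules above really fail closed, here is an added Python audit (not from the howto) that reads the output of `iptables -S FORWARD` taken on the router and reports any ACCEPT rule that is not bound to a tun interface or a policy other than DROP. Both rule listings below are constructed samples; the interface names br0 and vlan2 in the leaky one are assumed, not taken from the page.

```python
import shlex

# Constructed "iptables -S FORWARD" output after the firewall script has run
# (rules were added with -I, so the last one inserted is listed first).
FORWARD_KILL_SWITCH = """-P FORWARD DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
"""

# Constructed output of a chain that still forwards LAN traffic straight to the
# WAN interface; br0/vlan2 are assumed interface names for the sample only.
FORWARD_LEAKY = """-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
"""

def audit_forward_chain(iptables_s_output):
    """Check that forwarded traffic can only enter or leave via a tun interface.

    Returns a list of findings; an empty list means the chain fails closed,
    i.e. with the tunnel down nothing is forwarded to the WAN. Only simple
    "-flag value" rules are parsed (enough for the howto's ruleset).
    """
    findings = []
    policy = None
    for raw in iptables_s_output.splitlines():
        if not raw.strip():
            continue
        tokens = shlex.split(raw)
        if tokens[:2] == ["-P", "FORWARD"]:
            policy = tokens[2]
            continue
        if tokens[:2] != ["-A", "FORWARD"]:
            continue
        opts = dict(zip(tokens[2::2], tokens[3::2]))  # e.g. {"-i": "tun+", "-j": "ACCEPT"}
        if opts.get("-j") != "ACCEPT":
            continue  # DROP/REJECT/LOG rules cannot leak traffic
        bound_to_tun = (opts.get("-i", "").startswith("tun")
                        or opts.get("-o", "").startswith("tun"))
        if not bound_to_tun:
            findings.append("ACCEPT rule not bound to a tun interface: " + raw)
    if policy != "DROP":
        findings.append("FORWARD policy is %s, expected DROP" % policy)
    return findings
```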

Now you can start the VPN connection by going to VPN Tunneling -> OpenVPN Client and clicking on Start Now.

You can check on any device connected to the Internet via the router that the connection is working correctly by visiting our check-ip website.

If you want to use the Internet without VPN go to VPN Tunneling -> OpenVPN Client -> Basic and deactivate the checkbox Start with WAN. Remember that you may need to remove the firewall rules for the leak protection if you have added them previously.

After saving click on the Stop Now button.

If you have any questions, comments or other feedback regarding this howto, please use the corresponding thread in our community forums.