Tomato is a custom firmware for routers. It offers OpenVPN client support and is available on a wide variety of routers. You can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.
First things first, these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common, the default local IPs that most routers have are 192.168.1.1 or 192.168.0.1 – you can access these by opening http://192.168.1.1 or http://192.168.0.1 in your browser. The default IP, username and password are listed in your router’s User Manual.
- Open the router settings page on your browser by entering the router local address (192.168.1.1 by default).
- On the left side menu, click VPN Tunneling -> OpenVPN Client.
- Set the following options:
Start with WAN - Check the box.
Interface Type - Select TUN.
Protocol - Choose either UDP or TCP and keep it in mind as this will be important later on.
Server Address/Port:
In a first field, enter the hostname of the server you want to connect to. You can find it at /servers/tools/ page. Additionally, download the server's configuration file on the same page below a hostname.
For the second field, depending on the protocol chosen earlier, input 1194 for UDP or 443 for TCP.
Firewall - Automatic.
Authorization Mode - TLS.
Username/Password Authentication - Checked. Enter your NordVPN service credentials in the fields below.
You can find your NordVPN service credentials at the Nord Account dashboard. Copy the credentials using the buttons on the right.
Some Tomato routers may not have any fields for entering OpenVPN credentials. In such a case, go to Administration -> Scripts and the commands below into the Init field. Make sure to change the username and password to your NordVPN service credentials:
Username Authen. Only - Unchecked (default).
Extra HMAC authorization (tls-auth) - Choose Outgoing (1) from the drop-down list.
Create NAT on tunnel - Checked.
echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt
- Click on Advanced tab and set the following options:
Poll Interval: 0
Redirect Internet traffic: Checked
Accept DNS configuration: Strict
Encryption cipher: AES-256-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection retry: -1
Verify server certificate: Unchecked
Custom Configuration:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
auth sha512
#log /tmp/vpn.log
#Delete `#` in the line below if your router does not have credentials fields
#auth-user-pass /tmp/password.txt
- Open the Keys tab. Open a configuration file downloaded at step 3.
Static key - paste text from <tls-auth> to </tls-auth> block.
Certificate Authority - paste text from <ca> to </ca> block.
It should look like this:
- Click Save at the bottom of the settings page to confirm and save all settings. To establish a connection, click Start Now. In order to check if you have connected successfully, visit the Status page.
- Configure the router to use NordVPN DNS servers to prevent DNS leaks:
DNS Server: Manual
DNS 1: 103.86.96.100
DNS 2: 103.86.99.100
Optional Kill Switch set up (for advanced users):
Navigate to Administration > Scripts and under Firewall paste one of the following scripts.
- Every client in LAN will lose internet connection in case of a VPN drop:
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
- Only a specified IP address will lose internet access in case of a VPN drop:
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
