
Tomato router tutorial

In this tutorial, you will learn how to configure a Surfshark VPN tunnel on your Tomato router.

 

This method might be beneficial if you have devices that don't have VPN compatibility or you wish to protect all the Wi-Fi-connected devices at your home with a VPN.

 



To proceed, you need to have a router with Tomato firmware and an active Surfshark subscription.

If you don’t have a subscription yet, you can get one here.

As for the Tomato firmware, you can install Tomato on a variety of routers. To check if your router supports Tomato firmware, please check this article. If it does, install it by following these instructions.

Okay, have everything you need? Cool! Let’s get started.

 

 

 

Find your login details

Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password. You’ll need Surfshark service credentials to connect to the VPN using the manual OpenVPN configuration method explained below.

Here is how you can get your Surfshark service credentials:

 

  1. Go to this page. This is the page where you will find all the details required for a manual connection.

    You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.

  2. Click on the Credentials tab on top. You will find the Surfshark service username and password there.


    It is a good idea to keep this page open for now. You will need these credentials a bit later.


Choose a Surfshark server


Every server location has a hostname that you need to use on the router to connect to a particular server.

  1. Please switch to the Files section to find the list of all servers and their hostnames. Copy the hostname of your preferred location - you will use it a bit later. 


    You will need the hostname of the VPN server. You can find the hostname below the flag icon of each location. If you wish to connect to Poland, copy the hostname for Poland - Warsaw or Poland - Gdansk servers. If you prefer connecting to Finland, copy the hostname of the Finland - Helsinki server.

  2. Now, download your location by using the button on the right side.


  3. Once a prompt appears asking which protocol you prefer, select Download UDP to download the configuration file. 




 

Configure the OpenVPN client

 

  1. Log into your Tomato router using a browser. Open the VPN > OpenVPN Client tab.


  2. In the Basic settings tab, enter the following information:

    Start with WAN: Checked;
    Interface Type: TUN;
    Protocol: UDP or TCP;
    Server Address: Enter the hostname of the server you wish to connect to from the Choose a Surfshark server step.
    Port: 1194 if you selected UDP or 1443 for TCP connection;
    Firewall: Automatic;
    Authorization mode: TLS;
    Username/Password Authentication: Checked;
    Username: Your Surfshark Service username from the Find your login details step.
    Password: Your Surfshark Service password from the Find your login details step.
    Username Authen. Only: Unchecked;
    Extra HMAC authorization (tls-auth): Outgoing (1);
    Create NAT on tunnel: Checked.


  3. Now select the Advanced settings tab and enter the following options:

    Poll interval: 0;
    Redirect Internet traffic: Checked;
    Accept DNS configuration: Strict;
    Encryption cipher: None;
    Compression: Disabled;
    TLS Renegotiation Time: -1;
    Connection retry: -1;

    Verify server certificate (tls-remote): Unchecked;

    Under Custom Configuration, please enter the following:

    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0
    auth SHA512
    cipher AES-256-CBC
    log /tmp/vpn.log


  4. Select the Keys tab and open the configuration file (from the Choose a Surfshark server step) in a text editor. In the Static key field, enter the text from the <tls-auth> to </tls-auth> block.

    Make sure to include the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines as well. In the Certificate Authority field, enter the text from the <ca> to </ca> block. Make sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


  5. Apply the changes by pressing the Save button at the bottom of the settings page.

    To establish a Surfshark server connection, press Start VPN Client 1 at the top right corner (if you have an older client, you should find the Start button at the bottom of the setup). To make sure your connection is successful, please check the Status tab and this article.

    To prevent DNS leaks, you may also configure your DNS addresses. To do so, please open Basic Settings > Network. In the WAN Settings tab, change the DNS Server to Manual and enter the following addresses:

    208.67.222.222
    208.67.220.220

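The Keys step above can also be done from a command line instead of a text editor. The script below is an added example, not part of Surfshark's instructions: it pulls the <ca> and <tls-auth> blocks out of a downloaded configuration file, checks that the BEGIN/END marker lines are present, and lists the directives to compare against the values typed into the router. The function names, the sample file, the host name vpn.example.test and the key and certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Surfshark's code). The sample file is constructed:
# host name and key/certificate bodies are placeholders, not real material.

# Print the lines between <TAG> and </TAG>, without the tag lines.
# Trailing CRs are stripped so files saved with Windows line endings work.
extract_block() {  # usage: extract_block FILE TAG
    awk -v tag="$2" '
        { sub(/\r$/, "") }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
        $0 == ("<" tag ">")  { inside = 1 }
    ' "$1"
}

# Succeed only if the block contains both marker lines the router expects.
has_markers() {  # usage: has_markers FILE TAG BEGIN_LINE END_LINE
    block=$(extract_block "$1" "$2")
    printf '%s\n' "$block" | grep -Fqx -e "$3" &&
    printf '%s\n' "$block" | grep -Fqx -e "$4"
}

# List the directives that map to fields on the Basic and Advanced tabs.
gui_directives() {  # usage: gui_directives FILE
    tr -d '\r' < "$1" | grep -E '^(remote|proto|auth|cipher|key-direction) '
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
proto udp
remote vpn.example.test 1194
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholderstatickeybody
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

extract_block "$SAMPLE" ca          # paste into Certificate Authority
extract_block "$SAMPLE" tls-auth    # paste into Static key
gui_directives "$SAMPLE"            # compare with the values typed in the GUI
```

To use it on a real download, call the three functions with the path of the .ovpn file in place of "$SAMPLE".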

 

Congratulations - you have successfully installed and configured Surfshark VPN on your router! As long as you’re connected, your location is private, and your sensitive data is secure.

 


If you have any further questions, our customer success team is here to help you 24/7 over live chat or email.
