How to set up OpenVPN on a Tomato router

In this article, you will learn how to set up the OpenVPN client on a Tomato router.

To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark’s pricing page.

As for the Tomato firmware, you can install it on various routers. To find out whether your router supports Tomato firmware, check the official Tomato FAQ. If the router is supported, install the firmware by following the Wikibooks Tomato Firmware/Installation and Configuration instructions.


You will learn how to:

  1. Get your credentials
  2. Choose a Surfshark server
  3. Configure the OpenVPN client
  4. Ensure your connection is successful


Get your credentials

NOTE: These are not your regular credentials, such as your email and password.

  1. Go to the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.

  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials.

    NOTE: Keep this tab open as we'll need it later.


Choose a Surfshark server


  1. Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.

  2. Click on the download icon to the right of the server name, then click on Download UDP.


Configure the OpenVPN client


  1. Log into your Tomato router using a browser. Open the VPN > OpenVPN Client tab.

  2. In the Basic settings tab, enter the following information:

    Start with WAN: Checked
    Interface Type: TUN
    Protocol: UDP or TCP
    Server Address: Enter the hostname of the server (refer to the Choose a Surfshark server section of this article)
    Port: 1194 if you selected UDP, or 1443 for a TCP connection
    Firewall: Automatic
    Authorization mode: TLS
    Username/Password Authentication: Checked
    Username: Your Surfshark service username (refer to the Get your credentials section of this article)
    Password: Your Surfshark service password (refer to the Get your credentials section of this article)
    Username Authen. Only: Unchecked
    Extra HMAC authorization (tls-auth): Outgoing (1)
    Create NAT on tunnel: Checked


  3. Now select the Advanced settings tab and enter the following:
    Poll interval: 0
    Redirect Internet traffic: Checked
    Accept DNS configuration: Strict
    Encryption cipher: None (the cipher directive is entered under Custom Configuration in step 4)
    Compression: Disabled
    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate (tls-remote): Unchecked

  4. Under Custom Configuration, please enter the following:
    remote-cert-tls server
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    reneg-sec 0
    auth SHA512
    cipher AES-256-CBC
    log /tmp/vpn.log


  5. Select the Keys tab and open the configuration file (refer to the Choose a Surfshark server section of this article) in a text editor.

    In the Static key field, enter the text from the <tls-auth> to </tls-auth> block. Make sure to include the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines as well.

    In the Certificate Authority field, enter the text from the <ca> to </ca> block. Make sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


  6. Press the Save button at the bottom of the settings page.

    To establish a Surfshark server connection, press Start VPN Client 1 at the top right corner (if you have an older client, you should find the Start button at the bottom of the setup). 
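
    An added example, not part of the original article or of Surfshark's tooling: a small Python helper that reads a downloaded configuration file and returns exactly what steps 2 and 5 ask you to paste, refusing a block whose BEGIN/END lines are missing. The sample file content, the placeholder hostname, and the names extract_block and router_fields are constructed for illustration.

```python
import re

# Constructed sample standing in for a downloaded .ovpn file (no real key material).
SAMPLE_OVPN = """\
proto udp
remote xx-yyy.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# comment line that does not belong in the pasted key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

MARKERS = {
    "ca": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
    "tls-auth": ("-----BEGIN OpenVPN Static key V1-----",
                 "-----END OpenVPN Static key V1-----"),
}
# Ports the article gives for each protocol.
ARTICLE_PORTS = {"UDP": 1194, "TCP": 1443}

def extract_block(text, tag):
    """Return the text to paste for <tag>: BEGIN line through END line inclusive."""
    m = re.search(rf"<{tag}>\s*\n(.*?)\n\s*</{tag}>", text, re.S)
    if not m:
        raise ValueError(f"no <{tag}> block in config")
    begin, end = MARKERS[tag]
    body = m.group(1)
    start, stop = body.find(begin), body.find(end)
    if start < 0 or stop < start:
        raise ValueError(f"<{tag}> block lacks its BEGIN/END lines")
    return body[start:stop + len(end)]

def router_fields(text):
    """Map the file's directives and blocks to the Tomato fields named in the article."""
    proto = re.search(r"^proto\s+(\S+)", text, re.M).group(1).upper()
    host, port = re.search(r"^remote\s+(\S+)\s+(\d+)", text, re.M).groups()
    return {"Protocol": proto, "Server Address": host, "Port": int(port),
            "Port matches article": ARTICLE_PORTS.get(proto) == int(port),
            "Static key": extract_block(text, "tls-auth"),
            "Certificate Authority": extract_block(text, "ca")}
```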

Ensure the connection is successful


We always recommend checking that Surfshark VPN is working after setting it up for the first time. You can easily do so by running the Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.

Should any DNS leaks occur, you can try to configure your DNS addresses manually. To do so, open Basic Settings > Network. In the WAN Settings tab, change the DNS Server to Manual and enter the following addresses:



