< Back

Tomato router tutorial

Tomato is a custom firmware for routers that offers OpenVPN protocol support which will be used to connect to Surfshark servers following this tutorial. You can install Tomato on a variety of routers. To check if your router supports Tomato firmware, please check this article. If it does, you can install it by following these instructions. Please note, that Surfshark is not to be held responsible for any damage done to the router or void of warranty that could be caused by flashing your router.

If you run into any difficulties while installing Tomato on your router, feel free to contact our customer support team by following this article.

This guide was made using the following firmware: Tomato Version: 3.5-140.

At first, you will need to get Surfhark service credentials. Those are the credentials, different from the ones that you use to log in to our website or the app.  To find them, go to the login page of our website here and log in. 

Once you log in, go to VPN -> Manual setup -> Router, click on the Credentials tab at the top of the page. You will find your service credentials there.


Switch to the Files tab where you will see the full list of Surfshark servers. You will need one server's hostname that you will find under its name (for example, al-tia.prod.surfshark.com, which is a hostname of Albania - Tirana).


1. Open the VPN > OpenVPN Client tab.


2. In the Basic settings tab enter the following information:

Start with WAN: Checked;
Interface Type: TUN;
Protocol: UDP or TCP;
Server Address: Enter the hostname of the server you wish to connect to. You can get it by navigating to the page here;
Port: 1194 if you selected UDP or 1443 for TCP connection;
Firewall: Automatic;
Authorization mode: TLS;
Username/Password Authentication: Checked;
Username: Your Surfshark Service username that you have collected in the beginning
Password: Your Surfshark Service password that you have collected in the beginning
Username Authen. Only: Unchecked;
Extra HMAC authorization (tls-auth): Outgoing (1);
Create NAT on tunnel: Checked.


3. Now select the Advanced settings tab and enter the following options:

Poll interval: 0;
Redirect Internet traffic: Checked;
Accept DNS configuration: Strict;
Encryption cipher: None;
Compression: Disabled;
TLS Renegotiation Time: -1;
Connection retry: -1;
Verify server certificate (tls-remote): Unchecked;

In the Custom Configuration please enter the following:

remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
auth SHA512
cipher AES-256-CBC
log /tmp/vpn.log


4. Select the Keys tab and open the configuration file, that you download from the link here. In the Static key enter the text from <tls-auth> to </tls-auth> block. Make sure to include -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines as well. In the Certificate Authority enter the text from <ca> to </ca> block. Make sure to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.


6. Apply the changes by pressing Save button at the bottom of the settings page. To establish a connection with a Surfshark server, press the Start VPN Client 1 at the top right corner (if you have an older client, you should find Start button at the bottom of the setup). To make sure you have connected successfully, please check the Status tab and this article.

To prevent DNS leaks, you may also configure your DNS addresses. To do so, please open Basic Settings > Network. In the WAN Settings tab, change the DNS Server to Manual and enter the following addresses:


That's it! You have now successfully connected to Surfshark via OpenVPN protocol using the Tomato firmware and should not experience any DNS leaks.

Was this article helpful?