How to set up OpenVPN on a Tomato router

In this article, you will learn how to set up the OpenVPN client on a Tomato router.

To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark’s pricing page.

As for the Tomato firmware, you can install it on various routers. To check if your router supports Tomato firmware, please check the official Tomato FAQ. If the router is supported, install it following Wiki Books Tomato Firmware/Installation and Configuration instructions.

 

You will learn how to:

  1. Get your credentials
  2. Choose a Surfshark server
  3. Configure the OpenVPN client
  4. Ensure your connection is successful

 

Get your credentials


NOTE: These are not your regular credentials, such as your email and password.

  1. Enter the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.


  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials.

    NOTE: Keep this tab open as we'll need it later.

 

Choose a Surfshark server

 

  1. Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.


  2. Click on the download icon to the right of the server name and click on Download UDP
     

 

Configure the OpenVPN client

NOTE: Please be informed that depending on the Tomato router version, some button locations/names may be different, although the functionality is still the same.

  1. Log into your Tomato router using a browser. Open the VPN > OpenVPN Client tab.
    tomato5.png

  2. In the Basic settings tab, enter the following information:

    Start with WAN: Checked
    Interface Type: TUN
    Protocol: UDP or TCP
    Server Address: Enter the hostname of the server (refer to Choose a Surfshark server section of this article)

    Port: 1194 if you selected UDP or 1443 for TCP connection
    Firewall: Automatic
    Authorization mode: TLS
    Username/Password Authentication: Checked
    Username: Your Surfshark service username (refer to Get your credentials section of this article)
    Password: Your Surfshark service password (refer to Get your credentials section of this article)
    Username Authen. Only: Unchecked
    Extra HMAC authorization (tls-auth): Outgoing (1)
    Create NAT on tunnel: Checked


    Please make sure that the Username/PasswordAuthentification tick box is selected.



  3. Now select the Advanced settings tab and enter the following:
    Poll interval: 0
    Redirect Internet traffic: Checked
    Accept DNS configuration: Strict
    Encryption cipher: None
    Compression: Disabled
    TLS Renegotiation Time: -1
    Connection retry: -1
    Verify server certificate (tls-remote): Unchecked

  4. Under Custom Configuration, please enter the following:
    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0
    auth SHA512
    cipher AES-256-CBC
    log /tmp/vpn.log

    tomato7.png

Please be informed that due to different Tomato versions, it may be possible to automatically upload the configuration as a file for an easier setup.

  1. Select the Keys tab and open the configuration file (refer to Choose a Surfshark server section of this article) in a text editor.

    In the Static key, enter the text from <tls-auth> to </tls-auth> block.

    Make sure to include -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines as well. In the Certificate Authority enter the text from <ca> to </ca> block. Make sure to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    tomato8.png

  2. Press the Save button at the bottom of the settings page.

    To establish a Surfshark server connection, press Start VPN Client 1 at the top right corner (if you have an older client, you should find the Start button at the bottom of the setup). 

    Ensure the connection is successful

     

    We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.


    Should any DNS leaks occur, you can try to configure your DNS addresses manually. To do so, open Basic Settings > Network. In the WAN Settings tab, change the DNS Server to Manual and enter the following addresses:

    162.252.172.57

    149.154.159.92

    TomDNS.png




You may also be interested in:

Was this article helpful?
Thank you for your feedback!