Setup OpenVPN on Tomato (firmware) and enjoy secure browsing / access to your network

**InsaneNutter** · 27-09-11, 12:57

What is a VPN?

A VPN is a virtual private network that uses a public network such as the internet to connect private networks together, securely, at multiple locations.

Why would I want to setup a VPN?

A VPN can have a number of uses, these include:

Secure access to your network from an insecure location, such as a free Wi-Fi hotspot.
Privacy – when connected to a VPN all your internet traffic can be routed through the VPN, this is useful as no one else connected to the free Wi-Fi hotspot can see what you’re doing on the internet.
Bypass content restrictions – maybe you are visiting a country that is very restrictive with what can be access on the internet. Say you are in China for example and you wanted to access a blocked website, such as Facebook. You could connect to your home VPN, now any website you access will be going through the VPN to your home internet connection, so will not be blocked.

What is Tomato?

Tomato is a custom firmware for various routers that add’s many additional features and improvements over the manufactures stock firmware. You can read more about Tomato and the various versions of the firmware here: http://en.wikipedia.org/wiki/Tomato_(firmware)

What is OpenVPN?

OpenVPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections.

Getting started:

We will presume your router is already running a version of the Tomato firmware that supports VPN’s.

Log on to your routers web interface, by default this is: http://192.168.1.1/

Click the VPN tunnelling menu, then select server.

In the basic tab:

Select: Start with wan
Interface type: TAP
Protocol: UDP
Port: 1194
Firewall: Automatic
Authorization Mode: Static key

In the advanced tab:

The settings here can be left as default (seen in the picture below) all you need to do is add

Code:

push "redirect-gateway def1"

in the custom configuration box

In the keys tab:

We need to generate a secure key that will be used by the VPN Server to authorise VPN clients, to do this we must install OpenVPN, I would recommend you do this on the computer you wish to connect to the VPN connection as you will need it installed on that anyway.

Go to \OpenVPN\Utilities in the start menu, then right click on Generate a static OpenVPN key and select run as admin

A static key should be generated for you and saved in: C:\Program Files (x86)\OpenVPN\config\key.txt

Open key.txt and copy the following (your key will be different to this)

Code:

-----BEGIN OpenVPN Static key V1-----
1da2b47d87abcc1fd6407d2dd817ff36
65712f4ebd846d167339a15edcf767a3
3c66ca12d3fd44d2c20a61cac9eff2f8
dbb09e1626d4effa62d98b370a43213f
3fc6a9a0bf224984fefb44c9ace94fc8
2b03b25d0b3f6763059a8abaa1c5c882
79afd1a345e29f2234f94529139a333d
202d34fb61bda5cb5ebaee89cb2768a6
4fed1c91eb5863df61d9fe769f5422e1
b14d8a304e0e5fff345fed76f71db9d7
6159fbbca53c174aeee614948d7cb542
cccdf965421c65f368fd7487d62ca065
e2c5d0c8fcc8c793724dbdf80b2d4765
489f4352b84b938829711ceca18ad30c
a6f8fab49f86501d3cb2441acd77c7a9
c6c7b7c08277ffe0ecf83adea156dd04
-----END OpenVPN Static key V1-----

Now paste this key in to the keys tab on the routers web interface

Now save your settings and press the start now button, all been well your router will now be running a VPN server.

If you have a dynamic IP address it would be a good idea to setup a Dynamic DNS service, this will update your hostname with the Dynamic DNS provider every time your ip address changes.

For example if I setup digiex.no-ip.org everytime my router detected my ip address had changes it would update digiex.no-ip.org with my new IP, ensuring I can always access my VPN at digiex.no-ip.org.

Tomato support many Dynamic DNS providers that can be configured under Basic > DDNS

I have personally used No-IP - Dynamic DNS, Static DNS for Your Dynamic IP for many years now with no problems what so ever

Configuring your OpenVPN client:

Now your router is setup as an OpenVPN server, we need to configure OpenVPN on the computer you wish to connect to the VPN with.

Open the Key.txt file you generated earlier in Notepad, and go File > Save As and type “static.key” as the file name, then for filetype select all files and save the key.

Now we need to create a config file for OpenVPN, copy and paste the configuration below in to Notepad

Code:

remote digiex.no-ip.org
port 1194
dev tap
secret static.key
proto udp
comp-lzo
route-gateway 192.168.1.1
redirect-gateway def1
float
route-method exe
route-delay 2

Change “remote digiex.no-ip.org” to either your static ip address or the Dynamic DNS hostname that will resolve to your Dynamic IP address e.g. “mynetwork.no-ip.org”

The rest of the settings should be fine for your home network, if your routers ip address is not 192.168.1.1 change this to what ever your routers ip address is.

Now go to and go File > Save As and type “Home Network.ovpn” as the file name, then for file type select all files and save the config settings.

Copy your static.key and Home Network.ovpn settings in to C:\Program Files (x86)\OpenVPN\config

Now run OpenVPN GUI with admin rights (right click, run as Administrator)

Now you can right click on the system tray icon and connect to your VPN, if you have more than one VPN config you will be able to select which VPN you wish to connect to.

Your VPN should connect and you can now access your home network and the internet, securely from anywhere in the world.

How can i check the VPN is working and my traffic is secure?

To check your internet traffic is going through the VPN go to Digiex IP Address Detector before connecting to the VPN and make a note of your IP address.

After connecting to the VPN connection your IP address should change and be that of your home internet connection.

If you also check the Device List in Tomato you will see you have been assigned an IP address on your home network.

You should also be able access shared files, printers, media and any other services on your home network, just like you were physically connected to the network

Thats it, if you have any questions do ask and i will do my best to try answer them.

**garifo** · 13-04-12, 21:45

Great article. I have a quick question for you. Is there a way where say if I am at my office all
the traffic for the office network does not get directed to my vpn with your method. That way I can always have vpn on.
Here is the scenario, Office network has www.office-intranet.com with vpn on it will redirect the traffic through the vpn but I would not be able to access the site since it can
only be access within the office network. While If I want to go to yahoo.com then those requests should go through the VPN.
I am looking for a method where I can specify a range or block of the Office IP's and force those to not be redirected to my VPN.

Thanks in advance.

**InsaneNutter** · 14-04-12, 09:17

I'm not sure if / how you can do that, i would imagine it's possible however it goes beyond anything i know about OpenVPN.

I might have another solution for you though, from what you say i presume you basically want a secure way to browse the internet at work? and still be able to access pages on your works intranet?

If yes you can achieve what you want another way.

At home:

Enable the SSH daemon in Tomato

You need to allow remote access, i would run it on port 443 as you should be able to connect to it then even behind the most restrictive of firewalls. This is because port 443 is used for secure web traffic, so you connecting to your router via ssh will just look like your on an secure website.

Remote forwarding will allow us to tunnel our internet traffic through your router at home, an even open ports to allow remote desktop access to another pc on your home network if you wish.

Port 22 in the above screenshot is the port the ssh server is accessible on when you are on a pc at your home network.

Password login will allow you to connect using the same password you use to access your routers web interface.

At work:

Download putty: www.chiark.greenend.org.uk/~sgtatham/putty/

Load putty and enter the your home ip and the port ssh is running on:

Create a dynamic tunnel:

Now connect to your router via ssh

The username is root, the password is the same as what you use to log on to your routers web interface

You can now tunnel any application that supports socks proxy servers through your SSH tunnel, this is a secure, encrypted connection to your home network so it will not be possible for anyone to see what data is going through the tunnel.

The ip is localhost as you are running the socks proxy on your local pc, the post is 5555 as thats what we setup as the dynamic port foward in putty.

E.g. IE supports socks proxy servers

You could use one web browser for work stuff, then have another setup for secure browsing for anything else.
Or even select the bypass proxy server for local addresses to use the same browser for both secure and work stuff.

You can automate everything we did with putty with myentunnel: N2 - MyEnTunnel - A background SSH tunnel daemon

Hope that might help you, quick and easy way to browse securely anywhere, even works on an Android mobile phone too and is very easy to automate the connection / setup process.

**nlucchesi** · 17-01-13, 16:37

Great tutorial; worked like a charm!

But...

How about the set-up for

Authorization Mode=TLS

Thanks again!

- nello

**InsaneNutter** · 18-01-13, 12:15

I'm honestly not sure about that, i would have to play about sometime and see if i can get it to work. Its not something i have ever done.

**Leont** · 21-01-13, 15:14

Hi! thanks for your helpful tutorial

I took your advice and setup my vpn server without any problem. However, recently I change my phone from iPhone to Android, and the tap mode can not work on Android 4.x.

I have tried to change your settings to the tun mode and can't work successfully. Could you help to write another tutorial for the tun mode?

Thanks

!

**deepstar** · 06-02-13, 17:21

Thank you Sir

It works great !

**lng101010** · 24-04-13, 16:14

First, I'd like to thank you, Insane Nutter, for an insanely noob-friendly guide.

However, I can't get it to work properly. The lights on my OpenVPN client only goes to Yellow and not Green.

Stuck at the: Wed Apr 24 11:53:38 2013 UDPv4 link local (bound): [undef]Wed Apr 24 11:53:38 2013 UDPv4 link remote: [AF_INET]ip:1194

Any idea what's wrong? I also can't ping my home IP.

**InsaneNutter** · 24-04-13, 18:28

Where are you connecting from, if its from the workplace or college / uni then you could be behind a very strict firewall that blocks vpn connections.

Also check your don't have a double nat e.g. your modem has a firewall enabled, then your router running tomato is behind that. If you enable the web interface of your router to be accessed over the internet, can that be accessed at a remote location. That would be a good starting point just to ensure your router is reachable from the internet.

**lng101010** · 26-04-13, 19:12

Hm, that's useful info.

I'm trying to connect from another location that I have complete control over so it's not an issue. I can't connect to router via remote access, can't ping home IP. I will definitely check the Motorola modem that I'm using at home though. Hopefully it's that simple.

Thanks.

**illmatik** · 30-04-13, 17:34

Hello. First off, thank you so much for the well-written and easy to follow tutorial. I have gotten the VPN Server set up on my Linksys E3200 with Tomato F/W.

As of now, I can connect to my home network no problem with various different clients. I can access machines on my home network, and do what I sought out to do originally which is stream Live TV from my HD HomeRun Prime outside of my house. Beautiful!

The only problem now, is that when I am connected to my VPN, I cannot access the internet at all. Not sure if this is an issue but the client machines are only receiving internal IP Addresses, and I do note this error from the clients: write to TUN/TAP : Input/output error (code=5)

Any ideas?