Thursday, August 06, 2009

How to Set Up OpenVPN in Tomato

There are 2 ways to set up OpenVPN in Tomato; either way, you will need to install the OpenVPN-modded version of the Tomato firmware and then set it up from the Tomato admin screen. There are many ways to set up OpenVPN; in this tutorial we will set it up with a single static key. This setup is recommended if you only need 1 user to connect to your home network to access things locally, or just to hide your traffic when you surf on an unsecured channel.
I will assume that you have a router that is Tomato/DD-WRT/OpenWrt enabled, with a variation of the firmware installed; that way it is very easy to flash to the Tomato OpenVPN-enabled firmware. Your best friend for this information is Google.

First download the firmware.

You can download the binaries; the latest update is the 1.25vpn3.3 release as of this article.

Then go to your tomato router and flash it with the firmware from the Administration Screen.

Notice that I am already using the OpenVPN-modded Tomato; I have attached that screen so users can really see what they are doing.

After you have loaded the firmware and rebooted the router, you will see the VPN Tunneling option in your menu. What you need now is to download OpenVPN and generate a key; a good tutorial is the material on OpenVPN's main page.

Click on the VPN Tunneling option in your router menu, and you will be presented with the following screen.

Then select the following:
Interface Type: TAP
Firewall: Custom
Authorization Mode: Static Key

Ignore Advanced and go to Keys, and you will reach the following screen.

Paste the static key you have generated in your copy of OpenVPN into the key field. Remember not to share this key with anyone: in static key mode both ends use the same key, so anyone who holds it can connect to your network.

Then you should go to your firewall and forward port 1195 to your router's IP address. In my case, I forward external UDP port 1195 to local port 1195 at my router's IP address which is

If you do not have a static IP with your ISP, it is easier if you configure a DDNS host. You can join a free service in either or Then you can connect from anywhere to your

After that you should configure your local config file for OpenVPN and save the settings to a configuration file; in our example we name it connect.ovpn.

# Use the following to have your client computer send all traffic through your router
# (remote gateway)
remote replace this with your server's address or
port 1195
dev tap
secret static.key
proto udp

Then place your static key in a file in the same directory as your connect.ovpn, and make sure the name of the file is "static.key".

You can now connect to your host by right-clicking on your connect.ovpn and selecting the Connect option.
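
A pre-flight check for the static key used in the steps above, added here as an example (not code from the original post or from OpenVPN): it confirms that the text pasted into the Keys box and saved as static.key carries the OpenVPN static key header and enough hex key material. The name `check_static_key` is hypothetical and the sample values are constructed; the 128-byte minimum is taken from the OpenVPN log line quoted in the comments below.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
MIN_BYTES = 128  # minimum reported in the OpenVPN log line quoted in the comments


def check_static_key(text):
    """Return (ok, message) for text pasted into the Keys box or saved as static.key."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines:
        # A PEM header of another type means a certificate-mode key was pasted.
        other = next((ln for ln in lines if ln.startswith("-----BEGIN ")), None)
        if other:
            return False, "wrong key type: found %r, expected %r" % (other, BEGIN)
        return False, "header line missing: copy the BEGIN and END lines too"
    start = lines.index(BEGIN)
    if END not in lines[start:]:
        return False, "END line missing: the paste was cut short"
    body = "".join(lines[start + 1:lines.index(END, start)])
    if len(body) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", body):
        return False, "key body is not clean hex: a line was wrapped or edited"
    size = len(body) // 2
    if size < MIN_BYTES:
        return False, "only %d key bytes found, need at least %d" % (size, MIN_BYTES)
    return True, "%d key bytes found" % size


# Constructed samples: a repeating pattern, not a real key.
HEX_LINE = "00112233445566778899aabbccddeeff"  # 16 bytes per line
SAMPLE_KEY = "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
                       + [HEX_LINE] * 16 + [END])
TRUNCATED_KEY = "\n".join([BEGIN] + [HEX_LINE] * 7 + [END])
RSA_PASTE = "\n".join(["-----BEGIN RSA PRIVATE KEY-----",
                       "(constructed placeholder body)",
                       "-----END RSA PRIVATE KEY-----"])

if __name__ == "__main__":
    for name, text in [("static.key", SAMPLE_KEY), ("truncated", TRUNCATED_KEY),
                       ("client.key", RSA_PASTE)]:
        print(name, check_static_key(text))
```

Run it against the real file with `check_static_key(open("static.key").read())` on the client before connecting, and keep that file readable only by your own account.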


johnnymacm said...

Great post; quick question. My router does not indicate that the OPENVPN service is running. I get this: "Server is not running or status could not be read." on the status page. Any ideas?

John So said...

Hey you could try to connect from within your network first, make sure that it's not the port forwarding that's having the problem. So you can nail down the problem one by one.

Unknown said...

such simple instructions, very easy read! question - do you know if such a config could be used to circumvent the great firewall of china? i know they block facebook and twitter most of the time.


John So said...

Short answer, yes. However, you need to set up your OpenVPN server outside of China. This is more of an OpenVPN question rather than with Tomato. OpenVPN opens a tunnel between yourself and your server, thus people cannot read when they are forwarding the traffic for you. Since you have a key, this setup can access all your Facebook and Twitter from China with no problem. Even CNN, and most of your Mongolia, Taiwan sites. I hope I haven't typed enough keywords for the Chinese to block me.

Unknown said...

your configs worked perfectly. all i had to do was force the TAP interface metric to something lower than my internet interface. dropped it to 10, and all traffic got thrown over the openvpn. even skyping through it!

Empa said...

I've tried this HOW-TO and I'm really new to this.
What I can't get to work is the config file. I've tried to create one in a text editor and then I've put the file into my bin folder. Am I doing this wrong? Cause I can't right-click on the file and select connect.
Thanks in advance!

Anonymous said...

Have you tried tinc with Tomato?

I think it is a nice piece of software.



Unknown said...

Are the firewall changes on the router or your PC? The router firewall does not control routing, it is a different tab.

Great overall instructions!

John So said...

Hey glad to know that people are getting this to work. Thanks for your comments.

John So said...

I haven't tried Tinc, I will take a look. Thanks

Anonymous said...

Works perfect inside my lan. I will have to test this when i'm on the road :)

thank you

Anonymous said...

I didn't manage to make a connection using the firewall:Custom Setting. I don't know what went wrong.

However i changed Firewall: Automatic
and didn't use a port forward of the port to the internal address of the router.

This did work on my computer. Great news .. great post :)

Anonymous said...

Dear Author !
Rather the helpful information

John So said...

Thanks for the feedback. I found that the openvpn client works depending on the network you connect from. I can connect from anywhere except my work network.


PacketRider said...

It looks like this tutorial is for connecting a computer to the tomato VPN server and access resources behind this router. Is there a tutorial on how to do a site-to-site VPN connection using two 2 tomato VPN routers? I like to have a persistent 24/7 VPN connection between my home and office so I can use rsync to sync two file servers -- one at work and one at home.

Unknown said...

no matter what i do, i get a series of messages that say "invalid ip adress" when i try to save my settings. i've tried various settings and have not been able to save the settings i input.

I am currently running tomato v1.27.8742 on a wl520gu if it helps.

John So said...

Which part of the instruction are you stuck at?

Unknown said...

I would get to the last step of the server setup on my tomato router. When I clicked save, that is when I received the IP address is invalid error. I played around with it all last night and to get it to save my settings, I had to fill in every blank for the setup of server 1 and server 2.

I seem to have a new problem now though. I have the settings saved, but when I click the start button, nothing happens.

Is this a bug, or is it simply user error?

Unknown said...

Thanks for the help.

In order for me to get it to work on my system, I had to leave it at the default port, and set the firewall to automatic.


A few questions and I've read through the threads, and I'm still struggling to get this to work.

1) are the firewall/portforwarding changes done in tomato or on the pc client? I believe the answer is in tomato, and all that needs to be done on the pc is to create a firewall exception.

2) is the external server address the WAN IP address of the modem, or the gateway address between the modem and the router? (Configuration is that my tomato router sits behind my cable modem).



I played around with this this evening and was able to get it to work.

- ip address is external
- port forwarding is done on tomato on the router
- firewall rules are on the PC

John So said...

Glad you got it to work


Just an update to my last post:

- ip address is external
- port forwarding is done on tomato on the router
- firewall rules are on the PC

I can connect through local LAN, but cannot connect over WAN.

When I change the settings so that
- firewall setting in tomato are automatic
- remove the portforwarding rules in tomato

I am able to connect through VPN both through LAN and WAN.

Unknown said...

Great post! THANKS!!!!
I had to change the firewall settings on router to Automatic to be able to connect through WAN.
Thank you BATMANTAS for the idea.

Ihstiv said...

I have a naive question: Does setting up a local VPN like this make you anonymous to your own ISP? My hunch is no, but I'm having trouble finding confirmation.


John So said...

@Ihstiv you are correct, if you create a private VPN in your home network the IP address that you use to go out will be the same. Another way is to use your friend or family internet to install the VPN server. Connect to it and you will be seen as the same IP as your friend or family's IP.

Unknown said...

It doesn't work with windows 7 :( i tried it, it's green, but when i try there was the old ip address, not my routers.. :(

Unknown said...

If someone could help it would be GREATLY appreciated ... I've followed the guide as best I could (I'm using a FreeBSD server so it was a little different, but the server isn't the issue) but I'm having a problem and I've scoured google for about an hour now and can't seem to find a fix ...

I've got the authorization mode set to 'static key', and I put the 'client.key' I generated on the server while following into the Keys box, starting with the "-----BEGIN RSA PRIVATE KEY-----" line and ending with "-----END RSA PRIVATE KEY-----", but when I try to start the VPN it fails and I get the following in my /tmp/var/log/messages -

Jun 17 16:27:06 unknown daemon.err openvpn[1077]: Insufficient key material or header text not found found in file 'static.key' (0/128/256 bytes found/min/max)

It seems like the key isn't making it from nvram to the file when it tries to start up ... if I knew where it was creating the temp file I'd just write the key there myself, but I have no idea ... if anyone knows how I can fix this it would make me extremely happy ...


Unknown said...


Open up static.key file with a regular text editor, copy :

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

(including ---BEGIN and ---END lines)
and paste it into "VPN Tunneling\Server -> Keys" on the router. The only problem I had was the firewall. I had to set it to "Auto".
And you will need your "static.key" file to be in "OpenVPN\config" folder.

Shak said...

I don't understand this step:

>Then you should go to your firewall and forward the port 1195 to your router's IP address. In my case, I forward external UDP port 1195 local port 1195 at my router's IP address which is

Do you mean port forwarding? And isn't the VPN server residing on the router anyway? What exactly is being forwarded?

Help please. I can connect to my router but can't ping anything.

John So said...

@Istvan if you have setup everything in the router and you try to connect in Vista and Windows 7, I found that you have to run it as administrator, otherwise you won't be able to connect. What does the log say when you connect?

You are setting it up on the router, but you still have to forward the ports, some users have success with firewall setting in tomato set to automatic, and remove the port forwarding in the firewall router.

Thanks Batmandas

Unknown said...

what changes should I make to the config file for bridge mode?

Unknown said...

I got stuck at generate OpenVPN keys. I wasn't sure what to install and how to generate a key

Unknown said...

Great step by step tutorial. It worked out really fine. Thanks.

Kathleen Carleton said...

Great step by step instructions and if this can circumvent the firewall in China it must be a powerful piece of software.

Marshal Drake said...

Thanks for sharing this information. I'm still studying how Tomato works with OpenVPN.


Willie Aames said...

I’ve been trying to set up a OpenVPN server plus a client(flashvpn, and I could connect them (with the server not being the router but an actual PC with ubuntu server), and the services would start just ok, but I have a problem. The client (Windows7) can ping the server through the VPN, no problem, but the server seems to not be that successful. I’ve been playing with static routes and iptables with not much success I must add.
Since this is an OpenVPN thread, does anyone might have a clue about what’s going on?
All help is appreciated :)
