
How to setup ProtonVPN on FreshTomato routers

FreshTomato is the only version of the Tomato community-developed custom firmware for routers still actively supported. If you are using an older version of Tomato, we recommend upgrading to FreshTomato. 

In this guide, we show you how to set up ProtonVPN on a Tomato router running the FreshTomato firmware using the OpenVPN VPN protocol. 


ProtonVPN can be set up on your FreshTomato-powered router so that it will automatically connect to a ProtonVPN server (available on your subscription) whenever an internet connection is established. 

Below is a step-by-step guide to connecting a FreshTomato router to ProtonVPN. These changes are made in the web configuration panel of your router, which you can access by visiting the local IP address of your router in your web browser.

The default local IP address for most Tomato routers is 192.168.1.1.

Prerequisites for the FreshTomato VPN setup:

  • A preconfigured and working FreshTomato router (ideally with the FreshTomato firmware freshly installed or factory reset)
  • A computer on the LAN network to remotely access the FreshTomato configuration interface
  • Any ProtonVPN OpenVPN configuration file. You can download the configuration files from the Downloads section of your ProtonVPN account.

OpenVPN basic router settings

1. Open your browser and enter 192.168.1.1 in your browser bar (or whatever your router’s local IP address is).

2. On the menu bar located to the left side of the screen, click VPN Tunneling -> OpenVPN Client. If more than one OpenVPN client is supported on your device, you can select which one to configure. 

3. As shown in the screenshot below, set the following options in the Basic setup tab:

  • Start with WAN – check the box.
  • Interface Type – TUN.
  • Protocol – UDP.
  • Server Address/Port – Enter the server address in the first field and the port number in the second field. To find the server address, open the OpenVPN configuration file you downloaded and look for a line that looks like remote 37.120.217.168 1194. The IP address in this case is 37.120.217.168, and the port number is 1194. Port 1194 is the default port OpenVPN uses for UDP.
  • Firewall – Automatic.
  • Create NAT on tunnel – check.
  • Inbound Firewall – check.
  • Authorization Mode – TLS.
  • TLS control channel security (tls-auth/tls-crypt) – Choose Outgoing (1) from the drop-down list.
  • Username/Password Authentication – check. Enter your OpenVPN username and password in the newly shown fields (not your regular ProtonVPN credentials). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).
  • Username Authen. Only – do not check (default).
  • Auth digest – Select SHA512 from dropdown list.

OpenVPN advanced router settings

Now click on the Advanced tab. As shown in the screenshot, set the following options:

  • Poll interval – 0
  • Redirect internet traffic – select All from dropdown list.
  • Accept DNS configuration – select Exclusive from dropdown list.
  • Data ciphers – the most secure setting is AES-256-GCM. For improved reliability you can input AES-256-GCM:AES-256-CBC.
  • Compression – select None from dropdown list.
  • TLS Renegotiation Time – 0
  • Connection retry – -1
  • Verify Certificate (remote-cert-tls server) – check
  • Verify Server Certificate Name (verify-x509-name) – No
  • Custom configuration – add the following lines to the text field:
tls-client
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem


OpenVPN key settings

Select the Keys tab and open the OpenVPN configuration file you are using in a text editor. Set the following options:

  • Static key — copy and paste the text from the <tls-auth> to </tls-auth> block in your OpenVPN configuration file into the text field.
  • Certificate Authority — copy and paste the text from the <ca> to </ca> block in your OpenVPN configuration file into the text field.
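
The Server Address/Port values for the Basic tab and the two blocks for the Keys tab can be pulled out of the downloaded file with a short script instead of by hand. This is an added example, not part of the original guide or any ProtonVPN tooling; the function names are hypothetical and the sample file is constructed with placeholder key material.

```shell
#!/bin/sh
# Added example: extract the values the FreshTomato GUI asks for from an
# OpenVPN configuration file. Function names are hypothetical.

# Print "address port" for each remote line. A trailing carriage return is
# stripped first in case the file was saved with CRLF line endings.
ovpn_remotes() {
    awk '{ sub(/\r$/, "") } $1 == "remote" && NF >= 3 { print $2, $3 }' "$1"
}

# Print the lines between <tag> and </tag>, without the tag lines themselves.
ovpn_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
        $0 == ("<" tag ">")  { inside = 1 }
    ' "$1"
}

# Succeed only if the file has a remote line plus both inline blocks.
ovpn_check() {
    [ -n "$(ovpn_remotes "$1")" ] || { echo "no remote line" >&2; return 1; }
    for tag in ca tls-auth; do
        [ -n "$(ovpn_block "$1" "$tag")" ] || { echo "missing <$tag>" >&2; return 1; }
    done
}

# Constructed sample; the certificate and key bodies are placeholders.
SAMPLE="${TMPDIR:-/tmp}/sample-$$.ovpn"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
client
proto udp
remote 37.120.217.168 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
ovpn_check "$SAMPLE" && ovpn_remotes "$SAMPLE" && ovpn_block "$SAMPLE" tls-auth
```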


Starting the VPN connection (OpenVPN Client Configuration)

  • Confirm and save all changes by clicking on the Save button at the bottom of the settings page.
  • To establish a connection, click on the Start Now button. In order to check if you have connected successfully, please visit the Status page.

Note: if you are starting from a fresh installation or hard reset, the connection may fail because the router's clock has not been set yet (certificate validity checks depend on the correct date). A router reboot normally fixes the issue by updating the date and time from the internet, which allows the VPN connection to be successfully established.

How to set up a kill switch on your Tomato router

To set up a kill switch, navigate to Administration -> Scripts -> Firewall. For a kill switch where every device on your LAN will lose its internet connection in the event of a VPN dropout, enter the following lines:

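# -I inserts each rule at the top of the FORWARD chain, ahead of the firmware's own rules
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type; UDP is answered with ICMP port-unreachable
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable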

Or for a kill switch where only devices with the specified IP addresses on your LAN will lose their internet connection in the event of a VPN dropout, enter the following lines:

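WAN_IF=`nvram get wan_iface`
# Placeholder value: set to the LAN IP address of the device; repeat the rules for each device
DEVICE_IP="192.168.1.100"
iptables -I FORWARD -i br0 -s $DEVICE_IP -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s $DEVICE_IP -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type; UDP is answered with ICMP port-unreachable
iptables -I FORWARD -i br0 -s $DEVICE_IP -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable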
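
A kill switch only helps if its rules actually loaded and sit ahead of anything that accepts LAN-to-WAN traffic, so it is worth checking the FORWARD chain after saving the script. The check below is an added example, not part of the original guide or the firmware; the function name is hypothetical, and the rule listing and the interface names vlan2 and tun11 are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads a FORWARD-chain listing
# in "-A FORWARD ..." form on stdin and succeeds only if an all-protocol
# REJECT/DROP for LAN -> WAN comes before any ACCEPT that could match it.
# Usage: killswitch_ok WAN_IF [DEVICE_IP]   (function name is hypothetical)
killswitch_ok() {
    awk -v lan="br0" -v wan="$1" -v want="${2:-}" '
        BEGIN { rc = 1 }
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = out_if = proto = src = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if  = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-p") proto  = $(i + 1)
                if ($i == "-s") src    = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Rules bound to other interfaces cannot match LAN -> WAN traffic.
            if (in_if != "" && in_if != lan) next
            if (out_if != "" && out_if != wan) next
            # Conservative: any earlier ACCEPT counts as a possible leak.
            if (target == "ACCEPT") exit
            blocks = (target == "REJECT" || target == "DROP")
            src_ok = (src == want || src == (want "/32"))
            if (blocks && in_if == lan && out_if == wan && proto == "" && src_ok) {
                rc = 0
                exit
            }
        }
        END { exit rc }
    '
}

# Constructed listing: kill-switch rules at the head of the chain (where -I
# puts them), followed by made-up firmware rules. Interface names are assumed.
sample_rules() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
EOF
}

if sample_rules | killswitch_ok vlan2; then
    echo "kill switch active for br0 -> vlan2"
else
    echo "kill switch missing or shadowed"
fi
```

On the router, feed it the live chain, for instance `iptables -S FORWARD | killswitch_ok "$(nvram get wan_iface)"`, assuming the firmware's iptables build supports `-S`.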

 
