FreshTomato is the now only version of the Tomato community-developed custom firmware for routers still actively supported. We therefore recommend upgrading to FreshTomato and configuring it using our How to setup Proton VPN on FreshTomato routers guide. This legacy guide is therefore primarily for reference only.
A step-by-step guide to setup Proton VPN on your Tomato router.
Proton VPN can be set up on your Tomato powered router to automatically connect to a Proton VPN server available to your subscription whenever the internet connection is established. Below is a step-by-step guide to set up your Proton VPN router. These changes are made in the web configuration panel of your router which you can access by visiting the local IP of your router from your web browser. The two most common, the default local IP’s that most routers have are 192.168.1.1 or 192.168.0.1.
Opening the Router configuration panel
- Open your browser and enter 192.168.1.1 or 192.168.0.1 in your browser bar. If these don’t work, you can find the default IP, username, and password in your router’s User Manual.
DNS Settings (connecting via OpenVPN protocol)
Start by configuring your DNS server requests to use Proton VPN DNS server to prevent DNS leaks (Note, once this is set, DNS queries will not resolve unless you are successfully connected to Proton VPN in the later stages)
- In the left menu, under Basic -> Network
- In the DNS 1 field enter the following: 10.8.8.1
- In the DNS 2 field enter the following: 184.108.40.206
Openvpn Basic router settings (connecting via OpenVPN protocol)
- On menu located on the left side of the screen click on the VPN Tunnelling tab and then click on OpenVPN Client tab.
- As shown in the screenshot, set the following options:
Start with WAN – Check the box.
Interface Type – TUN.
Protocol – Choose UDP.
Server Address/Port – Enter server address in the first field and port in the second one – 1194 to you set Protocol to UDP.
Use configuration files name as server address field(Example in the screenshot).
Firewall – Automatic.
Authorization Mode – TLS.
Username/Password Authentication – Checked. Enter your OpenVPN username and password in the newly shown fields from your account page here – https://account.protonvpn.com/settings. Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).
Username Authen. Only – Unchecked (default).
Extra HMAC authorization (TLS-AUTH) – Choose Outgoing (1) from the drop-down list.
Create NAT on tunnel – Checked.
Tomato routers that don’t have any fields for entering OpenVPN credentials:
Some Tomato routers do not have any fields for entering OpenVPN credentials. If this is your case:
- Go to Administration -> Scripts and enter these lines into the Init field where you should change username and password to your Proton VPN credentials:
echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt
For additional config, please enter these:
tls-client remote-cert-tls server remote-random resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ping 15 ping-restart 0 ping-timer-rem reneg-sec 0 auth sha512 comp-lzo no
Keys settings and starting the VPN connection (OpenVPN Client Configuration)
- Proceed by clicking on Keys tab.
- Download the Proton VPN configuration files and extract them.
- Find a configuration file for the server you were setting up and open it (in this case de-03.protonvpn.com.udp1194.ovpn).
- Static key – in this field copy and paste text from <tls-auth> to </tls-auth> block.
- Certificate Authority – in this field copy and paste text from <ca> to </ca> block.
It should look like this:
- Confirm and save all changes by clicking on Save button at the bottom of the settings page.
- To establish a connection, click on Start Now button. In order to check if you have connected successfully please visit the Status page.
Setting up KillSwitch on Tomato router
- Navigate to Administration -> Scripts and under Firewall please type in:
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
- (Every client in LAN will loose internet connection in case of VPN drop.)
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
- (Only specified IP address will loose internet access in case of VPN drop.)