Support Center / Setup and use / How to setup Proton VPN on a Tomato router

How to setup Proton VPN on a Tomato router

FreshTomato is the now only version of the Tomato community-developed custom firmware for routers still actively supported. We therefore recommend upgrading to FreshTomato and configuring it using our How to setup Proton VPN on FreshTomato routers guide. This legacy guide is therefore primarily for reference only. 

A step-by-step guide to setup Proton VPN on your Tomato router.

Proton VPN can be set up on your Tomato powered router to automatically connect to a Proton VPN server available to your subscription whenever the internet connection is established. Below is a step-by-step guide to set up your Proton VPN router. These changes are made in the web configuration panel of your router which you can access by visiting the local IP of your router from your web browser. The two most common, the default local IP’s that most routers have are 192.168.1.1 or 192.168.0.1.

Opening the Router configuration panel

Open your browser and enter 192.168.1.1 or 192.168.0.1 in your browser bar. If these don’t work, you can find the default IP, username, and password in your router’s User Manual.

DNS Settings (connecting via OpenVPN protocol)

Start by configuring your DNS server requests to use Proton VPN DNS server to prevent DNS leaks (Note, once this is set, DNS queries will not resolve unless you are successfully connected to Proton VPN in the later stages).

  1. In the left menu, under Basic -> Network
  2. In the DNS 1 field enter the following: 10.8.8.1
  3. In the DNS 2 field enter the following: 1.1.1.1

    Screenshot of DNS settings

Openvpn Basic router settings (connecting via OpenVPN protocol)

On menu located on the left side of the screen click on the VPN Tunnelling tab and then click on OpenVPN Client tab.

As shown in the screenshot, set the following options:

  • Start with WAN – Check the box
  • Interface Type – TUN
  • Protocol – Choose UDP
  • Server Address/Port – Enter server address in the first field and port in the second one – 1194 to you set Protocol to UDP
  • Use configuration files name as server address field (example in the screenshot)
  • Firewall – Automatic
  • Authorization Mode – TLS
  • Username/Password Authentication – Checked. Enter your OpenVPN username and password in the newly shown fields from your Proton Account page. Note 1: Your OpenVPN username and password are not the same as your regular Proton Account username and password. Note 2: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2  to block malware, ads, and trackers (for example 123456789+f2).
  • Username Authen. Only – Unchecked (default)
  • Extra HMAC authorization (TLS-AUTH) – Choose Outgoing (1) from the drop-down list
  • Create NAT on tunnel – Checked

 

Tomato routers that don’t have any fields for entering OpenVPN credentials:

Some Tomato routers do not have any fields for entering OpenVPN credentials. If this is the case for yo, go to Administration -> Scripts and enter these lines into the Init field where you should change username and password to your Proton VPN credentials:


echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt

For additional config, please enter these:

tls-client
remote-cert-tls server
remote-random
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
auth sha512
comp-lzo no

Keys settings and starting the VPN connection (OpenVPN Client Configuration)

  1. Proceed by clicking on Keys tab.
  2. Download the Proton VPN configuration files and extract them.
  3. Find a configuration file for the server you were setting up and open it (in this case de-03.protonvpn.com.udp1194.ovpn).
    • Static key – in this field copy and paste text from <tls-auth> to </tls-auth> block.
    • Certificate Authority – in this field copy and paste text from <ca> to </ca> block.
      It should look like this: 
  4. Confirm and save all changes by clicking on Save button at the bottom of the settings page.
  5. To establish a connection, click on Start Now button. In order to check if you have connected successfully please visit the Status page.

Setting up KillSwitch on Tomato router

  • Navigate to Administration -> Scripts and under Firewall please type in:
    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
  • (Every client in LAN will loose internet connection in case of VPN drop.)
    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
  • (Only specified IP address will loose internet access in case of VPN drop.)

Related Articles: 

How to setup Proton VPN on DD-WRT Routers

How to setup Proton VPN on Windows

How to setup Proton VPN on Mac

How to setup Proton VPN on Linux

Post Comment

10 comments

  1. Justin

    Running MacOS, and I just flashed my router. How do you get the CA and Static Keys from the downloaded server config to paste in the “Keys” section? I try opening it and it just asks what program I want to use to open it.

  2. ProtonVPN Team

    Hello. You have to open those files with a text editor software. There are many online that you can use for example : Sublime Text 3

  3. bugimen

    Hi there! Should I add “keealive 10 60” to client config -> Advanced -> Custom Configuration box?

  4. ProtonVPN Team

    Hello Bugimen. This setting is pushed from the server side so it does not matter what you type in the config.

  5. linksys tech support

    ProtonVPN gives more security to a router. Your tips are very informative and anyone can set VPN in a very simple way. Nice article for the user.

  6. Fred

    You say

    In the left menu, under Basic -> Network
    In the DNS 1 field enter the following: 10.8.8.1
    In the DNS 2 field enter the following: 8.8.4.4

    The IP 8.8.4.4 connects to Google DNS servers which I don’t want to use. If I remove that entry, and leave only the 10.8.8.1 IP, I get no DNS service. If I add a different public DNS service e.g. openDNS 208.67.222.222 I get DNS services back again. This indicates that protonvpn’s DNS server at 10.8.8.1 is not working for me. What do I need to do to get protonvpn to provide me with DNS services. Thanks.
    (Linksys WRT54G with tomato firmware ver.1.28)

  7. ProtonVPN Team

    Hello Fred, each of our servers has an integrated DNS server inside them. OpenDNS and Google Domain name servers are dedicated, we do not provide a separate Domain Name Server yet. When you connect to a VPN server, DNS should be fetched automatically from it. If you are experiencing DNS leaks, please write us an e-mail via https://protonvpn.com/support-form and we will do some extensive troubleshooting.

  8. User

    Please fix the wrong How to: https://protonvpn.com/support/vpn-tomato-router

    Still no VPN Connection by useing 10.8.8.1 as only one DNS server.
    No problems to get VPN connection ba useing good known DNS server like 8.8.4.4 or other.

    Proton VPN service mean by email:
    – proton VPN dont provide DNS server on this time
    – 10.8.8.1 are no DNS serever

  9. ProtonVPN Team

    Hello, If you are using free servers, then you have to use 10.8.0.1 in the DNS settings, if not, 10.8.8.1 will work and will provide the DNS servers of the VPN server.

  10. Tatibyte

    Thanks guys, works fine the connection! thanks for all!

Comments are closed.

Secure
your internet

Get Proton VPN
Get Proton VPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN