In this tutorial I will be using an Advanced Tomato router to demonstrate how to set up an OpenVPN client that will encrypt all outgoing Internet traffic on your LAN.
Many VPN providers limit the number of simultaneous clients you can have connected to their service. This can be frustrating in a household where you might have multiple PCs, smartphones, gaming consoles, etc. that you would like to all have protected. Running a VPN client on your router also greatly simplifies configuration, as you only have to configure your router, instead of each individual device.
Advanced Tomato is a descendant of the original Open Source Tomato firmware developed by Jonathan Zarate in 2008. Some of the more notable forks of Tomato are Advanced Tomato, Tomato by Shibby, and TomatoUSB. Tomato is a popular Open Source router firmware that runs on many popular router architectures and is a great example of a highly successful Open Source project.
Although this tutorial is demonstrated on Advanced Tomato, other Tomato forks will be similar. If you have not installed Advanced Tomato on your router, you can check out my how-to.
I have also set up OpenVPN clients with a couple of different VPN services, and I will point out where your provider’s configuration may differ and how to derive your settings from your provider’s OpenVPN config files. So, let’s get started!
Tomato OpenVPN setup tutorial
Step 1: Login to your router and select “OpenVPN Client”
- Log in by pointing your browser to your router’s IP and entering the administrator username and password.
- Click the VPN menu and then select the OpenVPN Client submenu.
- Pick Client 1 or Client 2 from the menu tabs depending on your preference.
Step 2: Enter basic OpenVPN configuration information
Now is a good time to open your OpenVPN config file in your favorite editor or viewer. Your provider should offer OpenVPN config files for download; they are simple text files.
Refer to your local OpenVPN man page, or to the online version, to understand what each option does.
Now that you have selected which client you wish to configure, select the Basic tab if it is not already selected.
Now we will look at each individual option on the Basic tab:
Start with WAN:
This option will automatically connect to your OpenVPN server every time that your WAN device is connected to the Internet.
You might want this enabled if you always want all of your traffic to use the VPN. However, I suggest making sure that your OpenVPN client configuration works properly before you enable this option.
Interface Type:
Most OpenVPN implementations use a TUN device. If you look in your config file you should see a line “dev tun“. If you see “dev tap“ then you will need to select a TAP device from the pulldown. Your client’s TUN/TAP device type must match the server’s.
Protocol:
In most cases you will want UDP, as it is typically more efficient. However, there are some cases where TCP works better.
Check your config file for the remote or proto option. Most providers specify the protocol on the remote option, whose syntax is remote host [port] [proto], so you will see something like “remote server.vpn.net 1194 udp“.
Server Address/Port:
You will need either the IP address or the FQDN of your OpenVPN server. Typically the port is on the remote option in your config file, but like the protocol it can appear on its own port line. If you cannot find the port in your config file, use the default OpenVPN port, 1194.
Firewall:
Set this to Automatic.
Authorization Mode:
Set this to TLS.
Username/Password Authentication:
Check this box, which will reveal the following fields:
Username: Enter your VPN username here.
Password: Enter your VPN password here.
Username Authen. Only:
Hopefully, your VPN provider requires more than just your username and password. This option must be left unchecked for HMAC authentication to be used as well.
Extra HMAC authorization (tls-auth):
HMAC authentication is recommended for any server accepting requests from any IP address, which means most VPN providers. In your config file you should see the option tls-auth, whose syntax is tls-auth file [direction]. The key may also be embedded in the config file, in which case you will see something like:
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
in your config file. We will use the key file, or cut and paste the inline key, later on. If your config file has an inline key, it should also have a key-direction option.
Most providers I have used have an outgoing key, that is, a direction of “1“. So in this case we use the drop-down menu and select Outgoing (1).
Create NAT on tunnel:
Almost everyone will want to check this to enable NAT on the tunnel, unless you are setting up static routes or only want the router itself to be in the VPN. If you want the clients on your LAN to go through the VPN tunnel, check this.
Step 3: Enter the advanced OpenVPN configuration information
Click on the Advanced tab to continue the setup.
Poll Interval:
Set to 0 to disable. Otherwise this is a watchdog timer for the VPN connection, in minutes.
Redirect Internet traffic:
This should NOT be checked. I am not clear on what this option does, but you might need it, together with the following option, to stop DNS leaks.
Accept DNS configuration:
Set this to Disabled. You might need to set this to Exclusive to stop DNS leaks if your VPN provider runs its own nameservers. That will also require you to set up your LAN clients to query your router for DNS.
Encryption cipher:
This option must match your VPN provider’s server. Providers often map different ciphers to different ports on their servers. Check your config file for the cipher option, whose syntax is cipher algorithm.
AES is a strong, popular cipher that often has hardware acceleration. Since most routers do not have fast processors, I suggest AES-128-CBC as a good balance between security and performance.
Compression:
In my experience this can be one of the more troublesome settings.
OpenVPN defaults to Adaptive compression. Check your config file for the comp-lzo option, whose syntax is comp-lzo [mode]. If you see just the line comp-lzo with no [mode], it is the OpenVPN default of Adaptive. More often than not, I find Adaptive to be the right choice.
TLS Renegotiation Time:
Select “-1” for the default, which is 3600 seconds. Look in your config file for the option reneg-sec n. The OpenVPN server can also control this, so I suggest leaving it at the default, but you can try to force the server to renegotiate by setting your desired value here.
Connection retry:
Most providers suggest setting this to 30 seconds. Look for the connect-retry n directive in your config file; the OpenVPN default is 5 seconds.
Verify server certificate (tls-remote):
Leave this unchecked. This option is deprecated.
Custom Configuration:
This is where you enter any custom OpenVPN configuration options that are not covered by the web GUI.
One option I like to set is the log directive, so that the OpenVPN client’s logging goes to its own file.
You may find options in your provider’s config files that you need to add here. For example, the VPN service VPN.AC uses SHA256 for HMAC authentication (the auth directive) rather than the default SHA1 hash.
Any custom configuration options entered here are appended to the end of the config file that is generated when you start the client on the router.
Step 4: Enter your keys
Select the Keys tab and you will be offered four text areas in which to paste your certificates and keys.
Static Key:
Most providers use a static key as part of the TLS negotiation. This is the tls-auth directive we discussed in the Basic tab settings, where we set the direction.
This key may be embedded in your OpenVPN configuration file, but most likely it is a separate file that starts with a line like:
-----BEGIN OpenVPN Static key V1-----
Find this key and cut & paste it into the Static Key text area.
Certificate Authority:
This is where you paste your certificate authority (CA) certificate, also known as the root certificate.
Like the static key, this may be embedded in your config file: look for the <ca>…</ca> section. Typically, though, it is a separate file named by the ca file option in your config file.
You will need to cut and paste the CA into this text area.
Client Certificate / Client Key: Some providers use a client certificate and key pair. The client certificate is signed by the CA that you are using. Look for either the embedded <cert>…</cert> and <key>…</key> sections or the directives cert file and key file in your OpenVPN configuration file.
Cut and paste the contents found between the embeds, or the files pointed to by the directives, into the matching text areas.
Click the Save button to save your config. If you do not, you will lose all your hard work!
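The mapping from a provider's .ovpn file to the Basic, Advanced and Keys tabs described in Steps 2 to 4, as an added worked example (my own code, not part of this tutorial or of the Tomato firmware). The sample config is constructed; the field names follow the tutorial's labels, and the Incoming (0) and Bi-directional menu labels are assumptions.

```python
import re
# Constructed sample in the style of a provider's .ovpn file (not from any real provider).
SAMPLE_OVPN = """client
dev tun
remote server.vpn.net 1194 udp
cipher AES-128-CBC
auth SHA256
comp-lzo
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Directives the Tomato GUI has a field for; anything else goes into Custom Configuration.
GUI_DIRECTIVES = set("client dev remote port proto cipher comp-lzo reneg-sec connect-retry "
                     "key-direction tls-auth ca cert key auth-user-pass".split())

def parse_ovpn(text):
    # Inline <tag>...</tag> blocks, with comment lines such as "# 2048 bit ..." dropped
    blocks = {t: "\n".join(l for l in map(str.strip, b.splitlines()) if l and l[0] != "#")
              for t, b in re.findall(r"<([a-z-]+)>\n(.*?)</\1>", text, re.S)}
    plain = re.sub(r"<([a-z-]+)>.*?</\1>", "", text, flags=re.S)
    directives = [l.split() for l in map(str.strip, plain.splitlines()) if l and l[0] not in "#;"]
    return directives, blocks

def tomato_fields(text):
    directives, blocks = parse_ovpn(text)
    opts = {d[0]: d[1:] for d in directives}      # last occurrence of a directive wins
    remote = opts.get("remote", [])               # remote host [port] [proto]
    port = remote[1] if len(remote) > 1 else opts.get("port", ["1194"])[0]
    proto = remote[2] if len(remote) > 2 else opts.get("proto", ["udp"])[0]
    tls = opts.get("tls-auth", [])                # tls-auth file [direction], or key-direction n
    direction = tls[1] if len(tls) > 1 else opts.get("key-direction", [None])[0]
    comp = opts.get("comp-lzo")                   # None if absent, [] for a bare "comp-lzo"
    return {
        "Interface Type": "TAP" if opts.get("dev", ["tun"])[0].startswith("tap") else "TUN",
        "Protocol": "TCP" if proto.lower().startswith("tcp") else "UDP",
        "Server Address/Port": (remote[0] if remote else None, int(port)),
        # only the "Outgoing (1)" menu label appears in the tutorial; the other two are assumed
        "Extra HMAC authorization": {"0": "Incoming (0)", "1": "Outgoing (1)"}.get(direction, "Bi-directional"),
        "Encryption cipher": opts.get("cipher", ["Default"])[0],
        "Compression": "Disabled" if comp is None else (comp[0] if comp else "Adaptive"),
        "TLS Renegotiation Time": int(opts.get("reneg-sec", ["-1"])[0]),
        "Custom Configuration": [" ".join(d) for d in directives if d[0] not in GUI_DIRECTIVES],
        "Static Key": blocks.get("tls-auth"),
        "Certificate Authority": blocks.get("ca"),
    }
```

Run tomato_fields(SAMPLE_OVPN), or pass your own provider file's contents, and copy each value into the named field; anything listed under Custom Configuration (here the auth SHA256 line) goes into that text box.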
Step 5: Start your OpenVPN client
Click on the Status tab and look for the play icon “▶”. Click the icon to start the VPN!
Once the connection is up, use an IP lookup service to confirm that you appear with your VPN IP and not your ISP IP.
Some Final Thoughts
I should mention that, in my experience, I tend to achieve higher VPN throughput from individual devices than from routers. This depends on a number of factors, total ISP throughput being one of them.
As an example, my upload speed is capped at about 7 Mbps, and I see about the same on my router or my workstation when encrypting through a VPN. However, I have about 75 Mbps download via my ISP. On an excellent VPN connection this will drop 20% on my workstation but might drop as much as 50% on my router.
But compared with my 32-bit Atom tablet, I saw only a 10% decrease from my router, and my ARM Cortex-A9 router is faster than my ARM Cortex-A7 Android phone, i.e. my phone does better leaving the encryption to the router.
All of my platforms are about the same on the 7 Mbps upload, so your mileage will vary. If you have gigabit fiber, I imagine you will see drastic performance hits. But if you are on a 1 Mbps DSL line, you probably won’t see a difference.
This has to do with the overhead of encryption. Although my router has a relatively fast dual-core ARMv7 CPU, it can hardly compete with my 8-core 64-bit workstation processor.
I am also not sure whether my router firmware uses processor-optimized encryption the way my workstation does. I recommend AES-128-CBC on your router as a good balance of encryption strength and performance.
The main advantage of using your router to create the VPN tunnel is that you can easily encrypt all your local devices. In a house like mine, this covers all the gaming consoles, phones, laptops, tablets, set-top boxes, etc. with one simple device.
When friends come over to steal your Wi-Fi, you can tell them they are being encrypted too!
However, I still have a question.
I have a modem supplied by my ISP (barely unmanageable).
I have to use this to make the connection to the Internet.
I have a Tomato router after that modem that manages my home network.
On this router I have configured OpenVPN as described above.
I doubt this config works: on IP lookup I see my ISP address and never another VPN address as mine.
Is it correct to assume that my ISP modem must run the VPN client?
Followed your directions to the T, and I cannot get it working :( I have an OpenVPN server that I can connect to no problem with the Windows client; however, when I try to connect using the Tomato client, it says connected, but no connected clients get VPN traffic through it.
Is it possible to select specific devices to use the VPN and other devices to use the ISP connection, or is it all or nothing?
Any suggestions on which server to use on the other side?
This is a really nice tutorial, but the client will not start, and Tomato does not display any error message. Could you direct your readers to a troubleshooting guide that explains how to enable and view the OpenVPN log, so we can determine what’s failing? =)
If you look under the “Custom Configuration:” section of this tutorial you will note that I talk about the “log” option as an additional option I like to set.
If you look at the “Advanced Tab” screenshot you will see under the “Custom Configuration” section the “log” directive I used.
You will either have to download the log file or, as I prefer to do, SSH in to the router and “tail -f” the log file.
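A small triage of the log that the custom log directive produces, as an added example (my own code, not from the tutorial or its commenters), tying the messages OpenVPN prints to the settings discussed above (cipher and compression mismatches, tls-auth, credentials, server address). The log excerpt is constructed; the message patterns are OpenVPN 2.x client log strings, while pairing them with tabs and fields is this example's own mapping.

```python
import re
# Constructed OpenVPN client log excerpt in the format the "log" directive writes (not a real capture).
SAMPLE_LOG = """Tue Mar  7 12:00:01 2017 UDPv4 link remote: [AF_INET]203.0.113.5:1194
Tue Mar  7 12:00:02 2017 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Tue Mar  7 12:00:02 2017 WARNING: 'comp-lzo' is used inconsistently, local='comp-lzo', remote=''
Tue Mar  7 12:00:03 2017 AUTH: Received control message: AUTH_FAILED
Tue Mar  7 12:00:03 2017 SIGTERM[soft,auth-failure] received, process exiting
"""
# (pattern, tutorial setting to recheck, note). The patterns are OpenVPN 2.x client log
# messages; pairing them with Tomato tabs/fields is this example's own mapping.
CHECKS = [
    (r"Initialization Sequence Completed", "ok", "tunnel is up"),
    (r"AUTH_FAILED", "Basic: Username/Password", "the provider rejected the credentials"),
    (r"cannot locate HMAC|packet HMAC authentication failed",
     "Basic: Extra HMAC authorization / Keys: Static Key", "tls-auth key or direction mismatch"),
    (r"'cipher' is used inconsistently.*remote='cipher ([^']+)'",
     "Advanced: Encryption cipher", "the server uses {0}"),
    (r"'comp-lzo' is used inconsistently", "Advanced: Compression", "compression differs from the server"),
    (r"TLS key negotiation failed to occur", "Basic: Server Address/Port and Protocol",
     "no TLS reply: check host, port and UDP/TCP"),
    (r"RESOLVE: Cannot resolve host", "Basic: Server Address/Port", "hostname does not resolve"),
]

def triage(log):
    """Return (state, findings) where state is 'connected', 'failed' or 'unknown'."""
    state, findings = "unknown", []
    for line in log.splitlines():
        for pattern, field, note in CHECKS:
            m = re.search(pattern, line)
            if m and field == "ok":
                state = "connected"
            elif m:
                findings.append((field, note.format(*m.groups())))
        if "process exiting" in line and state != "connected":
            state = "failed"
    return state, findings

def report(log):
    """Human-readable summary, one line per setting worth rechecking."""
    state, findings = triage(log)
    return "\n".join(["state: " + state] + ["recheck %s: %s" % f for f in findings])
```

Feed it the file named by your log directive (for example the output of tail on the router) and work through the listed fields in order; the cipher warning in the sample is the classic symptom of a port/cipher mismatch with the provider.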