Turn Your Tomato Router into a NAS Server with TomatoUSB. Tomato router setup

Setup OpenVPN on Tomato Router with PureVPN's Tutorial Guide

In order to get a router pre-configured with PureVPN settings, visit our partner – FlashRouter

The following guide will help you set up PureVPN OpenVPN on your Tomato router.

Things to Consider:

Before you begin, please make sure that:

  • You have a working internet connection
  • You have a supported router
  • You have a Premium PureVPN account (if you haven’t bought it yet, click here to buy)

It is very easy to configure OpenVPN on Tomato Router. Here’s an easy step-by-step guide:

1 Go to the ‘Control Panel’ and select ‘VPN Tunneling.’ Click on ‘OpenVPN Client’ and select ‘Client 1’ to enter the following details under the ‘Basic Tab’:

  • First Select the option ‘Start with Wan’
  • From Drop Down in ‘Interface Type’ select “TUN”
  • In Protocol Drop down, select “UDP”
  • To fill the Server Address Details, open the downloaded .ovpn file in Notepad, copy the address of your desired server and paste it in the field
  • Insert “53” for UDP in the port field
  • Select “Automatic” in firewall
  • Select “TLS” in Authorization Mode
  • Select “Username / Password Authentication”
  • Enter your Username and Password provided to you by PureVPN
  • Uncheck the ‘Username Authen. Only’
  • Select ‘Outgoing (1)’ in the drop down of “Extra HMAC authorization (tls-auth)”
  • Check “Create NAT on tunnel”

Note: To use TCP, change the protocol from ‘UDP’ to ‘TCP’ and enter ‘80’ instead of ‘53’ in the port field.

2 Go to the Advanced tab and do as follows:

  • Enter ‘0’ in the field Poll Interval
  • Uncheck ‘Redirect Internet Traffic’
  • Select ‘Relaxed’ in the drop down of “Accept DNS Configuration”
  • Select ‘AES-256-CBC’ in the drop down of “Encryption Cipher”
  • Select ‘Adaptive’ in Compression
  • Enter ‘-1’ in “TLS Renegotiation”
  • Enter ‘30’ in “Connection Retry”
  • Uncheck the option “Verify server certificate (tls-remote)”

3 Go to the tab titled ‘Keys’ and do as follows:

  • For ‘Static Key,’ open the WDC.key in a notepad, copy all content and paste the content in the field.
  • For “Certificate Authority”, open CA.crt in a notepad, copy all its content and paste the content in the field.
  • For “Client Certificate”, open Client.crt in a notepad, copy all of the content and paste the content in the field.
  • For “Certificate Key”, open Client.key in a notepad, copy all its content and paste the content in the field.

4 Click on the “Save” button and then click on the “Start Now” button. After a few seconds, your VPN connection will be established. You can verify the VPN connection status by clicking on the ‘Status Tab.’




Configure OpenVPN on Tomato Flashed Router

Configure Ace SSL VPN on Tomato Flashed Router – 1 Router Setup – Simple Ace VPN 2016-11-09T16:33:04+00:00

If you came to this page without reading the introduction please go back for a brief introduction, the advantages of this method and how it works.

Use this setup if you already have a DD-WRT router in your network and plan to configure Ace VPN on it for entire house protection.

  • This tutorial requires basic knowledge about routers and networks. If you have no prior knowledge, we suggest you familiarize yourself with routers and networks before you continue
  • Flashing third party firmware can void your router's warranty
  • AceVPN.com is not responsible for any damage to the hardware, systems, or personal injury if you do attempt this!
  • Only attempt if you are confident in your skills!
  • You have the Tomato router configured and can access Internet.

Router Configuration Steps

  • Connect a PC to the Lan port of the Router
  • Using your browser, login to the admin page of Router B. By default this is available at
  • Go to VPN Tunneling > Client Settings tab and set values as per below
    • Client1 > Basic tab
    • Start with WAN: Checked
    • Interface Type: Tun
    • Protocol: UDP
    • Server Address/Port: 443
    • Firewall: Automatic
    • Authorization Mode: TLS
    • Extra HMAC authorization (tls-auth): Disabled
    • Create NAT on tunnel: Checked

It would look like below screenshot when above steps are completed

    Client1 > Advanced tab
  • Redirect Internet Traffic: Checked
  • Accept DNS Configuration: Strict
  • Encryption cipher: Use Default
  • Compression: Enabled
  • TLS Renegotiation Time: -1
  • Connection Retry: 30
  • Custom Configuration:

#NOTE: Get additional IP’s from the configuration file
remote 443
ns-cert-type server
auth-user-pass /tmp/openvpn-client1-userpass.conf
script-security 3
reneg-sec 0

It would look like below screenshot when above steps are completed

    Client1 > Keys tab
  • Certificate Authority: Paste the contents of acevpn-ca.crt
  • Client Certificate: Paste the contents of acevpn-user.crt
  • Client Key: Paste the contents of acevpn-user.key. This is the password file. Do not share this with anyone.
  • Hit the Save button to save changes

It would look like below screenshot when above steps are completed

Now reboot your router and wait for a minute for the router to establish a secure tunnel with Ace VPN gateway. Now open up a browser and go to Ace VPN home page to make sure the VPN tunnel is established.


If you’re unable to connect to the VPN server or can occasionally but not for more than a few minutes at a time, and you use a WAN device that does PPPoE onboard (Like a SpeedStream 5100b DSL Modem) — You may have to disable the onboard PPPoE and use the PPPoE on the WRT54G. The GRE that’s needed for the VPN sometimes gets messed up by your WAN device, probably because it uses a buggy layer 3 stack that corrupts or doesn’t pass the GRE packets to your WRT.

You may also have disconnects if the actual network that the client is on is the same subnet that the server is on (e.g. client subnet is and the VPN server subnet is This causes IP collisions. The best solution is to change the subnet of your client network to something unique, such as (i.e. an IP range of with a netmask of

If you have additional questions or need help please contact us


How to Setup a VPN Server with Tomato VPN + OpenVPN

June 30, 2014 by LearnTomato

In this tutorial, you’ll learn how to set up a VPN server with Tomato VPN and OpenVPN. We’ll assume that your router is already running Tomato VPN or at least a version of Tomato that has it built-in. We will also assume that you have Dynamic DNS configured on your router to allow inbound requests to your LAN via www.yourdomain.com. You should also have the OpenVPN software installed on your client computer.

In this section, we’re going to set up your router as a Tomato VPN server. We will do so using OpenVPN static key authentication. This method is the simplest to set up and provides fast connectivity. However, you should be aware that the static key is shared between the client and the server. Therefore, this method supports only one VPN client.

If this is your first time setting up a VPN server, you might want to stick around and try your skills using this method first. But if you need to support multiple clients simultaneously, you will eventually need to use the OpenVPN TLS/SSL method instead.

Generate OpenVPN Static Key

First, we’re going to generate a key and create a profile for the client machine. Then, we’ll configure the VPN server settings within the router, copy the key and ‘Start’ the VPN server. Let’s start by generating the key.

OpenVPN software

  1. Click ‘Start’ > OpenVPN > Utilities.
  2. Right-click on ‘Generate a static OpenVPN key’.
  3. Choose ‘Run as administrator’.

The CMD prompt will open.

OpenVPN keygen

Press any key to generate the static key file. The command prompt window will close when the file has been created.

The static key will be saved in the following directory:

C:\Program Files\OpenVPN\config\key.txt.

OpenVPN static key file

  1. Open the key.txt file.
  2. Click ‘File’ > ‘Save As’
  3. Rename the file ‘staticvpn.key’ and change save type to ‘All Files’.
  4. Save the file to C:\Program Files\OpenVPN\config.

Setup the OpenVPN Client Profile

Now, we’ll generate the client configuration profile. This is what the OpenVPN client application will use to initiate the connection to our VPN server. It tells OpenVPN where to connect, what port to use, what protocol to use, the name of the key file, etc.

Client config file

  1. Open a text editor such as Notepad. Enter the text as seen in the image above. Replace www.mypublic.net with your domain name or public IP address. If your router's private IP is not, change this to whatever your router's IP address is.
  2. Click ‘File’ > ‘Save As’, then change the file type to ‘All Files’.
  3. Name the file ‘My Network.ovpn’ and click ‘Save’
  4. Save the file to C:\Program Files\OpenVPN\config.

Your ‘config’ directory should look like this:

OpenVPN config folder

Setup Your Router as a Tomato VPN Server

Navigate to: VPN Tunneling > OpenVPN Server

Tomato VPN server settings (basic)

  1. Ensure that the ‘Server 1’, and ‘Basic’ tabs are selected.
  2. Set your settings as seen in the image above.
  3. Click ‘Save’.

Go to the ‘Advanced’ tab.

Tomato VPN server settings (advanced)

Set your settings as seen in the image above. Be sure to include the Custom Configuration text exactly as follows:

push "redirect-gateway def1"

This command tells the Tomato VPN server to push the client's web traffic through the VPN. This way, instead of just accessing devices within your network, you’re now able to browse the Internet through your home network as well. In fact, the VPN server will issue your client device a private IP (192.168.1.x) and your public IP address will appear as if you are browsing the Internet from home, regardless of where you are connecting from!

Click the ‘Keys’ tab.

Static key

  1. Navigate to: C:\Program Files\OpenVPN\config.
  2. Open the key.txt file. Copy and paste the key into the text area. Click ‘Save’ to save the key.
  3. Click ‘Start’ to start the OpenVPN server.

Start the OpenVPN client (Run as Admin).

OpenVPN client software

  1. Navigate to: Start > All Programs > OpenVPN
  2. Right-click on ‘OpenVPN GUI’ and choose ‘Run as Administrator’.

Connect to your Tomato VPN server

VPN setup complete

Right-click the OpenVPN icon in your system tray. Choose connect. The status window will open and notify you that the initialization sequence has completed. Upon a successful connection, the icon in the task bar will turn green. Now that you are up and running, let’s make sure you understand what is going on behind the scenes.


Advanced Tomato Setup – Hide My Ass! Support

Learn how to set up an Advanced PPTP connection on your Tomato router in under 4 minutes! Check out our video tutorial below:

To begin with the Advanced Tomato PPTP setup, navigate to "Basic Settings" in the left-side menu. Then click on the "Network" subtab. This will open the "WAN / Internet" settings where you can begin with the setup. Modify the settings as explained and shown below:
  • Type: Choose "PPTP" as your connection type.
  • Username: Enter your HMA! account username
  • Password: Here, enter your special HMA! PPTP password. It can be found by logging into the VPN Control Panel and clicking on "Software & Help". Then click on "View" next to "Manually set-up VPN - No software". Copy your PPTP password from that page into this "Password" field.
  • VPN server: Log into the VPN Control Panel and click on "Software & Help". Then click on "View" next to "Manually set-up VPN - No software". Here, you will find the VPN hostname to either connect to the least loaded server in a specific server group (e.g. al.us.hma.rocks) or a random server in a specific server group (e.g. random.al.us.hma.rocks). You can also enter the IP address of the server you wish to connect to (e.g. Copy a VPN hostname or VPN IP address and paste it into the "VPN Server" field.
  • Options: require-mppe-128
  • Check the "Use DHCP" option
  • Subnet Mask: Enter
  • Connect Mode: Choose "Keep Alive"
  • Redial Interval: 10 seconds

Now scroll down to the "LAN" settings and modify the following:

  • Static DNS: 

Once you're done, scroll down and click "Save".

Go to "Status" in the left-side menu, where you will find the "Connect / Disconnect" button. Now click on "Overview", which will give you an overview of your connection status.

Check your location

If you wish to check your location when connected to VPN, please go to http://geoip.hidemyass.com/. When you wish to disconnect, simply click on "Disconnect".

Watch our video tutorial on how to set up an Advanced OpenVPN connection on your Tomato router in 6 minutes:

To begin with the Advanced Tomato OpenVPN Setup, click on the "VPN" tab in the left side menu. Then click on the "OpenVPN Client" sub-tab. This will open the VPN Client Setup page, where you should start off with the "Basic" tab as shown in the image below. Please edit the settings as explained below:

  • Start with WAN: Enable this option
  • Interface Type: Choose "TUN" from the drop-down menu
  • Protocol: Choose between "UDP" and "TCP" from the drop-down menu
  • Server Address/Port: Log into the VPN Control Panel and click on "Software & Help". Then click on "View" next to "Manually set-up VPN - No software". Click on the "Individual Servers" tab and choose a VPN IP address to enter into this field. In the second part of the field, enter "553" (If you previously chose UDP) or "443" (If you previously selected TCP), as shown below.
  • Firewall: Select "Automatic" from the drop-down menu
  • Authorization Mode: Choose "TLS" from the drop-down menu
  • Username/Password Authentication: Enable this option
  • Username: Type in your HMA! account username
  • Password: Type in your HMA! account password
  • Username Authen.Only: Leave this option disabled
  • Extra HMAC authorization (tls-auth): Choose "Disabled" from the drop-down menu
  • Create NAT on tunnel: Enable this option

When you're done, please double-check the entered settings, and then click "Save"

Now move on to the "Advanced" tab and edit the settings as follows:

  • Poll Interval: Leave at "0"
  • Redirect Internet traffic: Enable this option
  • Accept DNS configuration: Choose "Disabled" from the drop-down menu
  • Encryption cipher: Select "AES 256" from the drop-down menu
  • Compression: Choose "Enabled" from the drop-down menu
  • TLS Renegotiation Time: Enter "-1" seconds
  • Connection retry: Enter "30" seconds
  • Verify server certificate (tls-remote): Leave this option disabled
  • Custom configuration: Enter "ns-cert-type server" as shown in the image below.

When done, double-check and click "Save"

Now click on the "Keys" tab.

To proceed, you will have to open the certificate files and copy their content into the appropriate fields. Open them with a text editor (like Notepad or Wordpad). Select the entire content and copy it into the appropriate field as shown below:


When you're done, click "Save"

Now in the "Status" tab, you can see the current status of your connection. To establish a VPN connection, click on the  button in the far right. 

Now that you've activated your VPN connection, you will see that the status of your connection has turned from "Stopped" to "Running". You can see this in the "Status" tab.

Check your location

If you wish to check your location when connected to VPN, please go to http://geoip.hidemyass.com/. When you wish to disconnect, simply click on the  button. 
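
A check for the "Custom configuration" text used in the OpenVPN client steps above (the Ace VPN block and the HMA! "ns-cert-type server" line). This is an added example, not code from any of the quoted guides; the function name, the finding labels and the two constructed samples are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the "Custom Configuration" text of a Tomato OpenVPN client.
# Function name and finding labels are illustrative, not part of OpenVPN or Tomato.

# Directives from the Ace VPN steps ("remote 443" is reproduced as printed there).
ACE_CUSTOM='remote 443
ns-cert-type server
auth-user-pass /tmp/openvpn-client1-userpass.conf
script-security 3
reneg-sec 0'

# Directive from the HMA! Advanced tab.
HMA_CUSTOM='ns-cert-type server'

# Constructed sample: no server-certificate check at all.
BARE_CUSTOM='# constructed sample
nobind
persist-key'

# Constructed sample: the server certificate usage is checked.
CHECKED_CUSTOM='remote-cert-tls server
nobind'

# Reads directives on stdin; prints one finding per line, nothing when clean.
audit_custom_config() {
    awk '
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }   # skip blank lines and comments
    { val[$1] = $2 }                       # directive name -> first argument
    END {
        checked = (val["remote-cert-tls"] == "server") || ("verify-x509-name" in val)
        if (!checked) {
            if ("ns-cert-type" in val)
                print "WARN ns-cert-type: deprecated check, OpenVPN documents remote-cert-tls server as the replacement"
            else
                print "FAIL server-cert: no remote-cert-tls, verify-x509-name or ns-cert-type directive"
        }
        if (("script-security" in val) && val["script-security"] + 0 >= 3)
            print "WARN script-security 3: passwords may be passed to scripts in environment variables"
        if (("reneg-sec" in val) && val["reneg-sec"] + 0 == 0)
            print "INFO reneg-sec 0: time-based key renegotiation is disabled"
    }'
}

# Demo on the two configurations taken from the guides.
echo "== Ace VPN custom configuration"
printf '%s\n' "$ACE_CUSTOM" | audit_custom_config
echo "== HMA! custom configuration"
printf '%s\n' "$HMA_CUSTOM" | audit_custom_config
```

On a router, paste the Custom Configuration text into a file and feed that file to audit_custom_config on standard input.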


Turn Your Tomato Router into a NAS Server with TomatoUSB

March 15, 2014 by LearnTomato

What is TomatoUSB?

TomatoUSB allows you to mount a USB drive to your Tomato router, creating a NAS server which can be used for media streaming and file sharing. For this feature to work, your Tomato router must be equipped with a USB connection and have a version of Tomato firmware that provides TomatoUSB support.

What is a NAS Server?

A NAS (Network Attached Storage) server will allow you to store files and folders conveniently in one central location and access them from anywhere in your LAN. You can also access your NAS remotely using FTP or a private VPN network. This way, you can turn off those power-hungry computers, and access your files from a low-power USB drive connected to your router. I cover how to do that in the videos, but for now, let’s proceed under the assumption that we are connecting from inside of our LAN. I’m just using an old spare 4GB USB 2.0 flash drive.

First, login to access your router admin page and navigate to: USB and NAS > USB Support


Enabling Core USB Support is what enables the router to share files across the network. Together, the TomatoUSB firmware and the USB drive itself are what create a “Router NAS.”

Enable the TomatoUSB core support option and select your drive format (Ext2/Ext3, NTFS, FAT). Ext2 and Ext3 are Linux file formats, and NTFS was designed for Windows. FAT file format is commonly used for USB flash drives because it is recognized by most major operating systems.

Click ‘Save’

Optionally, you can select ‘Automount’ to mount the USB drive automatically.

After you click ‘Save’, plug in your USB drive and the router should mount the USB drive. We are still on the same page at this point. If you scroll down, you should see that the USB has been mounted and is now available for use.

Mount USB

NOTE: Before disconnecting the USB drive, it is recommended that you login to the router, and click ‘Unmount’ and click ‘Save’. Doing so will prevent potential data loss when you disconnect the USB drive from the router.

Now let’s setup file sharing.

Now, navigate to: USB and NAS > File Sharing

File Sharing

From here, you can enable file sharing two different ways:

  1. Yes, No Authentication
  2. Yes, Authentication required

When ‘Yes, no authentication required’ is selected, anyone on your network will be able to browse the files and folders on your NAS. With ‘Yes, Authentication required’ selected, you’ll be presented with the option to enter a username and password.

Click ‘Save’

Now let’s give our “NAS Server” a hostname.

Navigate to: Basic > Identification

Enter a hostname for your router.

Router ID / Hostname

The ‘Hostname’ is the name you will see when you browse network locations from your computer. You can name this whatever you like, but do not use spaces in the hostname.

Locate your NAS Server

Now, locate your new TomatoUSB powered NAS storage device by browsing network locations.

NAS Server

Enjoy file sharing

Click on the hostname of your router to access the files and folders on the USB drive. If you selected the option ‘Yes, Authentication Required’, you will be prompted to enter the username and password prior to gaining access to your files.

Browse Files and Folders


Simple Tomato Firmware Install On Asus RT-N16 Router

The Asus RT-N16 router is one of the most powerful routers currently available. The RT-N16 has 802.11n, gigabit network ports, a fast processor, lots of memory and flash, and two USB ports for running a printer and external hard drive at the same time.

The stock Asus firmware is not that great; people have reported a lot of problems with it. So a great way to improve this router is to install a third party firmware. The two most popular are Tomato and DD-WRT. Tomato seems to have all the advanced features, plus it is easier to use than DD-WRT, so I decided to install Tomato. The standard version of Tomato does not support USB. Luckily there is another project called TomatoUSB that allows the use of the USB ports on the RT-N16.

The only problem with the alternate firmwares is that the documentation is severely lacking. There doesn’t seem to be a single, easy to follow guide on how to install the firmware. You have to spend many hours reading forum posts that are sometimes contradictory.

In reality installing Tomato is actually pretty simple once you figure it out. There is a lot of confusing information online, but if you follow the steps below you will have a working Tomato install:

  1. Download the latest version of TomatoUSB from here: http://tomatousb.org/download.  For the Asus RT-N16 you need to use the “Ext” build for Kernel 2.6 MIPSR2. The Ext build has the most features and it will fit in the RT-N16’s flash space. I used Build 47, but use whatever the latest version is.
  2. Install the Firmware Restoration Utility from the CD that came with the router. Run \Utility\setup.exe from the CD to install it. If you no longer have the CD you can also download it from the Asus website.
  3. Disable the firewall on your computer. This is required, the Restoration Utility refuses to run unless it is disabled. To disable it on Vista or Windows 7, hit the Start key then type firewall to get to the firewall control panel. On XP you should be able to go to the Control Panel and find the Firewall icon.
  4. Using an ethernet cable plug your computer into one of the 4 LAN ports on the router.
  5. Open a web browser and go to Verify that the router login page loads. If nothing loads then your computer is not able to reach the router. You’ll need to fix this problem before continuing.
  6. Run the Asus Firmware Restoration Utility from the Start menu. If it gives you an error about the firewall then your firewall isn’t disabled. You need to disable it before continuing.
  7. Click the Browse button and select the file that you downloaded in step #1. Don’t click the upload button yet.
  8. Put the router in recovery mode: Unplug the router. Hold down the Reset button. Plug the router back in. Once the power light starts slowly flashing release the reset button. The power light should continue to flash. The flashing light means the router is ready to accept the new firmware.
  9. Click the upload button in the Restoration utility. The firmware will now start uploading into the router. Don’t touch anything while the firmware is being uploaded. After the upload is complete wait five minutes or so just to be sure everything is done.
  10. Now reset the settings to default: Unplug the router. Hold the WPS button on the back of the router. Plug the router back in. Hold the button for about 30 seconds and release it.
  11. Open a browser and go to Login with user “admin” and password “admin”. You should be logged into Tomato. Now you can configure your router using the Tomato GUI.

I’ve used the above steps to successfully install Tomato on my RT-N16. If you have any suggestions or improvements to this guide let me know by leaving a comment.


How to setup OpenVPN on Tomato

These instructions were made for routers that have Tomato firmware installed. Tomato version 1.28 was used to prepare this tutorial.

1. On your browser, open router settings page by entering its address in the address bar (the address is by default).

2. In the menu on the left side of the screen, click on the VPN Tunneling tab and then click on the OpenVPN Client tab.

3. As shown in the screenshot, set the following options:

  • Start with WAN – Check the box.
  • Interface Type – TUN.
  • Protocol – Choose either UDP or TCP.
  • Server Address/Port – Enter the server address in the first field and the port in the second one – 1194 if you set Protocol to UDP or 443 if you chose TCP. Please visit our server list to find out the address of the server you wish to connect to (you need to be logged in to see the server address field).
  • Firewall – Automatic.
  • Authorization Mode – TLS.
  • Username/Password Authentication – Checked. Enter your NordVPN credentials in the newly appeared fields.
  • Username Authen. Only – Unchecked (default).
  • Extra HMAC authorization (tls-auth) – Choose Outgoing (1) from the drop down list.
  • Create NAT on tunnel – Checked.

3.1. Some Tomato routers may not have any fields for entering OpenVPN credentials. If this is your case, please go to Administration -> Scripts and enter these lines into the Init field, changing username and password to your NordVPN credentials:

echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt

4. Click on Advanced tab and set the following options, as shown in the screenshot:

  • Poll Interval: 0
  • Redirect Internet traffic: Checked
  • Accept DNS configuration: Strict
  • Encryption cipher: AES-256-CBC
  • Compression: Adaptive
  • TLS Renegotiation Time: -1
  • Connection retry: -1
  • Verify server certificate: Unchecked
  • Custom Configuration:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
#log /tmp/vpn.log
#Delete `#` in the line below if your router does not have credentials fields:
#auth-user-pass /tmp/password.txt
#Delete `#` in the line below when connecting to our newest servers:
#auth sha512

5. Proceed by clicking on the Keys tab. Download the OpenVPN configuration pack and extract it. Find the configuration file for the server you were setting up and open it (in this case at1.nordvpn.com.udp1194.ovpn).

  • Static key – in this field copy and paste the text from the <tls-auth> to </tls-auth> block.
  • Certificate Authority – in this field copy and paste the text from the <ca> to </ca> block.

It should look like this:

6. Confirm and save all changes by clicking on Save button at the bottom of settings page. To establish a connection, click on Start Now button. In order to check if you have connected successfully please visit Status page.

7. You should also configure the router to use NordVPN DNS servers to prevent DNS leaks. Here’s an image on how the setting looks:

8. In order to setup a killswitch on Tomato router please do the following:

Navigate to Administration -> Scripts and under Firewall please type in:

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; UDP is refused with ICMP port-unreachable instead
iptables -I FORWARD -i br0 -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable

(Every client in the LAN will lose internet connection in case of VPN drop.)

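WAN_IF=`nvram get wan_iface`
# Replace the placeholder with the LAN IP address of the device to restrict
CLIENT_IP="ip address"
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; UDP is refused with ICMP port-unreachable instead
iptables -I FORWARD -i br0 -s "$CLIENT_IP" -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable

(Only the specified IP address will lose internet access in case of VPN drop.)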
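
Because iptables stops at the first matching rule, the kill switch only holds if its REJECT rules sit above every rule that could accept LAN-to-WAN traffic. The following added example (not part of the original guide) checks that ordering from a rule listing; the function name, the interface names vlan2 and tun11, and the three sample listings are constructed, and it assumes the firmware's iptables supports the -S listing format.

```shell
#!/bin/sh
# Added example: verify a LAN -> WAN kill switch from `iptables -S FORWARD` output.
# Assumes the LAN bridge is br0, as in the rules above; the WAN interface is an argument.

# Constructed listing: kill-switch rules inserted with -I sit at the top.
SAMPLE_PROTECTED='-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT'

# Constructed listing: the REJECT was appended below an ACCEPT, so it never fires.
SAMPLE_MISORDERED='-P FORWARD DROP
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited'

# Constructed listing: only TCP is rejected and the chain policy accepts the rest.
SAMPLE_PARTIAL='-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset'

# Prints "blocked" when all br0 -> WAN forwarding is rejected or dropped before
# any rule could let it through, otherwise "leak:<first offending rule>".
# Conservative: negated matches ("!") are not interpreted, and a jump to any
# target other than REJECT or DROP ahead of the catch-all counts as a leak.
killswitch_status() {
    wan_if=$1   # e.g. the output of `nvram get wan_iface`
    awk -v lan="br0" -v wan="$wan_if" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = ""; out_if = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(++i)
            else if ($i == "-o") out_if = $(++i)
            else if ($i == "-j") target = $(++i)
            else if ($i == "--reject-with") i++
            else extra = 1               # any other match narrows the rule
        }
        # Rules bound to other interfaces never see LAN -> WAN packets.
        if ((in_if != "" && in_if != lan) || (out_if != "" && out_if != wan)) next
        if (target != "REJECT" && target != "DROP") { print "leak:" $0; found = 1; exit }
        if (!extra) { print "blocked"; found = 1; exit }
    }
    END {
        if (!found) print (policy == "DROP" ? "blocked" : "leak:chain policy " policy)
    }'
}

# Demo on the constructed listings.
printf '%s\n' "$SAMPLE_PROTECTED"  | killswitch_status vlan2
printf '%s\n' "$SAMPLE_MISORDERED" | killswitch_status vlan2
printf '%s\n' "$SAMPLE_PARTIAL"    | killswitch_status vlan2
```

On the router the live check would be the FORWARD listing piped into killswitch_status with the value of nvram get wan_iface as its argument.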

