FreshTomato is the only version of the Tomato community-developed custom firmware for routers still actively supported. If you are using an older version of Tomato, we recommend upgrading to FreshTomato. 

In this guide, we show you how to set up Proton VPN on a Tomato router running the FreshTomato firmware using the OpenVPN VPN protocol. 

A step-by-step guide to setting up Proton VPN on your Tomato router.

Proton VPN can be set up on your FreshTomato-powered router so that it will automatically connect to a Proton VPN server (available on your subscription) whenever an internet connection is established. 

Below is a step-by-step guide to set up a FreshTomato router to Proton VPN. These changes are made in the web configuration panel of your router, which you can access by visiting the local IP address of your router in your web browser. 

The default local IP address for most Tomato routers is 192.168.1.1.

Prerequisites for the FreshTomato VPN setup:

• A preconfigured and working FreshTomato router (ideally with the FreshTomato firmware freshly installed or factory reset)
• A computer on the LAN network to remotely access the FreshTomato configuration interface
• Any Proton VPN OpenVPN configuration file. You can download the configuration files from the Downloads section of your Proton VPN account.

OpenVPN basic router settings

1. Open your browser and enter 192.168.1.1 in your browser bar (or whatever your router’s local IP address is).

2. On the menu bar located to the left side of the screen, click VPN Tunneling -> OpenVPN Client. If more than one OpenVPN client is supported on your device, you can select which one to configure. 

3. As shown in the screenshot below, set the following options in the Basic setup tab:

• Start with WAN – check the box.
• Interface Type – TUN.
• Protocol – UDP.
• Server Address/Port – Enter the server address in the first field and the port number in the second field. To find the server address, open the OpenVPN configuration file you downloaded and look for a line that looks like remote 37.120.217.168 1194. The IP address in this case is 37.120.217.168, and the port number is 1194. Port 1194 is the default port used by UDP. 
• Firewall – Automatic.
• Create NAT on tunnel  – check.
• Inbound Firewall – check.
• Authorization Mode – TLS.
• TLS control channel security (tls-auth/tls-crypt) – Choose Outgoing (1) from the drop-down list.
• Username/Password Authentication – check. Enter your OpenVPN username and password in the newly shown fields (not your regular Proton VPN credentials). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2  to block malware, ads, and trackers (for example 123456789+f2).
• Username Authen. Only – do not check (default).
• Auth digest – Select SHA512 from dropdown list.

OpenVPN advanced router settings

Now click on the Advanced tab. As shown in the screenshot, set the following options:

• Poll interval – 0
• Redirect internet traffic – select All from dropdown list.
• Accept DNS configuration – select Exclusive from dropdown list.
• Data ciphers – the most secure setting is AES-256-GCM. For improved reliability you can input AES-256-GCM:AES-256-CBC.
• Compression – select None from dropdown list.
• TLS Renegotiation Time – 0
• Connection retry – -1
• Verify Certificate (remote-cert-tls server) – check
• Verify Server Certificate Name (verify-x509-name) – No
• Custom configuration – add the following lines to the text field:

tls-client
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem

OpenVPN key settings

Select the Keys tab and open the OpenVPN configuration file you are using in a text editor. Set the following options:

• Static key — copy and paste the text from the <tls-auth> to </tls-auth> block in your OpenVPN configuration file into the text field.
• Certificate Authority — copy and paste the text from the <ca> to </ca> block in your OpenVPN configuration file into the text field.

Starting the VPN connection (OpenVPN Client Configuration)

• Confirm and save all changes by clicking on the Save button at the bottom of the settings page.
• To establish a connection, click on the Start Now button. In order to check if you have connected successfully, please visit the Status page.

Note: if you are starting from a fresh installation or hard reset, it is possible that the connection will fail because the router does not have the time setup. A router reboot normally fixes the issue by updating the date and time from the internet, which allows the VPN connection to be successfully established.

How to set up up a kill switch on your Tomato router

To set up a kill switch, navigate to Administration -> Scripts -> Firewall. For a kill switch where every device on your LAN will lose its internet connection in the event of a VPN dropout, enter the following lines:

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

Or for a kill switch where only devices with the specified IP addresses on your LAN will lose their internet connection in the event of a VPN dropout, enter the following lines:

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset