Tomato is a custom firmware for routers. It offers OpenVPN client support and is available on a wide variety of routers. You can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.
First things first, these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common default local IPs are 192.168.1.1 and 192.168.0.1; you can reach them by opening http://192.168.1.1 or http://192.168.0.1 in your browser. The default IP, username and password are listed in your router's User Manual.
Start with WAN – Check the box.
Interface Type – Select TUN.
Protocol – Choose either UDP or TCP and keep it in mind as this will be important later on.
In the first field, enter the hostname of the server you want to connect to. You can find it on the https://nordvpn.com/servers/tools/ page. Additionally, download the server's configuration file from the same page, below the hostname.
For the second field, depending on the protocol chosen earlier, input 1194 for UDP or 443 for TCP.
Firewall – Automatic.
Authorization Mode – TLS.
Username/Password Authentication – Checked. Enter your NordVPN credentials in the fields below.
Username Authen. Only – Unchecked (default).
Extra HMAC authorization (tls-auth) – Choose Outgoing (1) from the drop-down list.
Create NAT on tunnel – Checked.
Some Tomato routers may not have any fields for entering OpenVPN credentials. In such a case, go to Administration > Scripts and paste the commands below into the Init field. Make sure to change the username and password to your NordVPN credentials:
echo username > /tmp/password.txt
echo password >> /tmp/password.txt
chmod 600 /tmp/password.txt
Poll Interval: 0
Redirect Internet traffic: Checked
Accept DNS configuration: Strict
Encryption cipher: AES-256-CBC
TLS Renegotiation Time: -1
Connection retry: -1
Verify server certificate: Unchecked
#Delete `#` in the line below if your router does not have credentials fields
Static key – paste text from <tls-auth> to </tls-auth> block.
Certificate Authority – paste text from <ca> to </ca> block.
It should look like this:
DNS Server: Manual
DNS 1: 126.96.36.199
DNS 2: 188.8.131.52
Optional Kill Switch set up (for advanced users):
Navigate to Administration > Scripts and under Firewall paste one of the following scripts. The first blocks every LAN device from reaching the internet outside the VPN tunnel; the second blocks only a single device, identified by its local IP address.
# Reject LAN (br0) traffic that would leave directly through the WAN interface instead of the VPN tunnel
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; UDP is rejected with an ICMP port-unreachable instead
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
# Same rules, limited to one LAN device; replace the example address with that device's local IP
DEVICE_IP=192.168.1.50
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -s $DEVICE_IP -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -s $DEVICE_IP -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; UDP is rejected with an ICMP port-unreachable instead
iptables -I FORWARD -i br0 -s $DEVICE_IP -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
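As an added example (not part of the original guide), a small POSIX sh helper that prints the kill-switch rules for any WAN interface, optionally limited to one LAN device, and audits an `iptables -S FORWARD` listing to confirm the REJECT rules are present before any br0-to-WAN ACCEPT. The interface name vlan2, the address 192.168.1.50 and the two listings are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the Tomato/NordVPN guide: generate and audit kill-switch rules.

# Print the kill-switch rules for WAN interface $1; if $2 is given, limit them to
# that LAN source address (the per-device variant of the guide's second script).
killswitch_rules() {
    wan_if=$1
    src=""
    if [ -n "${2:-}" ]; then src="-s $2 "; fi
    printf 'iptables -I FORWARD -i br0 %s-o %s -j REJECT --reject-with icmp-host-prohibited\n' "$src" "$wan_if"
    printf 'iptables -I FORWARD -i br0 %s-p tcp -o %s -j REJECT --reject-with tcp-reset\n' "$src" "$wan_if"
    # iptables has no udp-reset; UDP gets an ICMP port-unreachable instead.
    printf 'iptables -I FORWARD -i br0 %s-p udp -o %s -j REJECT --reject-with icmp-port-unreachable\n' "$src" "$wan_if"
}

# Audit: read an `iptables -S FORWARD` listing on stdin, WAN interface in $1.
# Succeeds only if a br0 -> WAN REJECT exists and no br0 -> WAN ACCEPT precedes it.
killswitch_active() {
    wan_if=$1
    seen_reject=0
    while IFS= read -r line; do
        case "$line" in
            *"-i br0 "*"-o $wan_if "*"-j REJECT"*) seen_reject=1 ;;
            *"-i br0 "*"-o $wan_if "*"-j ACCEPT"*)
                [ "$seen_reject" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$seen_reject" -eq 1 ]
}

# Constructed sample listings (vlan2 stands in for the router's WAN interface).
# Because the guide uses `iptables -I`, the last inserted rule (udp) ends up first.
GOOD_LISTING='-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'
# An ACCEPT ahead of the REJECT rules means LAN traffic can still bypass the tunnel.
BAD_LISTING='-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited'

killswitch_rules vlan2 192.168.1.50
printf '%s\n' "$GOOD_LISTING" | killswitch_active vlan2 && echo "kill switch active"
```

On a live Tomato router, pipe the real `iptables -S FORWARD` output into killswitch_active with the value of `nvram get wan_iface`.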