These instructions were made for routers that have Tomato firmware installed. Tomato version 1.28 was used to prepare this tutorial.
1. On your browser, open router settings page by entering its address in the address bar (the address is 192.168.1.1 by default).
3. As shown in the screenshot, set the following options:
Start with WAN – Check the box.
Interface Type – TUN.
Protocol – Choose either UDP or TCP.
Server Address/Port – Enter server address in the first field and port in the second one – 1194 if you set Protocol to UDP or 443 if you chose TCP.
Please visit our server list to find out address of the server you wish to connect to (You need to be logged in to see server address field).
Firewall – Automatic.
Authorization Mode – TLS.
Username/Password Authentication – Checked. Enter your NordVPN credentials in the newly appeared fields.
Username Authen. Only – Unchecked (default).
Extra HMAC authorization (tls-auth) – Choose Outgoing (1) from the drop down list.
Create NAT on tunnel – Checked.
3.1. Some Tomato routers could not have any fields for entering OpenVPN credentials. If this is your case – please go to Administration -> Scripts and enter these lines into the Init field where you should change username and password to your NordVPN credentials:
echo username > /tmp/password.txt echo password >> /tmp/password.txt chmod 600 /tmp/password.txt
4. Click on Advanced tab and set the following options, as shown in the screenshot:
Poll Interval: 0
Redirect Internet traffic: Checked
Accept DNS configuration: Strict
Encryption cipher: AES-256-CBC
TLS Renegotiation Time: -1
Connection retry: -1
Verify server certificate: Unchecked
remote-cert-tls server remote-random nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ping-timer-rem reneg-sec 0 #log /tmp/vpn.log #Delete `#` in the line below if your router does not have credentials fields: #auth-user-pass /tmp/password.txt #Delete `#` in the line below when connecting to our newest servers: #auth sha512
5. Proceed by clicking on Keys tab. Download OpenVPN configuration pack and extract it. Find a configuration file for the server you were setting up and open it (in this case at1.nordvpn.com.udp1194.ovpn).
Static key – in this field copy and paste text from <tls-auth> to </tls-auth> block.
Certificate Authority – in this field copy and paste text from <ca> to </ca> block.
It should look like this:
6. Confirm and save all changes by clicking on Save button at the bottom of settings page. To establish a connection, click on Start Now button. In order to check if you have connected successfully please visit Status page.
8. In order to setup a killswitch on Tomato router please do the following:
Navigate to Administration -> Scripts and under Firewall please type in:
WAN_IF=`nvram get wan_iface` iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
(Every client in LAN will loose internet connection in case of VPN drop.)
WAN_IF=`nvram get wan_iface` iptables -I FORWARD -i br0 -s `ip address` -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited iptables -I FORWARD -i br0 -s `ip address` -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset iptables -I FORWARD -i br0 -s `ip address` -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
(Only specified IP address will loose internet access in case of VPN drop.)