Updated Tomato Setup For Newer Branches, Including Tomatousb

edited October 2014 in VPN Setup Support Posts: 34
I'm running Tomato Firmware v1.28.7498 MIPSR2-Toastman-VLAN-RT K26 USB VPN-NOCAT, so YMMV, but I believe all currently-maintained versions of Tomato (particularly TomatoUSB) will match my interface so long as they have VPN support at all.

  • Click VPN Tunneling menu, then OpenVPN Client submenu
  • Choose the Client 1 tab and then Basic tab below
  • Check Start with WAN if you want to auto-connect whenever your router is online/starts up
  • Set Interface Type to TUN
  • Set Protocol to UDP
  • Set the Server Address/Port to us-east.privateinternetaccess.com (or whichever server you prefer) and port to 1194
  • Set the Firewall to Automatic
  • Set Authorization Mode to TLS
  • Check Username/Password Authentication
  • Enter Your Username/Password in the boxes that newly appear below the check box
  • Ensure that the Username Authen. Only box is unchecked
  • Uncheck Extra HMAC authorization
  • Check Create NAT on tunnel
  • Click on the Advanced tab
  • Set Poll Interval to 0
  • Uncheck Redirect Internet Traffic
  • Set Accept DNS configuration to Strict
  • Set Encryption cipher to Use Default
  • Set Compression to Adaptive
  • Set TLS Renegotiation Time to 0
  • Leave Connection retry as 30
  • Uncheck Verify server certificate (tls-remote)
  • In the Custom Configuration textbox, input the following:
        persist-key
        persist-tun
        tls-client
        comp-lzo
        verb 1
  • Click on the Keys tab
  • Paste the contents of ca.crt found in OpenVPN Config Files, into the Certificate Authority text area
  • Press the Save button before the Start Now button


Enjoy!
Post edited by Support on
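The checklist above sets Authorization Mode to TLS but leaves "Verify server certificate (tls-remote)" unchecked, which is the gap a later reply in this thread objects to and the cause of the "No server certificate verification method has been enabled" warning quoted further down. The script below is an added example, not part of the original post and not Tomato's or PIA's code: it parses an OpenVPN client config (the directives Tomato generates from these GUI settings, reconstructed here as a constructed sample) and reports what is missing, with a hardened variant beside it. The inline <ca> body in the hardened sample is a placeholder, not a real certificate.

```python
import re

# Directives that make OpenVPN check *which* certificate the server presents
# (any one of them silences the "No server certificate verification method"
# warning quoted later in this thread).
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "remote-cert-eku", "tls-remote", "verify-x509-name"}

# Constructed config mirroring the GUI checklist above: TLS mode, CA pasted in,
# username/password auth, "Verify server certificate" left unchecked.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
ca ca.crt
auth-user-pass
persist-key
persist-tun
tls-client
comp-lzo
verb 1
"""

# Same tunnel with the two warnings the thread's logs raise addressed.
# The inline <ca> body is a placeholder, not a real certificate.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
<ca>
-----BEGIN CERTIFICATE-----
(paste the contents of ca.crt here)
-----END CERTIFICATE-----
</ca>
auth-user-pass
auth-nocache
remote-cert-tls server
persist-key
persist-tun
tls-client
comp-lzo
verb 1
"""


def parse_directives(text):
    """Return (directive, args) pairs; '#'/';' comment lines are skipped and an
    inline <tag>...</tag> block collapses to (tag, ['<inline>'])."""
    out, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == "</%s>" % block:
                out.append((block, ["<inline>"]))
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def audit(text):
    """Return the findings for a client config, in a fixed order; [] is clean."""
    names = {name for name, _ in parse_directives(text)}
    findings = []
    if "ca" not in names:
        findings.append("no CA: the server certificate chain cannot be checked at all")
    if not names & SERVER_VERIFY_DIRECTIVES:
        findings.append("no server certificate verification: add 'remote-cert-tls server'")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("password may be cached in memory: add 'auth-nocache'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["clean"])
```

Without one of the verification directives the client accepts any certificate signed by the pasted CA, not just the server it was told to connect to. `remote-cert-tls server` requires the peer certificate to carry the TLS-server extended key usage; on Tomato the assumption is that it can be typed into the Custom Configuration box when the GUI's tls-remote checkbox is not used, which you can confirm by reading the generated config your build writes.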

Comments

  • Posts: 10
    I have an Asus RT-N66U with Asuswrt-Merlin firmware. I tried the above instructions but it's not working.
    Can you please let me have instructions for it?

    I have used uk-london.privateinternetaccess.com instead of us-east.privateinternetaccess.com,
    port 1194 and everything else as per the instructions.

    Many thanks


  • Posts: 10
    I have tried importing the ovpn file as well (UK London.ovpn).


  • VPNVPN
    Posts: 795
    @rcbarnes: You really should verify the server's cert.
  • Posts: 10
    How do I verify the server certificate???

    I have opened up
    Content modification of Keys & Certificates and pasted the CA.crt content in the Certificate Authority text area.


  • Posts: 10
    Do I have to install CA.crt???

    Store it as a local machine??


  • VPNVPN
    Posts: 795
    @johnsmith: Do you realize this thread is a guide for the Tomato firmware? It has nothing to do with your issues. Please find a thread for Merlin/your device or make your own.
  • Posts: 2
    This worked perfect!! 
    At first I didn't have some of those options. Then realized I didn't have the vpn bin flashed, once that was installed it all worked perfect on the first try! 
    Thanks!!!
  • hello rcbarnes and zemaj800 - I just got a WRT54GS and I installed the latest version of Tomato.  Where could I find the VPN bin to flash if you could please direct me?
  • Posts: 4,013
    hello rcbarnes and zemaj800 - I just got a WRT54GS and I installed the latest version of Tomato.  Where could I find the VPN bin to flash if you could please direct me?
    I suggest waiting or changing your plans. I have a WRT54GL and the best speed it can manage via OpenVPN is ~260 kilobytes per second. (Just over 2 megabits per second. The routers have a 200 MHz CPU that is simply overburdened by the mathematics of the encryption.)

    And the latest Shibby firmware is still using a Heartbleed-susceptible version of OpenSSL in the OpenVPN client and server. The latest stable compile of the Shibby firmware for the WRT54G* series routers uses OpenSSL 1.01c and needs 1.01g to be secure from the Heartbleed bug. Until they release new firmware, we are stuck with useless routers.

    Here is a link to the thread where this is discussed.
    https://www.privateinternetaccess.com/forum/index.php?p=/discussion/2882/how-to-test-your-router-for-the-heartbleed-bug#Item_1

    If you want to get a router that is newer and can handle the mathematics, I suggest either the Asus RT-AC68U or the Netgear Nighthawk AC1900. But each is currently around $200 and I am unsure if they have firmware with the fixed OpenSSL available.
  • Posts: 68
    Shibby released his tomato firmware for R7000 yesterday.  He even has a video on how to flash.  I think it also works for AC68.
  • Just saw a nice little guide on using two VPNs with Tomato:
    http://www.flashrouters.com/blog/tag/two-vpn-clients-on-tomato/


  • Anyone know how to set this up so that only specific devices use the VPN?  For instance, I have 3 Apple TVs that I want to go through the VPN, but I want all other devices to use my ISP.  I've tried multiple setups that I found on Google; none of them have worked.
  • Posts: 1
    hello,

    I installed Shibby's AIO and tried to configure the VPN using this post.
    The VPN router is Ethernet-bridged behind another router that is itself Ethernet-bridged.

    I think I am doing something wrong with the CA.CERT.

    How do I copy this to the tab on Shibby Tomato?
    Right now I copy it manually with Ctrl-C / Ctrl-V and leave a blank line between each field.

    I then have the following text; it looks exactly like this.
    What am I doing wrong?

    V3

    00 eb 6a 32 44 76 25 25 eb

    sha1RSA

    sha1

    E = secure@privateinternetaccess.com
    CN = Private Internet Access CA
    O = Private Internet Access
    L = Columbus
    S = OH
    C = US

    zaterdag 21 augustus 2010 20:25:54

    dinsdag 18 augustus 2020 20:25:54

    E = secure@privateinternetaccess.com
    CN = Private Internet Access CA
    O = Private Internet Access
    L = Columbus
    S = OH
    C = US

    30 81 89 02 81 81 00 e9 55 96 41 dc c5 f3 79 1c 0b 30 a6 bc 86 ec 03 7d 0a f7 2f 57 37
    17 bd 21 28 f7 5a 80 97 f2 04 f0 7d 24 9c a6 64 20 08 5e ff 3d e6 87 3d 2d f7 57 41 1e 1e 72 7e ac 2b 5e 51 a2 ca 29 69 95 50 7d b5 f6 68 86 f7 22 90 61 77 1b a1 45 0b d8 f8 d0 62 8f d3 f7 76 d8 97 d1 da f2 6d e3 fe 49 29 10 65 41 cf 70 96 5b 30 1d 91 a6 3d 58 9d 41 b5 34 62 0a 19 97 4d 1b 03 24 af 91 7f ee d7 4d 39 02 03 01 00 01

    97 ca b0 63 6b 7e 18 dd 29 6b fc 1f ab e6 0e 0e cc 60 55 09

    Sleutel-id=97 ca b0 63 6b 7e 18 dd 29 6b fc 1f ab e6 0e 0e cc 60 55 09
    Certificaatverlener:
         Mapadres:
              E=secure@privateinternetaccess.com
              CN=Private Internet Access CA
              O=Private Internet Access
              L=Columbus
              S=OH
              C=US
    Serienummer van certificaat=00 eb 6a 32 44 76 25 25 eb
    Subjecttype=CA
    Beperking voor padlengte=Geen

    sha1

    b1 30 d3 6c 0f 51 74 bb 6e 81 23 77 50 1b 35 a8 f7 10 c8 bb

  • Posts: 2
    Is there a doc to setup PIA on the tomato router on a specific vlan?  I have a vlan created on port 3, now want to dedicate that port to PIA. Thanks.
  • I have a Cisco/Netgear e3000 router running Tomato Firmware v1.28.7506 MIPSR2Toastman-RT K26 USB VLAN-VPN

    I just set it up according to this guide, and it seems to have gotten entered correctly, since it Started fine, but as soon as it starts, I lose internet connectivity.

    I could understand if it just ran slower, but it breaks all connectivity.

    I double checked I had it all set according to the above.  Any suggestions on how to troubleshoot?
  • Posts: 861
    So, in the log do you see "initialization sequence completed"? Can you ping an ip address such as 8.8.8.8 when the router is connected?  Sometimes there are DNS problems, that's why I ask.
  • I'm not sure which log you refer to, so I can't answer.  I do see the router change from "start now" to "stop now", which tells me the service is started.  Plus, it changes from usable internet to nothing working.

    Also, no, I cannot ping 8.8.8.8; the request times out.

    I changed the password I'm entering in Tomato back to the original password provided to me by PIA, and after saving, then starting, I can browse the internet, but not through their service.  whatsmyip shows my ISP-provided IP address.

    I'd post pictures of my setup, but I don't seem to be able to add pictures here.
  • Hello, 

    I just flashed my Asus RT-N16 router with EasyTomato firmware. Everything seems good, but I just can't connect my VPN client to any of the Private Internet Access servers.

    I got this router solely for the purpose of VPN, so any help would be greatly appreciated. Also, I don't think I can get through via UDP as it's blocked by my ISP, but using my Mac's PIA VPN client, TCP works great with port 443, so I was hoping I could configure my router also using TCP via port 443, but no success so far.

    Any suggestions or help?

    Thanks
  • The original post worked perfectly on my Cisco Linksys E2500 with TomatoUSB the first time, after days of frustration with the PIA website's instructions.  Thank you so much!
  • edited December 2014 Posts: 1
    I'm getting the following error in my log after setting things up per your instructions.

    "Jan 1 06:08:27 unknown daemon.err openvpn[5023]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: Name or service not known"

    My router is setup in switched mode; IE, my att gateway connects to one switch port instead of the internet port.

    Any ideas?
    Post edited by ddonnie on
  • Posts: 861
    DNS problem on your tomato router.
  • Posts: 18
    Please use the IP address of the VPN server you are connecting to instead of us-east.privateinternetaccess.com, and then the issue would resolve. Check and let me know.
  • I've got this set up on my E3000 and my WAN connections work fine, but one LAN connection doesn't work at all.  Any suggestions?
  • When I've got the router VPN going my wired connection only works when I also use the Windows client.  My wireless connections don't have this issue..
  • Solved.  My windows DNS servers were manually set to my ISP's servers.  Changed them to the PIA servers and it works just fine.
  • Posts: 2
    I used the above to set up Merlin on an Asus RT-56.  Here is what I did:

    1.  Start with the OpenVPN config file.  (US Midwest.ovpn)
    2.  Update the basic & advanced settings to match the above settings.
    3.  Click "Content Modification & Keys" and copy & paste the ca.crt contents under the Certificate Authority area.
    4.  Copy / paste the following in custom configuration:
            persist-key
            persist-tun
            tls-client
            comp-lzo
            verb 1

    Apply, then turn on the client by toggling the service state.

    Enjoy VPN on entire router!

    Now to figure out how to limit the VPN just to particular machines...
  • Thanks OP. Instructions worked perfect!

    Installed PIA on an Asus RT-N10P flashed with Shibby Tomato build no.  tomato-K26-1.28.RT-N5x-MIPSR2-121-Max.trx. (see instructions here: http://tech.surveypoint.com/posts/tomato-firmware-install-on-asus-rt-n10p-router/).

    The only issue was getting ca.crt to paste into Certificate Authority, but a quick ticket to Support and they emailed me the info, which I simply had to copy and paste into the Certificate Authority box.
  • I've got a newer Shibby Tomato on my Asus N12 and I'm having trouble getting this working.  This is what my logs show:

    Jan  1 01:02:13 unknown daemon.warn openvpn[746]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Jan 1 01:02:13 unknown daemon.warn openvpn[746]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 1 01:02:14 unknown daemon.err openvpn[746]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: Name or service not known
    Jan 1 01:02:14 unknown daemon.err openvpn[750]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: Name or service not known
  • Posts: 4,013
    What DNS settings are you using?
  • edited January 2015 Posts: 1
    SOLVED: I figured it out. Turns out the OpenVPN Client password field has a 50 character limit. So copy/pasting the password caused some of the characters to be truncated.

    1. I followed the steps above, but I seem to be stuck. I keep getting "WARNING: No server certificate verification method has been enabled." which I guess makes sense because "Verify server certificate (tls-remote)" is unchecked. How do I enable the server certificate verification?

    Jan 28 00:27:27 unknown daemon.notice openvpn[12364]: OpenVPN 2.3.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2014
    Jan 28 00:27:27 unknown daemon.notice openvpn[12364]: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
    Jan 28 00:27:27 unknown daemon.warn openvpn[12364]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Jan 28 00:27:27 unknown daemon.warn openvpn[12364]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 28 00:27:27 unknown daemon.notice openvpn[12369]: UDPv4 link local: [undef]
    Jan 28 00:27:27 unknown daemon.notice openvpn[12369]: UDPv4 link remote: [AF_INET]104.207.136.125:1194
    Jan 28 00:27:28 unknown daemon.warn openvpn[12369]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jan 28 00:27:28 unknown daemon.notice openvpn[12369]: [Private Internet Access] Peer Connection Initiated with [AF_INET]104.207.136.125:1194
    Jan 28 00:27:30 unknown daemon.notice openvpn[12369]: AUTH: Received control message: AUTH_FAILED
    Jan 28 00:27:30 unknown daemon.notice openvpn[12369]: SIGTERM[soft,auth-failure] received, process exiting


    2. I've checked out the link provided in the log but it seems to indicate I need to create two more certificates? But I don't see any mention of that above.

    3. On the keys tab, I copy/pasted the contents of ca.crt into the Certificate Authority box starting from -----BEGIN CERTIFICATE----- ...all the way thru... -----END CERTIFICATE-----. The Client Certificate and Client Key boxes are blank. Should these have something in them? And if so, what?

    Anyone know what I am doing wrong here?

    Tomato Shibby
    Netgear AC1900 (R7000)
    tomato-R7000-ARM--124-AIO-64K.trx

    Post edited by hieroglyph on
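The log excerpts posted in this thread each point at a different root cause: RESOLVE failures are a router DNS problem, AUTH_FAILED turned out to be a truncated password, and the certificate-verification warning is the unchecked tls-remote option. The script below is an added example, not from any post in the thread, that parses Tomato's syslog lines for the openvpn process and maps each known message to the diagnosis the thread arrived at. The sample lines are copied from the posts above, except the last one, which is constructed to show the success case a replier asked about.

```python
import re

# syslog prefix as Tomato writes it: "Jan  1 01:02:13 unknown daemon.err openvpn[746]: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<facility>[\w.]+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (message pattern, category, advice): the thread's troubleshooting as rules.
# Named groups in the pattern are substituted into the advice text.
RULES = [
    (r"RESOLVE: Cannot resolve host address: (?P<host>\S+):", "dns",
     "router cannot resolve {host}: fix the WAN DNS setting or use the server IP"),
    (r"AUTH: Received control message: AUTH_FAILED", "credentials",
     "server rejected the username/password: check for truncation (the GUI field caps at 50 chars) or a rotated password"),
    (r"No server certificate verification method has been enabled", "unverified-server",
     "client will accept any certificate signed by the CA: add 'remote-cert-tls server'"),
    (r"may cache passwords in memory", "password-cache",
     "add 'auth-nocache' as the log itself suggests"),
    (r"Initialization Sequence Completed", "connected",
     "tunnel is up; if nothing loads, test DNS inside the tunnel (e.g. ping 8.8.8.8)"),
]

# Sample input: five lines copied from posts in this thread, the last one constructed.
SAMPLE_LOG = [
    "Jan  1 01:02:13 unknown daemon.warn openvpn[746]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Jan  1 01:02:13 unknown daemon.warn openvpn[746]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts",
    "Jan  1 01:02:14 unknown daemon.err openvpn[746]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: Name or service not known",
    "Jan 28 00:27:28 unknown daemon.warn openvpn[12369]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this",
    "Jan 28 00:27:30 unknown daemon.notice openvpn[12369]: AUTH: Received control message: AUTH_FAILED",
    "Jan  1 01:05:00 unknown daemon.notice openvpn[760]: Initialization Sequence Completed",  # constructed
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not an openvpn line."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """One (category, advice) per line that matches a rule, in log order;
    unparseable or uninteresting lines are dropped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, category, advice in RULES:
            m = re.search(pattern, rec["msg"])
            if m:
                out.append((category, advice.format(**m.groupdict())))
                break
    return out


def summarize(lines):
    """Deduplicate findings by category, keeping first-occurrence order."""
    seen, out = set(), []
    for category, advice in triage(lines):
        if category not in seen:
            seen.add(category)
            out.append((category, advice))
    return out


if __name__ == "__main__":
    for category, advice in summarize(SAMPLE_LOG):
        print("%-18s %s" % (category, advice))
```

Feeding the whole of Tomato's Logs page through `summarize` gives one line per distinct problem rather than one per retry, which matters when the client loops on a RESOLVE failure every few seconds.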