How to set up PIA on Advanced Tomato - October 2017

Hi All,

After doing my block trying to get my VPN connected, I thought I would share my settings that I managed to finally get working after lots of swearing. I am using AdvancedTomato on a Netgear R7000.

I am offering a slight modification to the settings posted here which did not work for me.

You may change your port and certificate key depending on the encryption you wish to use, based off the table found here

The below guide is for AES-128-CBC encryption

  • Login to your router (usually by entering in your browser)
  • Default username/password are both "admin" if you are logging in for the first time
  • Click VPN from the menu on the left, then OpenVPN Client submenu
  • Choose the Client 1 tab and then Basic tab below
  • Check Start with WAN if you want to auto-connect whenever your router is online/starts up
  • Set Interface Type to TUN
  • Set Protocol to UDP
  • Set the Server Address/Port to (or whichever server you prefer) and port to 1198
  • There is a tiny chance that entering (or whichever server you prefer) might not work. You can replace that web address with the actual IP address of that server. To find the IP address, open the "terminal" application in Linux/OSX or "command prompt" in Windows and type "ping " followed by the address of the server ( in this example). This will return an IP address that you can enter in the Server Address/Port section. DON'T DO THIS: eventually the servers may change addresses and your true IP will be exposed.
  • Set the Firewall to Automatic
  • Set Authorization Mode to TLS
  • Check Username/Password Authentication
  • Enter Your Username/Password in the boxes that newly appear below the check box (use your actual username starting with "p", not the proxy username that starts with "x")
  • Ensure that the Username Authen. Only box is unchecked
  • Set Extra HMAC authorization to disabled
  • Check Create NAT on tunnel
  • Click on the Advanced tab
  • Set Poll Interval to 0
  • Check Ignore Redirect Gateway (route-nopull)
  • Set Accept DNS configuration to Exclusive
  • Set Encryption cipher to AES-128-CBC
  • Set Compression to Adaptive
  • Set TLS Renegotiation Time to -1
  • Leave Connection retry as 30
  • Uncheck Verify server certificate (tls-remote)
  • In the Custom Configuration textbox, input the following lines:
      remote-cert-tls server
      persist-key
      persist-tun
      tls-client
      comp-lzo
      verb 1
      reneg-sec 0
  • Click on the Keys tab
  • Paste the contents of ca.crt found in OpenVPN Config Files, into the Certificate Authority text area (Open ca.rsa.2048.crt with notepad to find this)
  • Paste all of the characters found in that file, including "-----BEGIN CERTIFICATE-----" at the beginning and the "-----END CERTIFICATE-----" at the end
  • Press the Save button before the Start Now button
From here you can now start setting policies under the "Routing Policy" tab. You can test functionality by adding and seeing if you are connected to your VPN by visiting said site.

You will notice that this is only very slightly different from the original post from 2016, but to me it made the difference between not only failing to start the VPN but killing my internet altogether, and working beautifully. I hope this helps somebody because it took me AGES to figure out - Good luck!
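The GUI settings above map one-to-one onto OpenVPN client directives. The following is an added example (not from the original post or from PIA/AdvancedTomato) that renders those settings as a client config and checks the directives that decide whether the server's certificate is actually verified: `remote-cert-tls server` is what does that job once `tls-remote` is unchecked, and a raw IP in `remote` is what the guide warns against. The server hostname is a placeholder; everything else is taken from the guide.

```python
import re

# Settings as chosen in the AdvancedTomato GUI (constructed from the guide above).
GUI_SETTINGS = {
    "dev": "tun",                                # Interface Type: TUN
    "proto": "udp",                              # Protocol: UDP
    "remote": ("<pia-server-hostname>", 1198),   # Server Address/Port (host is a placeholder)
    "cipher": "AES-128-CBC",                     # Encryption cipher
    "auth_user_pass": True,                      # Username/Password Authentication
    "route_nopull": True,                        # Ignore Redirect Gateway (route-nopull)
    "tls_remote": None,                          # Verify server certificate (tls-remote): unchecked
    "ca_file": "ca.rsa.2048.crt",                # Keys tab: CA certificate
    "custom": ["remote-cert-tls server", "persist-key", "persist-tun",
               "tls-client", "comp-lzo", "verb 1", "reneg-sec 0"],
}

def render_ovpn(s):
    """Turn the GUI settings into OpenVPN client directives, one per line."""
    lines = ["client", f"dev {s['dev']}", f"proto {s['proto']}",
             "remote {} {}".format(*s["remote"]), f"cipher {s['cipher']}",
             f"ca {s['ca_file']}"]
    if s["auth_user_pass"]:
        lines.append("auth-user-pass")
    if s["route_nopull"]:
        lines.append("route-nopull")
    if s["tls_remote"]:                      # deprecated CN check; unused in this guide
        lines.append(f"tls-remote {s['tls_remote']}")
    lines.extend(s["custom"])
    return "\n".join(lines) + "\n"

def check_server_verification(ovpn_text):
    """Return findings about server-identity checks; an empty list means none."""
    directives = {ln.split()[0]: ln.split()[1:]
                  for ln in ovpn_text.splitlines() if ln.strip()}
    findings = []
    if "ca" not in directives:
        findings.append("no CA: any certificate would be accepted")
    # Without one of these, a client cert signed by the same CA could pose as the server.
    if (directives.get("remote-cert-tls") != ["server"]
            and "tls-remote" not in directives and "verify-x509-name" not in directives):
        findings.append("server cert not bound to server role or name")
    host = directives.get("remote", [""])[0]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("remote is a raw IP: breaks silently when the provider renumbers")
    if directives.get("cipher", [""])[0].upper() in ("", "NONE"):
        findings.append("no cipher: tunnel payload is not encrypted")
    return findings
```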


  • Thanks for this! I haven't had a chance to try it myself but it's good to see more people using Tomato! :)
  • I'm using a Netgear R8000 with Tomato as my Wi-Fi router; it is connected to the WAN port of my TP-Link modem router (model AC1600), which is the router connected to the internet. I have followed your instructions and rechecked several times, but there is no connection to the web via the 2nd router and no time on the clock: clicking on Overview says time = not available. I don't know if I have an IP address clash, because when the PC is Ethernet-connected to the 2nd router (Netgear) I input and I can connect to the Netgear router (Tomato page), but when I remove the Ethernet cable and type in via wireless I connect to the homepage of the TP-Link router. Have I got an IP address clash? This is all a new area, but I have a bit of PC savvy.
  • I am using a Netgear R7000. The VPN is working, but I would like to route some of my internal LAN IPs through the VPN, and that does not seem to be working. I am using the Routing Policy tab, enable it, and use the IP address of the client I would like to route through the VPN.
  • I'm having trouble with this... I'm on an R700 router and I've followed all the steps for configuration. After starting the VPN, it says "running" but there's nothing showing up under general statistics and going to shows my IP is exposed.

    It took a bit of configuration to get it working. I had to change the port from 1198 to 502 for some reason before it would connect as "running" (on port 1198 it just wouldn't start).

    I tried adding to the routing policy as a domain -- still showed my IP.

    I tried adding my computer's IP to the routing policy as a source -- still showed my IP.

    I'm at a loss. I want all traffic routed through the VPN; it says "running", but it isn't working.

    The current log file says:
    <date> <time> unknown user.notice root: vpnrouting: searching gateway for tun11
    over and over and over... with an occasional
    <date> <time> unknown daemon.err openvpn[8856]: TLS Error: TLS handshake failed
    Which looks bad.