Skip to main content

AdvancedTomato (OpenVPN Setup)


This tutorial will walk you through configuring a router using AdvancedTomato firmware version 3.5-140.

Before starting, decide what type of encryption you want to use, and what protocol you want to connect with. The stronger the encryption is the more secure the traffic will be, but it will trade some performance for that additional security. This guide will be using AES-128-CBC encryption with the UDP protocol. Here is a table containing the various options and their dependencies. If you want to configure a different level of encryption, you will need to alter your input to match based upon these specifics.

Dependencies Table

Auth Cipher Cert UDP Port TCP Port
SHA1 BF-CBC ca.crt 53, 8080, 9201 80, 110, 443
SHA1 AES-128-CBC ca.rsa.2048.crt 1198 502
SHA256 AES-256-CBC ca.rsa.4096.crt 1197 501

Step 1. Basic Settings — Network : to use the PIA DNS servers, which will prevent DNS logging and leaks, select Basic Settings. From the options on the left sidebar and in the expanded menu, click Basic Settings to access the general router settings where you can specify what DNS to use.

1. In WAN Settings set DNS Server to Manual.

2. Set DNS 1 to

3. Set DNS 2 to

4. Scroll to the bottom of the page and click Save.

Step 2. OpenVPN Client — Basic Settings : to access the VPN settings interface, select VPN from the options on the left sidebar and in the expanded menu click the OpenVPN Client. By default, the Basic tab will be selected. (All of these items are highlighted in red in the image below.)

1. If you want the VPN connection to start when your router gains internet access, check the box for Start with WAN.

2. Interface Type will need to be set to TUN.

3. Protocol will be set to UDP in this guide. In most cases UDP provides better speeds than TCP. If TCP is used, be sure to use the port shown in the table at the beginning of this guide.

4. Server Address — the first field will require you to input the server name you want to connect to, a full list of those options can be found here : (This guide has used

5. Input the Port number, which you can find in the dependencies table above.

6. Firewall will need to be set to Automatic.

7. Authorization Mode will need to be set to TLS.

8. The box for Username/Password Authentication will need to be checked.

9. In the Username field, input your PIA username — that is always in the format of p1234567 and cannot be replaced with any other information.

10. The Password field requires the input of the password for your PIA account, which is assigned to you, but you have the ability to customize in the client control panel.

11. Username Authen. Only will need to be unchecked.

12. Extra HMAC authorization (tls-auth) will need to be Disabled.

13. Create NAT on tunnel will need to be checked.

14. Click Save.

Step 3. OpenVPN Client — Advanced Settings : click on the Advanced tab, shown highlighted red in the image below.

1. Poll Interval should be set at 0.

2. Redirect Internet Traffic should remain unchecked.

3. Ignore Redirect Gateway (route-nopull) should remain unchecked.

4. Accept DNS configuration will need to be set to Strict.

5. For the Encryption cypher setting you will select the option specific to your preferences from the dependencies table at the top of the guide.

6. Set Compression to Adaptive.

7. TLS Renegotiation Time should be set to -1.

8. Connection retry will be set to 30.

9 Verify server certificate (tls-remote) should be unchecked.

10. The Custom Configuration section will require multiple specific lines of text; copy and paste the following into this field:

remote-cert-tls server
reneg-sec 0
auth-retry interact

11. Click Save.

Step 4. OpenVPN Client — Keys : click on the Keys tab, shown highlighted in red in the image below.

1. You will need to download the security certificate specific to the encryption you are using, links for each of the three certificates can be found in the dependencies table at the beginning of the guide.

2. Open the certificate in a text editor and copy the contents into the Certificate Authority field. (Note : The contents of this must include the begin and end certificate lines as well, be sure to copy the whole thing.)

3. Client Certificate and Client Key should both remain blank. Click Save.

Step 5. Connect!

1.  In the top right corner of all tabs in the OpenVPN Client, there is a button to start or stop the VPN connection. You are now ready to connect. Click the icon that looks like a play button.

2. Once the connection is established you will see (Running) listed next to the OpenVPN Client

Authors list

First published: 15/04/2020

Last updated: Apr 20, 2020 by Joseph Calhoon