
Tomato (OpenVPN Setup)


Disclaimer: Installation and use of any software made by third party developers is at your own discretion and liability. We share our best practices with third party software but do not provide customer support for them.

FlashRouters offers plug-and-play DD-WRT routers preconfigured for Private Internet Access for this setup.

Note: If you are using TomatoUSB, or the steps below do not match your installation of the Tomato firmware, please refer to the following alternate setup for Tomato.

Step 1: In the Tomato router Administrative Interface, click Administration and then Scripts, and enter the following in the Init section:

  • echo username > /tmp/password.txt
  • echo password >> /tmp/password.txt
  • chmod 600 /tmp/password.txt

Note: Replace *username* and *password* with your actual PIA username and password.

For example, if your PIA username was p1234567 and password was 12345678, the first couple of lines would look like this:

echo p1234567 > /tmp/password.txt
echo 12345678 >> /tmp/password.txt

The chmod command may not be necessary, but can help with permissions on certain firmware versions. It limits /tmp/password.txt to read and write by its owner.

Step 2: Click Save


Step 3: On the left-side menu, click VPN Tunneling and then Client.

Step 4: Choose Client 1 and then choose Basic

Step 5: Check Start with WAN

Step 6: Set Interface Type to Tun

Step 7: Set Protocol to UDP

Step 8: For the Server Address/Port, type  and port 1198. Or, if you prefer to use a specific location, you can find the full list of locations here:

Step 9: Set Firewall to Automatic

Step 10: Set Authorization Mode to TLS

Step 11: Set Extra HMAC authorization to Disabled

Step 12: Check Create NAT on tunnel

Step 13: Click Save


Step 14: Click on the Advanced tab

Step 15: Set Poll Interval to 0

Step 16: Uncheck Redirect Internet Traffic

Step 17: Set Accept DNS configuration to Enabled

Step 18: Set Encryption cipher to AES-128-CBC

Step 19: Set Compression to (Adaptive)

Step 20: For TLS Renegotiation Time, Type: -1

Step 21: For Connection Retry, Type: 30

Step 22: In the Custom Configuration, input the following:

  • persist-key
  • persist-tun
  • tls-client
  • auth-user-pass /tmp/password.txt
  • comp-lzo
  • verb 1
  • reneg-sec 0

Step 23: Click Save


Step 24: Click on the Keys tab and copy and paste the contents of ca.rsa.2048.crt into the Certificate Authority.  The ca.rsa.2048.crt file can be found here:

Step 25: Click Save


Step 26: To connect, click on VPN Tunneling > Client > Status, and click on the Start Now button.
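A variant of the Step 1 init script, added here as an example and not part of the original guide: it sets the umask before writing so /tmp/password.txt is never created with looser permissions, quotes the values so passwords containing spaces or shell metacharacters are stored intact, and checks the result. The function names `write_creds` and `check_creds` and the sample credentials are hypothetical.

```shell
#!/bin/sh
# Added example, not the guide's own script. write_creds and check_creds are
# hypothetical helper names; /tmp/password.txt is the path used in Step 1.

write_creds() {
    # $1 = username, $2 = password, $3 = target file
    user=$1 pass=$2 file=$3
    (
        umask 077            # files created in this subshell get mode 0600
        rm -f "$file"        # remove any older copy that may have a looser mode
        # printf with quoted arguments keeps spaces, $ and other shell
        # metacharacters in the password exactly as given
        printf '%s\n%s\n' "$user" "$pass" > "$file"
    )
}

check_creds() {
    # Returns 0 only for a regular file, mode rw-------, with two non-empty
    # lines (username, then password), which is what auth-user-pass reads.
    file=$1
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "$file: missing or not a regular file"; return 1
    fi
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$file: mode is $mode, expected -rw-------"; return 1
    fi
    lines=$(grep -c . "$file" || true)
    if [ "$lines" -ne 2 ]; then
        echo "$file: expected 2 non-empty lines, found $lines"; return 1
    fi
    return 0
}

# Demo with constructed credentials in a scratch file (not real values).
# In the router's Init section the call would instead be:
#   write_creds 'your_username' 'your_password' /tmp/password.txt
demo=$(mktemp)
write_creds 'p0000000' 'ex@mple pa$$word' "$demo" && check_creds "$demo" \
    && echo "credentials file OK: $demo"
rm -f "$demo"
```

Single-quote the username and password when calling `write_creds`; a password that itself contains a single quote needs that character escaped as `'\''`.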



First published: 14/03/2018

Last updated: Aug 24, 2020 by Joseph C