Know-How: OpenVPN on a router with Shibby's TomatoUSB


Well-known Member
Note: This is a translation of the German how-to provided by Gerd and JackCarver in the German Forum.

This how-to is for experienced users only. You should have some basic experience with routers and computers to install and configure the TomatoUSB firmware. If something goes wrong when flashing the firmware you might brick your device – depending on your router this might be hard to impossible to fix.

Perfect Privacy offers pre-configured routers in cooperation with When ordering a router from Flashrouter you have the option to have it come with either DD-WRT or TomatoUSB.

Note that when ordering routers in the USA, it cannot be guaranteed that the hardware has not been tampered with, according to journalist Glenn Greenwald.

You can find the pre-configured routers for Perfect Privacy here.

An alternative to routers pre-flashed with DD-WRT or TomatoUSB is using Asus router with the original firmware. Hidemyass has tested vpn configurations on the following routers: Asus RT-N16, Asus RT-N66U, Asus RT-AC66U, Asus RT-AC68U and Asus RT-AC87U. These are easy to configure and all you need it to import the iOS configuration file "Servers grouped UDP" and add your Perfect Privacy user credentials and the DNS servers.

Additional Information:

For this howto we used a WRT54GL router. With the help of this howto it should not be problematic to adjust the configuration for similar routers. You can find a list of compatible and most popular routers further below.

1) Preparation

You will need a router that supports the TomatoUSB Mod (with VPN) from Shibby. List of Compatible routers.

I recommend using a router that supports firmware with kernel 26 or higher, because Shibby no longer supports Kernel 24. Not all of the compatible router that are listed with "K26" will be able to run Kernell 26 with VPN. You should make sure that the size of the firmware does not exceeed the memory size of the router. (Aslso, "Policy Based Routing" as listed under 6) will not work with K24, only K26 and above).

According to the TomatoAnon Database the most popular routers are:

1. Asus RT-N66U (CPU 600MHz)
2. Asus RT-N16 (CPU 480MHz)
3. Netgear WNR3500L V2 (CPU 480 MHz)
4. Asus RT-AC66U (CPU 600MHz)
5. Linksys WRT54G/GS/GL (GL-DE V1.1 CPU 200 MHz)

The VPN speed depends on the CPU in the router, the server location and your ISP. Theoretically, with a better CPU you should get faster VPN speeds. There are several routers that offer high performance CPUs:

Netgear R7000 (CPU 2x1000MHz)
Asus RT-AC68U (CPU 2x800MHz)
Asus RT-AC56U (CPU 2x800MHz)

(For further technical details, check the DD-WRT Wiki)

For comparison: With a Netgear R7000 speeds of 20 to 30Mbit/s should be possible if not limited by other means.

Table for WRT54/GL/GS Router

In the table you can see that the WRT54/GL/GS router supports both Kernel 24 and Kernel 26.

The current firmware for the WRT54GL with Kernel 26 is already over 4 MB. But the actual limit for firmware on this device is limited to 3.68 MB. The only firmware supporting VPN that fits is running on Kernel 24. Because of this we will be using the TomatoUSB firmware "tomato-ND-1.28.5x-110-VPN.trx" in the K24 directory, which is 3.47 MB in size.

Current list of firmwares.

For a firmware for the Asus RT-AC66U router I would recommend the following:


After downloading change the file extension of the .trx file to ".bin". In this example rename "tomato-ND-1.28.5X-110-VPN.trx" to "tomato-ND-1.28.5X-110-VPN.bin".

  • You will need a compatible DD-WRT Micro of Mini Genertic Firmware from the router database
  • Register with Perfect Privacy, if you don't have an active account
  • Download the OpenVPN configuration files
  • In the downloaded archive, copy the certificates of a server of your choice into a seperate directory
In this example we are using the server in Amsterdam and need the following files:

  • ca.crt (the same for all servers)
  • Amsterdam.ovpn
  • Amsterdam_cl.crt
  • Amsterdam_cl.key
  • Amsterdam_ta.key
2) Tomato Firmware Upgrade

2.1) General information about flashing the firmware:

To avoid errors during the flash process it is important to pay attention to each individual step. Before and after flashing the firmware a hard-reset ("30/30/30") should be issued (Detailed description)

With a hard-reset all settings in the NVRAM will be set to factory default. If there is no corresponding DD-WRT Micro firmware, you will need to flash the DD-WRT Mini firmware first. Depending on the router the flash process can take several minutes. Under NO circumstances interrupt this process.

2.2) Firmware Upgrade

First issue a hard-reset and loginw ith the default credentials. In most cases this is:

user: root
password: admin

Then upgrade the firmware to DD-WRT Micro or Mini Generic.

If the firmware has already been upgraded you can continue at step 2.3

Configuration menu for the WRT54GL router with the original firmware:

Click on "Durchsuchen"/Choose File.." (marked as 3 in the screenshot below) and select the file "dd-wrt.v24_micro_generic.bin" that you renamed before.

2.3) After the DD-WRT upgrade has finished, issue another 30/30/30 hard-reset.

Issue the following command via the menu Adminstration -> Commandes -> Command Window" to determine the maximum possible size for the TomatoUSB Mod firwmware:

echo "$((0x`cat /proc/mtd | grep linux | awk '{ print $2 }'`)) bytes available for firmware"

Next proceed with the upgrade to a suitable TomatoUSB Mod firmware:

For this example with the WRT54GL router we click on "Choose File" (marked as 4 in the screenshot above) and select the file "tomato-ND-1.28.5X-110-VPN.bin". Once the upgrade has finished, issue another 30/30/30 hard-reset.
Last edited by a moderator:


Well-known Member
3) Tomato Configuration

First, change the default password via "Administatration -> Admin Access". Next, I recommend to deactivate the TomatoAnon script. According to Shibby, the script with standard settings will send some information for statistical purposes:

  • router model
  • Tomato version
  • build type

But looking at the project website, there is more than that displayed. While the source code of this script is public, I still recommend to deactivate the script via "Administration -> TomatoAnon":

  • "Yes, I do and want to make a choice"
  • "No, I definitely won't enable it"

Now configure the router and make sure that you have internet connectivity. You can find detailed help for the configuration in Wikibooks.

3.1) WLAN

Some information about Geolocation in combination with an active WLAN adapter on a computer. If you allow a website to access your geolocation information, your system will submit the following information to Google:

  • IP Address
  • WLAN access points in vicinity, including their MAC adresses, SSIDs, signal strength and distance to the next cell tower.
  • cell towers and gps transmitters in vicinity
  • a random identification number generated by your system (assigned by Google and deleted after two weeks)

The more of this data is availabel, the more precise the location of a VPN user can be determined. But note that the VPN connection as such remains secured.

Geolocation Test:

(Click here for a geolocation test)

How to deactivate the geolocation in the browser:
  • Firefox: type about:config into the url bar, then disable "geo.enable and "geo.WLAN.url".
  • Chrome: In Settings -> Show Advanced Settings -> Privacy -> Content Settings... -> Location
  • Opera: In Settings _> Settings... -> Advanced -> Network -> Deactivate Geolocation
Be aware that if your system gets infected with malware, it can re-activate deactivated WLAN adapters and interecept the received WLAN signals.

The geolocatione example shows that VPN in connection with WLAN cannot guarantee 100% anonymity. One possibility is to use OpenVPN only on secure devices and WLAN on insecure devices. You can find an example configuration at step 6 and 7.

3.2) DNS Configuration

About Perfect Privacy Nameservers: If you use Perfect Privacy DNS servers, you would have no working DNS without an active VPN connection. To connect to a Perfect Privacy VPN server initially you will need an open DNS server.

Under "Basic -> Network" enter the DNS servers that you want to use to prevent a DNS leak.

At the OpenNIC Project you can check for free DNS servers close to you. You should take the following into account when choosing a DNS server:
  • Choose at least two different nameservers from the list
  • The chosen nameservers should ideally be in different countries
You can check your DNS servers here. If everything was set up correctly you should not be seeing any nameservers from your ISP.

If a VPN connection cannot be established again after it was interrupted, the problem often lies in a non-functional DNS server, but this is rarely the case with DNS servers from OpenNIC. Alternatively you can use DNS servers from these:

3.3) JFFS Configuration

1. Menu: Administration
2. Menu: JFFS
3. Activate the checkbox "Enable"
4. Click on "Format/Erase"
5. Click on Save

3.4) SSH Configuration

1. Menu: Administration
2. Menu: Admin Access
3. Activate the checkbox "Remote Access"
4. Activate the checkbox "Allow Password Login"
5. Click on Save

3.5) Copy Perfect Privacy Configuration files with SCP

Before copying the files make sure that there is still free space on the device (Menu JFFS -> "Free Size").

- Transfer Protocol: SCP
- Hostname:
- Port: 22
- Username:
- Password:
- Click on "Login"

When connected with WinSCP, in the "jffs" folder, create the two folders "\openvpn\config\" and copy the Perfect Privacy configuration files into "jffs\openvpn\config\". When finished, you can deactivate SSH again.

3.6. Copy configuration files with scp under Linux

First create a directory via the TomatoUSB GUI configuration, "Tools -> System Commands":

mkdir /jffs/openvpn/config

And press "Execute".

Now you can transfer the files with scp into the directory.

4) VPN Configuration

1. Menu: VPN Tunneling
2. Menu: OpenVPN Client
4. Menu: Basic
5. Set checkmark for "Start with WAN"
6. Interface Type: TUN
7. Protocol: UDP
8. Server Address/Port:
(In this example we use the configuration "Amsterdam.ovpn")
9. Port: 1149 (from Amsterdam.ovpn)
10. Firewall: Automatic
11. Authorization mode: TLS
12. Set checkmark for "Username/Password"
13. Username & Password: Your Perfect Privacy user credentials
14. Extra HMAC auth...: Outgoing(1)
15. Set checkmark for "Create NAT on tunnel"

16. Menu: Advanced
17. Set checkmark in "Redirect Internet Traffic"
18. Accept DNS configuration: Strict
19. Encryption cipher: AES-256-CBC
20. Compression: Adaptive
21. TLS Renegotiation Time: -1
22. Connection retry: -1
23. Custom configuration:

script-security 2
ns-cert-type server
tun-mtu 1500
fragment 1300
reneg-sec 86400
resolv-retry 60
route-method exe
route-delay 2
ca /jffs/openvpn/config/ca.crt
cert /jffs/openvpn/config/Amsterdam_cl.crt
key /jffs/openvpn/config/Amsterdam_cl.key
tls-auth /jffs/openvpn/config/Amsterdam_ta.key 1
hand-window 120
auth SHA512
verb 4
inactive 604800
ping 5
ping-restart 120
replay-window 512 60

The Server name has to start with a capital letter.

Last edited by a moderator:


Well-known Member
5.) Firewall Configuration

29. Menu: Administration
30. Menu: Scripts
31: Menu: Firewall
32: Insert iptables rules:

iptables --flush FORWARD
iptables -P FORWARD DROP
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

You can find some basic description about iptables here.

Restart your router after adding the iptables rules to make sure the rules are in effect.

Detailed description for the firewall rules:

5.1 iptables --flush FORWARD

Delets all rules in the FORWARD chain

5.2 iptables -P FORWARD DROP

Adds a policy for the FORWARD chain to close all ports. Ports that are open for traffic will need specific ALLOW rules.

5.3 iptables -I FORWARD -o tun+ -j ACCEPT

Outgoing traffic via tun+ is allowed for all ports

5.4 iptables -I FORWARD -i tun+ -j ACCEPT

Incoming traffic via tun+ is allowed for all ports

5.5. iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

This rule replaces the LAN address (e.g. with a VPN address for the tun+ interface (e.g. This is necessary to reach the VPN servers.

Additional information:

The rules 5.1 to 5.5 protect against IP leaks on the router. This is done by setting the policy for the FORWARD chain to DROP. The FORWARD chain rules apply to all incoming and outgoing traffic over the router (i.e. when the router is relaying packets and not the destination). For example when a program on your computer wants to access the internet over the router. We now open the FORWARD chain only for OpenVPN – if the VPN connection is interrupted, no traffic will be sent or received. If a client behind the router establishes its own OpenVPN connection, it will be cascaded through the OpenVPN connection on the router. There is no need to open any ports since OpenVPN is already allowed in the FORWARD chain.

This concludes the howto to establish a VPN connection. If you want to setup Policy Based Routing, test that the VPN connection is working beforehand.

6) Policy Based Routing

The TomatoUSB MOD firmware with Kenel24 from Shibby does not work with advanced routing. The Policy Based Routing (PBR) rules only work with Kernel26 or higher. The WRT54GL router from this example would not support PBR routing.

About Policy Based Routing:

Policy Based routing or advanced routing was implemented for more complex routing setup. For instance, without PBR it is not possible to use multiple routing tables at the same time, instead you only had one main table to work with.

Policy Based routing supports multiple routing tables at the same time and you can set up rules to define which routing table is responsible for handling certain packets. For instance, you can define that packets with a specific source IP or that were flagged by iptables before, should be handled by an alternative routing table. The use of PBR on a VPN router is necessary to set up something like in the following scenario:

All devices that are accessing the router via LAN should use OpenVPN while devices that are coming from the WLAN should access the internet directly, without OpenVPN. With the standard routing this is not possible because OpenVPN is modifying the main routing table so that all traffic is being sent over VPN.

[Next sentence unverständlich: "Dies geschieht durch hinzufügen einer spezifischeren Route, in der Regel die Routen und, welche die default Route, die direkt über den Router geht überstimmen aber trotzdem den gesamten IPv4 Adressraum abdecken." - kann man weglassen?]

With Policy Based Routing you can set up an additional routing table in which the default rule defines that all traffic should go directly (without VPN) to the internet. You can set up rules to define for which packets the alternative routing table applies. You can find an example how to do this with iptabled under 6.1.

6.1) PBR Main Rules

First the Policy Based Routing main rules will be added via Menu "Administration -> SCripts -> WAN Up":

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
pppoe_gateway=`ifconfig ppp0 | awk '/P-t-P/ {split ($3,A,":"); print A[2]}'`
ip route add default via $pppoe_gateway table 200
ip rule add fwmark 1 table 200
ip route flush cache

The first rule deactivates the rp_filter
The second rule deletes the mangle table
The third rule saves the provider assigned Gateway IP in the variable $pppoe_gateway
The fourth rule adds a new default rule to the table 200. The default route uses the Gateway IP from the ISP
The fifth rule creates the actual policy: The table 200 should be used for alkl packets that are market with "1"
The sixth rule empties the routing cache

6.2.) Now we can add the following examples to the main rules:

Rule 6.2.1:

# This rule marks all packets incoming via br1 with "1"
iptables -t mangle -I PREROUTING -i br1 -j MARK --set-mark 1

Rule 6.2.2:

# This rule marks all packets with "1" that match the following criteria: the packets come from br1, they have TCP port 80 (HTTP) or 443 (HTTPS) as destination port, and they come from the IP address 192-168.2.5
iptables -t mangle -I PREROUTING -i br1 -p tcp -m multiport --dports 80,443 -s -j MARK --set-mark 1

Rule 6.2.3:

# This rule marks all packets with "1" if they come from br1 and from the IP
iptables -t mangle -I PREROUTING -i br1 -s -j MARK --set-mark 1

Rule 6.2.4:

# This rule marks all packets with "1" that come from br1 and have the destination IP
iptables -t mangle -I PREROUTING -i br1 -d -j MARK --set-mark 1

Rule 6.2.5:
# These rules mark all packets with "1" that come from br1 and have a destination port that uses UDP or ICMP protocol
iptables -t mangle -I PREROUTING -i br1 -p udp -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br1 -p icmp -j MARK --set-mark 1

All packets marked with "1" by these rules will use the routing table 200 (as defined in rule 5 under 6.1) and thus will bypass OpenVPN and go directly to the internet.

6.3. Firewall Rules for Policy Based Routing

While the script in 6.1. creates a new routing table and rules (6.2.) that define which packet should use which table, we need firewall rules to either allow the packets with ACCEPT or block them with DROP.

As long as the rule "iptables -P FORWARD DROP" enforces the policy to DROP all packets, you need no further specific firewall rules to DROP packets.

Except for a minor change, the following firewall rules are almost identical to the examples in 6.2. For each of the examples in 6.2. we need a appropriate rule in the Menu "Administration -> Scripts -> Firewall":

6.3.1 for rule 6.2.1:

# All packets that are incoming or outgoing via br1 are allowed.
iptables -I FORWARD -i br1 -j ACCEPT
iptables -I FORWARD -o br1 -j ACCEPT

6.3.2. for rule 6.2.2.

# Allow all packets that meet the following criteria: They are incoming or outgoing via br1, the destination port is either TCP port 80 (HTTP) or 443 (HTTPS) and the source IP is
iptables -I FORWARD -i br1 -p tcp -m multiport --dports 80,443 -s -j ACCEPT

(A second iptables rule with "--sports" (source ports) is not needed because the first rule allows all packets. Packets in response to an outgoing request are also allowed.

Alternative to "-m multiport --dports 80,443" (destination ports)

If we only require one port, we can simply write

--dport 80

If several ports in succession are needed (for example 440,441,442,443), we can also use this format:

-m multiport --dports 440:443

6.3.3. for rule 6.2.3:

# Allow all packets that are incmoing via br1 and that have as source IP
iptables -I FORWARD -i br1 -s -j ACCEPT

6.3.4. for rule 6.2.4
# Allow all packets that are incoming via br1 and have as destination IP
iptables -I FORWARD -i br1 -d -j ACCEPT

6.3.5. for rule 6.2.5
# Allow all packets that are incomuing or outgoing via br1 and are using UDP or ICMP protocol. They are allowed for all ports, they are restricted only by protocol.
iptables -I FORWARD -i br1 -p udp -j ACCEPT
iptables -I FORWARD -o br1 -p udp -j ACCEPT
iptables -I FORWARD -i br1 -p icmp -j ACCEPT
iptables -I FORWARD -o br1 -p icmp -j ACCEPT
Last edited by a moderator:


Well-known Member
7) Example configuration with WLAN exception rules


All devices that are connected to the router on the ethnernet ports 1-4 should access the internet via OpenVPN. All devices that are connected via WLAN should not be using OpenVPN but accessing the internet directly via the ISP.


As soon as the WLAN is set up and activated, the interface "eth1" will be automatically bridged with the interface "br0". We need two interfaces for LAN and WLAN because with only one interface an IP based configuration would be necessary, which is rather difficult. Therfore, in the menu "Basic -> Network" we create a new DHCP server with the address and the IP Range with the bridge "br1"

Next we need to configure VLAN in the menu "Advanced -> VLAN". As displayed in the next picture VLAN0 runs thought the bridge LAN (br0). With the VLAN number being "0", the port configuration is rather difficult.

For this reason we change the VLAN and VID numbers and create under "Wireless" a bridge between "eth1" and "LAN1 (br1)". (Assuming a device is connected to the ethernet port and should be assigned its own interface, we would create another DHCP server with br2 and remove the Port1 from LAN (br0) and assign Port1 LAN2 (br2) instead).

A glance on "Current Routing Table" in the menu "Advanced -> Routing" shows that the traffic now only goes via br0 (LAN) and br1 (LAN1) and not over a VLAN interface. Therefore we don't need to add another VLAN configuration.

7.1. Police Based Routing Rules

First we need the policy based routing rules in menu "Administration -> Scripts -> Wan UP"

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
pppoe_gateway=`ifconfig ppp0 | awk '/P-t-P/ {split ($3,A,":"); print A[2]}'`
ip route add default via $pppoe_gateway table 200
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br1 -j MARK --set-mark 1

(The meaning of these PBR rules is covered in 6.1 and 6.2)

7.2 Firewall Rules

Traffic for the interface "br1" (WLAN) needs to be allowed via menu "Administration -> Scripts -> Firewall". To do this we use the rules from the example in 6.2.1 above:

iptables -I FORWARD -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -j ACCEPT

Traffic between br1 and br0 is blocked by the rule "iptables -P FORWARD DROP". Now you only can reach the router with the Gateway IPs from br1 and br0. To block WLAN traffic from the LAN IP of the router and vice versa we need to add the following rules:

iptables -I INPUT -i br1 -d -j DROP
iptables -I INPUT -i br0 -d -j DROP

The full ruleset should look like this:

iptables --flush FORWARD
iptables -P FORWARD DROP
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
iptables -I FORWARD -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -j ACCEPT
iptables -I INPUT -i br1 -d -j DROP
iptables -I INPUT -i br0 -d -j DROP

This concludes the configuration. The changes will take effect after you restarted the router.

Many thanks to JackCarver for the steps 5-7. And many thanks to all testers of the TomatoUSB Mod firmware and config who take the risk of potentially bricking their device. All those experiences help to make this how-to better.


Well-known Member
The main work of this tutorial was done by @Gerd, the translation of the german tutorial was done by @PP Stephan. So it's their effort that this tutorial is now available in the englisch section.

I did some assistance to @Gerd in policy based routing, a scenario if someone wants to bypass VPN connection for some reason.


New Member
If you get
Linux ifconfig inet6 failed: external program exited with error status: 1
Exiting due to fatal error

you will need to add
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"

to the custom configuration.
Last edited: