Setting Up a VPN Server on a Tomato Router, Part 1

by Eric Geier

Building a VPN? Tomato Router is one way to bypass expensive equipment to give users secure remote access or connect offices.

Looking to set up a virtual private network (VPN)? You don't have to buy expensive equipment to set up a VPN to give users secure remote access or connect offices together. Small and midisze businesses especially can take advantage of lower-cost alternatives.

Microsoft gives you VPN server and client functionality right in Windows; however, the feature-set is limited, and only Vista versions and later offer good security. One alternative we're going to discuss is installing aftermarket firmware on a wireless router loaded with the free OpenVPN server and client. We already covered this with the DD-WRT firmware. Now, we'll look at the Tomato firmware, using the TomatoVPN variant.

Get a Compatible Router

You can't use the Tomato firmware on just any wireless router. Make sure you have (or get) one that's compatible. Vendors with supported routers include Linksys, Buffalo, and Asus. To check your specific model and version, refer to the Tomato FAQ.

Once you've verified your router is compatible, download and install the firmware.

This tutorial is written using the 1.27vpn3.6 release of TomatoVPN, which uses the OpenVPN 2.1.1 server and client. Then on a PC, I'll use OpenVPN 2.1.4 for creating SSL certificates and for VPN client functionality on PCs.

Initial Login

Start by connecting to the TomatoVPN router and logging into the web-based control panel. Open your browser and enter the default IP address of Then, login with the default username and password, which are both "admin".

Before playing with the VPN features, be sure to configure the basics so you're secure: wireless settings (including WPA or WPA2 security) and the router's password for the control panel.

Change the Router's Subnet and IP

Since VPN connections link networks together, you must be careful with the subnet and IP addressing so there aren't any conflicts. The TomatoVPN default IP of is one of the most common among all routers, and it and will likely cause a problem. Use something that's not a common default, such as If you have multiple offices, assign each to a different IP/subnet, such as and

To change the TomatoVPN router, connect and bring up the web-based control panel by entering the IP address ( into a web browser. Then click Basic > Network (see Figure 1). Change the Router IP Address, such as and adjust the IP Address Range accordingly, such as - Then click Save.

Tomato VPN Router
Figure 1
The Tomato VPN Router

Now you must use the new IP to login to the TomatoVPN control panel.

Signup and Configure a Dynamic DNS Service

If the Internet connection where you want to set up the VPN server uses a dynamic or changing IP address rather than a static one, you should use a dynamic DNS service. Otherwise, you'll have to manually keep track of the Internet connection's IP and update it on clients when it changes.

Sign up for a dynamic DNS service, such as from No-IP. Then, on the TomatoVPN router, click Basic > DDNS, and input the details for the service. Your router will automatically update your hostname to point to your current IP address. You'll input your hostname on the client VPN configuration rather than the IP address.

Create Server and Client Certificates

Since OpenVPN uses SSL encryption, you must create and install SSL certificates on the server and clients. Choose a secure PC on which to create and manage your PKI (public key infrastructure), and then download and install OpenVPN using the Windows Installer. Remember, you may need to come back to this PC to create additional client certificates in the future.

Once OpenVPN is installed, you can get started:

  1. Open a Command Prompt: Click Start, type cmd, and hit Enter.
  2. Move to the easy-rsa directory: cd C:Program FilesOpenVPNeasy-rsa.
  3. Run the batch file to create the configuration files: init-config (see Figure 2)
  4. Keep this Command Prompt window open for later use.

Next, go to the following directory in Windows: C:Program FilesOpenVPNeasy-rsa. Then right-click the vars.bat file and click Edit. You must change the default values of all the following settings:


Tomato VPN Configuration Files
Tomato VPN Router Configuration Files

If the file opens in Notepad, there probably will not be any line returns, and everything will be run together, which is fine. Be sure edit only the setting values between the equals sign and the word "set". For a better visual, you can download and use an editor like VIM.

Now go back to the Command Prompt window and initialize the PKI by entering the following commands one at a time:


You'll be prompted (see Figure 3) for the parameters you just set in the vars.bat file; hit Enter to accept them. You can leave the Organizational Unit Name blank. However, you must enter a Common Name. This will be the name of the CA certificate that will be installed onto the server and all the clients. You might pick something like "ABC_Corp-VPN-CA"

Alt text
Figure 3
Tomato VPN Router Parameters

Now you can create a certificate and private key for the server with this command:

build-key-server server

You'll be prompted for parameters again. Accept the defaults for the ones you set in vars.bat. For the Common Name, enter something like "ABC_Corp-VPN-Server". Be sure to enter a secure password you'll remember or store somewhere safe. When prompted to sign and commit the certificate, confirm the details and then enter "y".

Next, you can create the client certificates for the computers or routers that will be remotely connecting to your VPN server. You must create a separate certificate for each client. Enter "build-key" into the Command Prompt, followed by a space and a name for the certificate. For example, for three clients:

build-key client1

build-key client2

build-key client3

You might want to be more descriptive with the name, specifying the person or router that will be using it.

You'll be prompted for the parameters once again. Choose a unique Common Name for each, which you might want to be the same as the certificate name. You can optionally create a password.

Note: If you must generate additional client certificates in the future, return to the easy-rsa directory in a Command Prompt, type "vars", and then go ahead with the build-key command, such as build-key client2.

Now you must generate the Diffie Hellman parameters by entering:


Finally, you should see all your certificates in the following directory: C:Program FilesOpenVPNeasy-rsakeys

Keep in mind; the CA, server, and all client keys should be kept private and secure.

Stay tuned--in the next part, we'll configure the VPN server and clients.

Eric Geier is the founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.

This article was originally published on Tuesday Feb 1st 2011
Mobile Site | Full Site