🍅 About Tomato Firmware
Tomato is a powerful open-source firmware that transforms consumer routers into enterprise-grade networking devices. It offers advanced VPN features, real-time bandwidth monitoring, and extensive customization options.
Benefits: Better stability, advanced QoS, detailed statistics, and full OpenVPN support.
Router Compatibility
Router Model | Tomato Version | VPN Performance | Recommended |
---|---|---|---|
ASUS RT-AC68U | FreshTomato 2024.x | ~40-50 Mbps | ⭐⭐⭐⭐⭐ |
ASUS RT-AC3200 | AdvancedTomato | ~35-45 Mbps | ⭐⭐⭐⭐ |
Netgear R7000 | FreshTomato ARM | ~45-55 Mbps | ⭐⭐⭐⭐⭐ |
Netgear R8000 | FreshTomato ARM | ~50-60 Mbps | ⭐⭐⭐⭐⭐ |
Linksys WRT54GL | Tomato 1.28 | ~5-8 Mbps | ⭐⭐ (Legacy) |
💡 Pre-Configured Routers Available
Save time with a pre-flashed router from the TorGuard store, already configured with your VPN account.
Prerequisites
- Router flashed with Tomato firmware (FreshTomato recommended)
- Active TorGuard VPN subscription
- Your TorGuard VPN username and password
- Access to router admin panel (usually 192.168.1.1)
- TLS-AUTH key and CA certificate from TorGuard certificates page
Step-by-Step Configuration
Step 1: Access Router Admin Panel
Open your web browser and navigate to your router's IP address:
http://192.168.1.1
Common alternative addresses: 192.168.0.1, 192.168.2.1, or 10.0.0.1
Step 2: Navigate to VPN Settings

Select "VPN Tunneling" under "USB and NAS"
Step 3: Configure Basic Settings
In the OpenVPN Client submenu, configure these basic settings:

Basic OpenVPN configuration
📍 Server Selection Tips
- Choose servers geographically close for better speed
- Use dedicated IPs for streaming services
- Find all servers at TorGuard Network page
Step 4: Configure Advanced Settings
Click the Advanced tab and configure:
Custom Configuration
Add these lines to the Custom Configuration box:
persist-key
persist-tun
auth SHA256
sndbuf 393216
rcvbuf 393216
# Optional performance tweaks
fast-io
# For better stability on wireless
mssfix 1400
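# Route all traffic through the tunnel (optional). This only sets routing;
# the firewall rule under Kill Switch Implementation is what blocks leaks.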
pull-filter ignore "redirect-gateway"
redirect-gateway def1

Advanced OpenVPN configuration
Step 5: Add Keys and Certificates
Click the Keys tab and add:
- Static Key (TLS-AUTH): Copy the TLS-AUTH key from the TorGuard certificates page into the Static Key box.
- Certificate Authority: Copy the OpenVPN CA certificate into the Certificate Authority box.

Keys and certificates configuration
Step 6: Save and Connect
- Click the Status tab
- Click Save at the bottom right
- Click Start Now to connect

Successfully connected VPN status
Configuration Options by Use Case
General Internet Use
- Protocol: UDP
- Port: 1912
- Cipher: AES-128-CBC
- Best for everyday browsing and downloads
Streaming Configuration
- Use dedicated streaming IPs
- Enable DNS leak protection
- Add to custom config:
block-outside-dns
- Consider split tunneling for non-streaming traffic
Maximum Privacy
- Protocol: TCP
- Port: 443
- Cipher: AES-256-CBC
- Add to custom config:
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Maximum Performance
- Protocol: UDP
- Cipher: AES-128-GCM (if supported)
- Add to custom config:
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
tun-mtu 1500
mssfix 1450
comp-lzo no
Performance Optimization
🚀 Speed Optimization Tips
- CPU Overclocking (Advanced)
Some Tomato builds support CPU overclocking:
- Administration → Overclock CPU
- Start conservatively (10-15% increase)
- Monitor temperatures
- Buffer Tuning
Adjust buffer sizes based on your connection:
- Fast connections (>100Mbps): Use 524288
- Medium (50-100Mbps): Use 393216
- Slower (<50Mbps): Use 262144
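- MTU Optimization
Find optimal MTU:
# Test from a computer:
ping -f -l 1472 google.com      # Windows
ping -D -s 1472 google.com      # macOS
ping -M do -s 1472 google.com   # Linux
Reduce the size until the ping succeeds without fragmentation, then add 28 (20-byte IP header plus 8-byte ICMP header) to get the MTU.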
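The manual search above can be automated. The script below is an added example, not part of the original guide: it assumes a Linux computer with iputils ping and a hypothetical TARGET variable, binary-searches for the largest payload that passes with the don't-fragment bit set, and adds 28.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes Linux iputils ping;
# TARGET is a hypothetical variable naming the host to probe.
TARGET="${TARGET:-google.com}"

# probe SIZE: succeed if one ping carrying SIZE payload bytes with the
# don't-fragment bit set gets a reply within one second.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$TARGET" >/dev/null 2>&1
}

# find_mtu LOW HIGH: binary-search the largest payload in [LOW, HIGH] that
# passes unfragmented, then print payload + 28 (20-byte IP header plus
# 8-byte ICMP header). Returns 1 if even LOW fails, which means the host is
# down, ICMP is filtered, or LOW is already too large.
find_mtu() {
    lo=$1
    hi=$2
    probe "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        # Round up so the loop always makes progress when hi = lo + 1.
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo $((lo + 28))
}

# Usage: find_mtu 1200 1472
```

Run it once over the plain WAN connection and once with the VPN connected; the difference is the tunnel overhead that the mssfix value has to leave room for.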
Advanced Features
Policy-Based Routing
Route specific devices through VPN while others use regular internet:
- Go to VPN → OpenVPN Client → Routing Policy
- Add device IPs or MAC addresses
- Choose "Route via VPN" or "Route via WAN"
Kill Switch Implementation
Prevent internet access if VPN disconnects:
# Add to Firewall script (Administration → Scripts)
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
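A rule inserted with -I protects only while it stays above every rule that accepts the same traffic. The check below is an added example, not part of the original guide or of Tomato: it reads `iptables -S FORWARD` output and confirms the LAN-to-WAN DROP comes first. The interface names vlan2 and tun11 in the sample rules are constructed, and negated matches and jumps into user-defined chains are not followed.

```shell
#!/bin/sh
# Added example (not from the original guide).
# killswitch_ok LAN_IF WAN_IF   (rules in `iptables -S FORWARD` form on stdin)
# Returns 0 if a DROP for LAN_IF -> WAN_IF appears before any ACCEPT rule
# that could match the same traffic, 1 otherwise.
killswitch_ok() {
    awk -v lan="$1" -v wan="$2" '
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = ""; out_if = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # A rule with no interface match applies to every interface.
        lan_match = (in_if == "" || in_if == lan)
        wan_match = (out_if == "" || out_if == wan)
        if (!(lan_match && wan_match)) next
        if (target == "DROP" && in_if == lan && out_if == wan) { found = 1; exit }
        if (target == "ACCEPT") exit   # LAN -> WAN traffic is accepted first
    }
    END { exit(found ? 0 : 1) }'
}

# Constructed sample: kill-switch rule on top, as -I FORWARD leaves it.
SAMPLE_GOOD='-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT'

# Constructed sample: the DROP ended up below the ACCEPT rules, so it
# never sees LAN -> WAN packets.
SAMPLE_BAD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j DROP'

# On the router (assumes an iptables build that supports -S):
#   iptables -S FORWARD | killswitch_ok br0 "$(nvram get wan_iface)" \
#       && echo "kill switch active" || echo "kill switch NOT effective"
```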
DNS Over VPN Only
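Force all DNS through the VPN tunnel. Note that block-outside-dns is a Windows-only OpenVPN option (it uses the Windows Filtering Platform); OpenVPN running on the router does not enforce it, so the router's own DNS settings are what keep queries inside the tunnel: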
# Add to custom configuration
dhcp-option DNS 10.8.0.1
block-outside-dns
Troubleshooting
VPN Won't Connect
- Verify username/password are correct
- Check if account is active
- Try different server
- Switch between UDP/TCP
- Ensure correct time/date on router
- Clear NVRAM and reconfigure if needed
Slow Speeds
- Router CPU may be bottleneck - check usage
- Try AES-128 instead of AES-256
- Disable compression
- Use closer server
- Consider hardware upgrade for better performance
DNS Leaks
- Set DNS to "Strict" mode
- Add custom DNS servers in Advanced → DHCP/DNS
- Test at dnsleaktest.com
- Use TorGuard's DNS servers
Random Disconnections
- Increase keepalive interval:
keepalive 10 60
- Add to custom config:
resolv-retry infinite
- Check router temperature
- Update to latest Tomato version
Security Best Practices
🔒 Security Recommendations
- Change default router password
- Disable WPS
- Use WPA3 if available (WPA2 minimum)
- Enable firewall logging
- Regularly update firmware
- Disable unnecessary services (SSH, Telnet if not used)
Alternative Configuration Methods
Import .ovpn File
Some Tomato versions support importing configuration files:
- Download .ovpn file from TorGuard
- In Tomato: VPN → OpenVPN Client → Import Configuration
- Browse and select file
- Add username/password
- Save and start
Multiple VPN Clients
FreshTomato supports up to 2 OpenVPN clients simultaneously:
- Use Client 1 for general traffic
- Use Client 2 for specific devices/purposes
- Configure routing policies to direct traffic
Need Help?
If you're experiencing issues with your Tomato router VPN setup:
Include your router model and Tomato version for faster assistance