Tomato router and Mullvad VPN


Last updated: 30 September 2020

Tomato is a powerful, open-source third-party router firmware with excellent OpenVPN client integration. Here is a list of routers that are supported by Tomato firmware.

After installing Tomato, open your browser and enter the IP address of your Tomato router.
Tomato's default IP address is

Configuring Tomato

Basic tab

Go to VPN Tunneling > OpenVPN Client

As shown in the screenshot, click the Client1 > Basic tab and then set the following options:

Note: This screenshot is currently outdated. We have since changed to username and password authentication, so please make sure you enable the Username / Password authentication checkbox, then use your Mullvad account number as the username (without any spaces) and m as your password.

  • Start with WAN: Checked (automatically connect to Mullvad on boot)
  • Interface Type: Tun
  • Protocol: UDP
  • Server Address/Port: 1300 (in this case our server is in Sweden; for other locations, click on the server list)
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Extra HMAC authorization (tls-auth): Disabled
  • Create NAT on tunnel: Checked

Advanced tab

Click on the Advanced tab and then set the following options:

  • Redirect Internet Traffic: Checked
  • Accept DNS Configuration: Strict
  • Encryption cipher: AES-256-CBC
  • Compression: Enabled
  • TLS Renegotiation Time: -1
  • Connection Retry: 30
  • Custom Configuration:
      • persist-key
      • persist-tun
      • ping-restart 60
      • ping 10
      • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA (or the tls-cipher from the Android configuration file)

Keys tab

On Mullvad's OpenVPN configuration download webpage, enter your Mullvad account number and log in.
Download the Linux configuration zip archive by selecting Linux as a platform from here: 
Unzip the file.
In the unzipped folder, you will find another folder named mullvad_config_xx, where xx is the region you have selected. The file mullvad_ca.crt is located inside that folder.

Open the mullvad_ca.crt file in a text editor. Copy and paste the contents of mullvad_ca.crt into the Certificate Authority (CA Cert) field found under "OpenVPN Client Configuration -> Keys".

Routing Policy tab

On the Routing Policy tab, check the Redirect Through VPN option and add the devices you want to redirect through the VPN. In this case, we added all devices.


Save configuration

Click Save.

Status tab

Go to the Status tab and press Start Now.


Navigate to Administration -> Scripts -> Firewall and then add the following command, which allows traffic forwarding only through the VPN network interface (kill switch):

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

Click Save and then reboot the router.
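
To confirm after the reboot that the kill-switch rule really sits ahead of any rule that would forward LAN traffic to the WAN, the rule listing can be checked mechanically. The script below is an added example, not part of the original guide; it reads FORWARD rules in `iptables -S` / `iptables-save` format on stdin, and the interface names vlan2 and tun11, the sample listings and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): evaluate FORWARD rules, in order,
# for the kill switch "-i br0 -o <WAN> -j DROP". br0 is the LAN bridge used on
# the page; vlan2 (WAN) and tun11 (VPN) below are constructed sample names.

# killswitch_status WAN_IFACE  (rules on stdin) prints one of:
#   protected - an unconditional br0->WAN DROP is reached before any ACCEPT
#   leak      - an ACCEPT that may match br0->WAN traffic comes first
#   missing   - no rule in the chain decides br0->WAN traffic either way
killswitch_status() {
    awk -v wan="$1" -v lan="br0" '
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = ""; out_if = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if      ($i == "-i") { in_if  = $(i + 1); i++ }
            else if ($i == "-o") { out_if = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else if ($i == "!" || $i ~ /^-/) extra = 1   # any other match
        }
        may_match = (in_if == "" || in_if == lan) && (out_if == "" || out_if == wan)
        if (!may_match) next
        # Conservative: a DROP with extra conditions does not count as a kill
        # switch, while an ACCEPT with extra conditions still counts as a leak.
        if (target == "DROP" && !extra) { verdict = "protected"; exit }
        if (target == "ACCEPT")         { verdict = "leak"; exit }
    }
    END { print (verdict == "" ? "missing" : verdict) }
    '
}

# Constructed listing: rule inserted with -I, so it is first in the chain.
sample_protected() { cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i br0 -o vlan2 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
EOF
}

# Constructed listing: the DROP was appended after a broad LAN ACCEPT.
sample_leak() { cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j DROP
EOF
}

sample_protected | killswitch_status vlan2
sample_leak      | killswitch_status vlan2
```

On the router, pipe the real listing in, for example `iptables-save | killswitch_status "$(nvram get wan_iface)"`. Jumps to user-defined chains are not followed, so treat a "missing" result as a prompt to inspect the chain by hand.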

Test your IP address

Use  to see which IP address you are using. It should be one of Mullvad's and not your own.