Back to Guides

Tomato router and Mullvad VPN

Tomato is a powerful and open source third-party router firmware which has excellent openvpn client integration, here is list of routers which are supported by tomato firmware.


After installing Tomato , open up your browser and enter the IP address of your tomato router.
Tomato's default IP address is


Go to VPN Tunneling -> OpenVPN Client 



As shown in the screenshot, click to the Client1 > Basic tab and then set the following options


  • Start with WAN: Checked (automatic connect to mullvad on boot)
  • Interface Type: Tun
  • Protocol: UDP
  • Server Address/Port: 1300  (in this case our server is sweden for other location click on server list )
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Extra HMAC authorization (tls-auth): Disabled
  • Create NAT on tunnel: Checked


Click on the Advanced tab and then set the following options

  • Redirect Internet Traffic: Checked
  • Accept DNS Configuration: Strict
  • Encryption cipher: AES-256-CBC
  • Compression: Enabled
  • TLS Renegotiation Time: -1
  • Connection Retry: 30
  • Custom Configuration:
  • persist-key
  • persist-tun
  • ping-restart 60
  • ping 10
  • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA (or tls-cipher from the android configuration file )


Copy and paste the certificate into the fields as you can see below


On Mullvad's OpenVPN configuration download webpage, enter your Mullvad account number and log in.
Download and unzip the file. In the unzipped folder, you will find another folder named with your Mullvad account number and containing the files ca.crt, mullvad.crt, and mullvad.key.

Certificate Authority
Open the ca.crt file in a text editor. At the end of the file, find the two long text strings that both begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
Copy the second one, starting from and including "----- BEGIN" all the way through and including" END CERTIFICATE-----". Paste this text string into the CA Cert field.

Client Certificate
Open the mullvad.crt file in a text editor. Copy the text string from and including "----- BEGIN CERTIFICATE" all the way through and including " END CERTIFICATE-----". Paste this into the Public Client Cert field.

Client Key
Open the mullvad.key file in a text editor. Copy the entire contents and paste it into the Private Client Key field.


On the Routing Policy tab, check the Redirect Through VPN option, and add the devices you want to redirect through the VPN in this case we added all devices



Save configuration

Click on Save



Go to Status tab and press Start Now


Navigate to Administration -> Scripts -> Firewall and then add the following command to allow traffic forwarding only through the VPN network interface (killswitch)

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP


Click Save and then reboot the router