
Tomato router and Mullvad VPN

Tomato is a powerful, open-source third-party router firmware with excellent OpenVPN client integration. Here is a list of routers that are supported by the Tomato firmware.

 

After installing Tomato, open your browser and enter the IP address of your Tomato router.
Tomato's default IP address is 192.168.1.1

 

Go to VPN Tunneling -> OpenVPN Client 

 

 

As shown in the screenshot, click the Client1 > Basic tab and then set the following options:

 

** This screenshot is currently outdated: we have since changed to username and password authentication, so please make sure you enable the Username / Password authentication checkbox, then use your Mullvad account number as the username and m as your password. **

 

  • Start with WAN: Checked (automatically connects to Mullvad on boot)
  • Interface Type: Tun
  • Protocol: UDP
  • Server Address/Port: se.mullvad.net 1300 (in this case our server is in Sweden; for other locations, click on server list)
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Extra HMAC authorization (tls-auth): Disabled
  • Create NAT on tunnel: Checked

 

Click on the Advanced tab and then set the following options:

  • Redirect Internet Traffic: Checked
  • Accept DNS Configuration: Strict
  • Encryption cipher: AES-256-CBC
  • Compression: Enabled
  • TLS Renegotiation Time: -1
  • Connection Retry: 30
  • Custom Configuration:
      • persist-key
      • persist-tun
      • ping-restart 60
      • ping 10
      • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA (or the tls-cipher from the Android configuration file)

 

Copy and paste the mullvad_ca.crt certificate into the Certificate authority field found under "OpenVPN Client Configuration -> Keys"

 

On Mullvad's OpenVPN configuration download webpage, enter your Mullvad account number and log in.
Download the Linux configuration zip archive by selecting Linux as a platform from here: https://mullvad.net/download/config/ 
Unzip the mullvad_config_xx.zip file, where xx is the region you have selected.
In the unzipped folder, you will find another folder named mullvad_config_xx and inside there the file mullvad_ca.crt is located.


Certificate Authority
Open the mullvad_ca.crt file in a text editor. At the end of the file, find the two long text strings that both begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
Copy the second one, starting from and including "-----BEGIN CERTIFICATE-----" all the way through and including "-----END CERTIFICATE-----". Paste this text string into the CA Cert field.

 

On the Routing Policy tab, check the Redirect Through VPN option and add the devices you want to redirect through the VPN. In this case we added all devices.

 

 

 

Save configuration

Click on Save

 

 


Go to the Status tab and press Start Now

 

Navigate to Administration -> Scripts -> Firewall and then add the following command, which acts as a kill switch by allowing traffic to be forwarded only through the VPN network interface:

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

 

Click Save and then reboot the router
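
The kill switch only works if the DROP rule sits ahead of every ACCEPT rule that could forward LAN traffic out of the WAN interface, which is why the command uses -I (insert at the top) rather than -A. The following check is an added example, not part of the original guide: check_killswitch is a hypothetical helper name, the rules are assumed to be in iptables-save format, and the sample rules and the interface names vlan2 and tun11 are constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Audits FORWARD rules given in
# iptables-save format. Only ACCEPT/DROP rules directly in FORWARD are checked;
# jumps to other chains and interface wildcards (ppp+) are not followed.
#
# check_killswitch RULES LAN_IF WAN_IF   (hypothetical helper name)
#   0 = unconditional DROP for LAN_IF -> WAN_IF comes before any ACCEPT
#   1 = no such DROP rule
#   2 = an earlier ACCEPT can match LAN_IF -> WAN_IF traffic (leak)
check_killswitch() {
    printf '%s\n' "$1" | awk -v lan="$2" -v wan="$3" '
        # True when an interface match (possibly negated) can match ifname.
        function hits(name, neg, ifname) {
            if (name == "") return 1
            return neg ? (name != ifname) : (name == ifname)
        }
        BEGIN { rc = 1 }
        $1 == "-A" && $2 == "FORWARD" {
            iif = ""; oif = ""; ineg = 0; oneg = 0; tgt = ""; neg = 0; extra = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!") neg = 1
                else if ($i == "-i" || $i == "-o") {
                    opt = $i
                    if ($(i + 1) == "!") { neg = 1; i++ }  # older "-i ! br0" form
                    if (opt == "-i") { iif = $(++i); ineg = neg }
                    else             { oif = $(++i); oneg = neg }
                    neg = 0
                }
                else if ($i == "-j") tgt = $(++i)
                else { extra = 1; neg = 0 }  # state, protocol, address matches
            }
            if (!hits(iif, ineg, lan) || !hits(oif, oneg, wan)) next
            if (tgt == "ACCEPT") { rc = 2; exit }
            # Only a DROP with no extra conditions blocks all LAN -> WAN traffic.
            if (tgt == "DROP" && !extra) { rc = 0; exit }
        }
        END { exit rc }
    '
}

# Constructed sample: kill switch inserted at the top of FORWARD, WAN = vlan2.
SAMPLE_RULES='-A FORWARD -i br0 -o vlan2 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT'

if check_killswitch "$SAMPLE_RULES" br0 vlan2; then
    echo "kill switch active"
else
    echo "kill switch missing or shadowed"
fi
```

On the router, pass it the filter table dump and the value of `nvram get wan_iface` in place of the constructed sample. A result of 2 with the real WAN interface means an ACCEPT rule is evaluated before the DROP rule.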