
Tomato router and Mullvad VPN

Tomato is a powerful, open-source third-party router firmware with excellent OpenVPN client integration. Here is a list of routers that are supported by the Tomato firmware.

 

After installing Tomato, open your browser and enter the IP address of your Tomato router.
Tomato's default IP address is 192.168.1.1.

 

Go to VPN Tunneling -> OpenVPN Client 

 

 

As shown in the screenshot, click the Client1 > Basic tab and then set the following options:

 

  • Start with WAN: Checked (automatically connect to Mullvad on boot)
  • Interface Type: Tun
  • Protocol: UDP
  • Server Address/Port: se.mullvad.net 1300 (in this case our server is in Sweden; for other locations, click on the server list)
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Extra HMAC authorization (tls-auth): Disabled
  • Create NAT on tunnel: Checked

 

Click on the Advanced tab and then set the following options

  • Redirect Internet Traffic: Checked
  • Accept DNS Configuration: Strict
  • Encryption cipher: AES-256-CBC
  • Compression: Enabled
  • TLS Renegotiation Time: -1
  • Connection Retry: 30
  • Custom Configuration:
      • persist-key
      • persist-tun
      • ping-restart 60
      • ping 10
      • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA (or the tls-cipher from the Android configuration file)

 

Copy and paste the certificate into the fields as you can see below

 

On Mullvad's OpenVPN configuration download webpage, enter your Mullvad account number and log in.
Download and unzip the mullvadconfig.zip file. In the unzipped folder, you will find another folder named with your Mullvad account number and containing the files ca.crt, mullvad.crt, and mullvad.key.


Certificate Authority
Open the ca.crt file in a text editor. At the end of the file, find the two long text strings that both begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
Copy the second one, starting from and including "-----BEGIN CERTIFICATE-----" all the way through and including "-----END CERTIFICATE-----". Paste this text string into the CA Cert field.

Client Certificate
Open the mullvad.crt file in a text editor. Copy the text string from and including "-----BEGIN CERTIFICATE-----" all the way through and including "-----END CERTIFICATE-----". Paste this into the Public Client Cert field.

Client Key
Open the mullvad.key file in a text editor. Copy the entire contents and paste it into the Private Client Key field.

 

On the Routing Policy tab, check the Redirect Through VPN option and add the devices you want to redirect through the VPN. In this case, we added all devices.

 

 

Save configuration

Click on Save

 

 


Go to the Status tab and press Start Now

 

Navigate to Administration -> Scripts -> Firewall and then add the following command to allow traffic forwarding only through the VPN network interface (kill switch):

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

 

Click Save and then reboot the router
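
To confirm after the reboot that the kill switch rule is present and is evaluated before any rule that would let LAN traffic out through the WAN interface, the following added example (not part of the original guide) audits a dump of the FORWARD chain. It assumes the rules are supplied in iptables-save format and that br0 is the LAN bridge as in the command above; the helper name killswitch_status and the WAN interface name vlan2 in the constructed samples are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: rules arrive on
# stdin in iptables-save format; br0 is the LAN bridge, as in the guide's rule.
# Negated interface matches ("!") are not interpreted.

# killswitch_status WAN_IFACE  (hypothetical helper name)
# Prints "protected" if the br0 -> WAN DROP rule is reached first, "leak" if an
# ACCEPT rule that can match LAN -> WAN traffic precedes it, "missing" if the
# FORWARD chain has neither. Returns 0 only for "protected".
killswitch_status() {
    verdict=$(awk -v lan="br0" -v wan="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = out_if = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (in_if == lan && out_if == wan && target == "DROP") {
                print "protected"; found = 1; exit
            }
            # Rules without -i/-o match every interface, so they count too.
            covers = (in_if == "" || in_if == lan) && (out_if == "" || out_if == wan)
            if (covers && target == "ACCEPT") { print "leak"; found = 1; exit }
        }
        END { if (!found) print "missing" }
    ')
    echo "$verdict"
    [ "$verdict" = "protected" ]
}

# Constructed sample dumps; "vlan2" is a made-up WAN interface name.
SAMPLE_OK='-A FORWARD -i br0 -o vlan2 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'
SAMPLE_LEAK='-A FORWARD -i br0 -o vlan2 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j DROP'
SAMPLE_MISSING='-A INPUT -i br0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT'

for sample in "$SAMPLE_OK" "$SAMPLE_LEAK" "$SAMPLE_MISSING"; do
    printf '%s\n' "$sample" | killswitch_status vlan2 || true
done
```

On the router, the live rules can be piped in with `iptables-save | killswitch_status "$(nvram get wan_iface)"`, assuming iptables-save is available on the firmware build. A "leak" result for a WAN name other than the one in the DROP rule shows why the rule must be built from the current wan_iface value.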