Setting up an OpenVPN server with Tomato router and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a Tomato router that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Because Tomato is primarily used on router hardware, we will assume that the Tomato flashed router has a direct connection to the internet and its own IP address. Therefore we will not be considering any issues related to having your Tomato router behind another router.
Preparation
For this guide, we assume:
- You have already installed the Shibby Mod version of Tomato with VPN support for your router hardware
- Tomato has been set up with at least a WAN interface and a LAN interface
- You are connected with your client device to the Tomato router via its LAN interface during this guide
- This installation of Tomato is a fresh install
- You already have a copy of Viscosity installed on your client device
Tomato Firmware was probably best known or maintained as TomatoUSB. While the source code and releases of TomatoUSB are still available, it is extremely out of date and is not being maintained. However, several 'Mods' exist and are actively maintained and up to date.
For this guide, we will use Tomato by Shibby as it is one of the more actively maintained versions of Tomato Firmware and has wide router support. Even if you are using a different Tomato Mod, this guide should still be accurate for you to follow.
Your client device needs to be connected to the Tomato router via the LAN interface. This is necessary so that you can access the control panel to modify the Tomato configuration. The specifics of how you can achieve this depend on your particular network configuration.
If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).
Support
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
More information about Tomato by Shibby can be found at http://tomato.groov.pl/. We won't be covering the details of setting up a Tomato router; many guides can be found online.
Generating Certificates and Keys
The next step is to generate your configurations for the server and your clients as well as certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. Generate everything on your PC or Mac and then take note of the path to the server folder that is created; we will be using the files here later on.
If you use the default DNS Server (10.8.0.1), you will need to set up a DNS server yourself; instructions are at the end of this article. We recommend instead using an existing DNS server; a publicly available DNS server like Google's (8.8.8.8 and 8.8.4.4) is the easiest.
Creating the OpenVPN Server
Now we can use the web-based control panel to set up the OpenVPN server on our Tomato router. You need to log in to the control panel from your client device connected to the LAN interface of the Tomato router.
- Open a browser on your client and navigate to the IP address of the LAN interface of your Tomato router (by default http://192.168.1.1).
- Click on VPN Tunneling on the left, and then OpenVPN Server in the list that appears underneath.
- On the new page that appears, you should have the Server 1 tab selected for the remainder of this tutorial.
- Click the Keys tab; here we can add our server certificates and key. You can get the contents of each of the below files by opening them in a text editor of your choice.
- Paste the contents of your ca.crt file into the Certificate Authority field.
- Paste the contents of your server.crt file into the Server Certificate field.
- Paste the contents of your server.key file into the Server Key field.
- Paste the contents of your dh.pem file into the Diffie Hellman parameters field.
- Click Save at the bottom of the screen and wait for the yellow 'Settings Saved' Box to appear before continuing.
- Click the Advanced tab.
- Set the Encryption cipher option to AES-256-CBC
- Tick Respond to DNS, and then Advertise DNS to clients
- If you would like to add an extra authentication step, you can tick 'Allow User/Pass Auth' and add a user (be sure to tick enable), but this is not required.
- We highly recommend you change Compression to 'Disabled' as well
- Click Save at the bottom and wait for the settings to be saved.
- Click the Basic tab.
- Tick Start with WAN, if you would like the server to start automatically in the future, and then Save. The rest of these options can be left as default.
- Click Start Now.
That's it. Our OpenVPN server is set up on our Tomato router!
Time Server
It's a good idea to set up the clock correctly on your Tomato router.
- Click Basic on the left, then in the new list that appears click Time.
- Set your Time Zone and change the NTP Time Server to the region closest to you.
- Click Save and wait for the router to reload the page.
Firewall Settings
The firewall settings needed for a basic server are added automatically by Tomato when you set up a server.
Setting Up Viscosity
The final step is to set up Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.
Importing
Copy your *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double click the file. You should see a prompt that the config was imported successfully.
Next, edit the connection you just imported and go to the Advanced tab. On a new line add the following, and then click Save:
cipher AES-256-CBC
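Added example, not part of the original guide or of Viscosity: a small Python check that a client configuration agrees with the server settings chosen above (cipher AES-256-CBC, compression disabled). The sample configs, the hostname vpn.example.com and the function names are constructed for illustration.

```python
import re

# Server-side values chosen in this guide's Advanced tab.
SERVER_CIPHER = "AES-256-CBC"
COMPRESSING_ALGS = {"lzo", "lz4", "lz4-v2"}

def directives(config_text):
    """Yield (name, args) per directive, skipping comments and inline <ca>...</ca> blocks."""
    inline = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]

def check_client(config_text):
    """Return a list of mismatches between a client config and this guide's server settings."""
    problems, cipher = [], None
    for name, args in directives(config_text):
        if name == "cipher" and args:
            cipher = args[0].upper()
        elif name == "comp-lzo" and (not args or args[0].lower() != "no"):
            problems.append("comp-lzo enabled but server compression is Disabled")
        elif name == "compress" and args and args[0].lower() in COMPRESSING_ALGS:
            problems.append(f"compress {args[0]} set but server compression is Disabled")
    if cipher is None:
        problems.append(f"no cipher line; add 'cipher {SERVER_CIPHER}'")
    elif cipher != SERVER_CIPHER:
        problems.append(f"cipher {cipher} does not match server {SERVER_CIPHER}")
    return problems

# Constructed sample configs (not real exports from openvpn-generate).
IMPORTED = """client
remote vpn.example.com 1194 udp
comp-lzo
<ca>
(certificate body omitted)
</ca>
"""
FIXED = IMPORTED.replace("comp-lzo\n", "") + "cipher AES-256-CBC\n"
```

Calling check_client(IMPORTED) reports the missing cipher line and the compression mismatch; check_client(FIXED) returns an empty list.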
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!