App Support.

We're here to help.



Setting up an OpenVPN server with Tomato router and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on a Tomato router that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.

Because Tomato is primarily used on router hardware, we will assume that the Tomato flashed router has a direct connection to the internet and its own IP address. Therefore we will not be considering any issues related to having your Tomato router behind another router.

Preparation

For this guide, we assume:

  • You have already installed the Shibby Mod version of Tomato with VPN support for your router hardware
  • Tomato has been set up with at least a WAN interface and a LAN interface
  • You are connected with your client device to the Tomato router via its LAN interface during this guide
  • This installation of Toamto is a fresh install
  • You already have a copy of Viscosity installed on your client device

Tomato Firmware was probably best known or maintained as TomatoUSB. While the source code and releases of TomatoUSB are still available, it is extremely out of date and is not being maintainted. However, several 'Mods' exist and are actively maintained and up to date.

For this guide, we will use Tomato by Shibby as it is one of the more actively maintained versions of Tomato Firmware and has wide router support. Even if you are using a different Tomato Mod, this guide should still be accurate for you to follow.

More information about Tomato by Shibby can be found at http://tomato.groov.pl/. We won't be covering the details of setting up a Tomato router, many guides can be found online. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.

Your client device needs to be connected to the Tomato router via the LAN interface. This is necessary so that you can access the control panel to modify the Tomato configuration. The specifics of how you can achieve this depend on your particular network configuration.

If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Creating Certificates and Keys

You can use the scripts provided by Easy-RSA to generate the required certificates and keys on your client device. Please follow the steps in our Creating Certificates and Keys.

Creating the OpenVPN Server

Now we can use the web-based control panel to setup the OpenVPN server on our Tomato router. You need to log in to the control panel from your client device connected to the LAN interface of the Tomato router.

  1. Open a browser on your client and navigate to the IP address of the LAN interface of your Tomato router (by default http://192.168.1.1).
  2. Click on the VPN Tunneling on the left, and then OpenVPN Server on the left in the list that appears underneath.
  3. On the new page that appears, you should have the Server 1 tab selected for the remainder of this tutorial.
  4. Click the Keys tab, here we can add our server certificates and key. You can get the contents of each of the below files by opening them in a text editor of your choice.
    1. Paste the contents of your ca.crt file into the Certificate Authority field.
    2. Paste the contents of your server.crt file into the Server Certificate field.
    3. Paste the contents of your server.key file into the Server Key field.
    4. Paste the contents of your dh2048.pem file into the Diffie Hellman parameters field.
  5. Click Save at the bottom of the screen and wait for the yellow 'Settings Saved' Box to appear before continuing.

  6. Click the Advanced tab.
    1. Set the Encryption cipher option to AES-256-CBC
    2. Tick Respond to DNS, and then Advertise DNS to clients
    3. If you would like to add an extra authentication step, you can tick 'Allow User/Pass Auth' and add a user (be sure to tick enable), but this is not required.
  7. Click Save at the bottom and await the settings to be saved.

  8. Click the Basic tab.
  9. Tick Start with WAN, if you would like the server to start automatically in the future, and then Save. The rest of these options can be left as default.

  10. Click Start Now.

That's it. Our OpenVPN server is setup on our Tomato router!

Time Server

It's a good idea to set up the clock correctly on your Tomato router.

  1. Click Basic on the left, then in the new list that appears click Time.
  2. Set your Time Zone and change the NTP Time Server to the region closest to you.
  3. Click Save and wait for the router to reload the page.

Firewall Settings

The firewall settings needed for a basic server are added automatically by Tomato when you setup a server.

Setting Up Viscosity

The interface provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':

Mac

Windows

This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the '+' button and select 'New Connection':

Configuring the Connection

You will now need to set the connection parameters as outlined below:

  1. In the General tab, replace the connection name with your desired name for the connection, for example "DemoConnection".
  2. Replace the "Address" field with the IP address needed to connect to the server. If your Tomato router is directly reachable from the internet this will be its IP address. If the server is behind a router and port-forwarding has been set up this should be the external IP address of your router (please see the section above).


  3. Click the Authentication tab.
  4. Click the Select ... button next to the CA option. Select the ca.crt file you created earlier (Mac: ~/Documents/Viscosity/client/keys/, Windows: C:\Users\your-account-name\Documents\Viscosity\client\keys\)
  5. Click the Select ... button next to the Cert option. Select the client1.crt file you created earlier
  6. Click the Select ... button next to the Key option. Select the client1.key file you created earlier


  7. If you ticked 'Allow User/Pass Auth' on the server and added a user, also tick 'Use Username/Password authentication'.
  8. Click on the Options tab and set the Compression drop down to LZO.


  9. Click on the Advanced tab and on a new line add "cipher AES-256-CBC".


  10. Click the Save button to save your changes.

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:

  1. Double-click on your connection in the Viscosity Preferences window to open the connection editor
  2. Click on the Networking tab.
  3. Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
  4. Click the Save button.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.



This window will show you the traffic passing through the VPN connection.

Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.

Connect via Mac

To connect to a shared network directory from your Mac connected to the VPN:

  1. Open a Finder window
  2. Click Go on the menu bar and select "Connect to Server..."


  3. In the Server Address, type the LAN IP address of your network resource (something like 192.168.0.x) and click Connect.
  4. Enter the username and password for the network resource
  5. Select the shared volume you want to access and click OK

Network resources you would normally find appearing in the Finder sidebar will not appear when connected to via the VPN. You can find connected network resources in the Computer directory. In a Finder window, press + shift + c to jump to the Computer directory.

Connect via Windows

To connect to a shared network directory from your PC connected to the VPN:

  1. Type the \\lan-ip-address into the Search the web and Windows box in the taskbar and press Enter (something like \\192.168.0.x)


  2. Enter the username and password for the network resource
  3. You will then see the folders shared by this host


That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!