How-To Geek

Connect to Your Home Network From Anywhere with OpenVPN and Tomato

A few weeks ago we covered installing Tomato, an open-source router firmware, on your Linksys WRT54GL. Today we’ll be going over how to install OpenVPN alongside Tomato, and setting it up to access your home network from anywhere in the world!

What is OpenVPN?

A virtual private network (VPN) is a trusted, secure connection between one local area network (LAN) and another. Think of your router as the middle man between the networks that you’re connecting to. Both your computer and the OpenVPN server (your router in this case) “shake hands” using certificates that validate each other. Upon validation, both the client and server agree to trust each other and the client is then allowed access on the server’s network.

Typically, VPN software and hardware cost a lot of money to implement. If you haven’t guessed it already, OpenVPN is an open-source VPN solution that is (drum roll) free. Tomato, alongside OpenVPN, is a perfect solution for those who want a secured connection between two networks without having to open their wallet. Of course, OpenVPN won’t work right out of the box. It takes a little bit of tweaking and configuring to get it just right. Not to worry though; we’re here to make that process easier for you, so grab yourself a warm cup of coffee and let’s get started.

For more information about OpenVPN, visit the official What Is OpenVPN? page.


This guide assumes that you are currently running Windows 7 on your PC and that you’re using an administrative account. If you’re a Mac or Linux user, this guide will give you an idea of how things work; however, you may have to do a little more research on your own to get things perfect. Also, we will be installing a special version of Tomato called TomatoUSB VPN on a Linksys WRT54GL version 1.1 router. To find out if your router is compatible with TomatoUSB, check out their Build Types page.

The beginning of this guide assumes you have either:

  1. the original Linksys firmware installed on your router or
  2. the Tomato firmware we described in our last article

Take note of the text above certain steps indicating whether it’s for Linksys firmware or Tomato firmware.

Installing TomatoUSB

In a previous article we discussed how to install the original Tomato v1.28 firmware from PolarCloud’s website. Unfortunately, that version of Tomato didn’t come with OpenVPN support, so we’ll be installing a newer version called TomatoUSB VPN.

The first thing you’ll want to do is head over to the TomatoUSB homepage and click the Download Tomato USB link.

Download VPN under the Kernel 2.4 (stable) section. Save the .rar file to your computer.

You’ll need a program to extract the .rar file. We suggest using WinRAR since it’s free to try and easy to use. You can download yourself a copy of the free version on their website. After installing WinRAR, right click on the file you downloaded and click Extract Here. You should then see two files called CHANGELOG and tomato-NDUSB-1.28.8754-vpn3.6.trx.

If you’re running Linksys firmware…

Open up your browser and enter in your router’s IP address (default is You’ll be prompted for a username and password. The defaults for a Linksys WRT54GL are “admin” and “admin”.

Click the Administration tab at the top. Next, click Firmware Upgrade as seen below.


Click the Browse button and navigate to the extracted TomatoUSB VPN files. Select the tomato-NDUSB-1.28.8754-vpn3.6.trx file, and click the Upgrade button in the web interface. Your router will start installing TomatoUSB VPN; this should take less than a minute to complete. After about a minute, open up a command prompt and type ipconfig /release to determine your router’s new IP address. Then type ipconfig /renew. The IP address to the right of Default Gateway… is your router’s IP address.


Note: After installing Tomato go to Administration > Configuration and select “Erase all NVRAM…”.

If you’re running Tomato firmware…

Open up your browser and enter in your router’s IP address. We assume that if you installed Tomato, you know the IP address of your router. If you’re not sure, then it’s probably set to the default of After, type in your username and password.

Although it’s not required, you may want to backup your current Tomato configuration before upgrading to TomatoUSB VPN, just in case. To save your configuration, navigate to Administration > Configuration and click the Backup button. This will prompt you to save the .cfg file to your computer.

Now it’s time to upgrade Tomato to TomatoUSB VPN. Click Upgrade in the left column and click the Choose File button. Navigate to the files we extracted earlier and choose the tomato-NDUSB-1.28.8754-vpn3.6.trx file. Then click the upgrade button.

You’ll be asked to confirm the upgrade; just click OK.

Your router will begin uploading the new firmware and will restart within a minute.

It may have the same or a different IP address after it restarts. In our case, the router configuration was still the same, so our IP address was still the same. To determine your router’s new IP address, open up a command prompt and type ipconfig /release. Then type ipconfig /renew. The IP address to the right of Default Gateway… is your router’s address. If your configuration is set back to the defaults, go back to the Configuration page (Administration > Configuration) and click the Choose File button under Restore Configuration. Browse for the .cfg file you saved to your computer earlier and click the Restore button.

Configuring OpenVPN

Whether you had Linksys firmware or Tomato firmware installed, you should now have the new TomatoUSB VPN installed on your router. You’ll notice a few new menus in the left column including Web Usage, USB and NAS, and VPN Tunneling. For this guide, we’re only concerned with the VPN Tunneling menu so go ahead and click VPN Tunneling. Keep this browser window open; we’ll be coming back to it shortly.

Now let’s head over to OpenVPN’s Downloads page and download the OpenVPN Windows Installer. In this guide, we’ll be using the second latest version of OpenVPN called 2.1.4. The latest version (2.2.0) has a bug in it that would make this process even more complicated. The file we’re downloading will install the OpenVPN program that allows you to connect to your VPN network, so be sure to install this program on any other computers that you want to act as clients (as we’ll be seeing how to do that later). Save the openvpn-2.1.4-install.exe file to your computer.


Navigate to the OpenVPN file we just downloaded and double click it. This will begin the installation of OpenVPN on your computer. Run through the installer with all the defaults checked. During the installation, a dialog box will pop up asking to install a new virtual network adapter called TAP-Win32. Click the Install button.


Now that you have OpenVPN installed on your computer, we have to start creating the certificates and keys to authenticate devices.

Creating the Certificates and Keys

Click the Windows Start button and navigate under Accessories. You’ll see the Command Prompt program. Right click on it and click Run as administrator.


In the command prompt, type cd c:\Program Files (x86)\OpenVPN\easy-rsa if you’re running 64-bit Windows 7 as seen below. Type cd c:\Program Files\OpenVPN\easy-rsa if you’re running 32-bit Windows 7. Then hit Enter.

Now type init-config and hit Enter to copy two files called vars.bat and openssl.cnf into the easy-rsa folder. Keep your command prompt up as we’ll be coming back to it shortly.


Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa (or C:\Program Files\OpenVPN\easy-rsa on 32-bit Windows 7) and right click on the file called vars.bat. Click Edit to open it up in Notepad. Alternatively, we recommend opening this file with Notepad++ as it formats the text in the file much better. You can download Notepad++ from their homepage.


The bottom portion of the file is what we are concerned with. Starting at line 31, change the KEY_COUNTRY value, KEY_PROVINCE value, etc. to your country, province, etc. For example, we changed our province to “IL”, city to “Chicago”, org to “HowToGeek”, and email to our own email address. Also, if you’re running Windows 7 64-bit, change the HOME value in line 6 to %ProgramFiles(x86)%\OpenVPN\easy-rsa (with no space between ProgramFiles and (x86)). Do not change this value if you’re running 32-bit Windows 7. Your file should look similar to ours below (with your respective values, of course). Save the file by overwriting it once you’re done editing.


Go back to your command prompt and type vars and hit Enter. Then type clean-all and hit Enter. Finally, type build-ca and hit Enter.


After executing the build-ca command, you will be prompted to enter in your Country Name, State, Locality, etc. Since we already set up these parameters in our vars.bat file, we can skip past these options by hitting Enter, but! Before you start slamming away at the Enter key, watch out for the Common Name parameter. You can enter anything in this parameter (e.g. your name). Just make sure you enter something. This command will output two files (a Root CA certificate and a Root CA key) in the easy-rsa/keys folder.


Now we’re going to build a key for a client. In the same command prompt type build-key client1. You can change “client1” to anything you’d like (e.g. Acer-Laptop). Just be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key Acer-Laptop, your Common Name should be “Acer-Laptop”. Run through all the defaults like the last step we did (except for Common Name, of course). However, at the end you will be asked to sign the certificate and to commit. Type “y” for both and hit Enter.

Also, don’t worry if you received the “unable to write ‘random state’” error. I’ve noticed that your certificates still get made without a problem. This command will output two files (a Client1 Key and a Client1 Certificate) in the easy-rsa/keys folder. If you want to create another key for another client, repeat the previous step, but be sure to change the Common Name.


The last certificate we’ll be generating is the server key. In the same command prompt, type build-key-server server. You can replace “server” at the end of the command with anything you’d like (e.g. HowToGeek-Server). As always, be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key-server HowToGeek-Server, your Common Name should be “HowToGeek-Server”. Hit Enter and run through all the defaults except Common Name. At the end, type “y” to sign the certificate and commit. This command will output two files (a Server Key and a Server Certificate) in the easy-rsa/keys folder.


Now we have to generate the Diffie Hellman parameters. The Diffie Hellman protocol “allows two users to exchange a secret key over an insecure medium without any prior secrets”. You can read more about Diffie Hellman on RSA’s website.

In the same command prompt type build-dh. This command will output one file (dh1024.pem) in the easy-rsa/keys folder.


Creating the Configuration Files for the Client

Before we edit any configuration files, we should set up a dynamic DNS service. Use this service if your ISP issues you a dynamic external IP address every so often. If you have a static external IP address, skip down to the next step.

We suggest using, a service that allows you to point a hostname (i.e. to a dynamic IP address. It’s important for OpenVPN to always know your network’s public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is. Sign up for a hostname and point it to your public IP address. Once you’ve signed up for the service, don’t forget to set up the auto-update service in Tomato under Basic > DDNS.

Now back to configuring OpenVPN. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you’re running 64-bit Windows 7 or C:\Program Files\OpenVPN\sample-config if you’re running 32-bit Windows 7. In this folder you will find three sample configuration files; we’re only concerned with the client.ovpn file.


Right click on client.ovpn and open it with Notepad or Notepad++. You’ll notice your file will look like the picture below:


However, we want our client.ovpn file to look similar to this picture below. Be sure to change the DynDNS hostname to your hostname in line 4 (or change it to your public IP address if you have a static one). Leave the port number at 1194 as it is the standard OpenVPN port. Also, be sure to change lines 11 and 12 to reflect the name of your client’s certificate file and key file. Save this as a new .ovpn file in the OpenVPN/config folder.


Configuring Tomato’s VPN Tunneling

The basic idea now is to copy the server certificates and keys we made earlier and paste them into the Tomato VPN server menus. Then we will check a few settings in Tomato, test the VPN connection, and then we’ll be able to wash our hands and call it a day!

Open up a browser and navigate to your router. Click the VPN Tunneling menu in the left sidebar. Make sure Server1 and Basic are selected, too. Set up your settings exactly as they appear below. Click Save.

Update: The default mode is TUN, or tunnel, but you probably want to change it to TAP, which bridges the network instead.  The tunnel mode will put your external clients on a different network than the internal network. So definitely change Interface Type to TAP instead.


Next, click the Advanced tab next to Basic. Just like before, make sure your settings are exactly as they appear below. Click Save.


Our last step is pasting the keys and certificates we originally created. Open up the Keys tab next to Advanced. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys on 64-bit Windows 7 (or C:\Program Files\OpenVPN\easy-rsa\keys on 32-bit Windows 7). Open each corresponding file below (ca.crt, server.crt, server.key, and dh1024.pem) with Notepad or Notepad++ and copy the contents. Paste the contents in the corresponding boxes as seen below. I should note that you only need to paste everything below -----BEGIN CERTIFICATE----- in the server.crt. OpenVPN will still work properly if you paste the entire file, but it’s more “clean” only pasting the actual certificate info. Click Save and then click Start Now.


Before we test our VPN connection, there’s one more thing we have to check inside of Tomato. Click Basic in the left hand column and then Time. Be sure that the Router Time is correct and Time Zone displays your current time zone. Set the NTP Time Server to your country.


Setting Up an OpenVPN Client

In this example we will be using a Windows 7 laptop as our client. The first thing you’ll want to do is install OpenVPN on your client like we did above in the first steps under Configuring OpenVPN. Then navigate to C:\Program Files\OpenVPN\config which is where we’ll be pasting our files.

Now we have to go back on our original computer and collect a total of four files to copy over to our client laptop. Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys again and copy ca.crt, client1.crt, and client1.key. Paste these files in the client’s config folder.


Finally, we need to copy one more file over. Navigate to C:\Program Files (x86)\OpenVPN\config and copy over the new client.ovpn file we created earlier. Paste this file in the client’s config folder also.
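
As an added example (not part of the original article or of OpenVPN itself), the Python script below parses a client.ovpn of the kind described earlier and checks the points this guide asks you to get right: the remote hostname and port, TAP versus TUN, and that the ca, cert and key files named in the file are actually in the client’s config folder. The sample file, the hostname myhome.example.net and the function names are constructed for illustration, and the ns-cert-type check goes beyond what the guide covers.

```python
import shlex
import tempfile
from pathlib import Path

# Constructed sample client.ovpn; the hostname is a placeholder and
# "dev tap" follows the guide's Update about bridging.
SAMPLE_CLIENT_OVPN = """\
client
dev tap
proto udp
remote myhome.example.net 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
"""


def parse_ovpn(text):
    """Map each directive to a list of its argument lists, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both characters start a comment
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def check_client_config(text, config_dir, server_dev="tap", server_port=1194):
    """Return a list of problems; an empty list means every check passed."""
    cfg = parse_ovpn(text)
    problems = []
    if "client" not in cfg:
        problems.append("missing 'client' directive")
    remotes = cfg.get("remote", [])
    if not remotes:
        problems.append("no 'remote' line")
    for args in remotes:
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1194"
        if host in ("", "my-server-1"):  # hostname shipped in the sample file
            problems.append("'remote' still has the sample hostname")
        if port != str(server_port):
            problems.append(f"'remote' port {port} is not the server port {server_port}")
    dev_args = cfg.get("dev", [[]])[-1]
    dev = dev_args[0] if dev_args else ""
    if not dev.startswith(server_dev):
        problems.append(f"'dev {dev}' does not match the server's {server_dev.upper()} interface")
    stems = {}
    for directive in ("ca", "cert", "key"):
        args = cfg.get(directive, [[]])[-1]
        if not args:
            problems.append(f"missing '{directive}' line")
            continue
        stems[directive] = Path(args[0]).stem
        if not (Path(config_dir) / args[0]).is_file():
            problems.append(f"{directive} file not found: {args[0]}")
    if "cert" in stems and "key" in stems and stems["cert"] != stems["key"]:
        problems.append("cert and key file names do not match")
    # Without a check like this, any certificate signed by the CA is
    # accepted as the server's, including one issued to another client.
    if (["server"] not in cfg.get("ns-cert-type", [])
            and ["server"] not in cfg.get("remote-cert-tls", [])):
        problems.append("server certificate type is not verified")
    return problems


def demo():
    """Check the edited sample, then the same file with stale sample values."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("ca.crt", "client1.crt", "client1.key"):
            (Path(tmp) / name).write_text("constructed placeholder\n")
        good = check_client_config(SAMPLE_CLIENT_OVPN, tmp)
        stale = SAMPLE_CLIENT_OVPN.replace("client1.", "client.").replace("dev tap", "dev tun")
        bad = check_client_config(stale, tmp)
    return good, bad


if __name__ == "__main__":
    for label, problems in zip(("edited", "stale"), demo()):
        print(label, "config:", problems or "OK")
```

To check a real setup, pass the text of your own .ovpn file and the path of the client’s config folder to check_client_config.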

Testing the OpenVPN Client

On the client laptop, click the Windows Start button and navigate to All Programs > OpenVPN. Right click on the OpenVPN GUI file and click Run as administrator. Note that you must always run OpenVPN as an administrator in order for it to work properly. To permanently set the file to always run as administrator, right click the file and click Properties. Under the Compatibility tab check Run this program as an administrator.


The OpenVPN GUI icon will appear next to the clock in the taskbar. Right click the icon and click Connect. Since we only have one .ovpn file in our config folder, OpenVPN will connect to that network by default.


A dialog box will pop up displaying a connection log.


Once you’re connected to the VPN, the OpenVPN icon in the taskbar will turn green and will display your virtual IP address.


And that’s it! You now have a secured connection between your server and client’s network using OpenVPN and TomatoUSB. To further test the connection, try opening a browser on the client laptop and navigating to your Tomato router on the server’s network.

Image by The Ewan

On the south side of Chicago born and raised. On the computer is where I spent most of my days. Nerding out, haxing, maxing my CPU. And all writing some How-To's is now what I do.

  • Published 05/9/11

Comments (36)

  1. mepisz

    Nice article! Will try this later! Good job! I really love this website!

  2. NWW

    Awesome, I was looking into doing something like this.

    But somehow, I can’t help but wonder, wouldn’t it be easier if you used DDWRT and the built-in VPN functionality of Windows? It seems way easier than this!

  3. Chris

    Wow this website just read my mind. Turning into the new lifehacker for me. Was looking for an updated guide on how to do this and boom!! You guys deliver. Thanks

  4. Xantes

    I would appreciate as well if you will write another tutorial with the DD-WRT. I have a D-Link DIR 600 that currently runs DD-WRT and it’s incompatible with TOMATO firmware. Awaiting for a similar tutorial for DD-WRT, please.

  5. _Ron

    This is a great article but what I have found is that the processor in these classes of routers can’t support say more than 2 to 3 VPN sessions. One thing that was really cool when I did this was I had a Tomato router in 3 locations and had the VPN setup to allow all 3 lans to interconnect without having to have any PC’s install openVPN.

    Another option for VPN is Hamachi which I use today. If you only need access to one device at home such as a home server Hamachi may be simpler to setup.

  6. basit

    really its great and very cooooooooooool article
    thank u soooooo much

  7. Arnau

    So much better and easier with ipcop (but server needed)


  8. Josh B.

    Nice post!

  9. rick

    Sure, WinRAR is free to try, but unless you’re going to pay for it, why would you do that? 7-Zip.

    @NWW, yes, enabling PPTP server in DD-WRT and simply using the VPN client in XP/Vista/Win7 are probably an order of magnitude easier than what’s described in this article, but the knock on PPTP is that it’s not as secure as a certificate-based VPN. DD-WRT will even tell you that it’s “deprecated.” Still, it’s wonderfully convenient, and with strong passwords certainly adequate for many.

  10. dima

    Forgive my ignorance, but why would I do all that just to be able to access my router from the Internet? The article is very detailed, one might even say it’s written for complete noobs, but the author doesn’t do a very good job explaining why would you want to set up a VPN in the first place. If I just wanted to remotely access my computer, I’d just use TeamViewer, it’s about 1024 times simpler and faster to install.

  11. Johann

    _Ron might as well be me!!

    I too used to have my routers do the VPN between them so my clients were oblivious (my house and small office). Worked a treat (after getting it right, but that’s another matter) but struggled when I had to add more ‘nodes’.

    These days I’d also recommend people go Hamachi to be honest. It’s great to know about OpenVPN and how VPNs work in general but Hamachi ‘just works’ and is more scalable. Also starts up behind the scenes if you’re setting it up for friends. They needn’t know anything about how to connect.

    As well as sharing out data I run a proxy server on my Hamachi network so friends always have secure browsing no matter what dodgy wifi network they’re on (assuming Hamachi works over it). All works very well.

  12. Edwin alvarez

    I have a WNR2000v2 but the router won’t recognize the file type. I did read the compatibility list and my router was in the list…. What can be the problem?????? Plz help thanks

  13. Mano

    I’ve been trying to set up a OpenVPN server plus a client, and I could connect them (with the server not being the router but an actual PC with ubuntu server), and the services would start just ok, but I have a problem. The client (Windows7) can ping the server through the VPN, no problem, but the server seems to not be that successful. I’ve been playing with static routes and iptables with not much success I must add.
    Since this is an OpenVPN thread, might anyone have a clue about what’s going on?
    All help is appreciated :)
    By the way, nice article howtogeek staff hehe.

  14. techstorm

    Great article! This will help me so much. One thing I am very disappointed about is that Buffalo Technology has discontinued the WHR-HP-G54 router. This was, in my opinion, the best tomato router out there. When I first discovered the BLT (Buffalo, Linux, Tomato) I was amazed that open source firmware could out-do a multi-million dollar corporation. It looks like I’ll have to start buying another brand from our distributor.

  15. MarkL


    if you don’t know what VPN is for, then this article is obviously not for the likes of you. teamviewer and other similar applications initiate a remote session with a host COMPUTER. why would I want to do that? I’d like to use a browser, mail client, IM client, etc. on my OWN computer and not on the remote host machine. if I’m connecting to an insecure WiFi somewhere in a coffee shop, I want to encrypt all my traffic. Connecting to VPN is like connecting to the Internet from your home (or wherever the router is) — it’s secure and no one else has access to it (obviously, subject to your setup). Teamviewer is just one application. How about the rest of your traffic? What if you have some processes running in the background that may leak personal information? That’s why you NEED VPN.

  16. Mark

    Nice Work! love this website!

  17. Lola

    Addressing the “what would I use this for?” Well, imagine you’re at Starbucks with your laptop and decide to buy something from Amazon. Do you trust that open WiFi you’re on?? When you connect to your OpenVPN you’re as safe as if you were connected to your router at home.

  18. Dante

    Thanks for the tutorial!
    Now…if I change the vpn subnet/netmask settings to match my LAN settings (, I can no longer access the browser from within the LAN, only from the VPN connected machine.

    Isn’t -apart from building a secure tunnel – the idea of VPN to give access to the internal network?
    Sure – PPTP is an option, but not secure enough.
    Any idea how to accomplish that with a certificate?

  19. Supercazzola

    Some notes:
    (1) I was unable to generate multiple client keys if I ensured the same Common Name, as this guide indicates you should. You must use different values despite the label “common”
    (2) I’ve never tried it, but if my goal was to connect two sites, eg. A house in one state, and another in another, I assume I could:
    A) generate two server keys, and a client keys for each router.
    B) install serverA on router A. Install serverB on router B.
    C) install clientA on routerB and client B on router A.
    D) ensure the IP ranges don’t overlap. Eg. Make router A 192.168.1.* and router B 192.168.2.*

    Do I need two separate Diffie Hellman keys, or can I use the same on both?

  20. mossy

    Has anyone followed this guide and had success? I’ve got an E3000 that I just flashed with Tomato a best VPN firmware version. This guide is just what I was looking for. However, no posts back as to it actually working for them.

  21. mossy

    oops, meant to say Beta VPN version of tomato

  22. Patrick Bisch

    @mossy, I assure it works ;) If you run into problems, message me on Twitter.

  23. mossy

    Does this tutorial assume that you have a server PC continually running at one site? And the laptop is the client that connects the VPN network via that PC?

    Or is the router the server and the laptop connects to the router/server network?

    I would like to just connect to the router and access my network at home. You get to the end of this tutorial and it starts talking about transferring files to the client Laptop. So am I to assume you need to have a server PC?

  24. g725s

    Seems that I’ve gotten this to work testing it at the same location where the router is. Well need to now test at public wifi location. Says I’m connected with the same IP as in the last picture.

    Had to go through this a few times. Even uninstalled OpenVPN a few times. Used Notepad++. You need to follow intuitively. Common Name is not the same the whole way through. It is related to what he is talking about at the time. Don’t miss any steps, follow exactly. Copied setting exactly as in the pictures too that are not written about.

  25. g725s

    Have tested now in quite a few different places. Working perfectly. For some reason though can’t send email from Starbucks. Can receive it there but not send. But at a few of my friends’ houses I can. Must be something at the particular Starbucks I’ve tried.

    This tutorial has been a big help for me. Since I would never have had the time to research all that it would have taken to do this otherwise. This is the best OpenVPN setup guide out there that will pretty much lead you by the hand through the process. Thanks Patrick!

  26. g725s

    I’d like to say that for all those who read down this far before doing the setup. You can do the entire VPN setup process from your “Client” laptop. Near the end of the tutorial is the topic “Setting Up an OpenVPN Client” and it talks about transferring files to the Client laptop. Well it is not required to transfer files from computer to computer if you do the entire OpenVPN setup from your laptop you’re intending to be the client in the first place. Just put the files he is talking about in the appropriate folders on that laptop and you’re good to go.

  27. Anubis

    I’m a bit of a noob on this. I followed the tutorial verbatim and I am able to connect to my tomato router in the office. But I cannot see the other computers that are networked there. What bonehead maneuver am I doing?

    Can anyone help?

  28. g725s

    You probably want to seek advice at the OpenVPN forums or some place like that. But, if you’re accessing your network via your VPN over a Public Wifi I’m not sure how to safely set that up to view your work network. If you setup a server router and client router type of OpenVPN then I’d imagine you’d be safe. But it sounds like you’re trying to access your network over a public wifi with your laptop, is that right?
    I found an easy to follow guide that goes into setting up the OpenVPN server router / client router setup that you might need:

  29. Hand

    @Supercazzola :
    As answer to your (2) question:
    The best thing you can do is generate a static key. ( 1 key for both sides ) and use Statickey instead of TLS as Authorization mode.
    1 Router will be Server the other Client.
    So Don’t let both routers be server and client at the same time.

  30. harryctg

    i have a windows open vpn server . and my office has 2 pc i used tomatousb to connect that vpn server and give them both pc a static ip like and 5
    both pc will be connected through openvpn via tomato

    but when ever i try to connect my router its show me
    in advance Authenticate/Decrypt packet error: cipher final failed

    plz help me regarding this

  31. Barry B

    Is there any way possible using some sort of app that you could get this working on a smartphone? I wouldn’t mind seeing if this would work on my Motorola Triumph but I’m not sure how I’d do that.

  32. Alice C

    i can’t get this working on my nexus one. this is so frustrating.

  33. anon

    If i wanted to add more clients would i have to generate new server keys and certificates?

  34. Rick

    I don’t understand the benefit. I set this up and it connects but I cannot access anything on my home network. I do not understand the benefit of this.



  35. rascal

    The basic benefit of “this particular vpn setup” is so you can surf the web securely with your laptop on a public wifi network. If you’re just surfing at Starbucks someone could see everything you do. You’d not want to be buying online and such. But through a VPN you could, since you’re connecting to your home network. Others have used this as a jumping point to go further and connect multiple networks securely. You could access your home network via public wifi but this guide does not go into that. You’ll need to search it out elsewhere.

  36. struggled

    You have a syntax error in your vars.bat setup:
    set HOME=%ProgramFiles (x86)%\OpenVPN\easy-rsa
    (line 6) cannot have a space between “ProgramFiles” and “(x86)”.
    That is what throws up your errors: “The system cannot find the path specified.” and “unable to write ‘random state’ “.
