tomato Using AirVPN with Tomato

[Staff 10407]

Edited by Staff on 2026-01-01

About Tomato Firmware
 


Tomato is a small, lean and simple replacement firmware for Linksys' WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. Currently FreshTomato appears to be the only project that has seen active development and new releases from the original Tomato and related forks. This message contains instructions for a legacy Tomato system. For instructions updated to reflect FreshTomato configuration please check the next message. Special thanks to @He who shall not be named and @Pit61

Official website: https://freshtomato.org/

---

Prerequisite

• Make sure you double-check that your version of Tomato supports OpenVPN and/or WireGuard. I strongly recommend Toastman's build of Tomato because of its widespread feature support and stability.

---

Steps

• Under Basic->Network, configure your 3 static DNS servers. If you wish to use the AirVPN DNS set 10.4.0.1 as first DNS IP address. The Air DNS will enable you to access internal Air services, geo-routing services and bypass ICE/ICANN USA censorship (more information here).
  About the others, I recommend picking ones from the OpenNIC Project because many of the servers don't keep any logs, which is consistent with the Air service, plus they would allow your internet service to continue functioning in the event of a government-ordered root DNS server shutdown- https://servers.opennic.org/
• Under Basic->Time, make sure that the correct time zone and server is configured.
• Download the OpenVPN (.ovpn) file of your choosing under "Client Area -> Config Generator" after you log in the AirVPN site. In the Configuration Generator make sure to tick "Advanced Mode" and "Separate certs/keys from .ovpn files".
  In order to determine the IP address of the server you wish to connect to, please resolve "servername.airservers.org". For example, for Acrux resolve "acrux.airservers.org". Find the server names by looking at Status page.
• For the actual configuration, please see the following two screenshots of the Basic and Advanced OpenVPN Client Configuration:

  

  

  Under Basic, sub in your own correct protocol, IP and port in place of what I have in my own config.
  In the Advanced Custom Configuration text box, the options are as follows:
   

  resolv-retry infinite
  remote-cert-tls server
  comp-lzo
  verb 3
  

• Under Keys, you'll need to again text edit your user.key, user.crt, ca.crt and ta.key files, copy the matching keys and certificates and paste them into the text boxes in your router config.
  - ta.key is the Static Key
  - ca.crt is the Certificate Authority certificate (in some older builds, "Server certificate")
  - user.crt is the Client Certificate
  - user.key is the Client Key
• About certificates files (user.crt and ca.crt) content, just copy and paste from "-----BEGIN CERTIFICATE-----" (included) up to "-----END CERTIFICATE-----" (included).
• Save all settings.
• Under Status, click Start Now and count for 30 seconds. Go to https://airvpn.org and at the bottom of the screen it should show you are connected or visit https://ipleak.net for check.

---

Tested with

• Toastman's build of Tomato [v1.28.7500 MIPSR2Toastman-RT K26 VPN] on Asus RT-N16 router.
• Tomato-ND-1.28.7633-Toastman-IPT-ND-SmallVPN on Buffalo WHR-G54S

---

Feedback
For any comment or feedback, you can find the discussion here.
Thanks to Baraka for this article.

[Staff 10407]

Original message by @Pit61 . It updates the setup for FreshTomato based routers.

Here is my working Open VPN config on a Netgear R7000 with Fresh Tomato: