Last updated:

router
Need a VPN for your router?
Get ExpressVPN Now
refer a friend
Love ExpressVPN? Want a free month?
Refer a Friend Now
ExpressVPN has released a new app and website interface. If the images you see below do not reflect the latest app or website interface, note that the instructions still apply unless otherwise specified.

This tutorial will show you how to set up ExpressVPN on your Tomato router, using the OpenVPN protocol.

Important: The OpenVPN manual configuration does not offer the same security and privacy benefits as the ExpressVPN app. If your router does not support AES-NI (e.g., Asus RT-AX88U and RT-AC86U), you may experience occasional speed issues while using the OpenVPN manual configuration.

Tomato is a custom firmware that offers advanced networking features and OpenVPN protocol support. The steps below were tested on AdvancedTomato Version 3.5-140. See a list of AdvancedTomato supported routers.

Before you proceed, make sure you have set up the Tomato firmware on your router.

Jump to…

1. Find your ExpressVPN account credentials
2. Configure your Tomato router
3. Connect to a VPN server location
Disconnect from a VPN server location

1. Find your ExpressVPN account credentials

On the ExpressVPN setup page, enter your ExpressVPN credentials. Click Sign In.

Enter your ExpressVPN credentials, then select “Sign In.”

Click Manual Configuration on the left side of the screen. Select OpenVPN on the right. You will first see your username and password and then a list of OpenVPN configuration files.
Copy the username and password.

Click the location(s) you want to connect to. The .ovpn file(s) will be downloaded to your device.

Keep this browser window open. You will need this information for the setup later.

Need help? Click here to contact the ExpressVPN Support Team via Live Chat

Back to top

2. Configure your Tomato router

In your browser’s address bar, enter your router’s IP address.

Enter the username and password. (By default, they are root and admin.) Click Sign In.

Once in the admin settings, in the left sidebar, click VPN > OpenVPN Client.

Click “OpenVPN Client.”

In the Basic tab, enter the following information:

  • Start with WAN: Check this box.
  • Interface Type: Select TUN.
  • Protocol: Select UDP.
  • Server Address/ Port: To get this information, right-click the .ovpn config file you downloaded earlier and open it with any text editor. For the first field, enter the server address listed between the word “remote” and the 4-digit number in the first field. For the second field, enter the 4-digit number at the end of this line.
    Enter the server address and the 4-digit number found in the OpenVPN configuration file.
  • Firewall: Select Automatic.
  • Authorization Mode: Select TLS.
  • Username/ Password Authentication: Check this box.
  • Username: Enter the OpenVPN username found earlier.
  • Password: Enter the OpenVPN password found earlier.
  • Username Authen. Only: Leave unchecked.
  • Extra HMAC authorization (tls-auth): Select Ongoing (1).
  • Create NAT on tunnel: Check this box.

Click Save.

Click “Save.”

Click the Advanced tab. Enter the following information:

  • Poll Interval: Leave this as is.
  • Redirect Internet traffic: Check this box.
  • Accept DNS configuration: Select Exclusive.
  • Encryption cipher: Select AES-256 CBC.
  • Compression: Select Adaptive.
  • TLS Renegotiation Time: Enter -1.
  • Connection retry: Enter -1.
  • Verify server certificate (tls-remote): Uncheck this box.

For Custom Configuration, in the same text editor that you opened earlier, find and paste the values for the following items into this field:

  • tun-mtu
  • fragment
  • mssfix
  • keysize
  • auth
  • sndbuf
  • rcvbuf

For example, if you are using the.ovpn configuration file for USA – New York, paste:

tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288

Click Save.

Click “Save.”

At the top, click the Keys tab, copy and paste the text from the .ovpn configuration file into the following fields:

  • Static Key: Copy the text between <tls-auth> and </tls-auth> tags in the .ovpn file and paste it in this field.
    Enter text in the TLS Auth Key field.
  • Certificate Authority: Copy the text in between <ca> and </ca> tags in the .ovpn file and paste it in this field.
    Enter text in the CA Cert field.
  • Client Certificate: Copy the text between <cert> and </cert> tags in the .ovpn file and paste it in this field.
    Enter text in the Public Client Cert field.
  • Client Key: Copy the text between the <key> and </key> tags in the .ovpn file and paste it in this field.
    Enter text in the Private Client Cert field.

Click Save.

Click “Save.”

Need help? Click here to contact the ExpressVPN Support Team via Live Chat

Back to top

3. Connect to a VPN server location

At the top, click the Status tab. Then click the ► icon on the right.

Click the “play” icon.

Once you are successfully connected, you will see the word “Running.”

Once you are successfully connected, you will see the word “Running.”

To verify your connection, you can use ExpressVPN’s IP Address Checker to check your IP address. If you are connected properly, the IP address shown will correlate to the location you are connected to via the VPN.

Need help? Click here to contact the ExpressVPN Support Team via Live Chat

Back to top

Disconnect from a VPN server location

To disconnect, go to VPN > OpenVPN Client > Status. Click the ■ icon. You will be disconnected from the VPN.

Need help? Click here to contact the ExpressVPN Support Team via Live Chat

Back to top

Was this article helpful?Yes No
Got it. Could you tell us more?
Submit Feedback