Setup Tomato VPN Server with OpenVPN TLS/SSL Certificate

May 18, 2014 by LearnTomato

This may seem like a long post but it’s mostly screenshots, sprinkled with some ‘how-to’ stuff.  I know how you guys like pictures. 🙂

In this section, we’re going to set up a secure VPN tunnel using TLS (Transport Layer Security). Unlike the static key method, in which both ends use the same pre-shared key, this type of VPN uses certificates to validate the peers and then establishes an encrypted connection between them. As a result, the connection between your Tomato router and the OpenVPN client will be secure, even if you are connected to an insecure public WiFi hotspot.

This post assumes that you:

  • Are running a version of Tomato that supports VPN.
  • Have set up Dynamic DNS on your router.
  • Have downloaded and installed the OpenVPN software on your client computer.

Before we proceed, I want to touch on something. Just because you use a VPN doesn’t mean that everything you do online is secure. Yes, your VPN connection is secure. But your Internet browsing activities are not. After you set up your VPN, you might consider using a VPN proxy to shield your browsing activities too.

When we installed OpenVPN, it also installed some scripts to help us out. With these scripts we can quickly and easily build the necessary certificates and keys directly from the command prompt. We’ll start by generating certificates. Then, we’ll configure the VPN server settings within the router, copy the certs and keys and ‘Start’ the VPN.

[Screenshot: Run as Admin]

Click Start > Accessories, right-click ‘Command Prompt’ and choose ‘Run as Administrator’.

[Screenshot: CMD prompt, using init-config to copy the vars.bat file]

  1. Type: cd c:\Program Files\OpenVPN\easy-rsa and hit ‘Enter’.
  2. Type: init-config and hit ‘Enter’.

This will copy the vars.bat file to the \easy-rsa directory. The vars.bat file is a variable file that OpenVPN uses to build the certificates and keys. We must edit some of these variables using a text editor. You can use Microsoft Notepad, but I prefer Notepad++.

http://notepad-plus-plus.org/

Minimize your command prompt window but don’t close it because we’ll need it again after we edit the vars.bat file.

Now, open your notepad editor of choice and run it as administrator. If you do not select ‘Run as administrator’, you may not be able to save the file after editing it. Or, it will ask you to save it in a different location (which is inconvenient).

[Screenshot: Text Editor, Notepad++ run as administrator]

Navigate to: c:\Program Files\OpenVPN\easy-rsa

[Screenshot: Easy RSA Folder]

Using your text editor, open the vars.bat file.

[Screenshot: the vars.bat file open for editing]

Edit the following variables: Country, Province, City, Org, and Email. You can leave the rest of the variables alone. We’ll fill them in momentarily via the command prompt. When you’re finished, click ‘Save’.

Go back to your command prompt:

[Screenshot: CMD: build-ca]

  1. Type vars and hit Enter.
  2. Type clean-all and hit Enter.
  3. Type build-ca and hit Enter.

The ‘build-ca’ command will output two very important files: a CA certificate and key. These files can be found in the following directory: c:\Program Files\OpenVPN\easy-rsa\keys.

[Screenshot: SSL Certificate, entering the certificate variables and a Common Name]

Upon running the ‘build-ca’ command, you’ll be prompted to enter some variables (Country, State, etc). These variables are pulled from the ‘vars.bat’ file we just edited, so they should look familiar. Since we just edited some of them, simply hit ‘Enter’ for the majority of them. However, be absolutely certain to fill in the ‘Common Name’ parameter. I used ‘TomatoVPN’ for my Common Name. This can be anything, just don’t leave it blank!

Now we must build a key for our client device.

[Screenshot: Client Key, entering a Common Name for the OpenVPN client. This must match the client key.]

Type: build-key client

You can replace ‘client’ with something more applicable such as Laptop1, Laptop2, etc. Whatever label you choose, you must also enter it for the Common Name parameter. Therefore, the command ‘build-key laptop1’ would require that you enter laptop1 for the Common Name. Just like the last command (with the exception of the Common Name), fill out the variables or hit ‘Enter’ for the default parameters. This time, you’ll be asked two questions: (1) to sign the certificate and (2) to commit. Select “y” for yes to both of them. Be sure to hit ‘Enter’. Repeat this process for each VPN client.

The last certificate we’ll be generating is the server key.

[Screenshot: VPN Server Key, entering a Common Name for the Tomato VPN server]

Type: build-key-server server

This command will output two files: a server certificate and key. Again, these files can be found in the following directory: c:\Program Files\OpenVPN\easy-rsa\keys.

As before, you can replace ‘server’ with a more suitable label. The important thing to remember is that you use the same label for the Common Name. Upon completing the variables, you must again choose “y” to sign and commit.

Now we must generate the Diffie-Hellman parameters.

[Screenshot: Build-dh at the CMD prompt]

Type: build-dh

This process generates the Diffie-Hellman parameters. Diffie-Hellman is a protocol used to exchange cryptographic keys. Basically, it allows two devices with no prior relationship to establish a shared secret key over an unsecured connection.

We must now copy three of the files we created into the ‘config’ directory. Navigate to: C:\Program Files\OpenVPN\easy-rsa\keys

[Screenshot: OpenVPN RSA Keys, located in the /keys directory]

Press the ‘Ctrl’ key on your keyboard while using your mouse to select and copy the following files:

  • ca.crt
  • client.crt
  • client.key

Navigate to: C:\Program Files\OpenVPN\config

[Screenshot: OpenVPN Config Directory]

Paste the files into the ‘config’ directory.

Now, we must create the client configuration profile. This is a simple text file used by OpenVPN to determine how and where to connect, encryption type, protocol type, etc.

Create Client Config File

Open your text editor. Be sure to select ‘Run as administrator’.

[Screenshot: Text Editor, Notepad++ run as administrator]

With your text editor opened, choose File > Open and navigate to: C:\Program Files\OpenVPN\sample-config

[Screenshot: OpenVPN client file]

The file you open will look similar to the image below.

[Screenshot: Sample Config]

Each line with a “#” mark is commented out of the file (ignored). These lines aren’t necessary, and they make it challenging to find the variables you need to modify. The easiest way to clear the file is to hit ‘Ctrl + A’ on your keyboard to select everything in the file, then hit ‘Delete’. Now you can start from scratch, entering your variables as shown in the image below.

[Screenshot: Client config file, the edited .ovpn file]

Enter the parameters exactly as seen in the image above.

Go to: File > Save As.

[Screenshot: Save Config]

  1. Select ‘All types’ next to ‘Save as type’.
  2. Name the file ‘Home VPN.ovpn’ and click ‘Save’.

Be sure to give the file the extension .ovpn and select ‘All types’ or the file will not save correctly. After saving this file, copy it to the ‘config’ directory: C:\Program Files\OpenVPN\config.
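A quick way to sanity-check the saved profile before connecting, as an added example that is not part of the original post: the script parses an .ovpn file and reports missing certificate directives, a leftover static-key ‘secret’ line, or a profile that never checks that the peer presented a server certificate (client and server certificates here are signed by the same CA). The function names, the sample profile and its host name are constructed for illustration.

```python
import shlex

# Constructed sample profile (assumption); the host name is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
remote myrouter.example.net 1194
ca ca.crt
cert client.crt
key client.key
"""

def parse_ovpn(text):
    """Map each directive to its argument lists, skipping comments and inline PEM."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            found.setdefault(inline, []).append(["[inline]"])
            continue
        parts = shlex.split(line, comments=True)
        found.setdefault(parts[0], []).append(parts[1:])
    return found

def lint_profile(text):
    """Return findings for a certificate-based (TLS mode) client profile."""
    d, findings = parse_ovpn(text), []
    if "secret" in d:
        findings.append("secret: static-key directive present in a TLS profile")
    if "client" not in d and "tls-client" not in d:
        findings.append("client: profile is not in TLS client mode")
    if "remote" not in d:
        findings.append("remote: no server address")
    for name in ("ca", "cert", "key"):
        if name not in d:
            findings.append(f"{name}: not set")
    # 'ns-cert-type server' is the older spelling of the same check.
    if not any(["server"] in d.get(k, []) for k in ("remote-cert-tls", "ns-cert-type")):
        findings.append("remote-cert-tls: server certificate type is not checked")
    return findings

if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE) or "no findings")
```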

Configure the Tomato VPN Server

Navigate to: VPN Tunneling > OpenVPN Server

[Screenshot: Tomato VPN Server Config (basic)]

  1. Ensure that the ‘Server 1’ and ‘Basic’ tabs are selected.
  2. Set your settings as seen in the image above.
  3. Click ‘Save’.

Go to the ‘Advanced’ tab.

[Screenshot: Tomato VPN Server Config (advanced)]

Configure your settings exactly as shown in the image above. Click ‘Save’ and navigate to the ‘Keys’ tab.

[Screenshot: Tomato VPN (keys)]

Navigate to: C:\Program Files\OpenVPN\easy-rsa\keys.

  1. Open each key file, copy and paste the key into the text area. Click ‘Save’ to save the key.
  2. Click ‘Start’ to start the OpenVPN server.

Start the OpenVPN client (Run as Admin).

[Screenshot: Run OpenVPN Client as administrator]

Navigate to: Start > All Programs > OpenVPN

  1. Right-click on ‘OpenVPN GUI’ and choose ‘Run as Administrator’.
  2. Connect to the VPN.

[Screenshot: OpenVPN Connection. If the OpenVPN connection is successful, you will see a green icon in the task bar.]

Right-click the OpenVPN icon in your system tray and choose ‘Connect’. The status window will open and notify you that the Initialization Sequence has completed. Upon a successful connection, the icon in the task bar will turn green.
