Setting up a Router running Advanced Tomato Firmware

Advanced Tomato is one of the most prominent and user-friendly forks of Tomato, an open-source firmware designed to expand the functionality of select routers. Advanced Tomato is the same firmware as Shibby Tomato with a more user-friendly GUI, so all instructions in this guide should apply to routers running Shibby Tomato as well.



Recommended Settings

Port 1198
Protocol UDP
Encryption AES-128-CBC
Root CA ca.rsa.2048.crt

To begin, click on VPN in the sidebar of the Advanced Tomato user interface. Then, select the OpenVPN Client option. Once you’ve opened this page, you should see 5 tabs at the top of your screen. First, select the Basic tab.


  • Start with WAN: Select this option if you would like the VPN to run whenever you boot up your router*.
  • Interface type: TUN
  • Protocol: From the drop-down menu, choose between UDP or TCP. We recommend UDP as it tends to provide better speeds.
  • Server Address/Port: Choose a server from our network page and enter its hostname in the field. Next to it, enter the port that corresponds to the encryption cipher you would like to use. We recommend port 1198 as a default. You can find all of our supported encryption/auth settings here.
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Username/Password Authentication: Checked
  • Username: Enter your PIA account username
  • Password: Enter your PIA account password
  • Username Authen. Only: Unchecked
  • Extra HMAC authorization (tls-auth): Disabled
  • Create NAT on tunnel: Checked


Once you’ve entered these settings, please click Save, and then click into the Advanced tab.


  • Poll Interval: 0
  • Redirect Internet traffic: Unchecked
  • Ignore Redirect Gateway (route-nopull): Unchecked
  • Accept DNS configuration: Strict
  • Encryption cipher: Select the encryption cipher you would like to use. We recommend AES-128-CBC.
  • Compression: Adaptive
  • TLS Renegotiation Time: -1
  • Connection retry: 30
  • Verify server certificate (tls-remote): Unchecked

Custom Configuration:


Click Save again, and then click in to Keys


To enter the certificate into its place, you will need to download the certificate that corresponds to your desired settings. Once you’ve downloaded the certificate, right click on it and open it in a text editor (such as Notepad). Copy the entire text of the certificate and paste it into the Certificate Authority field.

Once you’ve pasted in the certificate, click Save once more.

Now, click into the Status tab at the top of the page. To connect to the VPN, click on the small play button on the top right of the screen.


The VPN status status should change from (Stopped) to (Running). You should now be able to view your router’s activity by refreshing the status page.


Finally, check your connection status by visiting What’s My IP. If you are successfully connected, you’ll see “You are protected by PIA”.

In addition to configuring an OpenVPN client connection, we recommend using PIA’s DNS in order to ensure quick DNS resolution and eliminate the possibility of DNS leaks. You can set this up this on your router by doing the following:


  • Go to Basic and select Network
  • Locate WAN Settings
  • DNS Server: Manual
  • Static DNS 1: ``
  • Static DNS 2: ``


Then, Save your settings.

*If you would like to configure multiple client profiles, leave this option unchecked as two profiles running at the same time will leave you without internet access.

Have more questions? Submit a request