Short for Virtual Private Network, a VPN encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of the user’s choosing. By setting up a VPN on a home wifi router, the internet traffic from all the devices connected to that router’s network will be routed through the VPN server. That includes devices that don’t support VPNs on their own, including game consoles like PS4 and Xbox One, smart TVs, and streaming media devices like Roku and Chromecast.
Connecting to a VPN has several benefits. The encryption makes everything you do online more secure. Your internet service provider and hackers cannot snoop on your activity, for example. Because your default IP address is masked by the one used by the VPN server, corporations and governments can’t easily trace activity back to your device. You can bypass firewalls meant to censor content from specific sites and apps. And you can unblock geographically restricted content, such as US Netflix or BBC iPlayer.
In this post, we get into detail on each of the VPNs that made our list, but here are our top picks in case you only have time for a summary:
- NordVPN Our #1 choice. Operates a huge network of high-speed servers. Strong security and you can get the OpenVPN configuration files directly from their website. Includes 30-day money-back guarantee.
- Surfshark Best budget pick. Doesn’t limit your internet connection and is great for unblocking. Very secure. Provides tutorials for router setup.
- ExpressVPN Fast, secure, and private network. Instructions on setting up with OpenVPN and Tomato routers available on their website. Unblocks most censored, restricted, and geo-blocked sites with ease.
- CyberGhost Some of the fastest servers we have tested make this a good value choice. User-selected Tomato configurations are a nice touch.
- IPVanish OpenVPN configuration and set up files are easy to use. Strong encryption and security.
- VyprVPN Choice of manual configuration or custom router app for Tomato. High-speed network but is a bit pricey.
The best VPNs for Tomato routers
Here is our list of the best VPNs for Tomato routers:
Money-back guarantee: 30 DAYS
NordVPN is our top recommendation. It operates over 5,500 servers in more than 59 countries. You can download the OpenVPN config files for any of these straight from the website. The site’s knowledge base also has setup instructions for Tomato router owners. Subscribers avail of unlimited bandwidth and no data caps. The company maintains a true zero-logs policy, meaning no information is recorded whatsoever related to your use of the VPN. 256-bit military-grade encryption keeps your data safe from prying eyes. Live chat support is available on the website.
Two pre-flashed routers that come with everything you need to connect to NordVPN’s servers with minimal setup can be purchased from Flashrouters.
NordVPN unblocks Netflix, Hulu, HBO Now, BBC iPlayer, and more.
- Fastest VPN we’ve tested
- Download OpenVPN config files directly from the website and setup with tutorial
- Unlimited bandwidth and no data caps
- Excellent security and encryption standards
- Top-notch support
- 30-day money-back guarantee
- Can’t select a specific server, just a location
BEST VPN FOR TOMATO ROUTERS: NordVPN is our top choice. A superfast VPN that works tirelessly with torrenting and P2P. Connects up to 6 devices simultaneously. Also works well with most popular streaming services and achieves consistently good speeds. A 30-day money-back guarantee makes it risk-free.
Read our full NordVPN review.
Money-back guarantee: 30 DAYS
Surfshark is a great wallet-friendly VPN. It provides tutorials for Tomato router setup on its website and offers 24/7 live chat support should you run into issues. Surfshark is rapidly growing its server network and now operates more than 3,200 in over 65 countries. Speeds are ample for most tasks including downloading and HD streaming, although you may find geographically distant servers are a bit slow.
This service is great for unblocking and can provide access to Netflix, Hulu, Amazon Prime Video, BBC iPlayer, and lots more popular geo-restricted services.
- Easy-to-follow tutorials for router setup
- No connection limit
- Strong encryption and suite of other security features
- Refuses to keep logs of user data
- Prompt and knowledgeable support
- Some servers tend to be a bit slow
BEST BUDGET VPN: Surfshark is a good value all-rounder. It’s highly secure and excellent at unblocking. Plus it doesn’t impose any limits. Includes a 30-day money-back guarantee.
Read our full review of Surfshark.
Money-back guarantee: 30 DAYS
ExpressVPN is another great VPN service that goes above and beyond to deliver a quality experience. OpenVPN config files can be downloaded directly from the website, where you’ll also find instructions on how to get set up. Over 3,000 servers dot the globe in 94 countries. Each of them is optimized to provide a fast and reliable connection. Bandwidth is unlimited and there’s no data cap. 256-bit AES encryption combined with perfect forward secrecy make for strong security. The company keeps no identifying logs of user activity or real IP address. Live chat support is available 24/7 on the website.
ExpressVPN unblocks Netflix, Hulu, HBO Now, BBC iPlayer, and more.
If flashing your router with Tomato firmware seems intimidating, or you’re in the market for a whole new router, you may consider ExpressVPN’s pre-configured routers which come with the provider’s own custom firmware for routers.
- Supports OpenVPN with pre-configured routers and firmware for compatible routers
- Operates over 3,000 servers in 94 countries
- High-grade security features and no logs policy protects your privacy
- Great capabilities for unblocking geo-locked content
- 24/7 chat support staff are well trained to handle complex situations
- Slightly more expensive than some of its competitors
ROUTER OPTIONS: ExpressVPN is another solid VPN. It has a vast server network that is optimized for fast connections. It has several options for router setup and works with all major streaming services. Plans include a 30-day money-back guarantee.
Read our full ExpressVPN review.
Money-back guarantee: 45 DAYS
CyberGhost allows subscribers to create and download custom configuration files for the servers they want to connect to through their Tomato routers. These include the protocol (UDP or TCP), country, server group, type of server, ad blocker, force HTTPS, and data compression. The site has useful tutorials for a couple of different versions of TomatoUSB routers.
The company operates over 6,500 servers in 90 countries. It scored well in our speed tests and connections were quite reliable. Strong encryption and a no-logs policy ensure that your privacy and security are airtight. Live chat is available during European working hours.
- Supports and offers config files for Tomato routers
- Budget provider that doesn’t compromise on security and privacy
- Testing revealed impressive server speeds
- Beginners find their apps easy to set up and use
- Live chat is only available during European working hours
GREAT FOR STREAMING: CyberGhost provides access to lots of geo-restricted content and its easy-to-use apps are ideal for beginners. Plans come with a 45-day money-back guarantee.
Read our full CyberGhost review.
Money-back guarantee: 30 DAYS
If you want to purchase a pre-flashed router instead of changing the firmware yourself, you can get a Tomato router configured with all of IPVanish’s servers and router settings from Flashrouters.
IPVanish is particularly popular with Kodi users due to the fact that it works with all the add-ons we’ve tested.
- Website has the Tomato router config files along with setup guides
- Strong encryption and privacy protections
- Servers are fast for streaming and downloading
- No live customer support
- Doesn’t reliably unblock Netflix, Hulu
FAST AND RELIABLE: IPVanish has a large network of servers. Uncongested network achieves good speeds. Strong security and privacy features. Could do with live customer support. 7-day money-back guarantee.
Read our full IPVanish review.
Money-back guarantee: 30 DAYS
VyprVPN operates more than 700 servers in over 60 countries, all of which the company owns rather than rents. 256-bit AES encryption ensures all your traffic is protected, but the company does record users’ source IP addresses, so torrenters might want to look elsewhere. Live customer support is available via the website.
VyprVPN has a couple of different ways for subscribers with Tomato routers to get connected. You can of course manually set up OpenVPN like you would with any other VPN using config files from the website. Or you can opt to use VyprVPN’s custom router app that runs on top of Tomato by Shibby. This will modify the Tomato interface and automatically configure all of VyprVPN’s servers into the router. You can even use VyprVPN’s proprietary Chameleon protocol, which helps prevent VPN connections from being detected by your ISP, with VyprVPN’s Tomato app.
VyprVPN unblocks US Netflix and Hulu.
- Has a custom app for Tomato routers, can also manually configure with OpenVPN
- Fast speeds are perfect for streaming
- Military-grade encryption and logs no identifiable information
- Power users would prefer more configuration options
- Not the cheapest option on this list
- No cryptocurrency payment method
EASY TO USE: VyprVPN is user friendly. A solid choice. Stores no logs, offers great security and unblocks most streaming services. More pricey than some. 30-day money-back guarantee.
Read our full VyprVPN review.
VPN testing methodology
Because you’ll be using Tomato firmware instead of a VPN app, router VPNs have to be evaluated on a slightly different, narrower set of criteria. Generally speaking, a VPN configured on a router will not benefit from all of the same convenience and security features of a VPN installed as an app on a laptop or phone.
We evaluate each and every VPN we recommend using real-world experience, expert analysis, and several tests. When it comes to router VPNs, we specifically consider:
- Router support: To support Tomato routers, the VPN should provide configuration files and/or credentials to set up a manual connection, plus documentation on how to do it.
- Speed: Our speed tests measure download bandwidth to VPN servers located around the world.
- Streaming: We use real-world tests to find out which VPNs can unblock popular streaming services from abroad, including several international Netflix libraries, Hulu, Amazon Prime Video, HBO Max, Disney+, and BBC iPlayer.
- Security: Security can deviate from a VPN’s advertised encryption levels and protocols when you set it up on a router as opposed to using an app. We only recommend providers that support secure and up-to-date VPN protocols for manual configuration.
- Server selection: We favor VPNs that have more geographic locations to choose from.
- Value for money: We weigh prices, discounts, guarantees, trials, and billing practices against the performance, security, and features of each VPN.
- Customer service: Setting up a router VPN is more complicated than using a VPN app, especially if it’s your first time. We recommend providers that have responsive and competent customer support. Our reviewers contact each provider’s customer support as secret shoppers to measure response times and gauge response quality.
Can I use a free VPN with Tomato?
There’s no shortage of free VPNs out there, but we recommend avoiding the vast majority of them. Free VPNs typically don’t hand out the config files necessary for a Tomato router to connect to their servers. Instead, they prefer you use their desktop or mobile apps, which often contain tracking cookies, inject advertisements, and occasionally even infect your device with malware.
Even the most trustworthy options have hard limits on which servers, how much data, and how much bandwidth you can use. That makes them pretty much useless for anything bandwidth-intensive like streaming video or gaming online.
Free VPNs often slack on privacy and security protections. They can’t offer advanced features such as split-tunneling or military-grade encryption. Many will even mine your internet traffic for data that can be sold to third-party advertisers.
Which version of Tomato should you use?
When searching for Tomato online, you’ll likely come across several different mods, or forks, of the original Tomato firmware. These include:
Figuring out which is best suited to your router and needs might not be immediately clear, so we’ll attempt to narrow down your options.
Plain-old Tomato is the original firmware first introduced in 2008. The last release was in June 2010, and its compatibility is limited to a relatively short list of routers from around that time. It doesn’t include OpenVPN client nor server support, so this probably isn’t what you want.
TomatoUSB is a fork of the original Tomato created shortly after the original creator ceased development. It added a far wider range of routers as well as other useful features, such as support for USB ports and wireless-N mode. The official branch of TomatoUSB hasn’t been updated since November 2010. While it may work for your router, there are likely better options.
Shibby, Toastman, Victek, and most other current mods are forks of TomatoUSB, meaning they share much of the same basic code but add their own features and functionality to the mix. All three offer OpenVPN client and server support, so any of them would make a good choice. Shibby (short for “Tomato by Shibby”) seems to be the most popular option, so you should have no problem finding help and resources on forums if necessary.
AdvancedTomato is a fork of Shibby Tomato that adds a slick web-based dashboard, which many users will find more user-friendly than Tomato’s default interface. Whenever Shibby Tomato is updated, AdvancedTomato is updated shortly thereafter. All other factors being equal, and assuming your router is compatible, AdvancedTomato is our top recommendation for novice Tomato users.
If performance is a concern, as a general rule, you will want to flash the smallest build available that offers all of the features you need (OpenVPN client support, in this case).
Once you’ve found a version of Tomato that checks off all your requirements, make sure it’s compatible with your router. Simply Googling “Shibby Tomato router list” or something similar should bring up a list of compatible router models for your build.
How to set up OpenVPN on a Tomato router
We’ll cover Tomato by Shibby 1.28 in this tutorial, and it should be similar enough to other builds that you can figure out any discrepancies. These tutorials assume you already have your preferred version of Tomato installed. Follow the instructions to set up an OpenVPN client on your router.
Here’s how to set up OpenVPN on a Tomato router:
- While connected to your router’s wifi or LAN, open a web browser and navigate to your router dashboard. This is 192.168.1.1 by default. Enter the credentials that you created when first installing Tomato.
- Once logged in, click on VPN Tunneling in the left sidebar, then OpenVPN client.
- On the next page, you’ll need to get the necessary information from your VPN provider. Fill out each of the fields as necessary.
- If your version of Tomato doesn’t have username and password fields, you’ll need to go to Administration > Scripts and enter the following commands, replacing username and password with your VPN credentials:
    echo username > /tmp/password.txt
    echo password >> /tmp/password.txt
    chmod 600 /tmp/password.txt
- Click the Advanced tab and enter any further information necessary from your provider. This includes several lines you’ll need to copy/paste into the Custom configuration field from your provider’s OpenVPN config file. Again, consult your provider on what to put here.
- Next up is the Keys tab. Here you’ll enter more information that is more often than not found in the OpenVPN config file from your provider. If not, they may be stored in separate files that you can also download and open in a plain text editor such as Notepad. Static key should contain everything inside the <tls-auth> tag. Certificate authority should contain everything inside the tag.
- Hit the Save button at the bottom of the page, then Start now.
- To check whether your connection is successful, go to the Status tab.
Finally, if your VPN provider operates its own DNS servers (all of the ones we recommend do), you’ll want to add those as well:
- In the left sidebar, click Basic > Network
- Under WAN Settings, set DNS Server to Manual and enter the primary and secondary DNS server addresses from your VPN provider in the following two fields.
- Click Save, and you should be good to go!
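The Keys-tab step above means copying the inline blocks out of the provider's OpenVPN config file by hand. As an added example (not from the original article or from any provider), the Python script below splits a config into option lines and inline blocks, maps the `<tls-auth>` and `<ca>` bodies to the Static key and Certificate authority fields, and flags settings that weaken a manually configured tunnel. The sample file, host name, key material and function names are constructed for illustration.

```python
import re

# Constructed sample .ovpn: placeholder host and key material, not a real provider file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth SHA256
auth-user-pass
# remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks look like <tag> ... </tag>, each tag on its own line.
BLOCK_RE = re.compile(r"^<([\w-]+)>\s*\n(.*?)\n</\1>\s*$", re.S | re.M)
# Ciphers with 64-bit blocks, or no encryption at all.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
SERVER_CHECKS = ("remote-cert-tls", "verify-x509-name", "ns-cert-type")

def split_ovpn(text):
    """Return (directives, blocks): option lines as token lists, inline bodies by tag."""
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    directives = []
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):  # skip comments
            directives.append(line.split())
    return directives, blocks

def keys_tab(blocks):
    # Field names are the two the tutorial mentions for the Keys tab.
    return {"Static key": blocks.get("tls-auth", ""),
            "Certificate authority": blocks.get("ca", "")}

def audit(directives, blocks):
    """List findings about settings that weaken a manually configured client."""
    opts = {d[0]: d[1:] for d in directives}
    findings = []
    cipher = (opts.get("cipher") or [None])[0]
    if cipher is None:
        findings.append("no cipher line: the router's OpenVPN default applies")
    elif cipher.upper() in WEAK_CIPHERS:
        findings.append(f"weak cipher {cipher}")
    if not any(name in opts for name in SERVER_CHECKS):
        findings.append("no remote-cert-tls/verify-x509-name: any certificate "
                        "signed by the CA is accepted as the server")
    if "ca" not in blocks and "ca" not in opts:
        findings.append("no certificate authority supplied")
    return findings

if __name__ == "__main__":
    directives, blocks = split_ovpn(SAMPLE_OVPN)
    print(keys_tab(blocks)["Static key"])
    print(audit(directives, blocks))
```

Run against the constructed sample, the audit reports the 64-bit-block cipher and the missing server-certificate check, the kind of gap between advertised and configured security that a manual router setup can introduce.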
How to set up OpenVPN on AdvancedTomato
On AdvancedTomato, everything is pretty much the same as Shibby with a couple of exceptions. Instead of “VPN Tunneling”, the left sidebar tab is simply labeled VPN.
The main difference here is the Advanced tab, which will have a drop-down and toggles for many of the settings instead of having to copy/paste from the OpenVPN config file. You will still need to copy/paste your keys and certificates in the Keys section, though.
Tomato vs DD-WRT for VPN users
Whether you flash DD-WRT or Tomato will probably come down to whichever one your router is compatible with. But if you have a choice, a few factors are worth considering.
Advantages of Tomato over DD-WRT
- VPN support is more consistent in Tomato routers. Whereas pretty much all builds of TomatoUSB and its forks support OpenVPN, support is much more hit and miss with DD-WRT.
- Tomato is generally considered a bit more user-friendly. Flashrouters, which sells pre-configured routers from several of the recommended VPNs above, notes a “higher rate of success with Tomato when setting up and connecting with OpenVPN.”
- Tomato has a wireless survey page that helps users find the best channel to use for a wireless network. You can get notifications when updates are available. Tor, BitTorrent, and USB compatibility are integrated into some builds.
- Tomato allows users to set up two OpenVPN connections and easily switch between them. So if one of your servers is down or overly congested, or you need a second location to connect to, this can be quite handy.
- Tomato includes both real-time and historical bandwidth monitoring.
- Policy-based routing allows you to split-tunnel your connection between the VPN and your default ISP by device.
Advantages of DD-WRT over Tomato
- DD-WRT supports more router models than Tomato.
- DD-WRT supports repeaters and alternate subnets
- DD-WRT tends to have more advanced built-in options for tech-savvy users
Don’t use PPTP
Point-to-point tunneling protocol, or PPTP, is one of the oldest VPN protocols around. It’s widely available with support built into many computers, smartphones, and routers. That includes Tomato. But PPTP contains known security vulnerabilities that an attacker could exploit with a bit of know-how and effort, so it’s best avoided. You can read more about VPN protocols and why you should avoid PPTP here.
While not secure, PPTP does have a couple advantages going for it. It’s an easier setup than OpenVPN and other protocols, and it’s a bit faster. Still, we strongly recommend OpenVPN over all other protocols.
Disadvantages of setting up a VPN on your router
We’ve gone over the many advantages of setting up a VPN on your router, but readers should be aware of the downsides as well. All your devices will be tunneled through a single VPN connection, which could get congested if you have a lot of devices connected to the router at once. This can be alleviated to some degree by using split tunneling (policy-based routing) for certain devices, but it’s not all that easy to set up.
If the server you’ve configured a connection to experiences downtime, switching isn’t that easy. Tomato variants that support two separate client VPN configurations can get around this by simply switching, but setting up a new server can be a tedious pain. Pre-configured routers or custom firmware, such as that offered by ExpressVPN, make these problems easier to deal with than stock Tomato.
Finally, using a VPN requires computing resources to encrypt outgoing traffic and decrypt incoming traffic. Computers and smartphones have plenty of power for this sort of thing and so their speeds aren’t affected much. But most routers pack much less of a punch. Depending on your router’s hardware, running a VPN client on it could make a substantial dent in your download and upload rates.
VPN for Tomato Routers VPN
How can I set up a dedicated VPN router with two routers?
The easiest way to do this would be to cascade your routers. The first router is connected to the modem and uses a direct, unencrypted connection. The second router is connected to the first via LAN cable and is configured to use the VPN.
Any device you connect to the first router will use the normal, direct connection. Any device connected to the second router will go through the VPN.
What are the best routers for running a Tomato VPN?
We don’t review routers, but here are a few of the top recommended routers for setting up a VPN on TomatoUSB, Shibby Tomato, and Advanced Tomato firmware:
- Asus RT-N66U
- Tenda W1801R/W1800R Wireless AC1750
- NETGEAR Nighthawk series*
- ASUS RT-AC3200
- Netgear R series*
- D-Link DIR-868L
- Linksys EA6900
- ASUS RT-AC66U
- NETGEAR WNR3500L
* indicates all or most models in this line support Tomato firmware and VPNs.
Are all routers VPN compatible?
No. Budget models in particular tend to lack a lot of features including VPN support. There’s simply no option to set up a VPN connection in the admin dashboard.
VPN support, if a router has it, is usually built into a router’s firmware. You can replace, or “flash”, VPN-compatible firmware like Tomato onto an existing router. However, this process requires some tech-savvy and can permanently brick your router if not done properly, so proceed with caution.
For more info, check out our list of the best VPNs for routers.
See also: Best VPNs for DD-WRT routers