Please note the following requirements:
- Router with alternative Tomato firmware and support of OpenVPN. Older versions need to be updated.
Info: Official Tomato website
- A CyberGhost account
Info: Here's how to create a CyberGhost account online
Info: How to manage your CyberGhost account
- A CyberGhost subscription
Info: How to purchase or upgrade a subscription
Info (only prepaid subscribers): Enter activation key
Disclaimer: Please keep in mind that, although the technical process is as thoroughly documented as possible, you need to have at least some technical understanding. There's always a chance for an overseen mistake and/or things have changed and the article is not updated yet.
Tomato is a custom firmware for routers. It offers OpenVPN client support and is available on a variety of routers. To verify if your router supports Tomato firmware, you can check if your router supports Tomato firmware here. An article on how to install Tomato firmware on a router can be found here.
Some general notes on routers:
- Routers are usually not equipped with state of the art hardware, meaning you will have speed losses when using a VPN connection (due to low CPU power to process encryption). Direct connections from your PC, Laptop, Tablet, etc. to the VPN network (without the router providing the VPN software) will work better for you if speed is among your favorite desires.
- If your flashed router doesn't provide DSL functionality, your Internet connection will still need to be managed by your DSL modem. In that case, your device pool will hook on your router (via cable or wireless) and the router itself will be hooked to your DSL modem. So don’t forget to configure your WLAN devices to connect to the new router, so they won’t log in to the old WLAN. Alternatively, you can deactivate your modem’s WLAN completely (only if you don’t need it for unencrypted traffic).
- If you flash your router with an alternative firmware you might lose your device’s guarantee; please consult your dealers’ policies regarding this matter. Furthermore, it might happen that the flash process leaves your device unusable, e.g. after a power failure while flashing. CyberGhost is not to be held responsible for any damages, does not acknowledge any liabilities, and will not adopt your manufacturer’s warranty.
- Also please note that not all routers with VPN client support will be able to connect to the CyberGhost network or might lose that ability with future firmware updates.
Visit your CyberGhost VPN online account.
- Protocol : Open VPN
- Country : Since native protocol connections may only be used with exactly one server you now have to choose the country you want to surf from; the server to be used in this country will be chosen by CyberGhost automatically.
- Server group : Choose the server group and the OpenVPN protocol (UDP or TCP) you want to use
Important : please keep your username and password obtained during the configuration process at hand, you will need them later in the setup.
Now, the saved config is a ZIP file, which contains the following single files:
- ca.crt: This is the certificate of the certification authority
- client.crt: This is the user certification file
- client.key: This is your private key file
- openvpn.ovpn: This is your OpenVPN configuration file
If you need to change the country you connect to, you must re-configure the location to use in your account management and download the new zipped config file.
First things first, these changes are made in the web configuration panel of your router. You can access it by visiting the local IP of your router from your web browser. The two most common, the default local IPs that most routers have are 192.168.1.1 or 192.168.0.1 – you can access these by opening http://192.168.1.1 or http://192.168.0.1 in your browser. The default IP, username, and password are listed in your router’s User Manual.
- Open the router settings page on your browser by entering the router local address (192.168.1.1 by default).
- On the left side menu, click VPN Tunneling -> OpenVPN Client
Activate the main tab Client 1 and the sub-tab Basic. Check all of the following options and change those which show different:
- Start with WAN: Uncheck
- Interface Type: TUN
- Protocol: UDP or TCP (depending on what type you decided to use in step 1)
- Server Address/Port: Please enter the server address/group of Step 1, e. g. '12345-1-ca.cg-dialup.net'. Depending on the country to connect with, fist part of each address will be changed, e.g. instead of '12345-1-dialup.net‘ (CA meaning Canada and 12345-1 being the server group), when choosing a different country, the first part would be similar to '12345-1-gb.cg-dialup.net' (GB meaning Great Britain and 12345-1 the server group).
- Firewall: Automatic
- Authorization Mode: TLS
- Username/Password Authentication: Checked
- Username: The user name created in step 1. DO NOT use your regular user name!
- Password: The password created in step 1. DO NOT use your regular password!
- Username Authentication only: Unchecked
- Extra HMAC authorization: Disabled
- Create NAT on tunnel: Checked
Opening 'Basic > Network' you can also configure the DNS server to be used. If you want to, please exchange the first DNS IP address with a censorship-free CyberGhost name server:
- Primary: 10.101.0.243
- Secondary: 18.104.22.168
Also, take care of the correct configuration of the time zone and server in the tab 'Basic > Time'.
Click on Advanced tab and set the following options:
- Poll Interval: 0 (deactivated)
- Redirect Internet traffic: Checked
- Accept DNS configuration: Strict
- Encryption cypher: AES-256-CBC
- Compression: Disabled
- TLS Renegotiation Time: -1
- Connection retry: -1
- Verify server certificate: Unchecked
- Custom Configuration: Here you mark all existing lines, delete them and exchange them with some parts of your downloaded 'openvpn.ovpn' configuration file: For that, open the OpenVPN file with a simple text editor, mark the text beginning with 'resolve-retry infinete' and ending with 'verb 4' (including both lines), copy the text with 'Control-C' and insert it here with 'Control-V'. It should look like this:
# Note : < explicit-exit-notify 2 > Some routers don't understand this command. In cases of doubt or if the configuration doesn't work, please remove this entry.]
Please don’t copy this example for a server configuration might change after publishing this article.
Now switch to the tab ‚Keys‘. There you find three fields, which have to be filled with the corresponding content of the other three files you downloaded from your CyberGhost account management. For that you also open the respective file with a simple editor and copy the respective text passages:
- Certificate Authority: Copy all text of the file 'ca.crt' in here.
- Client Certificate: Copy all text of the file 'client.crt' in here.
- Client Key: Copy all text of the file 'client.key' in here.
At last click on Start Now to initiate the VPN.
Click on the “Status” tab to check if you’re now connected.
For any additional information or concerns - it is best to approach the Support Department:
via e-mail: firstname.lastname@example.org
via on-line request: https://support.cyberghostvpn.com/hc/en-us/requests/new
via 24/7 Live! Chat Sessions on our website