Router: How to configure OpenVPN for TomatoUSB

Please note the following requirements: 

• Router with alternative TomatoUSB firmware and support of OpenVPN. Older versions need to be updated.
  Info: Official Tomato website
• A CyberGhost account
  Info: Here's how to create a CyberGhost account online
  Info: How to manage your CyberGhost account
• A Premium or Premium Plus subscription
  Info: How to purchase or upgrade a subscription
  Info: How to purchase special offers by newsletter, banner, etc.
  Info (only prepaid subscribers): Enter activation key

When using a native VPN protocol please make sure that your VPN protocol software supports the Internet protocol IPv6 along with IPv4 or run an IPv4 Internet connection only. Many Internet Service Providers connect with the IPv6 protocol or offer both protocols, IPv4 and IPv6, at the same time and as long as a native VPN protocol doesn't support IPv6 you risk data leaks, since an IPv6 connection can bypass the tunneled IPv4 connection. While the CyberGhost client does support IPv6 and therefor prevents IPv6 leaks, users of native VPN protocols on a router need to deactivate the Internet protocol IPv6 manually in the respective router's Internet settings.

Disclaimer: Please keep in mind that, although the technical process is as thoroughly documented as possible, you need to have at least some technical understanding. There's always a chance for an overseen mistake and/or things have changed and the article is not updated yet. 

Some general notes on routers:

• Routers are usually not equipped with state of the art hardware, meaning you will have speed losses when using a VPN connection (due to low CPU power to process encryption). Direct connections from your PC, Laptop, Tablet, etc. to the VPN network (without the router providing the VPN software) will work better for you, if speed is among your favorite desires.
• If your flashed router doesn't provide DSL functionality, your Internet connection will still need to be managed by your DSL modem. In that case your device pool will hook on your router (via cable or wireless) and the router itself will be hooked to your DSL modem. So don’t forget to configure your WLAN devices to connect to the new router, so they won’t log in to the old WLAN. Alternatively you can deactivate your modem’s WLAN completely (only if you don’t need it for unencrypted traffic).
• If you flash your router with an alternative firmware you might lose your device’s guarantee; please consult your dealers’ policies regarding this matter. Furthermore it might happen that the flash process leaves your device unusable, e.g. after a power failure while flashing. CyberGhost is not to be held responsible for any damages, does not acknowledge any liabilities and will not adopt your manufacturer’s warranty.
• Also please note that not all routers with VPN client support will be able to connect to the CyberGhost network or might loose that ability with future firmware updates.

Step 1

Visit your CyberGhost VPN online account.

Click on the menu entry 'My Devices' and then on button 'Add Device'.

In the list of Operating Systems you can CyberGhost use with, please click on 'Other' to be able to setup all necessary options for the OpenVPN protocol. When done the screen extends and gives way to 'Create new credentials'. Do it by clicking on the respective button.

Scroll up the page. As you see, the placeholder for a new device is now replaced by 'Linux, Router, etc.'. Click on that button:

Type a name for your new device and activate the wanted extra features, provided with each Premium subscription:

Scroll down and generate the login and configuration data for the OpenVPN protocol: 

• Protocol: Choose the OpenVPN protocol you want to use:
  OpenVPN (UDP): UDP allows higher speed than the TCP version, but can result in broken downloads in some cases. This is the default setting.
  OpenVPN (TCP): TCP allows more stable connections than the UDP version, but is a bit slower. Choose this version, if you have recurrent connection issues such as sudden disconnections.
  
• Country: Since native protocol connections may only be used with exactly one server you now have to choose the country you want to surf from; the server to be used in this country will be chosen by CyberGhost automatically. (If you want or need different PPTP, L2TP or OpenVPN connections in different countries, repeat all steps for every country.)
• Server group: Depending on the chosen country as well as the availability of different server types as an attribute of your current plan you can also define a server group to use:
  Standard Server: This is the group of all paid service servers (Special Edition, Premium, Premium Plus)
  Premium Server: This is the smaller group of all exclusive servers for Premium subscribers (Premium, Premium Plus)
  NoSpy Server: This is the group of all exclusive NoSpy servers for Premium subscribers with special extensions.

After setting up your connection wishes please note down the following data sets. You will need them to configure your device:

• Server: This is the address of the country (server) you want to be connected with, e.g. '1-ro.cg-dialup.net'. Note: This address changes with every country you have chosen in the step before. The actual single server to be used will be chosen automatically by CyberGhost.
• User name: A solely for protocol usage generated user name. This is NOT your regular CyberGhost account user name.
• Password: A solely for protocol usage generated password. This is NOT your regular CyberGhost account password.
  

Once done, please download the configuration file. For that please click on 'Download Configuration' and save the file on your computer. It's a ZIP file, which contains the following single configuration files:

• ca.crt: This is the certificate of the certification authority
  
• client.crt: This is the user certification file 
• client.key: This is your private key file
• openvpn.ovpn: This is your OpenVPN configuration file

If you need to change the country to surf from, you must re-configure the location to use in your account management and download the new config file.

Step 2

Open your TomatoUSB router’s configuration page and click on the left side on ‚VPN Tunneling‘ and right after that on ‚OpenVPN Client‘

Basic

Activate the main tab ‚Client 1‘ and the sub tab ‚Basic‘. Check all of the following options and change those which show different:

• Start with WAN: Please deactivate
• Interface Type: TUN
• Protocol: UDP or TCP (depending on what type you decided to use in step 1)
• Server Address/Port: Address: 4-ro.cg-dialup.net / Port: 443. Depending on the country to connect with, the second block of each address will be exchanged, e.g. instead '4-de.cg-dialup.net‘ (for Germany with Standard Server Group) '4-ro.cg-dialup.net‘ (for Romania with Standard Server Group). When configuring location and server group, the complete and proper address will be generated automatically for you. It includes encrypted information about your plan, the country, the server group chosen and the domain name; the protocol to be used will be detected automatically when connecting to CyberGhost.
• Firewall: Automatic
• Authorization Mode: TLS
• Username/Password Authentication: Please activate
• Username: The user name created in step 1. DO NOT user your regular user name!
• Password: The password created in step 1. DO NOT user your regular password!
• Username Authentication only: Please deactivate
• Extra HMAC authorization: Disabled
• Create NAT on tunnel: Please activate

Opening 'Basic > Network' you can also configure the DNS server to be used. If you want to, please exchange the first DNS IP address with a censorship-free CyberGhost name server:

• Primary: 38.132.106.139 (located in USA)
• Secondary: 194.187.251.67 (located in UK)

Also take care of the correct configuration of time zone and server in the tab 'Basic > Time'. 

Advanced

After activating the tab ‚Advanced‘ please check the following options:

• Poll Interval: 0 (deactivated)
• Redirect Internet traffic: Please activate
• Accept DNS configuration: Relaxed
• Encryption cypher: AES-256-CBC
• Compression: Enabled
• TLS Renegotiation Time: -1
• Connection retry: 30
• Verify server certificate: Please deactivate
• Custom Configuration: Here you mark all lines, delete the content and exchange it with the text content of your downloaded 'openvpn.ovpn' configuration file. For that you open the file with an editor, mark the text with 'Control-A', copy the text with 'Control-C' and insert the text here with 'Control-V'. This is a sample for the content of an 'openvpn.ovpn' file:

resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth MD5
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2 [Note: Some routers don't understand this command. In cases of doubt or if the configuration doesn't work, please remove this entry.]
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix
verb 4
comp-lzo

Please don’t copy this example for a server configuration might change after publishing this article.

Keys

Now switch to the tab ‚Keys‘. There you find three fields, which have to be filled with the corresponding content of the other three files you downloaded from your CyberGhost account management. For that you also open the respective file with a simple editor and copy the respective text passages:

• Certificate Authority: Copy all text of the file 'ca.crt' in here.
• Client Certificate: Copy all text of the file 'client.crt' in here.
• Client Key: Copy all text of the file 'client.key' in here.

At last click on 'Start now' to initiate the VPN.