Tomato VPN Setup

Disclaimer: Installation and use of any software made by third party developers is at your own discretion and liability. We share our best practices with third party software but do not provide customer support for them.

FlashRouters offers plug-and-play DD-WRT routers and preconfigured Private Internet Access routers for this setup.

Note: If you are using TomatoUSB, or the steps below do not match your installation of the Tomato firmware, please refer to the following alternate setup for Tomato.
  1. In the Tomato router administrative interface, click Administration and then Scripts, and enter the following in the init section:

    echo username > /tmp/password.txt
    echo password >> /tmp/password.txt
    chmod 600 /tmp/password.txt

    Note: Replace *username* and *password* with your actual PIA username and password.
    For example, if your PIA username was p1234567 and password was 12345678, the first couple of lines would look like this:

    echo p1234567 > /tmp/password.txt
    echo 12345678 >> /tmp/password.txt

    The chmod command may not be necessary, but can help with permissions on certain firmware versions.
  2. Click Save
  3. On the left-side menu, click VPN Tunneling and then Client.
  4. Choose Client 1 and then choose Basic
  5. Check Start with WAN
  6. Set Interface Type to Tun
  7. Set Protocol to UDP
  8. For the Server Address/Port type [*] and port 1198
    Or, if you prefer to use a specific location, you can find the full list of locations here:
  9. Set Firewall to Automatic
  10. Set Authorization Mode to TLS
  11. Set Extra HMAC authorization to Disabled
  12. Check Create NAT on tunnel
  13. Click Save
  14. Click on the Advanced tab
  15. Set Poll Interval to 0
  16. Uncheck Redirect Internet Traffic
  17. Set Accept DNS configuration to Enabled
  18. Set Encryption cipher to AES-128-CBC
  19. Set Compression to (Adaptive)
  20. For TLS Renegotiation Time, Type:
  21. For Connection Retry, Type:
  22. In the Custom Configuration, input the following:
    auth-user-pass /tmp/password.txt
    verb 1
    reneg-sec 0
  23. Click Save
  24. Click on the Keys tab, then copy and paste the contents of ca.rsa.2048.crt into the Certificate Authority field.
    The ca.rsa.2048.crt file can be found here:
  25. Click Save
  26. To connect, click VPN Tunneling > Client > Status, and then click the Start Now button.
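
The credentials file from step 1, which the `auth-user-pass /tmp/password.txt` line in step 22 reads, written and checked more defensively. This is an added example, not part of the original guide: the function names `write_auth_file` and `check_auth_file` are hypothetical, and a POSIX or BusyBox shell is assumed. It sets the umask before the file is created instead of running chmod afterwards, and confirms the two-line layout and owner-only mode.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.

# write_auth_file PATH USERNAME PASSWORD
# Writes the two-line file that "auth-user-pass" reads (username, then password).
write_auth_file() {
    path=$1; user=$2; pass=$3
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    (
        umask 077        # new file gets mode 0600 from the moment it exists
        rm -f "$path"    # an older copy would keep its looser mode on overwrite
        # printf '%s' writes the values verbatim; some echo builtins
        # interpret backslashes or a leading -n/-e in the argument.
        printf '%s\n%s\n' "$user" "$pass" > "$path"
    )
}

# check_auth_file PATH
# Returns 0 only for a regular file with mode rw------- holding exactly two
# non-empty lines. Prints the reason on failure, never the file contents.
check_auth_file() {
    path=$1
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "missing, or not a regular file"; return 1
    fi
    mode=$(ls -ld "$path" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "mode is $mode, expected -rw-------"; return 2
    fi
    lines=$(grep -c '' "$path" || true)                 # all lines
    blank=$(grep -c '^[[:space:]]*$' "$path" || true)   # empty or blank lines
    if [ "$lines" -ne 2 ] || [ "$blank" -ne 0 ]; then
        echo "expected 2 non-empty lines, found $lines ($blank blank)"; return 3
    fi
    return 0
}

# Demo with the guide's sample values in a scratch directory; on the router
# the path would be /tmp/password.txt.
demo_dir=$(mktemp -d)
write_auth_file "$demo_dir/password.txt" 'p1234567' '12345678' &&
    check_auth_file "$demo_dir/password.txt" && echo "credentials file OK"
rm -rf "$demo_dir"
```

Because /tmp on the router is recreated at boot, the functions would need to live in the init script alongside the call that writes the file.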

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.

If you need encryption, please use the Private Internet Access application or OpenVPN protocol with our service.

    Although quite different from a VPN, we provide a SOCKS5 Proxy with all accounts in the event users require this feature.

    SOCKS5 Proxy Usage Guides port 1080
    Enable port forwarding in the application by entering the Advanced area, enabling port forwarding and selecting one of the following gateways:

    CA Toronto
    CA Montreal
    CA Vancouver
    Czech Republic

    After enabling port forwarding and re-connecting to one of the above gateways, please hover your mouse over the System Tray or Menu Bar icon to reveal the tooltip which will display the port number. You can then enter this port into your software.

    Port Forwarding reduces privacy. For maximum privacy, please keep port forwarding disabled.

    IPv6 leak protection disables IPv6 traffic while on the VPN. This ensures that no IPv6 traffic leaks out over your normal internet connection when you are connected to the VPN. This includes 6to4 and Teredo tunneled IPv6 traffic.

    The DNS leak protection feature activates VPN DNS leak protection. This ensures that DNS requests are routed through the VPN. This enables the greatest level of privacy and security but may cause connectivity issues in non-standard network configurations.

    This can be enabled and disabled in the Windows application, while it is enabled by default on our macOS application.

    We use our own private DNS servers for your DNS queries while on the VPN. After connecting we set your operating system's DNS servers to and When using a DNS Leak testing site you should expect to see your DNS requests originate from the IP of the VPN gateway you are connected to.

    If you change your DNS servers manually, or if for some other reason they are changed, this does not necessarily mean your DNS is leaking. Even if you use different DNS servers, the queries will still be routed through the VPN connection and will be anonymous.

    The internet kill switch activates VPN disconnect protection. If you disconnect from the VPN, your internet access will stop working. It will reactivate normal internet access when you deactivate the kill switch mode or exit the application.

    Users who may be connected to two connections simultaneously (e.g., wired and wireless) should not use this feature, as it will only stop one active connection type.