Tomato

Using https with your own CA

It seems you first have to create the key/certificate pair with the desired subject configured in Tomato USB's web GUI. Otherwise it will be regenerated at the next boot, overwriting your custom certificate.

One advantage of open-source firmware is the ability to use HTTPS for accessing the web-based configuration tool (aka Web GUI). However, with Tomato USB there is no obvious option to upload a signed certificate. If you're running your own home CA, e.g. by using XCA, you want to sign it, so that none of the browsers in your household complains about the self-signed certificate of your router. I assume you have SSH access to your router, so you can copy files from and to the router by scp. First of all, you need to have “store to NVRAM” enabled for your HTTPS certificate in the Tomato USB configuration, otherwise the pair is regenerated at the next boot. Now go to your favourite computer running a decent shell and copy two files to your working directory (note the colon after the host name):

mkdir etc
scp -p root@192.168.1.1:/etc/cert.pem etc/
scp -p root@192.168.1.1:/etc/key.pem etc/

Now import them into your CA, create a “similar” certificate, preferably using the key key.pem as provided by Tomato USB (so the router keeps its existing private key), and sign it with your CA. Export the signed certificate back to your working directory, replacing cert.pem. Now copy it back to your router (this can most probably be skipped, as you need to reboot your router anyway):

scp -p etc/cert.pem root@192.168.1.1:/etc/

To store this in NVRAM, you have to build the blob in the format Tomato expects: a gzipped tar of etc/cert.pem and etc/key.pem (relative paths, so run this from your working directory), base64-encoded on a single line:

tar -czf - etc/cert.pem etc/key.pem | base64 -w 0 

Use the resulting string as the value of https_crt_file in Tomato USB's NVRAM, applying it (on your router!) with:

nvram set https_crt_file="..."
nvram commit
reboot

where the dots … are replaced by the output obtained above 1).
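The same procedure as a script, added here as an example and not part of the original page: it uses plain openssl instead of XCA to sign the router's existing key, checks that the signed certificate really belongs to key.pem and chains to the CA, packages the pair the way https_crt_file expects, and only then writes it to NVRAM. The router address 192.168.1.1, the CA files under ./home-ca/ and the router name router.home.lan are assumptions; adjust them via the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the original page: sign the Tomato router's own key
# with a home CA using openssl and install it as https_crt_file.
# Assumptions (not from the page): router reachable as root@192.168.1.1 via
# ssh/scp, CA at ./home-ca/ca.crt + ./home-ca/ca.key, router CN router.home.lan.
set -eu

ROUTER=${ROUTER:-192.168.1.1}
CA_DIR=${CA_DIR:-./home-ca}
WORK=${WORK:-./tomato-work}
ROUTER_CN=${ROUTER_CN:-router.home.lan}

# Step 1: fetch the pair the router generated. The pair must already exist and
# "store to NVRAM" must be enabled, or the router regenerates it at boot.
fetch_router_pair() {
    mkdir -p "$WORK/etc"
    scp -p "root@$ROUTER:/etc/cert.pem" "$WORK/etc/"
    scp -p "root@$ROUTER:/etc/key.pem"  "$WORK/etc/"
}

# Step 2: keep the router's own key.pem, build a CSR from it and sign it with
# the home CA. The CN mirrors the subject configured in the GUI; the SAN is
# what current browsers actually check.
sign_router_cert() {
    dir=$1; cn=$2
    openssl req -new -key "$dir/etc/key.pem" -subj "/CN=$cn" -out "$dir/router.csr"
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$cn" "$ROUTER" > "$dir/router.ext"
    openssl x509 -req -in "$dir/router.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/router.ext" -out "$dir/etc/cert.pem"
}

# Step 3: refuse to continue unless cert.pem matches key.pem (same public key)
# and verifies against the CA. A mismatched pair makes httpd fail to start.
verify_pair() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/etc/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/etc/key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "cert.pem does not match key.pem" >&2; return 1; }
    openssl verify -CAfile "$CA_DIR/ca.crt" "$dir/etc/cert.pem" >/dev/null
}

# Step 4: package exactly as Tomato expects: gzipped tar with the relative
# members etc/cert.pem and etc/key.pem, base64 on one line (base64 -w0 is GNU-only).
pack_crt_file() {
    tar -C "$1" -czf - etc/cert.pem etc/key.pem | base64 | tr -d '\n'
}

# Sanity check on the blob before it goes anywhere near NVRAM: decode it and
# confirm the two expected members are there.
check_crt_file() {
    members=$(printf '%s' "$1" | base64 -d | tar -tzf - | sort | tr '\n' ' ')
    [ "$members" = "etc/cert.pem etc/key.pem " ]
}

# Step 5: write https_crt_file, commit, reboot so httpd picks the new pair up.
install_crt_file() {
    ssh "root@$ROUTER" "nvram set https_crt_file='$1' && nvram commit && reboot"
}

main() {
    fetch_router_pair
    sign_router_cert "$WORK" "$ROUTER_CN"
    verify_pair "$WORK"
    blob=$(pack_crt_file "$WORK")
    check_crt_file "$blob"
    echo "https_crt_file is $(printf '%s' "$blob" | wc -c) bytes"
    install_crt_file "$blob"
}

# Only touch the router when asked explicitly: sh tomato-cert.sh install
if [ "${1:-}" = install ]; then
    main
fi
```

Run it as `sh tomato-cert.sh install`; without the argument it only defines the functions, which is handy for testing pack_crt_file and check_crt_file on dummy files first. Keep an eye on the printed blob size: NVRAM space is limited, and a large certificate chain in https_crt_file can crowd out other settings.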

Using TomatoUSB as NATting router

This was tried with TomatoUSB v1.28 2) on a Netgear N300 3).

The need to have a NATting router came from that damn O2 Homebox 6641, which apparently does not allow switches connected to its Ethernet port. Every time I connected more than one device (i.e. Linux laptop, Mac laptop, Linux Raspberry Pi) via a simple 1 Gbit/s home-use hub/switch made by TP-Link, all connections were interrupted until I rebooted that silly thing.

  • Reset to factory defaults
  • In Basic→Network configure WAN
    • I chose to have a static IP
    • Configure the connection to the DSL router, using an address in its subnet.
    • I left “Route Modem IP” at 0.0.0.0
  • Same place (Basic→Network) configure LAN
    • Choose the local (internal) IP of your NAT router
    • Enable DHCP
    • Configure the DHCP range
    • Leave the lease time at 1440
    • Leave STP disabled
    • Choose your DSL router's IP as the first static DNS
    • The port need not be set if it is the default
  • Same place (Basic→Network) configure Wireless
    • I just disabled it, using the device as a wired NATting router only
  • Basic→IPv6
    • I set IPv6 Service Type to “disabled”
  • Basic→Identification
    • Set the router's own label, hostname and domain name
  • Advanced→DHCP/DNS
    • Enable “Use internal DNS”
    • Disable “Use received DNS with user-entered DNS”
    • Disable “Announce IPv6 on LAN”
  • Advanced→VLAN
    • Leave VLAN 1:
      • VID: 1
      • Ports: 1-4
      • Default
      • Bridge: LAN (br0)
    • Leave VLAN 2:
      • VID: 2
      • Ports: WAN
      • Bridge: WAN
    • Wireless
      • Leave the bridge for eth1 at “LAN (br0)”
  • Administration→Admin Access
    • Disable telnet
    • Enter your SSH public key
    • Disable SSH access by password (verify that key-based login works first, or you lock yourself out of the shell)
    • Set your own (non-default) password for web access

Configuring ports on the command line

/usr/sbin/robocfg showports
/usr/sbin/robocfg port 4 media 100FD

Caveats

When assigning additional bridges, their numbers must be consecutive 4); otherwise 5) bridges after a gap will not be started!
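A quick way to catch that gap before rebooting, added here as an example (not from the original page): run the check over the output of `nvram show` on the router. It assumes the TomatoUSB naming of the LAN bridge variables (lan_ifname=br0, lan1_ifname=br1, lan2_ifname=br2, lan3_ifname=br3); the sample NVRAM text in the block is constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example, not part of the original page: detect gaps in the numbering
# of LAN bridges configured in Tomato's NVRAM.
# Assumption (not from the page): bridges are declared as lan_ifname=br0,
# lan1_ifname=br1, lan2_ifname=br2, lan3_ifname=br3 in `nvram show` output.

# Read nvram-show text on stdin, print the bridge numbers in use, sorted.
bridge_numbers() {
    grep -E '^lan[0-9]*_ifname=br[0-9]+$' | sed -E 's/^.*=br//' | sort -n
}

# Take the nvram-show text as $1. Return 0 if the bridges are br0, br1, ...
# with no hole; otherwise print the first missing bridge and return 1.
check_bridge_gaps() {
    expected=0
    for n in $(printf '%s\n' "$1" | bridge_numbers); do
        if [ "$n" -ne "$expected" ]; then
            echo "gap: br$expected is missing before br$n (bridges after it will not start)"
            return 1
        fi
        expected=$((expected + 1))
    done
    return 0
}

# Constructed sample input (not real router output).
GOOD='lan_ifname=br0
lan1_ifname=br1
lan2_ifname=br2
wan_ifname=vlan2'

BAD='lan_ifname=br0
lan3_ifname=br3
wan_ifname=vlan2'

check_bridge_gaps "$GOOD" && echo "ok: bridges are consecutive"
check_bridge_gaps "$BAD" || echo "renumber before rebooting"
```

On the router itself, the live check is `check_bridge_gaps "$(nvram show 2>/dev/null)"`; the `2>/dev/null` drops the size summary nvram prints on stderr.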
1)
A simpler solution would probably be to use nvram setfb64 <file>.tgz, but I haven't tried this.
2)
Tomato Firmware 1.28.0000 MIPSR2-124 K26 USB AIO
4)
i.e. br0,br1,br2
5)
e.g. br0, br3
docs/tips_n_tricks/tomato.html.txt · Last modified: 15.02.2019 15:55 CET by peter