In this tutorial, you will learn how to set up Surfshark on an OPNsense router.
The guide covers how to:
- Find your login details
- Choose a Surfshark server
- Configure the OpenVPN client
- Make sure that the connection is successful
In order to proceed, you will need an active Surfshark subscription. You can see the available plans on our order page.
Find your login details
Enter the my.surfshark.com page and generate your credentials for OpenVPN by following these steps: click on VPN > Manual Setup > Router > OpenVPN.
You may need to log in when you open this page. In that case, enter your email and password and press "Log in".
Once there, make sure that you are in the Credentials tab and click on Generate credentials. It is a good idea to keep this tab open for now, as we'll need it later.
Choose a Surfshark server
Go to the Locations tab (which is on the same page) and locate the server that you wish to connect to.
- Click on the download icon to the right of the server name and click on Download UDP.
Configure the OpenVPN client
Next up, open your browser and enter your OPNsense interface.
Navigate to System > Trust > Authorities and click on the +Add button.
Fill in the details as follows:
Descriptive name: Surfshark_VPN (you can name it however you like);
Method: Import an existing Certificate Authority;
Certificate data: input the contents below
Certificate Private Key: leave it blank;
Serial for next certificate: leave it as it is by default;
5. Next up, go to VPN > OpenVPN > Clients and press +Add.
Once there, fill in the fields as follows:
Disabled: leave unchecked.
Description: Any name you like - we will use Surfshark_VPN
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP4 (you can also use TCP4);
Device mode: tun;
Host or address: (change to the hostname of the server you are going to use);
Port: 1194 (use 443 if you use TCP);
Retry DNS resolution: check;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
USER AUTHENTICATION SETTINGS
Username/Password: fill in the username and password you’ve gathered from Step 1.
TLS Authentication: Enabled - Authentication only
TLS Shared Key: Paste the contents below
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority: Surfshark_VPN;
Client Certificate: None (Username and Password required);
Encryption Algorithm: AES-256-CBC;
Auth Digest Algorithm: SHA512;
IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network: leave blank;
IPv6 remote network: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)
Type-of-service: leave unchecked;
Don’t pull routes: leave unchecked;
Don’t add/remove routes: check.
Advanced: paste the contents down below
Verbosity level: 3 (recommended);
Now, click on Save.
6. Navigate to Interfaces > Assignments and click on + near New Interface. By default it should be ovpnc1.
7. Click on OPT1 to edit the interface.
8. Check Enable Interface and make the following changes:
Description: SurfsharkVPN (or anything you want);
Block private networks: leave unchecked;
Block bogon networks: leave unchecked;
IPv4 Configuration Type: None;
IPv6 Configuration Type: None;
MAC address: leave blank;
MTU: leave blank;
MSS: leave blank;
No changes are required in the DHCP client configuration, so just click the Save button.
Click on the Apply changes button.
9. Navigate to Services -> Unbound DNS -> General.
Listen port: 53;
Network Interfaces: All;
DHCP Registration: check;
DHCP Domain Override: leave blank;
DHCP Static Mappings: check;
IPv6 Link-local: unchecked;
TXT Comment Support: leave unchecked;
DNS Query Forwarding: check;
Local Zone Type: Transparent;
Custom options: leave blank;
Outgoing Network Interfaces: SurfsharkVPN (or whatever you named your OpenVPN interface);
WPAD Records: leave unchecked;
Click Save and Apply changes.
10. Navigate to Services -> Unbound DNS -> Advanced and check the following options:
Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Leave anything else as it is by default, click Save, and Apply Settings.
11. Navigate to Firewall -> NAT -> Outbound, select Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules), click Save and Apply Changes.
12. Click on the +Add button at the top and, in the edit menu, select SurfsharkVPN as the Interface. Leave everything else as it is by default, click Save, and Apply Changes.
13. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. After that, click on the edit button next to IPv4. Scroll down and under Advanced features, select Gateway as SurfsharkVPN (or similarly called). Click Save.
Next, click +Add, change Source to LAN net and Destination to LAN Address, don't change anything else, Save and Apply Changes.
14. Navigate to System -> Settings -> General and make the following changes:
Under Networking, check Prefer IPv4 over IPv6;
184.108.40.206, Use Gateway: none;
220.127.116.11, Use Gateway: none.
On DNS server options, uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply Changes.
15. Navigate to System -> Gateways -> Single and make the following changes:
Edit SurfsharkVPN -> click Disabled
Save and Apply Changes.
16. Now you can navigate to VPN -> OpenVPN -> Connection Status and it should state that the service is “up”.
Make sure the connection is successful
And that is it - you’ve learned how to set up a VPN connection on your OPNsense router. It's always recommended to check whether your connection was successful after setting up a VPN for the first time. This can be easily done by doing an IP leak test and a DNS leak test, both of which are available on our website.
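The values entered in step 5 (Host or address, Port, Protocol, Certificate data, TLS Shared Key) can be cross-checked against the configuration file downloaded in "Choose a Surfshark server". The following is an added example, not part of the original guide: it assumes the downloaded file uses OpenVPN's standard inline layout with `<ca>` and `<tls-auth>` blocks, the sample profile and its hostname are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in OpenVPN's inline-file layout; host and key material are placeholders.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Settings this guide asks you to select in the OPNsense client form.
GUIDE = {"cipher": "AES-256-CBC", "auth": "SHA512"}
GUIDE_PORT = {"udp": "1194", "tcp": "443"}
INLINE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)

def parse_ovpn(text):
    """Split a client profile into single-line directives and inline <tag> blocks."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE.finditer(text)}
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, _, value = line.partition(" ")
            directives.setdefault(key, value.strip())  # first occurrence wins
    return directives, blocks

def opnsense_fields(text):
    """Return (form field values, mismatches against the guide's settings)."""
    d, b = parse_ovpn(text)
    remote = d.get("remote", "").split()
    host, port = (remote + ["", ""])[:2]
    proto = d.get("proto", "")[:3].lower()
    fields = {"Host or address": host, "Port": port, "Protocol": proto,
              "Certificate data": b.get("ca", ""), "TLS Shared Key": b.get("tls-auth", "")}
    problems = [f"{k}: file has {d.get(k)!r}, guide selects {v!r}"
                for k, v in GUIDE.items() if d.get(k) != v]
    if port != GUIDE_PORT.get(proto):
        problems.append(f"port {port!r} does not match guide for {proto!r}")
    if "BEGIN CERTIFICATE" not in fields["Certificate data"]:
        problems.append("no <ca> certificate block")
    if "BEGIN OpenVPN Static key V1" not in fields["TLS Shared Key"]:
        problems.append("no <tls-auth> static key block")
    return fields, problems
```

Call `opnsense_fields(open("your-file.ovpn").read())` on the downloaded profile; an empty problems list means the file agrees with the cipher, digest and port this guide selects.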