How to set up Surfshark on an OPNsense router

In this tutorial, you will learn how to set up Surfshark on an OPNsense router.

In order to proceed, you will need an active Surfshark subscription. You can see the available plans on our order page. 

 

 

Find your login details

 

  1. Enter the my.surfshark.com page and generate your credentials for OpenVPN by following these steps: click on VPN > Manual Setup > Router > OpenVPN.

    You may need to log in when you enter this page. In that case, simply enter your email and password and press "Log in".


  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials. It is a good idea to keep this tab open for now, as we'll need it later.

 

 

Choose a Surfshark server

 

  1. Go to the Locations tab (which is on the same page) and locate the server that you wish to connect to.


  2. Click on the download icon to the right of the server name and click on Download UDP. 

 

 

Configure the OpenVPN client

 

Next up, open your browser and go to your OPNsense web interface.

Navigate to System > Trust > Authorities and click on the +Add button.

Fill in the details:

Descriptive name: Surfshark_VPN (you can name it however you like);
Method: Import an existing Certificate Authority;
Certificate data: input the contents below



Certificate Private Key: leave it blank;
Serial for next certificate: leave it as it is by default;

5. Next up, go to VPN > OpenVPN > Clients and press +Add.

Once there, fill in the fields as follows:

GENERAL INFORMATION

Disabled: leave unchecked.

Description: Any name you like - we will use Surfshark_VPN

Server mode: Peer to Peer (SSL/TLS);

Protocol: UDP4 (you can also use TCP4);

Device mode: tun;

Interface: any;

Remote server:

 

Host or address:  (change to the hostname of the server you are going to use);

Port: 1194 (use 443 if you use TCP);

 

Retry DNS resolution: check;

Proxy host or address: leave blank;

Proxy port: leave blank;

Proxy Authentication: None;



USER AUTHENTICATION SETTINGS

Username/Password: fill in the username and password you’ve gathered from Step 1.



CRYPTOGRAPHIC SETTINGS:

TLS Authentication: Enabled - Authentication only

TLS Shared Key: Paste the contents below




Peer Certificate Authority: Surfshark_VPN;

Client Certificate: None (Username and Password required);

Encryption Algorithm: AES-256-CBC;

Auth Digest Algorithm: SHA512;



TUNNEL SETTINGS:

IPv4 tunnel network: leave blank;

IPv6 tunnel network: leave blank;

IPv4 remote network: leave blank;

IPv6 remote network: leave blank;

Limit outgoing bandwidth: leave blank;

Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)

Type-of-service: leave unchecked;

Don’t pull routes: leave unchecked;

Don’t add/remove routes: check.



ADVANCED CONFIGURATION:

Advanced: paste the contents down below

remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

Verbosity level: 3 (recommended);



Now, click on Save.

6. Navigate to Interfaces > Assignments and click on + near New Interface. By default it should be ovpnc1.



7. Click on OPT1 to edit the interface.



8. Check Enable Interface and make the following changes:

 

Description: SurfsharkVPN (or anything you want);

Block private networks: leave unchecked;

Block bogon networks: leave unchecked;

IPv4 Configuration Type: None;

IPv6 Configuration Type: None;

MAC address: leave blank;

MTU: leave blank;

MSS: leave blank;

No changes are required in the DHCP client configuration, so just click the Save button.



Click on the Apply changes button.

9. Navigate to Services -> Unbound DNS -> General.

 

Enable: check;

Listen port: 53;

Network Interfaces: All;

DNSSEC: uncheck;

DHCP Registration: check;

DHCP Domain Override: leave blank;

DHCP Static Mappings: check;

IPv6 Link-local: unchecked;

TXT Comment Support: leave unchecked;

DNS Query Forwarding: check;

Local Zone Type: Transparent;

Custom options: leave blank;

Outgoing Network Interfaces: SurfsharkVPN (or whatever you named your OpenVPN interface);

WPAD Records: leave unchecked;



Click Save and Apply changes.

10. Navigate to Services -> Unbound DNS -> Advanced and check the following options:

 

Hide Identity: check

Hide Version: check

Prefetch Support: check

Prefetch DNS Key Support: check

 

Leave everything else as it is by default, click Save, and Apply Settings.

11. Navigate to Firewall -> NAT -> Outbound, select Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules), click Save and Apply Changes.

12. Click on the +Add button at the top and, in the edit menu, select SurfsharkVPN as the Interface. Leave everything else as it is by default, click Save, and Apply Changes.

13. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. After that, click on the edit button next to IPv4. Scroll down and under Advanced features, select Gateway as SurfsharkVPN (or similarly called). Click Save.

 

Next, click +Add, change Source to LAN net and Destination to LAN Address, don't change anything else, Save and Apply Changes.



14. Navigate to System -> Settings -> General and make the following changes:

 

Under Networking, check Prefer IPv4 over IPv6;

DNS servers:

162.252.172.57, Use Gateway: none;

149.154.159.92, Use Gateway: none.

 

Under DNS server options, uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN.

 

Click Save and Apply Changes.



15. Navigate to System -> Gateways -> Single and make the following changes:

 

Edit SurfsharkVPN -> click Disabled

 

Save and Apply Changes.

16. Now you can navigate to VPN -> OpenVPN -> Connection Status and it should state that the service is “up”.



 

 

Make sure the connection is successful

 

And that is it - you’ve learned how to set up a VPN connection on your OPNsense router. It's always recommended to check whether your connection was successful after setting up a VPN for the first time. You can do this easily by running an IP leak test and a DNS leak test, both of which are available on our website.
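To cross-check the values typed into the OpenVPN client form against the file downloaded in the "Choose a Surfshark server" step, the script below parses a .ovpn file, maps it to the OPNsense field names used above, and reports any setting that differs from this guide. It is an added example, not Surfshark or OPNsense code; the sample file, its host name and the function names are constructed for illustration, and it assumes the download uses standard OpenVPN directives with inline <ca> and <tls-auth> blocks.

```python
import re

# Constructed sample, not a real Surfshark file: placeholder host, empty cert and key.
SAMPLE = """proto udp
remote xx-yyy.example.invalid 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):
    """Split an OpenVPN client config into directives and inline <tag> blocks."""
    directives, blocks, tag = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if tag and line == f"</{tag}>":           # end of an inline block
            tag = None
        elif tag:                                 # body of an inline block
            blocks.setdefault(tag, []).append(line)
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            tag = m.group(1)
        elif line and line[0] not in "#;":        # skip blanks and comments
            key, *args = line.split()
            directives.setdefault(key, " ".join(args))  # first occurrence wins
    return directives, {k: "\n".join(v) for k, v in blocks.items()}

def audit(text):
    """Return (values for the OPNsense form, mismatches with this guide)."""
    d, blocks = parse_ovpn(text)
    remote = d.get("remote", "").split()
    tcp = d.get("proto", "udp").startswith("tcp")
    fields = {"Host or address": remote[0] if remote else "",
              "Port": remote[1] if len(remote) > 1 else "1194",
              "Protocol": "TCP4" if tcp else "UDP4",
              "Encryption Algorithm": d.get("cipher", ""),
              "Auth Digest Algorithm": d.get("auth", "")}
    checks = [(fields["Host or address"], "no remote host"),
              (fields["Port"] == ("443" if tcp else "1194"), "unexpected port"),
              (fields["Encryption Algorithm"].upper() == "AES-256-CBC", "cipher differs"),
              (fields["Auth Digest Algorithm"].upper() == "SHA512", "auth digest differs"),
              (d.get("remote-cert-tls") == "server", "remote-cert-tls server missing"),
              ("BEGIN CERTIFICATE" in blocks.get("ca", ""), "no inline <ca>"),
              ("Static key V1" in blocks.get("tls-auth", ""), "no inline <tls-auth>")]
    return fields, [msg for ok, msg in checks if not ok]
```

Call `audit(open(path).read())` on the downloaded file; an empty second value means the file agrees with the settings entered in the client form.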

