How to set up OpenVPN on an OpenWRT router

Thanks to ulmwind for creating these instructions!

In this tutorial, you will learn how to configure the OpenVPN tunnel on your OpenWRT router. 

NOTE: Learn how to set up OpenVPN on OpenWRT using the router’s interface if you prefer this way instead.


To proceed, you need to have a router running OpenWRT firmware and an active Surfshark subscription, which you can purchase on our pricing page.

 

You will learn how to:

  1. Get your credentials
  2. Choose a Surfshark server
  3. Configure the OpenVPN client
  4. Ensure your connection is successful 

 

Get your credentials


NOTE: These are not your regular credentials, such as your email and password.

  1. Enter the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.


  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials.

    NOTE: Keep this tab open as we'll need it later.

 

Choose a Surfshark server

 

  1. Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.


  2. Click on the download icon to the right of the server name and click on Download UDP.

     

 

Configure the OpenVPN client

 

  1. Access your router by opening one of the following websites on your browser:
    http://openwrt.org
    http://lede-project.org

    Routers flashed with OpenWRT firmware image initially accept connections only through the telnet protocol. Try connecting to telnet with the following IP address: 192.168.1.1 and change the root password with the command "passwd".

  2. After this command, the router will accept the connection via SSH. By default, OpenVPN is not included in the firmware image, so you should install the client using opkg:
    opkg update
    opkg install openvpn-openssl

    You can also install the luci-component of OpenVPN configuration, but this is optional:
    opkg install luci-app-openvpn

  3. You can also build a firmware image with OpenVPN. This one will not require the installation of the Client. Check out how to set up an OpenWRT Based Router as OpenVPN Client.

    We will follow it with modifications, specific for Surfshark.

  4. After installing OpenVPN you can set it to start automatically when the router starts by entering the following:
    /etc/init.d/openvpn enable
  5. Now you will need the Surfshark server configuration files (refer to Choose a Sursfhark server section in this article). Copy the file you downloaded with PSCP or WinSCP programs on Windows, scp command on Linux to /etc/openvpn/ folder of router filesystem.

    In case of copy problems, you should force it using exactly scp protocol (you can also use sftp).

  6. In the file line locate auth-user-pass, and append to it "cred.txt": "auth-user-pass cred.txt".

  7. Now, you will need to enter the credentials (refer to Get your credentials section of this article).

    Create a file called cred.txt in the /etc/openvpn/ folder and insert your service username in the first line and service password in the second line:

    Surfshark service username
    Surfshark service password

  8. Time to implement your preferred OpenVPN configuration file. This could be done in two ways:

    1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by the extension.

    2) Specify the file name in /etc/config/openvpn using uci:
    uci set openvpn.surfshark=openvpn
    uci set openvpn.surfshark.enabled='1'
    uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
    uci commit openvpn

    The file /etc/config/openvpn should contain the following appended strings:
    config openvpn 'surfshark'
            option enabled '1'   
            option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'

  9. Now, create a new network interface.

    NOTE: There are two ways to do this. We do not recommend doing them both at the same time.

    uci set network.surfsharktun=interface
    uci set network.surfsharktun.proto='none'
    uci set network.surfsharktun.ifname='tun0'
    uci commit network


    The file /etc/config/network should contain the following appended strings:

    config interface 'surfsharktun'
            option proto 'none'  
            option ifname 'tun0'

  10. Create a new firewall zone as shown below and add the forwarding rule from LAN to VPN:
    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='surfsharktun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall


    The file /etc/config/firewall should contain the following appended strings:

    config zone
            option name 'vpnfirewall'
            option input 'REJECT'
            option output 'ACCEPT'
            option forward 'REJECT'
            option masq '1'       
            option mtu_fix '1' 
            list network 'surfsharktun'      
    config forwarding       
            option src 'lan'    
            option dest 'vpnfirewall'

     

  11. Now, you need to configure the DNS servers. Use Surfshark DNS for the WAN interface of the router. You can add the Surfshark DNS as shown below:
    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='162.252.172.57'
    uci add_list network.wan.dns='149.154.159.92'
    uci commit


    The file /etc/config/network should contain the section 'wan' with the following strings (three bottom strings have been appended):

    config interface 'wan'                        
            option ifname 'eth0.2'                
            option force_link '1'                 
            option proto 'dhcp'                    
            option peerdns '0'                    
            list dns '162.252.172.57'                    
            list dns '149.154.159.92' 

     

  12. (OPTIONAL) To prevent traffic leakage outside the VPN-tunnel, you need to remove the forwarding rule from LAN to WAN. In the default configuration, there is a single forwarding rule, and the command is:

    uci del firewall.@forwarding[0]


    You can also set the "masquerading" option to '0' for the wan zone; it goes after the lan zone. The command is:

    uci set firewall.@zone[1].masq=0


    After configuration, you should commit changes:

    uci commit firewall

     

  13. You can also disable forwarding not to the specific interface by modifying the file /etc/firewall.user:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    # Internal uci firewall chains are flushed and recreated on reload, so
    # put custom rules into the root chains e.g. INPUT or FORWARD or into the
    # special user chains, e.g. input_wan_rule or postrouting_lan_rule.

    if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
            iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
    fi

     

  14. Additionally, you could perform the following steps. Append the lines to the file /etc/firewall.user:

    if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
            iptables -I forwarding_rule -j REJECT
    fi

    Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

    #!/bin/sh
    if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
            iptables -D forwarding_rule -j REJECT
    fi
    if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
            iptables -I forwarding_rule -j REJECT
    fi

     

  15. After configuration, reboot the router with the command:
    #reboot

  16. In some cases, OpenVPN hangs with log messages like (couldn't resolve host ...). In this case, a tunnel stays up, but the connection is lost. It should be reconnected manually with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

    /etc/openvpn/reconnect.sh &

    The content of the script reconnect.sh is:

    #!/bin/sh
    n=10
    while sleep 50; do
            t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
            if [ "$t" -eq 0 ]; then
                    /etc/init.d/openvpn restart
            fi
    done

     

Ensure the connection is successful

 

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.

 



You may also be interested in:

 

Was this article helpful?
Thank you for your feedback!