OpenWRT is a custom firmware that can be installed on your router. In this guide, you will find out how to set up OpenVPN protocol which is supported by OpenWRT to connect to Surfshark.
Please note that this tutorial was written by one of our amazing users and was not tested by Surfshark.
Surfshark would like to thank ulmwind for creating these instructions.
1. Initially, you should have a router with LEDE or OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://lede-project.org, http://openwrt.org
Router, flashed with OpenWRT firmware image, initially accepts connection only by telnet, so you should connect to it by telnet to the IP 192.168.1.1 and change root password with command "passwd".
After this command, it accepts connection via SSH. By default OpenVPN is not included in the firmware image, so you should install it by use of opkg:
opkg install openvpn-openssl
You can also install luci-component of OpenVPN configuration, but it is optional:
opkg install install luci-app-openvpn
You can also build a firmware image with OpenVPN. An informative manual on OpenVPN client configuration can be found here: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
We will follow it with modifications, specific for Surfshark.
After installing OpenVPN you can set it to start automatically when the router starts:
2. Downloading Surfshark server configuration files. In order to do that, press here.
Once you pick a location that you prefer, download UDP or TCP version of it.
For example, consider file "ae-dub.prod.surfshark.com_tcp.ovpn" It corresponds to United Arab Emirates, protocol TCP. We will use this file, for example, other files are treated similarly.
Copy the file "ae-dub.prod.surfshark.com_tcp.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems, you should force using exactly scp protocol (it also can use sftp).
In the file line locate auth-user-pass, and append to it "cred.txt": "auth-user-pass cred.txt".
Obtain Surfshark service credentials here. To connect with this connection method, you will have to use the service username and password.
Create a file called cred.txt in /etc/openvpn/ folder and in the first line insert your service username, service password in the second:
Surfshark service username
Surfshark service password
3. A configuration of OpenVPN using the file "ae-dub.prod.surfshark.com_tcp.ovpn" could be implemented in two ways:
1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify file name in /etc/config/openvpn You can use uci:
uci set openvpn.surfshark=openvpn
uci set openvpn.surfshark.enabled='1'
uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
uci commit openvpn
The file /etc/config/openvpn should contain following appended strings:
config openvpn 'surfshark'
option enabled '1'
option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
You can also change extension of the file "ovpn" to "conf", and specify it in the file /etc/config/openvpn, in this case, OpenVPN will start with this configuration file just once.
4. Create a new network interface. Please note that there are two ways to do it and we do not recommend doing them both at the same time.
uci set network.surfsharktun=interface
uci set network.surfsharktun.proto='none'
uci set network.surfsharktun.ifname='tun0'
uci commit network
The file /etc/config/network should contain following appended strings:
config interface 'surfsharktun'
option proto 'none'
option ifname 'tun0'
5. Create a new firewall zone and add forwarding rule from LAN to VPN:
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='surfsharktun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
The file /etc/config/firewall should contain following appended strings:
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'surfsharktun'
option src 'lan'
option dest 'vpnfirewall'
6. Now we should configure DNS servers. The simplest approach is to use Surfshark DNS for the WAN interface of the router. You can add Surfshark DNS:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='126.96.36.199'
uci add_list network.wan.dns='188.8.131.52'
The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended):
config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '184.108.40.206'
list dns '220.127.116.11'
(Optional) To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from LAN to WAN. In default configuration there is a single forwarding rule, so the command is:
uci del firewall.@forwarding
You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:
uci set firewall.@zone.masq=0
After configuration you should commit changes:
uci commit firewall
You can also disable forwarding not to the specific interface by modification the file /etc/firewall.user:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
Additionally you could perform following steps. Append the lines to the file /etc/firewall.user:
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
After configuration reboot router with a command:
Afterwards, you can check if your connection was successful by following this guide.
In some cases OpenVPN hangs with log message like (couldn't resolve host ...). In this case a tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
The content of script reconnect.sh is like:
while sleep 50; do
t=$(ping -c $n 18.104.22.168 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
if [ "$t" -eq 0 ]; then
And that's it, your OpenWRT router is now configured with Surfshark!
Good luck surfing the net!