In this tutorial, you will learn how to configure the Surfshark VPN tunnel on your OpenWRT router.
Please note that this tutorial was written by one of our amazing users.
Thanks to ulmwind for creating these instructions!
You will learn how to:
To proceed, you need to have a router running OpenWRT firmware and an active Surfshark subscription.
If you don’t have the subscription yet, you can get one here.
Find your login details
Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password. You’ll need Surfshark service credentials to connect to the VPN using the manual OpenVPN configuration method explained below.
Here is how you can get your Surfshark service credentials:
- Go to this page, where you will find all of the details required for a manual connection.
You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.
- Click on the Credentials tab at the top. You will find the Surfshark service credentials here.
It's a good idea to keep this page open for now. You will need these credentials a bit later.
Choose a Surfshark server
Every server (location) has a configuration file that you will need to connect to the VPN. You can download all of the configuration files from our website.
- Go to this page. It’s the same page where the Surfshark service credentials are stored.
- Select the Files tab, where you will see all of the Surfshark servers.
- You will need an OpenVPN configuration file for the location of your choice. For example, if you wish to connect to Germany, download the Germany - Berlin or Germany - Nuernberg server by clicking on the location and then on UDP to download the configuration file.
Configure Surfshark VPN
- Firstly, you need to access your router by accessing one of the following websites on your browser:
Routers flashed with OpenWRT firmware image initially accept connections only through the telnet protocol, so you should connect to telnet with the following IP address: 192.168.1.1 and change the root password with the command "passwd".
After this command, the router will accept the connection via SSH. By default, OpenVPN is not included in the firmware image, so you should install the client using opkg:
opkg install openvpn-openssl
You can also install the luci-component of OpenVPN configuration, but this is optional:
opkg install luci-app-openvpn
You can also build a firmware image with OpenVPN. This one will not require the installation of the Client. You will find an informative manual for the OpenVPN client configuration below: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
We will follow it with modifications, specific for Surfshark.
After installing OpenVPN you can set it to start automatically when the router starts:
- Now you will need the Surfshark server configuration files downloaded in the Choose a Surfshark server part. Copy the file you downloaded with PSCP or WinSCP programs on Windows, scp command on Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems, you should force it using exactly scp protocol (you can also use sftp).
In the file line locate auth-user-pass, and append to it "cred.txt": "auth-user-pass cred.txt".
Now you will need to enter the credentials which you collected in the Find your login details part. To connect with this connection method, you will have to use the service username and password.
Create a file called cred.txt in the /etc/openvpn/ folder and insert your service username in the first line, and service password in the second line:
Surfshark service username
Surfshark service password
- Time to implement your preferred OpenVPN configuration file. This could be done in two ways:
1. Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by the extension.
2. Specify the file name in /etc/config/openvpn using uci:
uci set openvpn.surfshark=openvpn
uci set openvpn.surfshark.enabled='1'
uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
uci commit openvpn
The file /etc/config/openvpn should contain the following appended strings:
config openvpn 'surfshark'
option enabled '1'
option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
- Now create a new network interface. Note that there are two ways to do this, and we do not recommend doing them both at the same time.
uci set network.surfsharktun=interface
uci set network.surfsharktun.proto='none'
uci set network.surfsharktun.ifname='tun0'
uci commit network
The file /etc/config/network should contain the following appended strings:
config interface 'surfsharktun'
option proto 'none'
option ifname 'tun0'
- Create a new firewall zone as show below and add the forwarding rule from LAN to VPN:
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='surfsharktun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
The file /etc/config/firewall should contain the following appended strings:
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'surfsharktun'
option src 'lan'
option dest 'vpnfirewall'
- Now you need to configure the DNS servers. The easiest approach would be to use Surfshark DNS for the WAN interface of the router. You can add the Surfshark DNS as shown below:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='22.214.171.124'
uci add_list network.wan.dns='126.96.36.199'
The file /etc/config/network should contain the section 'wan' with following strings (three bottom strings has been appended):
config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '188.8.131.52'
list dns '184.108.40.206'
(Optional) To prevent traffic leakage outside the VPN-tunnel you need to remove the forwarding rule from LAN to WAN. In the default configuration, there is a single forwarding rule, and the command is:
uci del firewall.@forwarding
You can also set the "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:
uci set firewall.@zone.masq=0
After configuration you should commit changes:
uci commit firewall
You can also disable forwarding not to the specific interface by modifying the file /etc/firewall.user:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
Additionally, you could perform the following steps. Append the lines to the file /etc/firewall.user:
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
After configuration, reboot the router with the command:
Afterward, you can check if your connection was successful by checking out this guide.
In some cases, OpenVPN hangs with log messages like (couldn't resolve host ...). In this case, a tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
The content of the script reconnect.sh is:
while sleep 50; do
t=$(ping -c $n 220.127.116.11 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
if [ "$t" -eq 0 ]; then
Congratulations - you have successfully installed and configured Surfshark VPN on your OpenWRT router! As long as you’re connected, your location is private, and your sensitive data is secure.
You may also be interested in:
- How to make sure if my connection was successful?
- How to enable 2FA on your Surfshark account?
- How to set up a VPN-protected Wi-Fi hotspot using Windows?