How to set up OpenVPN on an OpenWRT router

In this tutorial, you will learn how to configure the Surfshark VPN tunnel on your OpenWRT router. 

NOTE: if you'd prefer to set up OpenVPN on your OpenWRT router via the router's web interface instead, check out this guide.


Please note that this tutorial was written by one of our amazing users.
Thanks to ulmwind for creating these instructions!


You will learn how to:


To proceed, you need to have a router running OpenWRT firmware and an active Surfshark subscription, which you can purchase on our pricing page.


Find your login details

Surfshark service credentials are different from your Surfshark account credentials (the email address and password you log in with). You need the service credentials, not the account credentials, to connect to the VPN using the manual OpenVPN configuration method explained below.

Here is how you can get your Surfshark service credentials:

  1. Go to this page, where you will find all of the details required for a manual connection.

    You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.

  2. Click on the Credentials tab at the top. You will find the Surfshark service credentials here.



    It's a good idea to keep this page open for now. You will need these credentials a bit later.


Choose a Surfshark server

Every server (location) has a configuration file that you will need to connect to the VPN. You can download all of the configuration files from our website.

  1. Go to this page. It’s the same page where the Surfshark service credentials are stored.

  2. Select the Locations tab, where you will see all of the Surfshark servers. 



  3. You will need an OpenVPN configuration file for the location of your choice. For example, if you wish to connect to Germany, click on Germany - Berlin or Germany - Nuernberg and then on UDP to download the configuration file. Note the exact file name; you will reference it on the router later.



Configure Surfshark VPN


  1. Firstly, you need shell access to your router. The firmware documentation is at the following websites (they are for reference only; you do not reach the router through them):
    http://openwrt.org
    http://lede-project.org

    On old OpenWRT releases a freshly flashed router accepts connections only through the telnet protocol until a root password is set, so connect with telnet to the IP address 192.168.1.1 and change the root password with the command "passwd". Current releases ship without telnet and instead accept SSH as root with an empty password, so connect with "ssh root@192.168.1.1" and run "passwd" straight away: until you do, anyone on the LAN can log in as root.

    After this command, the router will accept the connection via SSH. By default, OpenVPN is not included in the firmware image, so install the client using opkg:

    opkg update
    opkg install openvpn-openssl

    You can also install the LuCI component for OpenVPN configuration, but this is optional:

    opkg install luci-app-openvpn

    You can also build a firmware image that includes OpenVPN; in that case the client does not need to be installed separately. An informative manual for OpenVPN client configuration on OpenWRT is available at: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
    We will follow it with modifications specific to Surfshark.

    After installing OpenVPN you can set it to start automatically when the router starts:
    /etc/init.d/openvpn enable

  2. Now you will need the Surfshark server configuration file downloaded in the Choose a Surfshark server part. Copy it to the /etc/openvpn/ folder of the router filesystem with PSCP or WinSCP on Windows, or with the scp command on Linux. The router's SSH server (Dropbear) does not ship with an SFTP server, so if the copy fails, select the SCP protocol explicitly: in WinSCP choose SCP rather than SFTP, and with OpenSSH 9.0 or newer (whose scp uses SFTP by default) pass the -O flag to fall back to the SCP protocol. Alternatively, install the openssh-sftp-server package on the router with opkg and use sftp.

    In the file, locate the line auth-user-pass and append the credentials file name to it: "auth-user-pass cred.txt". A relative name is resolved against OpenVPN's working directory, so the absolute form "auth-user-pass /etc/openvpn/cred.txt" is the safer choice.
    Now you will need to enter the credentials which you collected in the Find your login details part. To connect with this connection method, you have to use the service username and password, not your account email and password.
    Create a file called cred.txt in the /etc/openvpn/ folder with your service username on the first line and your service password on the second line, and make it readable by root only (mode 0600) so that other processes on the router cannot read the password:

    Surfshark service username
    Surfshark service password

  3. Time to activate your preferred OpenVPN configuration file. This can be done in one of two ways:
    1. Change the file's extension from "ovpn" to "conf". The OpenVPN init script starts every /etc/openvpn/*.conf automatically, so no further configuration is needed.

    2. Specify the file name in /etc/config/openvpn using uci. The path must be the file you actually copied; the Abu Dhabi TCP profile below is only an example:

    uci set openvpn.surfshark=openvpn
    uci set openvpn.surfshark.enabled='1'
    uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
    uci commit openvpn

    The file /etc/config/openvpn should then contain the following appended lines:

    config openvpn 'surfshark'
            option enabled '1'   
            option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'

  4. Now create a new network interface for the tunnel. The uci commands below and editing /etc/config/network by hand are two ways of producing the same section, so do one or the other, not both. On OpenWrt 21.02 and later the interface is bound to its device with the option device rather than ifname, so use device in place of ifname on those releases.

    uci set network.surfsharktun=interface
    uci set network.surfsharktun.proto='none'
    uci set network.surfsharktun.ifname='tun0'
    uci commit network

    The file /etc/config/network should contain the following appended lines:


    config interface 'surfsharktun'
            option proto 'none'  
            option ifname 'tun0'

  5. Create a new firewall zone as shown below and add the forwarding rule from LAN to the VPN zone:


    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='surfsharktun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall

    The file /etc/config/firewall should contain the following appended lines:


    config zone
            option name 'vpnfirewall'
            option input 'REJECT'
            option output 'ACCEPT'
            option forward 'REJECT'
            option masq '1'       
            option mtu_fix '1' 
            list network 'surfsharktun'      
    config forwarding       
            option src 'lan'    
            option dest 'vpnfirewall'

  6. Now you need to configure the DNS servers. The easiest approach would be to use Surfshark DNS for the WAN interface of the router. You can add the Surfshark DNS as shown below:

    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='162.252.172.57'
    uci add_list network.wan.dns='149.154.159.92'
    uci commit

    The file /etc/config/network should contain the section 'wan' with the following lines (the three bottom lines have been appended):

    config interface 'wan'                        
            option ifname 'eth0.2'                
            option force_link '1'                 
            option proto 'dhcp'                    
            option peerdns '0'                    
            list dns '162.252.172.57'                    
            list dns '149.154.159.92' 

    (Optional, but recommended) To prevent traffic leaking outside the VPN tunnel when it is down, remove the forwarding rule from LAN to WAN. In the default configuration there is a single forwarding rule, so the command is:
    uci del firewall.@forwarding[0]

    You can also set the "masquerading" option to '0' for the wan zone. In the default configuration it is the second zone, after lan, so the command is (check the index with "uci show firewall" first if you have changed the zones):
    uci set firewall.@zone[1].masq=0

    After configuration you should commit the changes:
    uci commit firewall

    You can also block forwarding from LAN to any interface other than a tunnel by modifying the file /etc/firewall.user. This file is read only by the iptables-based fw3 firewall; on OpenWrt 22.03 and later the firewall is fw4 on nftables, which ignores /etc/firewall.user, so the iptables rules in this part do not apply there:

    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    # Internal uci firewall chains are flushed and recreated on reload, so
    # put custom rules into the root chains e.g. INPUT or FORWARD or into the
    # special user chains, e.g. input_wan_rule or postrouting_lan_rule.

    if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
            iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
    fi

    Additionally, you could block all forwarding while the tunnel is absent. Append the following lines to the file /etc/firewall.user (the tun0 device exists only while OpenVPN is running, so the REJECT rule is inserted whenever the tunnel is missing at firewall start):

    if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
            iptables -I forwarding_rule -j REJECT
    fi

    Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content; it removes the blocking rule when the tunnel interface comes up and restores it when the tunnel goes down:

    #!/bin/sh
    if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
            iptables -D forwarding_rule -j REJECT
    fi
    if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
            iptables -I forwarding_rule -j REJECT
    fi

    After configuration, reboot the router with the command:
    reboot

    Afterward, you can check if your connection was successful by checking out this guide.

    In some cases OpenVPN hangs with log messages like "couldn't resolve host ...". The tunnel interface stays up, but the connection is lost and has to be restarted. The following script, /etc/openvpn/reconnect.sh, does this automatically; make it executable and start it from /etc/rc.local (before the final "exit 0" line) as:

    /etc/openvpn/reconnect.sh &

    The content of the script reconnect.sh is:

    #!/bin/sh
    # Restart OpenVPN when a burst of pings through the tunnel gets no reply at all.
    n=10
    while sleep 50; do
            # BusyBox grep does not understand \d, so use [0-9]; the count is
            # taken from the "N packets received" summary line printed by ping.
            t=$(ping -c $n 8.8.8.8 2>/dev/null | grep -o -E '[0-9]+ packets received' | grep -o -E '^[0-9]+')
            if [ "${t:-0}" -eq 0 ]; then
                    /etc/init.d/openvpn restart
            fi
    done
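The helper script below is an added example; it is not part of the original instructions and is not Surfshark's or ulmwind's code. It covers two things a practitioner usually wants after following parts 2 to 6: installing the service credentials safely (root-only file created with umask 077, absolute auth-user-pass path) and a leak check to run after the reboot (does a packet to 8.8.8.8 actually leave via the tunnel, and does dnsmasq only use the two Surfshark resolvers configured above?). It assumes, hypothetically, that profiles and cred.txt live in /etc/openvpn, that the tunnel interface is tun0, and that the upstream resolver list is in /tmp/resolv.conf.d/resolv.conf.auto (OpenWrt 22.03+) or /tmp/resolv.conf.auto (older releases); the file name surfshark-helper.sh is likewise made up. The route check deliberately uses `ip route get` instead of looking for a "default" route, because a profile with redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 through the tunnel and leaves the WAN default route in place, so the default route alone says nothing about where traffic goes.

```shell
#!/bin/sh
# Added example (not from the original instructions): credential install
# helper plus a post-setup leak check. Assumptions (hypothetical):
#   - profiles and cred.txt live in /etc/openvpn
#   - the tunnel interface is tun0
#   - upstream resolvers: /tmp/resolv.conf.d/resolv.conf.auto (22.03+)
#     or /tmp/resolv.conf.auto (older releases)
# Written for BusyBox ash; the checks also run under bash.

# install_creds PROFILE USERNAME PASSWORD [CRED_FILE]
# Writes the Surfshark service credentials so that only root can read them
# and points the profile's auth-user-pass directive at the absolute path.
install_creds() {
    profile=$1; user=$2; pass=$3; cred=${4:-/etc/openvpn/cred.txt}
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    # umask 077 gives the file mode 0600 at creation time, so the password
    # is never world-readable, not even between creation and a later chmod.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$cred" ) || return 1
    # A relative "auth-user-pass cred.txt" depends on OpenVPN's working
    # directory; an absolute path removes that dependency.
    if grep -q '^auth-user-pass' "$profile"; then
        sed -i "s|^auth-user-pass.*|auth-user-pass $cred|" "$profile"
    else
        printf 'auth-user-pass %s\n' "$cred" >> "$profile"
    fi
}

# egress_dev ROUTE_GET_OUTPUT
# Prints the "dev" field from the first line of `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# egress_is_tunnel ROUTE_GET_OUTPUT [TUN_DEV]
# Returns 0 when the packet would leave through the tunnel interface.
egress_is_tunnel() {
    [ -n "$1" ] && [ "$(egress_dev "$1")" = "${2:-tun0}" ]
}

# dns_only_from RESOLV_CONF_TEXT SERVER...
# Returns 0 when there is at least one nameserver line and every one of them
# names an allowed SERVER, i.e. no ISP resolver has crept into the list.
dns_only_from() {
    resolv=$1; shift
    found=0
    for ns in $(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }'); do
        found=1; ok=0
        for allowed in "$@"; do
            [ "$ns" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || return 1
    done
    [ "$found" -eq 1 ]
}

# leak_check [TUN_DEV]
# Live check on the router: where does a packet to 8.8.8.8 leave, and which
# upstream resolvers does dnsmasq use? Exit status 1 on any leak.
leak_check() {
    tun=${1:-tun0}
    resolv=/tmp/resolv.conf.d/resolv.conf.auto
    [ -f "$resolv" ] || resolv=/tmp/resolv.conf.auto
    rc=0
    if egress_is_tunnel "$(ip route get 8.8.8.8 2>/dev/null)" "$tun"; then
        echo "ok: traffic to 8.8.8.8 leaves via $tun"
    else
        echo "LEAK: traffic to 8.8.8.8 does not leave via $tun"; rc=1
    fi
    if dns_only_from "$(cat "$resolv" 2>/dev/null)" 162.252.172.57 149.154.159.92; then
        echo "ok: upstream DNS limited to the Surfshark resolvers"
    else
        echo "LEAK: upstream DNS list in $resolv is empty or contains other resolvers"; rc=1
    fi
    return $rc
}

# Usage on the router (file name is hypothetical):
#   sh surfshark-helper.sh creds /etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn USER PASS
#   sh surfshark-helper.sh check tun0
case "${1:-}" in
    creds) install_creds "$2" "$3" "$4" ;;
    check) leak_check "${2:-tun0}" ;;
esac
```

Run the creds subcommand once before the reboot and the check subcommand after it; a "LEAK" line for the route means traffic is still leaving via the WAN device (typically because OpenVPN is not up or the profile lacks redirect-gateway), and a "LEAK" line for DNS means the wan interface still uses the ISP's resolvers.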


Congratulations - you have successfully installed and configured Surfshark VPN on your OpenWRT router! As long as you’re connected, your location is private, and your sensitive data is secure.


You may also be interested in:

  1. How to make sure if my connection was successful?
  2. How to enable 2FA on your Surfshark account?
  3. How to set up a VPN-protected Wi-Fi hotspot using Windows?

