< Back

How to set up a router with OpenWRT

OpenWRT is a custom firmware that can be installed on your router. In this guide, you will find out how to set up OpenVPN protocol which is supported by OpenWRT to connect to Surfshark.

Please note that this tutorial was written by one of our amazing users.
Thanks to ulmwind for creating these instructions!

Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password. You’ll need Surfshark service credentials to connect to the VPN using a manual OpenVPN configuration that is explained below.

Here is how you can get your Surfshark service credentials:

  1. Go to this page. This is the page where you can find all the details required for manual connection.

    You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.

  2. Click on the Credentials tab on top. You will find Surfshark service credentials there.

    It is a good idea to keep this page open for now. You will need these credentials a bit later.


Choose Surfshark server

Every server location has a hostname that you need to use on the router to connect to a particular server.

  1. Switch to the Files section where you will find the list of all servers and their hostnames. Copy the hostname of your preferred location - you will use it a bit later. 

    You will need a hostname of the VPN server. You can find the hostname below the flag icon of each location. If you wish to connect to Poland, copy the hostname for Poland - Warsaw or Poland - Gdansk servers. If you prefer connecting to Finland, copy the hostname of Finland - Helsinki server.


Great, let's proceed to your OpenWRT router!

1. Initially, you should have a router with LEDE or OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://lede-project.org, http://openwrt.org
Router, flashed with OpenWRT firmware image, initially accepts connection only by telnet, so you should connect to it by telnet to the IP and change root password with command "passwd".
After this command, it accepts connection via SSH. By default OpenVPN is not included in the firmware image, so you should install it by use of opkg:

opkg update
opkg install openvpn-openssl

You can also install luci-component of OpenVPN configuration, but it is optional:

opkg install install luci-app-openvpn

You can also build a firmware image with OpenVPN. An informative manual on OpenVPN client configuration can be found here: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
We will follow it with modifications, specific for Surfshark.

After installing OpenVPN you can set it to start automatically when the router starts:
/etc/init.d/openvpn enable

2. Downloading Surfshark server configuration files. In order to do that, press here
Once you pick a location that you prefer, download UDP or TCP version of it.
For example, consider file "ae-dub.prod.surfshark.com_tcp.ovpn" It corresponds to United Arab Emirates, protocol TCP. We will use this file, for example, other files are treated similarly.

Copy the file "ae-dub.prod.surfshark.com_tcp.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems, you should force using exactly scp protocol (it also can use sftp).

In the file line locate auth-user-pass, and append to it "cred.txt": "auth-user-pass cred.txt".
Obtain Surfshark service credentials here. To connect with this connection method, you will have to use the service username and password.
Create a file called cred.txt in /etc/openvpn/ folder and in the first line insert your service username, service password in the second:

Surfshark service username
Surfshark service password

3. A configuration of OpenVPN using the file "ae-dub.prod.surfshark.com_tcp.ovpn" could be implemented in two ways:

1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify file name in /etc/config/openvpn You can use uci:

uci set openvpn.surfshark=openvpn
uci set openvpn.surfshark.enabled='1'
uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
uci commit openvpn

The file /etc/config/openvpn should contain following appended strings:

config openvpn 'surfshark'
        option enabled '1'   
        option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'

You can also change extension of the file "ovpn" to "conf", and specify it in the file /etc/config/openvpn, in this case, OpenVPN will start with this configuration file just once.

4. Create a new network interface. Please note that there are two ways to do it and we do not recommend doing them both at the same time.

uci set network.surfsharktun=interface
uci set network.surfsharktun.proto='none'
uci set network.surfsharktun.ifname='tun0'
uci commit network

The file /etc/config/network should contain following appended strings:

config interface 'surfsharktun'
        option proto 'none'  
        option ifname 'tun0'

5. Create a new firewall zone and add forwarding rule from LAN to VPN:

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='surfsharktun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall

The file /etc/config/firewall should contain following appended strings:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'       
        option mtu_fix '1' 
        list network 'surfsharktun'      
config forwarding       
        option src 'lan'    
        option dest 'vpnfirewall'

6. Now we should configure DNS servers. The simplest approach is to use Surfshark DNS for the WAN interface of the router. You can add Surfshark DNS:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns=''
uci add_list network.wan.dns=''
uci commit

The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended):

config interface 'wan'                        
        option ifname 'eth0.2'                
        option force_link '1'                 
        option proto 'dhcp'                    
        option peerdns '0'                    
        list dns ''                    
        list dns '' 

(Optional) To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from LAN to WAN. In default configuration there is a single forwarding rule, so the command is:
 uci del firewall.@forwarding[0]
You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:
uci set firewall.@zone[1].masq=0
After configuration you should commit changes:
uci commit firewall

You can also disable forwarding not to the specific interface by modification the file /etc/firewall.user:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
        iptables -I forwarding_lan_rule ! -o tun+ -j REJECT

Additionally you could perform following steps. Append the lines to the file /etc/firewall.user:

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT

Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:

if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT

After configuration reboot the router with a command:

Afterward, you can check if your connection was successful by following this guide.

In some cases OpenVPN hangs with log message like (couldn't resolve host ...). In this case a tunnel stays up, but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

/etc/openvpn/reconnect.sh &

The content of script reconnect.sh is like:

while sleep 50; do
        t=$(ping -c $n | grep -o -E '\d+ packets r' | grep -o -E '\d+')
        if [ "$t" -eq 0 ]; then
                /etc/init.d/openvpn restart

And that's it, your OpenWRT router is now configured with Surfshark!

Good luck surfing the net!


Was this article helpful?