Thanks to ulmwind for creating these instructions!
In this tutorial, you will learn how to configure the OpenVPN tunnel on your OpenWRT router.
NOTE: Learn how to set up OpenVPN on OpenWRT using the router’s interface if you prefer this way instead.
To proceed, you need to have a router running OpenWRT firmware and an active Surfshark subscription, which you can purchase on our pricing page.
Get your credentials
NOTE: These are not your regular credentials, such as your email and password.
-
Enter the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.
-
Once there, make sure that you are in the Credentials tab and click on Generate credentials.
NOTE: Keep this tab open as we'll need it later.
Choose a Surfshark server
-
Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.
- Click on the download icon to the right of the server name and click on Download UDP.
Configure the OpenVPN client
- Access your router by opening one of the following websites on your browser:
http://openwrt.org
http://lede-project.org
Routers flashed with OpenWRT firmware image initially accept connections only through the telnet protocol. Try connecting to telnet with the following IP address: 192.168.1.1 and change the root password with the command "passwd". -
After this command, the router will accept the connection via SSH. By default, OpenVPN is not included in the firmware image, so you should install the client using opkg:
opkg updateopkg install openvpn-openssl
You can also install the luci-component of OpenVPN configuration, but this is optional:
opkg install luci-app-openvpn
- You can also build a firmware image with OpenVPN. This one will not require the installation of the Client. Check out how to set up an OpenWRT Based Router as OpenVPN Client.
We will follow it with modifications, specific for Surfshark. -
After installing OpenVPN you can set it to start automatically when the router starts by entering the following:
/etc/init.d/openvpn enable - Now you will need the Surfshark server configuration files (refer to Choose a Sursfhark server section in this article). Copy the file you downloaded with PSCP or WinSCP programs on Windows, scp command on Linux to /etc/openvpn/ folder of router filesystem.
In case of copy problems, you should force it using exactly scp protocol (you can also use sftp). - In the file line locate auth-user-pass, and append to it "cred.txt": "auth-user-pass cred.txt".
- Now, you will need to enter the credentials (refer to Get your credentials section of this article).
Create a file called cred.txt in the /etc/openvpn/ folder and insert your service username in the first line and service password in the second line:
Surfshark service username
Surfshark service password -
Time to implement your preferred OpenVPN configuration file. This could be done in two ways:
1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by the extension.
2) Specify the file name in /etc/config/openvpn using uci:
uci set openvpn.surfshark=openvpn
uci set openvpn.surfshark.enabled='1'
uci set openvpn.surfshark.config='/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
uci commit openvpn
The file /etc/config/openvpn should contain the following appended strings:
config openvpn 'surfshark'
option enabled '1'
option config '/etc/openvpn/ae-dub.prod.surfshark.com_tcp.ovpn'
-
Now, create a new network interface.
NOTE: There are two ways to do this. We do not recommend doing them both at the same time.
uci set network.surfsharktun=interface
uci set network.surfsharktun.proto='none'
uci set network.surfsharktun.ifname='tun0'
uci commit network
The file /etc/config/network should contain the following appended strings:
config interface 'surfsharktun'
option proto 'none'
option ifname 'tun0' -
Create a new firewall zone as shown below and add the forwarding rule from LAN to VPN:
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='surfsharktun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
The file /etc/config/firewall should contain the following appended strings:config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'surfsharktun'
config forwarding
option src 'lan'
option dest 'vpnfirewall' -
Now, you need to configure the DNS servers. Use Surfshark DNS for the WAN interface of the router. You can add the Surfshark DNS as shown below:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='162.252.172.57'
uci add_list network.wan.dns='149.154.159.92'
uci commit
The file /etc/config/network should contain the section 'wan' with the following strings (three bottom strings have been appended):config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '162.252.172.57'
list dns '149.154.159.92' -
(OPTIONAL) To prevent traffic leakage outside the VPN-tunnel, you need to remove the forwarding rule from LAN to WAN. In the default configuration, there is a single forwarding rule, and the command is:
uci del firewall.@forwarding[0]
You can also set the "masquerading" option to '0' for the wan zone; it goes after the lan zone. The command is:uci set firewall.@zone[1].masq=0
After configuration, you should commit changes:uci commit firewall -
You can also disable forwarding not to the specific interface by modifying the file /etc/firewall.user:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi -
Additionally, you could perform the following steps. Append the lines to the file /etc/firewall.user:
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
Create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:
#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi -
After configuration, reboot the router with the command:
#reboot -
In some cases, OpenVPN hangs with log messages like (couldn't resolve host ...). In this case, a tunnel stays up, but the connection is lost. It should be reconnected manually with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
/etc/openvpn/reconnect.sh &
The content of the script reconnect.sh is:#!/bin/sh
n=10
while sleep 50; do
t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
if [ "$t" -eq 0 ]; then
/etc/init.d/openvpn restart
fi
done
Ensure the connection is successful
We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.
You may also be interested in:
- How to make sure if Surfshark VPN is working
- How to set up WireGuard on OpenWRT router
- How to set up a VPN-protected Wi-Fi hotspot using Windows