In this article, you will learn how to configure Surfshark with a manual WireGuard® connection on your OpenWRT firmware router.
To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark's pricing page.
Credentials and server selection
Before setting up the router, you will need to obtain the credentials for the manual setup and select a server to connect to.
NOTE: These are not your regular credentials, such as your email and password.
- Head to the Surfshark login page and log in. Then, click on VPN -> manual setup.
-
Select set up manually.
-
Choose the WireGuard protocol.
-
Once there, select I don't have a key pair.
NOTE: If you have already created a key pair, simply press I have a key pair, and enter your public key.
-
Enter a name for the keypair, and click next.
-
Click generate new key pair.
-
You will be able to see a public and a private key pair. Make sure to save both of them.
Choose a Surfshark VPN server
-
Head to the Locations tab and locate the server that you wish to connect to.
-
Click on the download icon to the right of the server name.
-
Click on the download icon.
Configure the interface
- Install the WireGuard interface. Click on Network > Interfaces. At the bottom of the page, select Add new interface.
-
Fill in the following information:
Name: wg0
Protocol: WireGuard VPN
- Select Create Interface.
- Enter the Private key (refer to Get your key pair sections in this article). Copy and paste it into the Private Key area.
- In the IP Address box, enter the IP address from the Surfshark WireGuard server file. In our case, it's 10.14.0.2/16.
-
Click on the Advanced Settings tab and uncheck Use DNS servers advertised by peer and enter Surfshark DNS addresses, which are:
162.252.172.57
149.154.159.92
- Assign a firewall zone. To do so, click on Firewall settings. Here click on unspecified, and then in the bottom field, enter vpn.
- Now click on the Peers tab and select Add peer.
-
Add the following information:
Description: Name it whatever you like
Public key: Paste your public key (refer to Get your key pair sections in this article)
Allowed IPs: 0.0.0.0/0
Route allowed IPs: check the box
Endpoint host: enter the endpoint IP address of the configuration file (note that it should end with surfshark.com)
Endpoint port: Enter the last 5 digits from the IP address of the configuration file
- Click Save.
- You will notice that the WG0 interface has 7 pending changes. Click on Save & Apply here to confirm them.
Configure the VPN zone
- Go to the Network tab and select Firewall at the bottom.
- You will find various zones on your network. At the bottom, you will find the VPN zone you created earlier. We need to change the input, output, forward, and masquerading options to match the “wan” zone.
- Change the input from Accept to Reject and check the masquerading box. After doing so, click Save.
- lan to wan zone needs to be edited, so click on Edit.
- Enable MSS clamping in the new window.
- In the Allow forward to destination zones section, click on this little arrow and select the VPN zone that we created.
- Click Save.
- Next to Zones, make sure to click on Save & Apply and reboot your router.
- To verify your connection, click on Network > Interfaces. The WG0 interface we created should be receiving and sending packets.
Ensure the connection is successful
We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.
You may also be interested in: