How to set up WireGuard® on OpenWRT router


In this article, you will learn how to configure Surfshark with a manual WireGuard® connection on your OpenWRT firmware router.


To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark's pricing page.

Credentials and server selection

Before setting up the router, you will need to obtain the credentials for the manual setup and select a server to connect to.
 

NOTE: These are not your regular credentials, such as your email and password.
 

  1. Head to the Surfshark login page and log in. Then, click on VPN -> manual setup.



  2. Select set up manually.



  3. Choose the WireGuard protocol.



  4. Once there, select I don't have a key pair.



    NOTE: If you have already created a key pair, simply press I have a key pair, and enter your public key.


  5. Enter a name for the keypair, and click next.



  6. Click generate new key pair.



  7. You will be able to see a public and a private key pair. Make sure to save both of them.

 

Choose a Surfshark VPN server

  1. Head to the Locations tab and locate the server that you wish to connect to.


     
  2. Click on the download icon to the right of the server name.



  3. Click on the download icon.



Configure the interface

  1. Install the WireGuard interface. Click on Network > Interfaces. At the bottom of the page, select Add new interface.
    OpenWrt interfaces page showing LAN and WAN interfaces with “Add new interface…” highlighted.

  2. Fill in the following information:
    Name: wg0
    Protocol: WireGuard VPN

  3. Select Create Interface.
    Add new interface dialog in OpenWrt with the WireGuard VPN protocol selected and “Create interface” button highlighted.

  4. Enter the Private key (refer to Get your key pair sections in this article). Copy and paste it into the Private Key area.
    OpenWrt WireGuard interface settings screen with fields for private key and IP addresses highlighted.

  5. In the IP Address box, enter the IP address from the Surfshark WireGuard server file. In our case, it's 10.14.0.2/16.

  6. Click on the Advanced Settings tab and uncheck Use DNS servers advertised by peer and enter Surfshark DNS addresses, which are:

    162.252.172.57
    149.154.159.92

  7. Assign a firewall zone. To do so, click on Firewall settings. Here click on unspecified, and then in the bottom field, enter vpn.

  8. Now click on the Peers tab and select Add peer.

  9. Add the following information:
    Description: Name it whatever you like
    Public key: Paste your public key (refer to Get your key pair sections in this article)
    Allowed IPs: 0.0.0.0/0
    Route allowed IPs: check the box
    Endpoint host: enter the endpoint IP address of the configuration file (note that it should end with surfshark.com)
    Endpoint port: Enter the last 5 digits from the IP address of the configuration file

  10. Click Save.
    WireGuard peer settings page in OpenWrt, showing fields for description, public key, preshared key, and allowed IPs.

  11. You will notice that the WG0 interface has 7 pending changes. Click on Save & Apply here to confirm them.
    OpenWrt interfaces list, including the new WireGuard VPN interface, with “Save & Apply” button highlighted.

Configure the VPN zone

  1. Go to the Network tab and select Firewall at the bottom.

  2. You will find various zones on your network. At the bottom, you will find the VPN zone you created earlier. We need to change the input, output, forward, and masquerading options to match the “wan” zone.
    OpenWrt firewall zones overview showing LAN, WAN, and VPN zones with forwarding and default policies.

  3. Change the input from Accept to Reject and check the masquerading box. After doing so, click Save.
    OpenWrt firewall zone settings with vpn zone input set to reject and masquerading enabled.
  4. lan to wan zone needs to be edited, so click on Edit.
    OpenWrt firewall zones list with the Edit button highlighted for configuring a zone.

  5. Enable MSS clamping in the new window.
    OpenWrt firewall zone settings for LAN zone with MSS clamping option checked.

  6. In the Allow forward to destination zones section, click on this little arrow and select the VPN zone that we created.
    OpenWrt firewall zone settings for LAN with forward to destination set to VPN/WG0.

  7. Click Save.

  8. Next to Zones, make sure to click on Save & Apply and reboot your router.

  9. To verify your connection, click on Network > Interfaces. The WG0 interface we created should be receiving and sending packets.

 

Ensure the connection is successful

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.

 



You may also be interested in:

Was this article helpful?
Thank you for your feedback!