How to set up WireGuard® on OpenWRT router


In this article, you will learn how to configure Surfshark with a manual WireGuard® connection on your OpenWRT firmware router.


To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark's pricing page.

 
Get your key pair


There are two ways to go from here. If you have already generated a key pair, you can use it. If not, you will have to generate one.

If you have a key pair already, continue the tutorial as usual. If you do not, you should move on to the I don’t have a key pair section.

I have a key pair

  1. Go to Surfshark's login page and log in. Then, visit VPN > Manual setup. Choose the Router option and click on WireGuard.
    Surfshark setup methods page with Router option selected and WireGuard protocol highlighted for manual VPN configuration.

  2. In the next window, click on I have a key pair.
    WireGuard manual configuration in Surfshark app, with option to connect using an existing key pair highlighted.

  3. Name your key pair and click Next.
    Naming a WireGuard key pair during manual setup for Surfshark VPN on a router.
  4. Enter your public key and hit Save.
    Entering and saving the public key for a WireGuard connection in the Surfshark manual setup interface.

I don't have a key pair

  1. Go to Surfshark's login page and log in. Then, visit VPN > Manual setup. Choose the Router option and click on WireGuard.
    Protocol selection screen in Surfshark’s manual setup for routers, highlighting the WireGuard option.

  2. In the next window, click on I don't have a key pair.
    Surfshark WireGuard manual setup displaying the option to proceed without an existing key pair.

  3. Name your new key pair.
    Step to name a new WireGuard key pair in Surfshark’s manual router setup, with “Next” button highlighted.
  4. Click on Generate a new key pair.

    NOTE: Copy and store the generated key pairs on your device. You will not be able to check them here again.
    Surfshark manual setup prompting to generate a new WireGuard key pair for router configuration.

Choose a Surfshark server

Once you have your key pair, you should see a Choose a location button. Click on it. Here, you'll find the list of available locations to connect to. Select one and hit the download button.
Surfshark WireGuard setup showing generated public and private keys with the option to choose a server location.
Surfshark WireGuard manual configuration page for selecting and downloading a VPN server location.

Install and configure WireGuard

 

  1. Access your router by typing one of the following websites in your browser:

    http://openwrt.org
    http://lede-project.org

  2. Routers flashed with an OpenWRT firmware image initially accept connections only through the telnet protocol, so you should connect via telnet to the following IP address: 192.168.1.1

    Change the root password with the command "passwd".

  3. Once logged in, click on System and select Software.
    OpenWrt status page with the System menu expanded and the Software option highlighted.

  4. On this page, you will download the WireGuard package. To do so, click on Update lists.

  5. Once the lists are updated, type WireGuard in the search field and install the WireGuard package first, followed by luci-app-wireguard.

    If you are unable to install luci-app-wireguard, please install luci-proto-wireguard and wireguard-tools.
    OpenWrt Software page with WireGuard-related packages listed after a search, and the Install buttons highlighted.

  6. Restart the router. To do so, click on System and then click Reboot. After the reboot is done, log in to your router again.

Configure the interface

 

  1. Install the WireGuard interface. Click on Network > Interfaces. At the bottom of the page, select Add new interface.
    OpenWrt interfaces page showing LAN and WAN interfaces with “Add new interface…” highlighted.

  2. Fill in the following information:
    Name: wg0
    Protocol: WireGuard VPN

  3. Select Create Interface.
    Add new interface dialog in OpenWrt with the WireGuard VPN protocol selected and “Create interface” button highlighted.

  4. Enter the Private key (refer to the Get your key pair section of this article). Copy and paste it into the Private Key area.
    OpenWrt WireGuard interface settings screen with fields for private key and IP addresses highlighted.

  5. In the IP Address box, enter the IP address from the Surfshark WireGuard server file. In our case, it's 10.14.0.2/16.

  6. Click on the Advanced Settings tab, uncheck Use DNS servers advertised by peer, and enter the Surfshark DNS addresses, which are:

    162.252.172.57
    149.154.159.92

  7. Assign a firewall zone. To do so, click on Firewall settings. Here, click on unspecified, and then enter vpn in the bottom field.

  8. Now click on the Peers tab and select Add peer.

  9. Add the following information:
    Description: Name it whatever you like
    Public key: Paste your public key (refer to the Get your key pair section of this article)
    Allowed IPs: 0.0.0.0/0
    Route allowed IPs: check the box
    Endpoint host: enter the endpoint IP address of the configuration file (note that it should end with surfshark.com)
    Endpoint port: enter the last 5 digits from the IP address of the configuration file

  10. Click Save.
    WireGuard peer settings page in OpenWrt, showing fields for description, public key, preshared key, and allowed IPs.

  11. You will notice that the WG0 interface has 7 pending changes. Click on Save & Apply here to confirm them.
    OpenWrt interfaces list, including the new WireGuard VPN interface, with “Save & Apply” button highlighted.
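
The values entered in the steps above all come from the downloaded configuration file. As an added example (not part of the original article or Surfshark's tooling), this script reads a WireGuard .conf and prints the form values; the sample file, both keys and the endpoint host name are constructed placeholders.

```shell
# Added example: pull the values the LuCI form asks for out of a WireGuard .conf.
# SAMPLE_CONF is constructed; both keys and the endpoint host name are placeholders.
SAMPLE_CONF='[Interface]
Address = 10.14.0.2/16
PrivateKey = CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER=
DNS = 162.252.172.57, 149.154.159.92

[Peer]
PublicKey = CONSTRUCTED-PEER-KEY-PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = constructed-location.surfshark.com:51820'

# conf_get TEXT SECTION KEY -> value of KEY in [SECTION]. Splits on the first "="
# only, because base64 keys end in "=" padding.
conf_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Endpoint is host:port, so the port is whatever follows the last colon.
endpoint_host() { e=$(conf_get "$1" Peer Endpoint); printf '%s\n' "${e%:*}"; }
endpoint_port() { e=$(conf_get "$1" Peer Endpoint); printf '%s\n' "${e##*:}"; }

# check_conf TEXT -> prints "ok" and returns 0, or prints the reason and returns 1
check_conf() {
    port=$(endpoint_port "$1")
    case "$port" in ''|*[!0-9]*) echo "endpoint port is not numeric"; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo "endpoint port out of range"; return 1; }
    case "$(conf_get "$1" Interface Address)" in
        */*) ;; *) echo "interface address has no /prefix"; return 1 ;; esac
    echo ok
}

# Print the form values; the private key is deliberately never echoed.
luci_fields() {
    echo "IP Address:    $(conf_get "$1" Interface Address)"
    echo "DNS servers:   $(conf_get "$1" Interface DNS)"
    echo "Allowed IPs:   $(conf_get "$1" Peer AllowedIPs)"
    echo "Endpoint host: $(endpoint_host "$1")"
    echo "Endpoint port: $(endpoint_port "$1")"
}
check_conf "$SAMPLE_CONF" >/dev/null && luci_fields "$SAMPLE_CONF"
```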

Configure the VPN zone

 

  1. Go to the Network tab and select Firewall at the bottom.

  2. You will find various zones on your network. At the bottom, you will find the VPN zone you created earlier. We need to change the input, output, forward, and masquerading options to match the “wan” zone.
    OpenWrt firewall zones overview showing LAN, WAN, and VPN zones with forwarding and default policies.

  3. Change the input from Accept to Reject and check the masquerading box. After doing so, click Save.
    OpenWrt firewall zone settings with vpn zone input set to reject and masquerading enabled.
  4. The lan to wan zone needs to be edited, so click on Edit.
    OpenWrt firewall zones list with the Edit button highlighted for configuring a zone.

  5. Enable MSS clamping in the new window.
    OpenWrt firewall zone settings for LAN zone with MSS clamping option checked.

  6. In the Allow forward to destination zones section, click on the little arrow and select the VPN zone that we created.
    OpenWrt firewall zone settings for LAN with forward to destination set to VPN/WG0.

  7. Click Save.

  8. Next to Zones, make sure to click on Save & Apply and reboot your router.

  9. To verify your connection, click on Network > Interfaces. The WG0 interface we created should be receiving and sending packets.
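
The zone settings from the steps above can also be checked from the router's command line. As an added example (not part of the original article), this function audits the text printed by `uci show firewall` for the vpn zone's input policy, masquerading, wg0 membership and the lan to vpn forwarding; the sample output is constructed.

```shell
# Added example: audit `uci show firewall` output for the vpn zone settings.
# SAMPLE_UCI is constructed; on the router use: audit_vpn_zone "$(uci show firewall)"
SAMPLE_UCI="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='vpn'"

# audit_vpn_zone TEXT -> one line per failed check; exit status 0 only if none fail
audit_vpn_zone() {
    printf '%s\n' "$1" | awk -v q="'" '
        {
            i = index($0, "="); if (i == 0) next
            path = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(q, "", val)                      # uci prints values in single quotes
            if (split(path, p, "[.]") != 3) next  # firewall . @zone[2] . masq
            opt[p[2], p[3]] = val
            if (p[3] == "name" && val == "vpn") zone = p[2]
            if (p[3] == "src") src[p[2]] = val
            if (p[3] == "dest") dest[p[2]] = val
        }
        END {
            if (zone == "") { print "no zone named vpn"; exit 1 }
            if (opt[zone, "input"] != "REJECT") { print "vpn input is not REJECT"; bad = 1 }
            if (opt[zone, "masq"] != "1") { print "vpn masquerading is off"; bad = 1 }
            if ((" " opt[zone, "network"] " ") !~ / wg0 /) { print "wg0 not in vpn zone"; bad = 1 }
            for (s in src) if (src[s] == "lan" && dest[s] == "vpn") fwd = 1
            if (!fwd) { print "no lan to vpn forwarding"; bad = 1 }
            exit bad + 0
        }'
}

audit_vpn_zone "$SAMPLE_UCI" && echo "vpn zone matches the steps above"
```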

 

Ensure the connection is successful

 

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing a Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.

 


