Surfshark Openwrt

In this article, we are going to cover the basic VPN setup process on an OpenWRT router so that it can connect directly to the ProtonVPN servers.

Mar 22, 2021: Surfshark is not responsible for any damage that might be caused by installing custom firmware. Alternatively, you can choose a router that comes with VPN functionality by default. For general guidance, we recommend routers running AsusWRT firmware, which is really easy to set up with a VPN. NordVPN is the best VPN to use with an OpenWrt router.

Apr 20, 2021: Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password. You’ll need Surfshark service credentials to connect to the VPN using the manual OpenVPN configuration method explained below. Here is how you can get your Surfshark service credentials.

Learn more about why you should set up a VPN on your router.

We don’t recommend setting up a VPN connection if you aren’t a tech-savvy user.

1. Install needed packages

Install openvpn-openssl and luci-app-openvpn to be able to manage OpenVPN using the web interface.

A new page in the web interface should appear.

Navigate to VPN → OpenVPN to open the OpenVPN config management page.

2. Upload and edit an OpenVPN config file

This is available starting with the OpenWrt 19.07 version.

Log in to your ProtonVPN account and click the Downloads category. You can download the desired configuration files by selecting the Router option.

Then, go back to OpenVPN and scroll down to the OVPN configuration file upload section. Browse (1) and select the configuration file that you have just downloaded. Give it a name (2) and upload it (3).

The configuration file will appear in the table of available OpenVPN configurations. You can now edit it.

Search for the line that begins with auth-user-pass in the first text box. Edit by adding the full path to the username/password .auth file, visible in the text just above the second text box (1). For the example below, this would be:

In the second box, enter the OpenVPN/IKEv2 username and password that you retrieved from your account (2). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).

Back in the first box, add the following line to the configuration file (3):

Save the configuration file.

Go back to VPN → OpenVPN then click on Save & Apply
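A check for the credentials wiring from step 2, as an added example that is not part of the original guide: it confirms that auth-user-pass names an absolute path, and that the referenced file holds exactly a username line and a password line and is accessible only to its owner, since it stores both in clear text. The function names, return codes and demo values are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit the auth-user-pass setup described in step 2.
# Return codes (constructed for this example):
#   0 ok                       1 no active auth-user-pass directive
#   2 missing or relative path 3 credentials file not found
#   4 file is not exactly two non-empty lines
#   5 file is accessible to group or others
audit_ovpn_auth() {
    conf=$1
    # Last active directive wins; lines commented out with # or ; do not match.
    line=$(grep -E '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$conf" | tail -n 1)
    [ -n "$line" ] || return 1
    # Without a file argument OpenVPN prompts interactively, which an
    # unattended router client cannot answer.
    path=$(printf '%s\n' "$line" | awk '{print $2}')
    case $path in
        /*) ;;
        *) return 2 ;;
    esac
    [ -f "$path" ] || return 3
    # Username on line 1, password on line 2, nothing else.
    total=$(awk 'END {print NR}' "$path")
    filled=$(awk 'NF {n++} END {print n+0}' "$path")
    [ "$total" -eq 2 ] && [ "$filled" -eq 2 ] || return 4
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$path" | cut -c5-10)
    [ "$perms" = "------" ] || return 5
    return 0
}

# Constructed demo: build a throwaway config and credentials file, audit them.
demo_audit() {
    d=$(mktemp -d) || return 9
    printf 'constructed-user\nconstructed-pass\n' > "$d/demo.auth"
    chmod 600 "$d/demo.auth"
    printf 'client\ndev tun\nauth-user-pass %s\n' "$d/demo.auth" > "$d/demo.ovpn"
    audit_ovpn_auth "$d/demo.ovpn"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_audit; echo "demo audit exit code: $?"
```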

3. Add DNS updater script

Log in on your router via SSH client with root user. Type the following in the terminal:

Exit your shell.

4. Start and enable the client

Start the client by pressing the Start button in the table of available configurations. This can take up to 10 seconds to complete, as OpenVPN startup and shutdown are slow.

If you want this VPN client connection to start on boot and remain always active, tick the Enable checkbox.

Note: In case clicking the Start button in the table fails to start the VPN instance, tick the Enable checkbox, and press Save & Apply button.

5. Firewall

At this point, the VPN is set up and your router can use it. However, the devices in the LAN of your router won’t be able to access the Internet anymore. To restore their access, you need to treat the VPN network interface as public by assigning it to the WAN firewall zone.

5.1-a With OpenWRT versions up to 18.06 and 19.07

  1. Click on Network in the top bar and then on Interfaces to open the interfaces configuration page.
  2. Click on button Add new Interface…
  3. Fill the form with the following values: name = tun0, Protocol = Unmanaged, Interface = tun0. Then click on Create Interface.
  4. Edit the interface.
  5. In panel General Settings: unselect the checkbox Bring up on boot.
  6. In panel Firewall Settings: Assign firewall-zone to wan.
  7. Click on Save and Apply the new configuration.
  8. Reboot the router.

5.1-b With OpenWRT 19.07 (alternative to the above step 5.1-a)

Click on Network in the top bar and then on Firewall to open the firewall configuration page.

Click on the Edit button of the wan (red) zone in the Zones list at the bottom of the page.


Click on the Advanced Settings tab and select the tunX interface (tun0 in the screenshot, which is the most likely if you have a single OpenVPN client/server running).

Click on Status on the top bar and then click on System Log to see the interface name.

A few lines from the system log where you can see the interface name of the OpenVPN client started with the configuration file FR
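A check that the tunnel device really ended up in the wan zone after step 5.1-a or 5.1-b, as an added example that is not part of the original guide. It parses text in the /etc/config/firewall format; the function names, exit codes and sample config are constructed, and tun0 is the device name used above.

```shell
#!/bin/sh
# Added example: report which firewall zone covers the VPN device.
# Exit codes (constructed for this example):
#   0 device is in the wan zone, which masquerades and does not accept input
#   1 no zone covers the device   2 covered by a zone other than wan
#   3 wan zone lacks masq 1       4 wan zone has input ACCEPT
# Usage: vpn_zone_check FILE DEVICE   (FILE may be - for stdin)
vpn_zone_check() {
    awk -v dev="$2" -v q="'" '
        function close_zone() {
            if (inzone && covers) { found = 1; zname = name; zmasq = masq; zin = input }
        }
        { gsub("[\"" q "]", "") }        # strip UCI quoting
        $1 == "config" {
            close_zone()
            inzone = ($2 == "zone"); name = ""; masq = 0; input = ""; covers = 0
            next
        }
        !inzone { next }
        $2 == "name"  { name = $3 }
        $2 == "masq"  { masq = ($3 == "1") }
        $2 == "input" { input = $3 }
        # Accepts list device, list network and the older space-separated
        # option network form.
        $2 == "device" || $2 == "network" {
            for (i = 3; i <= NF; i++) if ($i == dev) covers = 1
        }
        END {
            close_zone()
            if (!found) exit 1
            if (zname != "wan") exit 2
            if (!zmasq) exit 3
            if (zin == "ACCEPT") exit 4
        }' "$1"
}

# Constructed sample of the zone section after step 5.1-b.
sample_firewall() {
    cat <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option masq '1'
    list device 'tun0'
EOF
}
sample_firewall | vpn_zone_check - tun0; echo "zone check exit code: $?"
```

On a router, run it as vpn_zone_check /etc/config/firewall tun0; any non-zero result means the tunnel is either unfiltered or not masqueraded the way the wan zone normally is.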

6. Run a test


Establish the VPN connection. Verify your client traffic is routed via VPN gateway.

6.1. Check your client public IP addresses.

6.2. Make sure there is no DNS leak on the client side.

OpenWrt offers several ways to “start over” with your router.

  • Failsafe Mode is useful if you have lost control of your device, and it has become inaccessible, perhaps through a configuration error. It allows you to reboot the router into a basic operating state, retaining all your packages and (most) settings. (see Failsafe Mode)
  • Factory Reset erases all your packages and settings, returning the router to its initial state after installing OpenWrt. (see Factory Reset)
  • Recovery Mode allows you to install new firmware on a router that has become corrupted. (see Recovery Mode)


Factory Reset depends on completing the boot process. If Factory Reset is not working, try with Failsafe Mode instead.

Failsafe Mode

OpenWrt allows you to boot into a failsafe mode that overrides its current configuration. If your device becomes inaccessible, e.g. after a configuration error, then failsafe mode is there to help you out. When you reboot in failsafe mode, the device starts up in a basic operating state, with a few hard coded defaults, and you can begin to fix the problem manually.

Failsafe mode cannot, however, fix more deeply rooted problems like faulty hardware or a broken kernel. It is similar to a reset, but with failsafe you can access your device and restore settings if desired, whereas a reset would just wipe everything.

Caveat: Failsafe mode is only available if you have installed firmware from a SquashFS image that includes the required read-only root partition. To verify whether your device has the SquashFS root partition, check for “squashfs” either in the OpenWrt image name or perform the following check on your device:

The terminal should return something similar to this:

Entering failsafe mode

Make sure you use a wired connection, since the failsafe will disable your wireless connectivity. Sometimes you need to connect to a specific network port of your router to get connectivity. Try the LAN 1 port first.

On most routers, OpenWrt will blink an LED (usually “Power”) during the boot process after it gets control from the initial bootloader (like u-boot). Early in the boot cycle, OpenWrt checks whether the user wants to enter failsafe mode instead of booting normally. It listens for a button press inside a specific two-second window, which is indicated with LEDs and by transmitting a UDP packet.

To enter failsafe mode, follow one of the procedures listed below:

Recommended for most users: Wait for a flashing LED and press a button. This is usually the easiest method once you figure out the correct moment.

For most users and most devices, the LEDs now (2018) provide sufficient clues as to timing to be able to avoid older recommendations to “press the XXX button as fast as you can until …” for entering failsafe mode.

There are three different (power) LED blinking speeds during boot for most of the routers:

  • A power-on sequence of lights that is specific to the device's bootloader
  • Then a fast 5-per-second blinking rhythm during two seconds, while the router waits for the user to trigger the failsafe mode, typically by a button press
    • A faster, 10-per-second blink if the user pressed a button and failsafe mode was triggered
    • A slower, 2.5-per-second blink continuing to the end of boot, if the failsafe was not triggered and the normal boot continues

Alternate for expert users: Wait (with a packet sniffer) for a special broadcast packet and press a button. The packet will be sent to destination address port UDP 4919. The packet contains the text “Please press button now to enter failsafe”. So for example, in a terminal and using tcpdump, with the router connected to port eth0, you would enter the command

Alternate for expert users with serial connection: Watch for a boot message on the serial console and press a key (“f”) on the serial keyboard. This requires that you have attached a serial cable to the device. The message shown in the console is “Press the [f] key and hit [enter] to enter failsafe mode”.

Usually, it is easiest to watch the LEDs. However, do consult the available documentation for your device, as there is no default button assigned as a reset button and not all procedures work on every device. Whichever trigger you use, the device will enter failsafe mode and you can access the command line with SSH (always possible) or a serial keyboard.


Note that modern OpenWrt always uses SSH, but early OpenWrt releases (15.05 and before) offered a telnet connection in this state but no SSH.

Fixing your settings

Once failsafe mode is triggered, the router will boot with a network address of, usually on the eth0 network interface, with only essential services running. Using SSH or a serial connection, you can then mount the JFFS2 partition with the following command:

After that, you can start looking around and fix what’s broken. The JFFS2 partition will be mounted to /overlay, as under normal operation.

Factory Reset


A factory reset returns your router to the configuration it had just after flashing. This works on any install with a squashfs / overlayfs setup (the norm for most installations), since it is based on erasing and reformatting the overlayfs.

x86 builds (made for PC/Server hardware) with an ext4 read-write rootfs cannot be reset this way.

With a large NOR chip, it can take 3 to 5 minutes for the overlayfs to be formatted in the flash. During this time, changes cannot be saved.

Reset Button

On devices with a physical reset button, OpenWrt can be reset to default settings without serial or SSH access.

  1. Power on the device and wait for the status led to stop flashing (or go into failsafe mode, as described above).
  2. Release the reset button.

The device will do a hard factory reset (see below) and then reboot. This operation can be slow on some devices, so wait a few minutes before connecting again.

Soft Factory Reset

If you want a clean slate, there’s no need to flash again; just enter the following commands. Your device's settings will be reset to defaults like when OpenWrt was first installed.

Issuing “firstboot” or “jffs2reset” command will attempt to delete all files from the jffs2 overlay partition. Note that this “soft reset” is performed with file system actions, so in some cases it is not enough.

Note: If the commands above (all on one line) don't work, try those commands on separate lines in the terminal.

Note: for most routers, “firstboot” actually just issues a “jffs2reset” command, so there is not much difference compared to the “hard reset” advice below.

Note: if you're issuing this command inside a bash script, remember to add the option -y to force firstboot:

Hard Factory Reset

This command will erase and reformat the whole JFFS2 partition and create it again. The key for a real “hard reset” is to unmount the overlay partition first and only then issue the jffs2reset (or firstboot) command:

While in most cases this produces a similar end result to the “soft reset”, it marks the whole flash area of the JFFS2 (read-write) overlay partition as an empty, non-initialised JFFS2 partition. Thus the partition will be re-created at the next mount, usually at the next boot. So, this hard reset bypasses the current file system of the overlay.

Explanation: based on the mount status of the overlay, jffs2reset selects either a file-based delete operation or a partition mark-it-empty action (see jffs2reset.c, blob dbe049881f5, line 43).

Another method to force F2FS reformatting if the above doesn't work:

File access through scp

It's possible to edit and transfer files from the Failsafe mode, by using scp command/protocol from Linux or Mac, or by using WinSCP from Windows.

If you transfer over a sysupgrade image, you can also do a command-line sysupgrade (sysupgrade -n /path/to/file) as normal.

Recovery Mode

If neither Failsafe Mode nor Factory Reset returns control of your router, you can often replace the firmware of your device using one of the procedures described on the Recovery Mode page.
