This is dedicated to the OP @yazdan , @patrickm , and @RuralRoots!
Thanks to @directnupe for Tutorial-1 and Tutorial-2 and Testing Script and Cron Job.
Summary of Scripts Available on This Thread
- yazdan Feb 2, 2023 ~ gen_wg_config.sh: Support adding config files to a zip archive
Utility flag, useful to import the configurations to the android app
New switches and suffixes on the tagged {p2p, virtual, physical} in the config folder for refined selection.
echo " -f force register ignore checking"
echo " -g ignore generating profile files"
echo " -n <name> create a manual named key"
echo " -k <key> use provided private key"
echo " -l list registered manual keys"
echo " -d <key-id> delete registered manual key"
echo " -z [zip-file] zip archive in which to save the config files"
- Bill reIyst update on Feb 7, 2023: Release 1.0.1 Keys.sh
patrickm revised this gist May 17, 2022
Interface 'wg0' Endpoint Swap
This README is dedicated to making a CLI uci install of the WireGuard service and the sswg script, to enable one to swap endpoints easily and quickly. The front-end work is lengthy, mostly reading; yet the outcome is well worth the time, especially since most of the configuration work is uci set. Enjoy!
OpenWrt SurfShark WireGuard ~ SSWG
Install the requirements to run the script:
opkg update && opkg install diffutils curl jq ntpdate
You can install and run the script to obtain the keys within the wg.json file prior to doing the Multi Peer section.
From the reIyst SSWG download the 'sswg.sh' and 'sswg.json' files. If you have WinSCP your day is made easy. SSH into your router via WinSCP/PuTTY and create the folder structure. Copy the two files into the 'wg' directory and make the sswg.sh file executable. ./sswg.sh -g is the first-run command and will produce all connection files with the private keys needed to configure your router and/or to import into WireGuard's© desktop app.
mkdir -p /wg/
# copy sswg.sh and sswg.json into /wg, then:
cd /wg
chmod +x sswg.sh
./sswg.sh -g
Multi (Peer) For Interface named 'wg0'
Install the requirements to use LuCI/uci WireGuard©:
opkg update && opkg install luci-app-wireguard luci-proto-wireguard wireguard-tools
- Reboot your system so the above packages can manifest in LuCI.
Installing without Peer(1) and with multiple peers for uci CLI swapping.
Follow the template: use all of the peers, or at least two, or configure your own within the file. Double-check wan.metric='10' with ip route show default to ensure metric 10 is not already in use; modify accordingly. All public keys are dummies. Until they are replaced with the legitimate public keys from your downloaded client conf files, you will be without Internet access.
cd /
uci set network.wan.metric='10'
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='10.14.0.2/8'
# jq -r prints the raw string, so no eval is needed to strip the JSON quotes
uci set network.wg0.private_key="$(jq -r '.prv' /wg/wg.json)"
uci commit network
uci set network.peerchiu='wireguard_wg0'
uci set network.peerchiu.description=peerchiu
uci set network.peerchiu.public_key=DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00=
uci add_list network.peerchiu.allowed_ips='0.0.0.0/0'
uci add_list network.peerchiu.allowed_ips='::/0'
uci set network.peerchiu.route_allowed_ips='1'
uci set network.peerchiu.endpoint_host=us-chi.prod.surfshark.com
uci set network.peerchiu.endpoint_port='51820'
uci set network.peerchiu.persistent_keepalive='25'
uci commit network
uci set network.peerdalu='wireguard_wg0'
uci set network.peerdalu.description=peerdalu
uci set network.peerdalu.public_key=0iwHQpV+rsOg38ogv4g4XMLJa51YqWY/yKWR9UEUMDk=
uci add_list network.peerdalu.allowed_ips='0.0.0.0/0'
uci add_list network.peerdalu.allowed_ips='::/0'
uci set network.peerdalu.route_allowed_ips='1'
uci set network.peerdalu.endpoint_host=us-dal.prod.surfshark.com
uci set network.peerdalu.endpoint_port='51820'
uci set network.peerdalu.persistent_keepalive='25'
uci commit network
uci set network.peernycu='wireguard_wg0'
uci set network.peernycu.description=peernycu
uci set network.peernycu.public_key=rhuoCmHdyYrh0zW3J0YXZK4aN3It7DD26TXlACuWnwU=
uci add_list network.peernycu.allowed_ips='0.0.0.0/0'
uci add_list network.peernycu.allowed_ips='::/0'
uci set network.peernycu.route_allowed_ips='1'
uci set network.peernycu.endpoint_host=us-nyc.prod.surfshark.com
uci set network.peernycu.endpoint_port='51820'
uci set network.peernycu.persistent_keepalive='25'
uci commit network
uci set network.peerwarp='wireguard_wg0'
uci set network.peerwarp.description=peerwarp
uci set network.peerwarp.public_key=vBa3HK7QXietG64rHRLm085VMS2cAX2paeAaphB/SEU=
uci add_list network.peerwarp.allowed_ips='0.0.0.0/0'
uci add_list network.peerwarp.allowed_ips='::/0'
uci set network.peerwarp.route_allowed_ips='1'
uci set network.peerwarp.endpoint_host=pl-waw.prod.surfshark.com
uci set network.peerwarp.endpoint_port='51820'
uci set network.peerwarp.persistent_keepalive='25'
uci commit network
uci set network.peertorc='wireguard_wg0'
uci set network.peertorc.description=peertorc
uci set network.peertorc.public_key=W9bzkcL3fiV64vDpB4pbrz8QafNn3y5P9Yc/kQvy4TA=
uci add_list network.peertorc.allowed_ips='0.0.0.0/0'
uci add_list network.peertorc.allowed_ips='::/0'
uci set network.peertorc.route_allowed_ips='1'
uci set network.peertorc.endpoint_host=ca-tor.prod.surfshark.com
uci set network.peertorc.endpoint_port='51820'
uci set network.peertorc.persistent_keepalive='25'
uci commit network
/etc/init.d/network restart
To minimize firewall setup, consider the VPN network as public: assign the VPN interface to the WAN zone.
uci add_list firewall.wan.network="wg0"
uci commit firewall
/etc/init.d/firewall restart
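Two of the checks the install above asks for by hand, as an added example that is not code from the README or the sswg project: reading the key out of wg.json without eval and confirming its shape, and testing whether metric 10 is already taken. It assumes the /wg/wg.json layout used above (a .prv field) and the standard output format of ip route show default.

```shell
#!/bin/sh
# Added example, not code from the README or the sswg project: pre-flight
# checks for the uci install above. Replaces the `eval echo $(jq ...)` idiom,
# which hands file contents to the shell for re-evaluation, with `jq -r`
# plus a key format check, and automates the "is metric 10 in use?" test.

# True if $1 is a well-formed WireGuard key: base64 of exactly 32 bytes.
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print field $2 ("prv" or "pub") of wg.json $1 without eval; prints nothing
# and returns non-zero if the field is missing or malformed. Needs jq.
wg_json_key() {
    key=$(jq -r ".$2 // empty" "$1") && wg_key_ok "$key" && printf '%s\n' "$key"
}

# True if a default route in saved `ip route show default` output (file $1)
# already carries metric $2.
metric_in_use() {
    awk -v m="$2" '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "metric" && $(i + 1) == m) found = 1 }
                   END { exit !found }' "$1"
}

# Router-side use (needs jq and ip, so not run here):
#   ip route show default > /tmp/routes.txt
#   metric_in_use /tmp/routes.txt 10 && { echo "metric 10 taken, change wan.metric" >&2; exit 1; }
#   key=$(wg_json_key /wg/wg.json prv) || { echo "bad or missing .prv in wg.json" >&2; exit 1; }
#   uci set network.wg0.private_key="$key"

# Constructed sample route output for off-router runs.
SAMPLE_ROUTES=$(mktemp)
printf 'default via 192.0.2.1 dev eth0 proto static src 192.0.2.10 metric 10\ndefault via 10.14.0.1 dev wg0 proto static metric 20\n' > "$SAMPLE_ROUTES"
metric_in_use "$SAMPLE_ROUTES" 10 && echo "metric 10 is already in use in the sample routes"
```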
Swapping
Uci CLI Peer Swapping
The peer swap is achieved by placing the desired peer config in the last (bottom) position of the /etc/config/network file. The arbitrary high number '99' should suffice to place the desired network peer at the bottom. My personal config has only 15. The resulting change is also shown in the WireGuard Status and Interface Peer pages of LuCI. Simple command, long description.
This works because every peer above claims the same allowed IPs (0.0.0.0/0 and ::/0) and WireGuard's cryptokey routing lets each allowed IP belong to only one peer: the last peer loaded with 0.0.0.0/0 takes it from the others and so owns the default route.
From the above install, Toronto Canada is the last peer installed and will be the default route the wg0 VPN tunnels through. By running the command below, the Warsaw Poland endpoint takes the bottom position and becomes the wg0 VPN tunnel. This is keyed on the section name network.peerwarp, NOT on description=peerwarp! A look at your /etc/config/network file will enlighten your understanding later.
Warsaw
uci reorder network.peerwarp=99;uci commit network;/etc/init.d/network restart
Chicago
uci reorder network.peerchiu=99;uci commit network;/etc/init.d/network restart
Dallas
uci reorder network.peerdalu=99;uci commit network;/etc/init.d/network restart
New York
uci reorder network.peernycu=99;uci commit network;/etc/init.d/network restart
Toronto
uci reorder network.peertorc=99;uci commit network;/etc/init.d/network restart
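One way to turn the swap into a checked operation, as an added example that is not part of the README or the sswg project: the helpers parse the network config and wg show output to confirm which peer really holds the default route. It assumes the section names and dummy keys used above and that wg show wg0 allowed-ips lists displaced peers as "(none)".

```shell
#!/bin/sh
# Added example, not code from the README or the sswg project. WireGuard's
# cryptokey routing gives each allowed IP to exactly one peer, so the last
# peer configured with 0.0.0.0/0 holds the default route; that is why
# `uci reorder network.<peer>=99` swaps the endpoint. These helpers confirm
# which peer really holds it, from the config file and from `wg show`.

# Name of the last wireguard_wg0 section in UCI network config file $1:
# the peer that owns 0.0.0.0/0 after /etc/init.d/network restart.
last_wg0_peer() {
    awk -v q="'" '$1 == "config" && $2 == "wireguard_wg0" { gsub(q, "", $3); last = $3 }
                  END { print last }' "$1"
}

# Public key of peer section $2 in config file $1.
peer_pubkey() {
    awk -v q="'" -v want="$2" '$1 == "config" { gsub(q, "", $3); cur = $3 }
        cur == want && $1 == "option" && $2 == "public_key" { gsub(q, "", $3); print $3 }' "$1"
}

# Public key that currently owns 0.0.0.0/0 in saved `wg show wg0 allowed-ips`
# output (file $1); peers that lost the route are listed as "(none)".
default_route_owner() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "0.0.0.0/0") print $1 }' "$1"
}

# Swap to peer $1 on the router, then check the kernel agrees (needs uci/wg).
swap_peer() {
    [ "$(uci -q get "network.$1")" = "wireguard_wg0" ] || { echo "no such peer: $1" >&2; return 1; }
    uci reorder "network.$1=99" && uci commit network && /etc/init.d/network restart
    wg show wg0 allowed-ips > /tmp/wg0_allowed_ips.txt
    [ "$(default_route_owner /tmp/wg0_allowed_ips.txt)" = "$(uci -q get "network.$1.public_key")" ]
}

# Constructed sample input (dummy keys from the README above) for off-router runs.
SAMPLE_CFG=$(mktemp); SAMPLE_AIP=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
config interface 'wg0'
config wireguard_wg0 'peerwarp'
	option public_key 'vBa3HK7QXietG64rHRLm085VMS2cAX2paeAaphB/SEU='
config wireguard_wg0 'peertorc'
	option public_key 'W9bzkcL3fiV64vDpB4pbrz8QafNn3y5P9Yc/kQvy4TA='
EOF
printf '%s\t(none)\n%s\t0.0.0.0/0 ::/0\n' 'vBa3HK7QXietG64rHRLm085VMS2cAX2paeAaphB/SEU=' 'W9bzkcL3fiV64vDpB4pbrz8QafNn3y5P9Yc/kQvy4TA=' > "$SAMPLE_AIP"
echo "last peer: $(last_wg0_peer "$SAMPLE_CFG"); route owner: $(default_route_owner "$SAMPLE_AIP")"
```

On the router, swap_peer peerwarp reorders the Warsaw peer to the bottom and returns non-zero if the kernel's allowed-ips table does not end up agreeing with the config.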
Common uci commands for introspective users.
ip rule
wg show
ip route show default
ubus call system board; uci export dhcp; uci export network; uci export firewall
Copyright and Attribution of developed software, tool, logo, names are the right of the following entities respectively.
CC Attribution-ShareAlike 4.0 International
© 2022 Copyright Surfshark. All rights reserved.
© Copyright 2015-2022 Jason A. Donenfeld. All Rights Reserved. "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.