Create Surfshark wireguard connection on OpenWrt easily

First...I appreciate all of your hard work.

Second...I am a nube :slight_smile: And would love to assist in clarifying directions by asking some questions.

On step 4, changing the password; would it be the following?
{
"config_folder": "/wg",
"username": "youremail@email.com",
"password": "ThisIsMyPassword!"
}

On Step 6, I imagine you copy and paste after the hash. for instance you would copy and paste exactly the following
"cat << "EOF" >> /etc/crontabs/root"
then
"# Thursday Key Reinstate ## Sunday conf files download and Key Reinstate
#######################################################
15 00 * * 4 /wg/sswg.sh >>/wg/wg.log 2>&1 # standard registration and amend '>>' to log midnight+15min Thurs
15 00 * * 0 /wg/sswg.sh -g >>/wg/wg.log 2>&1 # servers conf files dwl and amend '>>' to log midnight+15min Sunday
#######################################################
EOF"
then
"uci set system.@system[0].cronloglevel="5""
and so on?

On Post 97...I get really lost with the commands on step 3.

Dear Lukeyn,
Hello and I hope that you are well. OK here we go - I will try to help you.
Your e-mail and password for sswg.json are the details which you use to login into your SurfShark account on their website found here below :

Log in to your SurfShark account

these credentials are different from the credentials used when you connect to SurfShark using Manual Method - usually on a router or pfSense where you use OpenVPN Configuration files.

On Step # 6 you enter the entire entry as is into the SSH shell session and hit enter

cat << "EOF" >> /etc/crontabs/root
# Thursday Key Reinstate ## Sunday conf files download and Key Reinstate
#######################################################
15 00 * * 4 /wg/sswg.sh >>/wg/wg.log 2>&1 # standard registration and Redirect standard output to file '>' to log midnight+15min Thurs
15 00 * * 0 /wg/sswg.sh -g >>/wg/wg.log 2>&1 # servers conf files dwl and Append standard output to file '>>' to log midnight+15min Sunday
#######################################################
EOF

If you notice there is a hash mark on all the commands - because I believe that BusyBox is structured that way. So basically you are correct - but I hope that I have set you straight - for instance - all you enter to view the log is cat /wg/wg.log

Lastly

On Post 97...I get really lost with the commands on step 3.

Well - you go into the file which configures your router's firewall - which is

/etc/config/firewall 

You have to edit the file and add the WireGuard Network - for the WG interface which was created
in Step # 2
nano /etc/config/network
where you created WG interface with this below

config interface 'wg0'

To do that is very simple and straightforward -
Open firewall configuration file - # nano /etc/config/firewall

Use nano to go down to the WAN Zone - it is indicated by the following as described in post 97

config zone
        option name 'wan'

You see that all the networks in the WAN Zone are listed - you can tell so because - the entries say

    `list network 'wan'`  and so on

You move option input 'REJECT' down a space
in the new blank space you enter the new WireGuard Network - all you have to do is add wg0 interface
as this is the name of the Network as well

    `list network 'wg0'`

You may have to bone up on nano if you have troubles with the commands - they are very easy to learn

Overview of nano's shortcuts
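The firewall edit described above, done from a script instead of nano, as an added example that is not part of this thread or of sswg.sh. It assumes the stock layout the post shows (a `config zone` section holding `option name 'wan'`), operates on whatever file path you pass (try a copy first; on the router use `/etc/config/firewall` and then `/etc/init.d/firewall reload`), refuses to add the same line twice, and leaves the file untouched when no wan zone is found. The `make_sample_firewall` input is a constructed sample. The same helper adds `option mtu_fix '1'` (MSS clamping), which a later post in this thread found necessary before browsing worked through the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread or from sswg.sh: append a line to the
# 'wan' zone of an OpenWrt /etc/config/firewall file without nano.
# Works for "list network 'wg0'" as well as "option mtu_fix '1'".

# Exit 0 if the wan zone already contains LINE (indentation ignored).
# Usage: wan_zone_has_line FILE LINE
wan_zone_has_line() {
    awk -v want="$2" '
        /^config zone/ { in_wan = 0 }                 # a new zone starts
        /^[ \t]*option name '\''wan'\''/ { in_wan = 1 }
        in_wan { l = $0; sub(/^[ \t]+/, "", l); if (l == want) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert LINE directly after "option name 'wan'" (UCI does not care about
# option order inside a section). Idempotent; returns 1 and leaves FILE
# untouched if there is no wan zone to edit.
# Usage: add_line_to_wan_zone FILE LINE
add_line_to_wan_zone() {
    file="$1"; line="$2"
    wan_zone_has_line "$file" "$line" && return 0
    if awk -v add="$line" '
        { print }
        /^[ \t]*option name '\''wan'\''/ { print "\t" add; done = 1 }
        END { if (!done) exit 1 }
    ' "$file" > "$file.tmp"; then
        mv "$file.tmp" "$file"
    else
        rm -f "$file.tmp"; return 1
    fi
}

# Constructed sample config mirroring the layout quoted in the thread.
make_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option masq '1'
EOF
}

# Stand-alone demo on a temporary copy, never on the live config.
demo() {
    tmp="${TMPDIR:-/tmp}/firewall.sample.$$"
    make_sample_firewall "$tmp"
    add_line_to_wan_zone "$tmp" "list network 'wg0'"
    add_line_to_wan_zone "$tmp" "option mtu_fix '1'"
    add_line_to_wan_zone "$tmp" "list network 'wg0'"   # second call is a no-op
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

If you would rather stay inside the UCI tooling, `uci add_list firewall.@zone[N].network='wg0'` followed by `uci commit firewall` does the same job, but you first have to work out which zone index N is the wan zone; the script above finds it by name.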


It appears you may be using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.



I am using an official version. I get this error when attempting STEP 5.

Problem with your config.json. Very likely your run directory.
Post the output of:

find / -iname config.json

If you are using sswg.sh, the 429 code is telling you that the peer you have configured on your router has called the surfshark api too many times.

Your options are to disable your vpn and try the script again, configure a different peer and try the script again, or wait it out.

This was reported on post #120 and worked into the sswg.sh scripts echo=messages.

Umm, RFC6585

It seems like I'm so close but yet so far. Please help... :frowning:
I'm trying to make it work for 3 days straight to no avail.
In all fairness, I'm somewhat noob in all this.
But here's what I've got so far.
Installed all the reqs.
I got the list of confs. I chose the one I want and followed Post #97 instructions to setup the interface and firewall.
And it seems to connect to wgs.prod.surfshark.com server and exchange packets. But refuses to connect to a second peer which is a country of my choosing (sto.prod.surfshark.com) with allowed IPs of 0.0.0.0/0
And of course, I don't get any internet either.
Would really appreciate someone's help.
And huge thanks to you guys @Bill @directnupe and all the others great individuals in this post (I can only tag 2 unfortunately) for your amazing work!!!

Welcome aboard.
First I'd like to see the output of your log file. Like this!
Run command from terminal copy/paste/execute

cat /wg/wg.log
root@Dachshund:/wg# ./sswg.sh -g
Just a Sec 'ntpdate' sycning clock
Running at Tue Apr 26 20:08:25 EDT 2022
WireGuard keys "/wg/wg.json" already exist
  Using public key: xxXXXlz6nPuI0ITsymy/t7CwkY5qelc6/Ro2amxXXxx=
Logging in...
  HTTP status OK
Registering public key...
  Already registered
  Renewed! (expires: 2022-05-04T00:08:42+00:00)
  Hello World Wide WireGuard©
  Thanks Jason A. Donenfeld
Retrieving servers list...
  HTTP status OK (131 servers downloaded)
  Selecting suitable servers... (98 servers selected)
  Servers list "/wg/surfshark_servers.json" already exists
  Servers changed! Updating servers file
generating config for al-tia.prod.surfshark.com
generating config for au-bne.prod.surfshark.com
## Truncated ##
generating config for us-ltm.prod.surfshark.com
generating config for us-bos.prod.surfshark.com
Done at Tue Apr 26 20:12:50 EDT 2022
Enjoy!
root@Dachshund:/wg#

Mask your keys with an editor.

How can we verify that outgoing traffic is passing the wireguard-tunnel of surfshark?

A couple of spots

  • In ssh ifconfig Look for your wg interface and you’ll see the RX/TX packets.

  • in LuCI/Network/Interfaces

  • in LuCI/Status/WireGuard
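A CLI answer to the same question, as an added example that is not from this thread: instead of eyeballing RX/TX counters in ifconfig, it reads the machine-readable `wg show wg0 dump` output and flags each peer as OK or STALE from the age of its last handshake and its received byte count. The dump it runs on here is a constructed sample with placeholder keys and documentation IP addresses so the script works on a machine without WireGuard; the 180 s default matches WireGuard's own session expiry.

```shell
#!/bin/sh
# Added example (not from this thread): decide from `wg show <iface> dump`
# whether each peer is really carrying traffic. Peer lines are tab separated:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch
# seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.

# Print one status line per peer; exit 0 only if every peer is OK.
# A peer is OK when its last handshake is at most MAX_AGE seconds old and it
# has received bytes. The handshake age is the useful signal: the interface
# stays "up" even after the server side has dropped the key (the expiry /
# 429 situation discussed in this thread), while the handshake quietly fails.
# Usage: check_peers "DUMP_TEXT" NOW_EPOCH [MAX_AGE]
check_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="${3:-180}" '
        NR == 1 { next }                       # interface line, not a peer
        {
            key = substr($1, 1, 8) "..."; hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            age = now - hs
            if (hs == 0)        { state = "STALE (never handshaked)" }
            else if (age > max) { state = "STALE (handshake " age "s ago)" }
            else if (rx == 0)   { state = "STALE (handshake ok, nothing received)" }
            else                { state = "OK" }
            printf "%s endpoint=%s allowed=%s rx=%d tx=%d %s\n", key, $3, $4, rx, tx, state
            if (state != "OK") bad++
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample dump (placeholder keys, documentation IPs). $1 is the
# "current" epoch time the handshake timestamps are computed against.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER=\tPUBKEY_PLACEHOLDER=\t51820\toff\n'
    # peer 1: handshake 42 s ago, bytes in both directions -> OK
    printf 'PEER1_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t%d\t184532\t96211\toff\n' $(($1 - 42))
    # peer 2: last handshake two hours ago, nothing received -> STALE
    printf 'PEER2_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.7:51820\t10.0.0.0/8\t%d\t0\t1480\t25\n' $(($1 - 7200))
}

# Stand-alone demo on the constructed sample. On the router itself run:
#   check_peers "$(wg show wg0 dump)" "$(date +%s)"
demo() {
    now=1651000000
    check_peers "$(sample_dump "$now")" "$now" || echo "at least one peer is not carrying traffic"
}
demo
```

Pair this with `ip route get 1.1.1.1` on the router: if the reply does not name `wg0` as the outgoing device, traffic is leaving via the WAN regardless of how healthy the peer looks.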

@Bill So weird. Today I looked in the config directory and there was no log file. So I removed everything and again ran your sswg script. It didn't produce any config files. Only keys + registration with SurfShark.
Then I thought your script doesn't produce configs (which later I read It should).
So I ran yazdan's script (using keys generated and registered by your script).
Then I created interface and firewall rules + added DNS in DHCP and DNS in luci.
And VOILA I see globe turn into "internet access". It connected to the peers. BUT even though it showed "Internet Access" I couldn't browse anything.
So I started browsing google on a different machine and found out that MSS clamping should be enabled. Now I have internet access through SurfShark. BUUUUUT!!! I run speedtest and speed is only 44mbit for some reason!!!... Cut down 10x from my original 400mbit.
But it might be just my router. I've read in docs for Openwrt for my router (wd n750) that WAN->LAN has software limitations where's it is limited to 100mbit. Even though my wireless supports 450mbit and all ports are Gigabit. I thought maybe with wireguard it'll somehow magically bypass this limitation :stuck_out_tongue: but guess not. Still even 100mbit would be better than 44.
I guess it'll suffice for now until I get access to a better router. :slight_smile:

P.S. there was still no log file. Maybe I should've added some code like "> wg.log" or something.

No I should have been clear.

The cron job automatically calls for the logging. I should have stated that to produce a file wg.log in the directory you should run.

/wg/sswg.sh -g >>/wg/wg.log

Remember

  • sswg.sh -g grabs the conf files.

  • sswg.sh just renews the keys.

  • Having a wg.json file is now something to covet and renew!

Running the script via your favorite terminal ssh you could have copied and pasted the output of the job also, which is what you see in my first post.

The good news is you managed to figure out how to get inet up. After other's jump in and provide further suggestions you may get it tweaked to your satisfaction.

Welcome aboard and I wish you well.

You can’t transfer more than a maximum 100Mbps. Run your speedtest with WG disabled and then run it again with WG enabled to get a better picture.

FWIW, @yazdan script(s) have never failed me once configured properly. My SS PubKey has been successfully updated daily since Dec. 21, 2021. The only thing I have added was 5 lines of code to allow logging PubKey refresh, a syslog entry on refresh, and a daily email sent to my gmail account. I’ve issued a PR to @yazdan asking to merge that into his script.

Edit: PR merged.


Sweet to see your work attributed.

^^ Is misleadingly quoted.

The SSWG Script which Bill and Paul have forks for - will one or both of you update your Projects / Scripts to include the 5 ( five ) lines of code which Paul refers to in his post above. The PR which has been merged. BTW, just because I am a bit confused - if I may ask - Paul - what script do you have set up / run on your router?
Peace To All
:v:

Hello directnupe. I have always used @yazdan scripts with my additions.

3 of the lines of code you refer to relate to the WG AUTHENTICATION KEY UPDATE and syslog logread -e SSWG when wg auth key refresh successfully updates. You see this on the CLI when you run the script, or redirect the output to a log file.

This code has now been merged into @yazdan repository so our two scripts are now synced.

The other two lines of code were not part of the PR and exist only on my local repository. It lets me send a daily update to my gmail address with the same information.

Thanks - @RurlRoots I appreciate the information. Regarding this below :

The other two lines of code were not part of the PR and exist only on my local repository. It lets me send a daily update to my gmail address with the same information.

Is there anyway that I can modify the SSWG SCRIPT so that I can have a daily update sent to an email address of my own ? Just asking - not a deal breaker - and as always thank you for being so helpful and instructive.

That would be a question for @Bill. I’m not fully versed in his code to answer either way.

It also requires the msmtp package installed & configured to work with your mail provider. Here is a link to the configuration docs:


Thanks for your redirect. I have no desire to involve Google SMTP in sswg.sh's code.

I'm sincerely happy that @yazdan is updating the thread's topical script, and that your issue 2 was compiled into PR12.
