Create Surfshark wireguard connection on OpenWrt easily

Hello directnupe. I have always used @yazdan scripts with my additions.

3 of the lines of code you refer to relate to the WG AUTHENTICATION KEY UPDATE and syslog logread -e SSWG when wg auth key refresh successfully updates. You see this on the CLI when you run the script, or redirect the output to a log file.

This code has now been merged into @yazdan repository so our two scripts are now synced.

The other two lines of code was not part of the PR and exists only on my local repository. It lets me send a daily update to my gmail address with same information.

Thanks - @RurlRoots I appreciate the information. Regarding this below :

The other two lines of code was not part of the 
PR and exists only on my local repository. 
It lets me send a daily update to my gmail address 
with same information.

Is there anyway that I can modify the SSWG SCRIPT so that I can have a daily update sent to an email address of my own ? Just asking - not a deal breaker - and as always thank you for being so helpful and instructive.

That would be a question for @Bill. I’m not fully versed in his code to answer either way.

It also requires the msmtp package installed & configured to work with your mail provider. Here is a link to the configuration docs:

1 Like

Thanks for your redirect. I have no desire to involve Google SMTP in's code.

I'm sincerely happy that @yazdan is updating the threads topical script, and that your issue 2 was compiled into PR12.

1 Like


Google requires auth now or rejects.

Either way, it’s out of scope for @yazdan script as well and ergo not included in the PR. Anybody that can set up msmtp and successfully send/receive to their desired SMTP account via CLI should be able to attach the log as message body.

1 Like


And your additions were an eye opener for me even before I joined, I had added the lines to the base @yazdan script and enjoyed the foresight provided. Having logs to the System Log and a well thought out Cron Job, you provided the basis for my attempt to evolving @patrickm script prior to creating a GitHub account; which is my way of apologizing for 'Jumping the Shark' on the account of other's hard earned creds and work.


We have in the community users posting all sorts of ideas, queries and suggestions, and a great movement to think outside the box. Desire is everything. Ideas are born from it and results are paved by it.

Another form of notification is not desired as the work is done, logged, and enjoyed.

1 Like

What DNS did you add? I'm connected to surf shark but cannot browse

I use Stubby for DNS on the router. Going by the guide, it relies on
CloudFlare Inc. servers.

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server ''
	option noresolv '1'
	option dnssec '1'
	option domainneeded '1'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

If you had no issue with DNS resolution before adding a WG tunnel, it isn’t the problem.

Do both peers handshake, or does peer2 fail?

Try wg show. It will give you configuration and device info. Peer1 will always handshake. If Peer2 doesn’t handshake, check your pub/priv keys in the config.

The problem existed in the firewall settings. I have thus made the change and it works now. Only thing is that now although I am using US-MIA ..... from Surfhsark files, I cannot use the freevee app. Any suggestions?

Never mind. Got it.

Can you explain the “freevee app”?

Most streaming services disallow use over vpn.

You can use vpn-policy-routing to individually route specific devices on your network to use the alternate route via wan instead of the default route via tun.
Here’s the docs. You can find it in opkg.

freevee or formally called IMDB. Its an app that lets you view free US tv content.

You're bypassing geo restrictions it seems.

You might try changing the DNS servers.

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns=''
uci add_list network.wan.dns=''
uci commit

I'm using unbound DNS over TLS. Would me adding this cause any issues

Sorry, I don’t use unbound, but by design it will point your dns to a US based opendns server and override your encrypted resolver.

I copied the configuration into my gl-inet wireguard client to test and it isn't getting online at all.

What variant are you using, yazdan’s package or the other 2 packages mentioned in the thread?

If you feel compelled to investigate, the first question from Paul @ruralroots is just as important as the configurations you can provide by ssh command executed and copied into preformatted text.

ubus call system board; uci export dhcp; uci export network; uci export firewall

You leave so much to be assumed; however, I will offer this.

I have a valid Surfshark account, my firewall is good, my DNS is good, my device is supported, my Wireguard install on said device is unchanged since 4/15/2022.
However!! Thursday was a bad day for the WireGuard Client app on my pc.
Log shows, and results were no connection out. By Friday morning it was back to normal without me changing anything.

4 unique peers were all not handshaking over the course hours. With the Wireguard App on PC, I can assign the Surfshark DNS servers exactly as assinged from say the Surfshark OpenVPN .ovpn connection. And to that point OpenVPN to Surfshark worked where Wireguard did not for this period of time below.

2022-06-23 14:47:19.413694: [MGR] [] Trying again to stop zombie tunnel
2022-06-23 16:00:41.575181: [MGR] [] Trying again to stop zombie tunnel
2022-06-23 17:01:37.582344: [MGR] [] Trying again to stop zombie tunnel
2022-06-23 17:10:21.627157: [MGR] [] Trying again to stop zombie tunnel
2022-06-23 17:11:03.165115: [MGR] [] Trying again to stop zombie tunnel
2022-06-24 09:43:08.220643: [MGR] [] Trying again to stop zombie tunnel ```


I cannot find some conf files for wireguard i.e. they are not returned via the API call.


Am I missing something on my side, could someone please help ?

These are only ones returned in my conf folder:

Where did you see