Create Surfshark wireguard connection on OpenWrt easily

Yes with some more tinkering I made it work. Also put some improvements in the script but it's not finished yet :D. It seems there are some quirks like when you get a new token and immediately register a pubkey it doesn't work. Also if you register the key again you get empty response. I'm not sure if all servers are suitable or how the selection is supposed to work? But i can generate configs, and manually configure my wireguard interface.

I'm not sure about writing uci commands. I don't fully understand wireguard and VPNs in general, so would you create a peer for all remote hosts? And then use routing etc to divide traffic over different peers? Or would each connection use a random peer? Also why do you generate a peer for with a static pub key?

Not sure if it is worth fully automating, i will monitor it for a while and check how often servers change.

You have to remember that this is the API that is handling/interacting with all the various apps/platforms that SS provides a WG option. They tend to be transitory by their nature. It’s not intended to support/allow us to use a manual WG interface on our routers that at this point they don’t support. Them’s the quirks you come across as you’ve found.

Your Authentication Token token.json only has a limited lifespan (about 30 minutes~).

That’s why the -g switch gives you an unauthorized response beyond that until you get a new token.json using the -f -g switch.

So, bottom line - run once daily with -f -g switch, run once more within that ~30 minute window with just the -g switch to confirm the update.

SS has promised to give us a WG manual install for routers first quarter of 2022. I’ll believe it when I see it, but at the moment, this script works exceptionally well for me.

1 Like

Dear RuralRoots,
Hello and I hope that you are well. I took my first crack at setting up the script as you were kind enough to outline in your previous post / instructions. I ran across a few speed bumps. I think I went off course here -

You might also want to add a code snippet to the .sh script from 
an issue I posted on
regarding added verbosity. It helps to verify your current update 
SSWG validation timespan.

Q1 -Would you please indicate where to add the snippet in the script - you know - on which line ?

I just caught this - I did not change :

config.json entry "config_folder": ".", dot to the full path 
of your install folder ie. /mnt/shared/wgapi

I will correct this - I used install folder /mnt/shared/wgapi as I used exroot on usb just as you do in your directions

Q2 - Lastly - how do I get to this point below on the shell command prompt ?

~/mnt/shared/wgapi# cat wg.log

I can't cd to this point - once again I am an advanced novice at best - please bear with me


I will fix the folder full path error and hopefully hear from you regarding the other matters.

Thanks in your assistance - and hopefully I am getting closer to the top of the hill

Add code snippet to after line 122

cd /mnt/shared/wgapi

Change /mnt/shared/wgapi anywhere you see it in my instructions to wherever on your overlay you placed the

Replace the . to the same value.

~/mnt/shared/wgapi was just an example I used because that is where I placed my folder.

Dear RuralRoots,
Thanks -

are the snippet ( s ) - I was unable to see / find which your post you reference regarding

a code snippet to the .sh script from an issue I posted 
regarding added verbosity.

I assiduously and diligently searched for your post to no avail - should I add ( after line 122 )

-v   /  -g  /  -f 

I believe that  -v  is the only one I need  - am I correct ? - 
or is something else totally different required ?

I created my install folder as below

mkdir -p /mnt/shared/wgapi/

and my log file as below

mkdir -p /mnt/shared/wgapi/wg.log/

I corrected my config.json entry "config_folder": ".", dot to the full path to below :

    "config_folder": "/mnt/shared/wgapi/",

Finally given all the information above - should I just

cd /mnt/shared/wgapi

and from there

cat /wg.log

Thanks My Brother for the guidance

PS - Are You Referring to your fork ?

With regards to the code snippet to the .sh script ?

I found your fork and issue your raised here

added this code snippet to after line 122

        echo "TODAYS DATE"              # Display Run Date
        echo ""${now}""                 # and Time
        echo ""                         #
        echo "KEYS EXPIRE ON:"          # Display Authentication Token
        echo "${expire_date}"           # Expiry Date and Time
        logger -t SSWG "RUN DATE:${now}   KEYS EXPIRE ON: ${expire_date}"       # Log Status Information

You can remove the log file. It is set up in the crontabs/root entries.

You won't find any logs until the cron jobs run. You can copy the cron entries:
/mnt/shared/wgapi/ -f -g >/mnt/shared/wgapi/wg-f.log 2>&1
/mnt/shared/wgapi/ -g >>/mnt/shared/wgapi/wg-g.log 2>&1
run each seperately 5 minutes apart and you should see the 2 logs populate.

Should I just use your forked script here :

That would seem to just add the snippet as it is found natively in your script

I found your issue here

Thanks for all your help

Yes, you can do that. The credit goes to @yazdan though.

You will still need the cron entries as well.

Thanks - my man - I appreciate your modesty - and yes @yazdan deserves the credit for being the founder and innovator - like Henry Ford - but we have to give Elon Musk - some credit for Tesla as well
Moreover, I want to thank you greatly for your patience, kindness - and tutelage in assisting me in order to get this up and running.
God Bless You and Your Friends and Family -

Thank you one more again

Getting this error in your fork and when I add snippet to @yazdan script

parse error: Invalid numeric literal at line 1, column 42

cat | head -n20

I am going to do a fresh OpenWRT install hnyman Build for Netgear R7800
maybe I mucked up everything on this router

Q1 - Should I use @yazdan script for initial install / and then replace @yazdan script with yours for
automated cron job ?

I ask because I have never had issue with @yazdan script - this is why I will do fresh install.
Anyway - thanks for all your assistance

This is an error from jq that parses your config.json. So there is a misconfiguration of your config.json following the change to your full path to the script.

I diff’d the repo and my local copy that runs here and they are identical.

There is no need to re-flash.

Post the cd command that gets you to your


What do you use as an editor? vi, nano, a windows editor.

I would strongly suggest using “nano” to edit config files.

If you count characters including spaces from the start of your config.json you’ll see the point at which jq parse fails.

parse error: Invalid numeric literal at line 1, column 42

I suggest you copy the config.json.sample from the repo and use nano to re-edit it.

1 Like

Dear RuralRoots,
I did as you suggested - thanks for that I got your fork's to run / install properly
using this command ./ - I got

Loggin in if needed ...
Getting the list of servers ...
Selecting servers ...
Generating keys ...
Checking pubkey ...
Unauthorized. Please run again

running - ./ -f everything completed successfully

Loggin in if needed ...
Getting the list of servers ...
servers list already exist
Selecting servers ...
Generating keys ...
wg keys already exist
Registring pubkey ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   102    0    44  100    58    165    218 --:--:-- --:--:-- --:--:--   387
Generating profiles...
generating config for

The issue may have been not configuring config.json.sample properly
as you suggested using nano.

Regarding the cron job - for my install folder - I am using as seen below

mkdir -p /root/wgapi/

So - would the correct / appropriate cron job ( s ) be as below :
After I mkdir wg.log in my install folder - i.e. - /root/wgapi

0 0 * * * now=$(date) ; echo "$now Start of Day - wg.log" >/root/wgapi/wg.log 2>&1  ## clear wg.log daily @ 00:00
5 00 * * * /root/wgapi/ -f -g >>/root/wgapi/wg.log 2>&1 ## force registration daily @00:05
10 00 * * */root/wgapi/wgapi/ -g >>/root/wgapi/wgapi/wg.log 2>&1 ## run once daily @00:10 after force

No. remove the /root/wgapi/ folder.

./ "means current working directory" ie. when you cd /mnt/shared/wgapi ./ simply means run from here.

The cron needs to know the Full Path to know where the script is located. Ergo, /mnt/shared/wgapi/. So use the cron entries I posted verbatim.

I keep encountering this last issue. Seems that I don't know how to create /mnt/shared directory.
When creating my usb exroot - I put /dev/sda1
Mount point = / ( root ) - should it be mount point = overlay instead ?
I Googled /mnt/shared - and I got cifs - windows - samba - basically information about file sharing. My setup is not that elaborate or sophisticated.
Is there an installation directory that I can use which is less complex to use for the cron job ?
Maybe something like -

mkdir -p /mnt/opt/wgapi

I successfully run AdguardHome on / from this directory on my current setup

Anyway - no matter the outcome of this attempt to get this working; I wish to thank you to the Nth degree for sticking with me - through all my fumbling, stumbling and ignorance. I am not ashamed that there are many things that I simply don't know. I try to the best of my ability to find the answers on my own ( in part - not to become a perpetual giant PITA ) ; however, there are times where I still remain in the dark - and have to reach out in order to led into the light.
Thanks RuralRoots - hopefully - this will be it on this topic.

PS - If you do suggest an alternate installation folder / directory - if you would include an illustration of the correct corresponding cron job I would appreciate it -

Yes, I was curious about that when you were talking overlay.

I’m not up on, but I’ll get back to you to work it out.

The cron was just a way to set and forget and the log was just to check key update because there wasn’t any visibility.

You can still run this once a day to update. /mnt/shared/wgapi/ -f -g
Wait a few minutes and run /mnt/shared/wgapi/ -g

find / -iname Should return path.