I keep encountering this last issue. Seems that I don't know how to create /mnt/shared directory.
When creating my usb exroot - I put /dev/sda1
Mount point = / ( root ) - should it be mount point = overlay instead ?
I Googled /mnt/shared - and I got cifs - windows - samba - basically information about file sharing. My setup is not that elaborate or sophisticated.
Is there an installation directory that I can use which is less complex to use for the cron job ?
Maybe something like -
mkdir -p /mnt/opt/wgapi
I successfully run AdguardHome on / from this directory on my current setup
Anyway - no matter the outcome of this attempt to get this working; I wish to thank you to the Nth degree for sticking with me - through all my fumbling, stumbling and ignorance. I am not ashamed that there are many things that I simply don't know. I try to the best of my ability to find the answers on my own ( in part - not to become a perpetual giant PITA ) ; however, there are times where I still remain in the dark - and have to reach out in order to be led into the light.
Thanks RuralRoots - hopefully - this will be it on this topic.
PS - If you do suggest an alternate installation folder / directory - if you would include an illustration of the correct corresponding cron job I would appreciate it -
Thanks, I will run that command and report back shortly. I am truly amazed by your knowledge and expertise. Thank you so very much for pointing me in the right directions - and most of all for your patience. I am a retired HS English Teacher - and this was not always among my best qualities. So, I especially appreciate and respect the courtesy and kindness you have shown throughout my struggles here. Hopefully, others will benefit from - the " all's well that ends well " culmination of our interchanges.
Here's my current version of the script: https://gist.github.com/trickapm/deaeffea9a45e1a6e28468b52f726c42
Still fine tuning, but it works well for public key registration, renewal and retrieving SurfShark server configs (which seem to be updated every 30 mins or so). Next step is generating/updating OpenWRT configuration; still not sure if there's any benefit in having multiple peers. Maybe config.json should be extended with a 'preferred server' so only one is selected? Also you could do some neat filtering based on current load and other properties in the surfshark json response, but I really need to brush up on my jq skills for that...
From the dummy file below: go to the very bottom of this file and add the following:
The keys and addresses used here are fictional and used only for illustrative purposes.
Set the server's network configuration by editing /etc/config/network to include the following parts.
In the default install folder ( /wg/ ), after running the script ( sswg.sh ), you will find the SurfShark WireGuard configuration files in the conf directory. In this example I am using us-ash.prod.conf - you can read the file by running # cat us-ash.prod.conf while in the conf directory. All configuration files are in the /wg/conf directory - my file used here is
1) Set the WireGuard server's network configuration by editing /etc/config/network to include the following parts.
2) Open the file: nano /etc/config/network - and go to the very bottom of the file
Here is how you configure the SurfShark WireGuard Interface and Two Peers
The Information is found in the example directly above.
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q='
    list addresses '10.16.1.7/8'
    option mtu '1350'
    option dns '188.8.131.52 184.108.40.206'

# Each peer lives in its own 'wireguard_wg0' section (the section name is 'wireguard_' followed by the interface name)
config wireguard_wg0
    option public_key '/llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM='
    option route_allowed_ips '1'
    list allowed_ips '172.18.0.40/32'
    option persistent_keepalive '25'
    option description 'WG_1'
    option endpoint_host 'wgs.prod.surfshark.com'
    option endpoint_port '51820'

config wireguard_wg0
    option public_key 'cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk='
    list allowed_ips '0.0.0.0/0'
    option persistent_keepalive '25'
    option description 'WG_2'
    option route_allowed_ips '1'
    option endpoint_host 'us-ash.prod.surfshark.com'
    option endpoint_port '51820'
Save and Exit
3) Configure the OpenWRT firewall for your Surfshark WireGuard client:
Special thanks to trendy ( from the OpenWRT Forum ) for helping me with this elegant solution.
The simplest, most effective and efficient method to set up your firewall for Surfshark WireGuard is to add the 'wg0' network to the wan zone in the /etc/config/firewall configuration file.
Edit /etc/config/firewall file and add the 'wg0' network as follows:
Open the file: nano /etc/config/firewall
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    # The next line is the one you need to add - and you are done
    list network 'wg0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
Save and Exit
Then issue from the command line Step 4 below:
4) Apply changes
# wg show ## in order to check the connection and data transfer rates
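The transcription from a SurfShark .conf file into /etc/config/network is done by hand above; this added example (not code from the thread or from any of the linked scripts) does the same translation mechanically, which is also the "generating OpenWRT configuration" step patrickm mentions as his next one. It assumes the standard WireGuard .conf layout ([Interface]/[Peer] with Key = Value lines) and uses fictional keys and addresses like the thread's; it prints uci commands rather than running them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread or the scripts it links: turn a WireGuard
# .conf (e.g. SurfShark's us-ash.prod.conf) into the uci commands for an OpenWrt
# interface (wg0 here). Prints the commands only; review, then pipe into sh.

# Constructed sample conf; keys and addresses are fictional, as in the thread.
SAMPLE_CONF='[Interface]
PrivateKey = foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
Address = 10.16.1.7/8
DNS = 188.8.131.52, 184.108.40.206

[Peer]
PublicKey = cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
AllowedIPs = 0.0.0.0/0
Endpoint = us-ash.prod.surfshark.com:51820
PersistentKeepalive = 25'

# wgconf_to_uci IFNAME  (conf on stdin, uci commands on stdout)
wgconf_to_uci() {
  awk -v ifn="$1" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function q(s)    { return "\047" s "\047" }   # single-quote a uci value
    /^\[Interface\]/ { sec = "if"; printf "uci set network.%s=interface\n", ifn
                       printf "uci set network.%s.proto=wireguard\n", ifn; next }
    /^\[Peer\]/      { sec = "peer"; n++; p = "peer" n
                       printf "uci set network.%s=wireguard_%s\n", p, ifn
                       printf "uci set network.%s.route_allowed_ips=1\n", p; next }
    /^[ \t]*(#|$)/   { next }                       # comments and blank lines
    {
      eq = index($0, "="); if (!eq) next           # base64 keys end in "=": split on the first "=" only
      key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
      if (sec == "if") {
        if (key == "PrivateKey") printf "uci set network.%s.private_key=%s\n", ifn, q(val)
        else if (key == "DNS")   { gsub(/,[ \t]*/, " ", val); printf "uci set network.%s.dns=%s\n", ifn, q(val) }
        else if (key == "Address") { m = split(val, a, /,[ \t]*/)
          for (i = 1; i <= m; i++) printf "uci add_list network.%s.addresses=%s\n", ifn, q(a[i]) }
      } else if (sec == "peer") {
        if (key == "PublicKey") printf "uci set network.%s.public_key=%s\n", p, q(val)
        else if (key == "PersistentKeepalive") printf "uci set network.%s.persistent_keepalive=%s\n", p, q(val)
        else if (key == "AllowedIPs") { m = split(val, a, /,[ \t]*/)
          for (i = 1; i <= m; i++) printf "uci add_list network.%s.allowed_ips=%s\n", p, q(a[i]) }
        else if (key == "Endpoint") { host = val; sub(/:[0-9]+$/, "", host); port = val; sub(/.*:/, "", port)
          printf "uci set network.%s.endpoint_host=%s\nuci set network.%s.endpoint_port=%s\n", p, q(host), p, q(port) }
      }
    }
    END { print "uci commit network" }'
}

printf '%s\n' "$SAMPLE_CONF" | wgconf_to_uci wg0
```

Each [Peer] block becomes its own wireguard_wg0 section, so a conf with several peers produces several peer sections, as in the two-peer configuration above.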
Thanks for the script - should a cron job be set up with this script? BTW - your script registered / renewed keys just fine. Ran into a bit of an issue as it did not generate / retrieve SurfShark server configs.
I ran both of the commands below :
gen_wg_config.sh and gen_wg_config.sh -f
Neither command produced the SurfShark server configs, but both registered the public key - and generated both wg.json and the token.json. Just reporting back
Any information about possible necessity of cron job - and information as to how to properly use your script will be greatly appreciated.
What is the reason for adding a peer for wgs.prod.surfshark.com? I didn't do that and it seems to work fine for me, but I've seen this in RuralRoots' script as well. No idea if it has any purpose?
How do you guys take care of not leaking DNS requests? I think I need to setup a split DNS, so eligible clients on my LAN resolve remote hosts over VPN without losing access to local DNS.
Without any arguments my version of the script just registers or renews the public key. It's valid for 7 days; I've not yet confirmed the connection actually breaks if you don't renew in time. If it does you should run it in a cronjob at least once per week I guess. But my goal is to update the OpenWRT wireguard config in place, run it maybe every ~6 hours to check for config changes, run it automatically when the connection goes down etc.
For now to generate conf for all servers (which takes a while and you likely just need one), in my version of the script, run it with -g parameter.
Log into your router: CHECK your "WG_IF "interface" doublechecking the copy/paste wiz/bang you did from the clean install of "Client". Look at your keys.
Now use your terminal to ssh into your router. I use WinSCP because Windows grants the cheat to visualize this and eventually make directories, files, text edits; without wondering what vi or nano keyboard commands are for text editing. ¯\_(ツ)_/¯ winking @ Paul again for weeks now ¯\_(ツ)_/¯
Try looking in /root.. Once you find the keys from vanilla's install step 2:
It's time to decide where you're going to run your awesome RuralRoots Cron job from and... AND, edit that location into the "gen_wg_config.sh" file. Yup you heard me right Paul...Awesome! Speaking of Awesome don't neglect to get the code snippet he's posted. This code makes life fun!
My example is shown in the pics.. and crontab job below.. I buried yazdan's files in /etc/config/wireguard/ Notice line 26 of the current Git sh.
I've edited the gen_wg_config.sh file and left the config.json with only my user/pass.. that darnblamfrigglefracking lost cause "config_folder": "." thingy can stay "." OK! BECAUSE we are going to tell json to go to hello world with line 26 of the gen_wg_config.sh file. Why? because the Professor asked a good question. If you run this from Putty anywhere, Crontab defaults to /root, or six folders deep in WinSCP's Console: config.json errors are a bygone problem.
And make it happen your style. This means moving your files to a folder of your making and align it to placeholders in gen_wg_config.sh line 26, and Crontab.
BTW.. I've camped on this page for about 6 weeks now reading up/down/sideways/over/beyond, so apologies since I've given y'all nicknames to your avatars. Professor aka directnupe, you've been pleasantly persistent asking the hard questions. By that I mean humble yet succinct. Paul aka RuralRoots. Bless you for making us think and learn and strive. I hope yazdan lives to plug your verbose mods.
If you're a smart feller, edit the crontab below to align with the directory you placed yazdan's edited files.. If you're a *art smeller and copied my example.. it's simply copy/paste from here.
cat << "EOF" >> /etc/crontabs/root
# Periodically reinstate Key duration
05 00 * * * /etc/config/wireguard/gen_wg_config.sh -f -g >/etc/config/wireguard/wg-f.log 2>&1 # force registration and print to log midnight+5min
10 00 * * * /etc/config/wireguard/gen_wg_config.sh -g >/etc/config/wireguard/wg-g.log 2>&1 # after force and print to log.
05 12 * * * /etc/config/wireguard/gen_wg_config.sh -f -g >/etc/config/wireguard/wg-f.log 2>&1 # force registration and print to log noon+5min
10 12 * * * /etc/config/wireguard/gen_wg_config.sh -g >/etc/config/wireguard/wg-g.log 2>&1 # after force and print to log.
EOF
# Cron log level (anonymous system section, hence the [0] index)
uci set system.@system[0].cronloglevel="5"
uci commit system
Good Luck All
I trust one pic is enough for newbies of any age: Born Limited.
The actual server configs seldom change. I haven’t regenerated the 5 I employ round-robin here since day one. I think you’ll find the contents of the json response as you alluded to in your reference to some neat filtering . . . is the primary reason for the regular updates.
Nor do I. Considering it only listens to a single ip (/32) I just considered it part of the api’s authentication mechanism. Have you tried removing Peer 1 ?
DNS leaks? If you haven’t changed your upstream resolver . . . ?
Hey Patrickm. I'm intrigued by the work of your script. Some things I really like and one maybe two things I don't understand.
Like the echo you use to show potential errors. Since I run your script to a log >>/etc/config/wireguard/wg-g.log 2>&1 I can see the work accomplished. I like that it can run with a -g argument. Spent the good portion of last night testing this by deleting all files just to watch it work. This brings me to my quandary/question/confusion.
Was the writing of this script's intent not to populate private keys for every server downloaded, and why does it not write the client configs to the conf folder?
Question to the Round Robin; is that a unique Wireguard VPN Interface per config file?
Also since you have linked stangri or actually Melmac site, do you employ this addon as well?
Thanks for your insights.
I'm going to need a primer on this.. I just logged into my router and pasted that into putty and oops! I get the -ash can't open ...
Not really sure what to do and what I expected to see. When the shell barks back like that, I feel kinda dumb. Was that your plan? lol
So... from /etc/config/wireguard Or /etc/config/wireguard/conf where the Server/Client files download?
Also do I use the file name of the conf-file as "pl-waw.prod.json"
EDIT: My bad!
My eyes are shot from tinkering with @patrickm script. I deleted so much from my run directory that I didn't see what was right in front of me.
His mangled/sniffed/ script dropped a lot of curl and used more jq, and the output of the surf_servers.json file is replaced with surfshark_servers.json in the exact same format as your cat command. Much easier to read.. but what do I gain from examining this json file?
Brain Dump! Feel free to share a cool link because I'll read it.
Thanks again for stretching my limits.