after some debugging @yazdan script working fine for me,
the issue is when validating the public key to the api https://api.surfshark.com/v1/account/users/public-keys/validate, the response is empty or bad request (only on the first time the script run) like @usernameTaken said, so the wg_reg_pubkey function not called.
you can force the register function by adding register=1 after the config_file variable at the top of file, and commenting the check public key at this line using # at the start line.
Much thanks to @usernameTaken and all the others who have helped with
me being able to get SurfShark WireGuard Connection on OpenWRT using @yazdan script.
@oanqa has helped everyone with his straightforward approach to registering the public key. I have not tried it but it certainly looks promising.
I followed @usernameTaken instructions. Just a few points if you decide to go that route.
Bearer Token Authentication value is found under user entry when you go through - there will be " me " there - and If you are using Charles Proxy, then right click on this URL and "Copy cURL request".
Paste it into a text editor. as @usernameTaken instructed.
I've been trying to get this to work for days now, i can't figure it out
I've done as suggested by @usernameTaken@oanqa and @directnupe
I've added register=1 and commented out #wg_reg_pubkey and #wg_check_pubkey
I'm getting public and private keys generated, both in my wg.json and in all my conf files.
I'm setting the interface up in Luci, following these pictures as yazdan linked earlier:
If i check my wireguard status in Luci, my first peer is connected and there was a handshake, but the second peer never connects.
The token.json you get from the SS server contains an expiry date that seems to point to failure.
Add the verbose -v switch to the curl statement in the wg_check_pubkey() function.
Add echo ""${now}" '<' "${expire_date}"" after the line: if [ "${now}" '<' "${expire_date}" ] in the same function.
Don't remove any generated files, leave them alone - config.json, wg.json, surf_servers.json, selected_servers.json, token.json
Run the script. You will get a response from the curl POST (what got sent and the response status). The echo statement will return the ISO-8601 dateSPECseconds < and the expiry date from the token.json file. Let me know if the curl output indicates any failure, and the expiry date ouput you see.
If you face the validate 400 bad request problem (No need to register pubkey appears in output console) you don't have to do any sniffing and no cookie is needed, just run the registration command to send pubKey as follows (and no validation command needed)
XXXXXX = The token tag value in token.json generated (pay attention to do not copy the renewToken tag as well by copy-paste) YYYYYY = The pub tag value in wg.json generated
Do not execute this command from the router but directly from pc shell (linux or Mac). if the output looks like below the previously created configuration files will works (note that the expiration date is one year)
created configuration files appears with key=value format. In my case (GL.iNet router) I had to add spaces between = to make it work
for the password some special characters create problems (es: $). I had to force it with backslash ahead directly into the code, in the config it didn't work
Curious, I’ve been running this via SSH from a usb drive partition on the router without issue successfully using somewhat similar logic
Umm, It looks more like the same range I get 7 days to expiration
What is interesting to me is that the API has a mechanism that Updates the expiry date that would appear to be based on the current Pubkey still being active beyond that expiry date.
when the expiration date is exceeded, the connection is still active, however, if the router is restarted, the interface will go offline and all the steps must be repeated from the beginning.
I'm using PFSense. Handshaking was only working with the "wgs.prod.xxx" peer at first. After running the script many-many times with -f & -g then the second peer "uk-lon.xxx" was fine. Not sure what the combination was, but after a few days of fiddling for a couple of hours a day it magically started to handshake. Now i'm running a cron job on a linux box nightly with -g to keep the cert registered.
I just have a weird issue with stability / connectivity. I route specific lan IPs to the wireguard interface. On a debian box when i try to run "apt-get update", it fails to connect to some locations. So, for now i switched it back to openvpn. Any idea what this could be?
Here is an example of the "apt-get update" connection failure that only occurs with wireguard; fine with openvpn.
Get:5 file:/var/cache/openmediavault/archives Translation-en_GB
Ign:5 file:/var/cache/openmediavault/archives Translation-en_GB
Hit:6 http://httpredir.debian.org/debian buster-backports InRelease
Hit:7 http://download.proxmox.com/debian/pve bullseye InRelease
Hit:9 http://packages.openmediavault.org/public shaitan InRelease
Hit:10 http://deb.debian.org/debian bullseye InRelease
Hit:11 http://deb.debian.org/debian bullseye-updates InRelease
Hit:12 http://deb.debian.org/debian buster-backports InRelease
Hit:13 http://deb.debian.org/debian bullseye-backports InRelease
Hit:14 http://linux.teamviewer.com/deb stable InRelease
Err:15 https://openmediavault-plugin-developers.github.io/packages/debian shaitan InRelease
Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
Err:8 https://openmediavault.github.io/packages shaitan InRelease
Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
Err:16 https://download.docker.com/linux/debian bullseye InRelease
Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 13.227.168.114 443]
Err:17 https://openmediavault-plugin-developers.github.io/packages/debian shaitan-testing InRelease
Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
Reading package lists... Done
W: Failed to fetch https://openmediavault-plugin-developers.github.io/packages/debian/dists/shaitan/InRelease Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
W: Failed to fetch https://openmediavault-plugin-developers.github.io/packages/debian/dists/shaitan-testing/InRelease Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
W: Failed to fetch https://download.docker.com/linux/debian/dists/bullseye/InRelease Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 13.227.168.114 443]
W: Failed to fetch http://openmediavault.github.io/packages/dists/shaitan/InRelease Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 185.199.110.153 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Btw, I noticed that in earlier comments it was stated that this config would not work with the Wireguard Client (https://www.wireguard.com/install/), but i tested and it works for me.
No improvement. I was really hoping that my weird wireguard issue with stability / connectivity with PFSense was related to the RC version. Even after upgrading to the official PFSense 2.6, which came with a minor update for the wireguard package (0.1.6_1), I'm having the same problem.
The only theory I have is that it has something to do with IPV6 being forced even though my ISP (TalkTalk) only issues me an IPV4 address and I have IPV6 disabled in PFSense. The errors when running an apt-get update show IPV4 addresses being resolved, so not sure; btw .. i'm using the Surfshark DNS's for the wireguard interface - 162.252.172.57 and 149.154.159.92. The other thought is that there is possibly an aggressive IDS rule on github.io that does not like wireguard, but if this was the case then many people would be complaining.
Hoping someone can point me in the right direction.