Create Surfshark wireguard connection on OpenWrt easily

@Bill So weird. Today I looked in the config directory and there was no log file. So I removed everything and again ran your sswg script. It didn't produce any config files. Only keys + registration with SurfShark.
Then I thought your script doesn't produce configs (which later I read It should).
So I ran yazdan's script (using keys generated and registered by your script).
Then I created interface and firewall rules + added DNS in DHCP and DNS in luci.
And VOILA I see globe turn into "internet access". It connected to the peers. BUT even though it showed "Internet Access" I couldn't browse anything.
So I started browsing google on a different machine and found out that MSS clamping should be enabled. Now I have internet access through SurfShark. BUUUUUT!!! I run speedtest and speed is only 44mbit for some reason!!!... Cut down 10x from my original 400mbit.
But it might be just my router. I've read in docs for Openwrt for my router (wd n750) that WAN->LAN has software limitations where's it is limited to 100mbit. Even though my wireless supports 450mbit and all ports are Gigabit. I thought maybe with wireguard it'll somehow magically bypass this limitation :stuck_out_tongue: but guess not. Still even 100mbit would be better than 44.
I guess it'll suffice for now until I get access to a better router. :slight_smile:

P.S. there was still no log file. Maybe I should've added some code like "> wg.log" or something.

No I should have been clear.

The cron job automatically calls for the logging. I should have stated that to produce a file wg.log in the directory you should run.

./wg/ -g >>/wg/wg.log


  • -g grabs the conf files.

  • just renews the keys.

  • Having a wg.json file is now something to covet and renew!

Running the script via your favorite terminal ssh you could have copied and pasted the output of the job also, which is what you see in my first post.

The good news is you managed to figure out how to get inet up. After other's jump in and provide further suggestions you may get it tweaked to your satisfaction.

Welcome aboard and I wish you well.

You can’t transfer more than a maximum 100Mbps. Run your speedtest with WG disabled and then run it again with WG enabled to get a better picture.

FWIW, @yazdan script(s) have never failed me once configured properly. My SS PubKey has been successfully updated daily since Dec. 21, 2021. The only thing I have added was 5 lines of code to allow logging PubKey refresh, a syslog entry on refresh, and a daily email sent to my gmail account. I’ve issued a PR to @yazdan asking to merge that into his script.

Edit: PR merged.

1 Like

Sweet to see your work attributed.

^^ Is misleadingly quoted.

The SSWG Script which Bill and Paul have forks for - will one or both of you update your Projects / Scripts to include the 5 ( five ) lines of code which Paul refers to in his post above. The PR which has been merged. BTW, just because I am a bit confused - if I may ask - Paul - what script do you have set up / run on your router?
Peace To All

Hello directnupe. I have always used @yazdan scripts with my additions.

3 of the lines of code you refer to relate to the WG AUTHENTICATION KEY UPDATE and syslog logread -e SSWG when wg auth key refresh successfully updates. You see this on the CLI when you run the script, or redirect the output to a log file.

This code has now been merged into @yazdan repository so our two scripts are now synced.

The other two lines of code was not part of the PR and exists only on my local repository. It lets me send a daily update to my gmail address with same information.

Thanks - @RurlRoots I appreciate the information. Regarding this below :

The other two lines of code was not part of the 
PR and exists only on my local repository. 
It lets me send a daily update to my gmail address 
with same information.

Is there anyway that I can modify the SSWG SCRIPT so that I can have a daily update sent to an email address of my own ? Just asking - not a deal breaker - and as always thank you for being so helpful and instructive.

That would be a question for @Bill. I’m not fully versed in his code to answer either way.

It also requires the msmtp package installed & configured to work with your mail provider. Here is a link to the configuration docs:

1 Like

Thanks for your redirect. I have no desire to involve Google SMTP in's code.

I'm sincerely happy that @yazdan is updating the threads topical script, and that your issue 2 was compiled into PR12.

1 Like


Google requires auth now or rejects.

Either way, it’s out of scope for @yazdan script as well and ergo not included in the PR. Anybody that can set up msmtp and successfully send/receive to their desired SMTP account via CLI should be able to attach the log as message body.

1 Like


And your additions were an eye opener for me even before I joined, I had added the lines to the base @yazdan script and enjoyed the foresight provided. Having logs to the System Log and a well thought out Cron Job, you provided the basis for my attempt to evolving @patrickm script prior to creating a GitHub account; which is my way of apologizing for 'Jumping the Shark' on the account of other's hard earned creds and work.


We have in the community users posting all sorts of ideas, queries and suggestions, and a great movement to think outside the box. Desire is everything. Ideas are born from it and results are paved by it.

Another form of notification is not desired as the work is done, logged, and enjoyed.

1 Like

What DNS did you add? I'm connected to surf shark but cannot browse

I use Stubby for DNS on the router. Going by the guide, it relies on
CloudFlare Inc. servers.

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server ''
	option noresolv '1'
	option dnssec '1'
	option domainneeded '1'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

If you had no issue with DNS resolution before adding a WG tunnel, it isn’t the problem.

Do both peers handshake, or does peer2 fail?

Try wg show. It will give you configuration and device info. Peer1 will always handshake. If Peer2 doesn’t handshake, check your pub/priv keys in the config.

The problem existed in the firewall settings. I have thus made the change and it works now. Only thing is that now although I am using US-MIA ..... from Surfhsark files, I cannot use the freevee app. Any suggestions?

Never mind. Got it.

Can you explain the “freevee app”?

Most streaming services disallow use over vpn.

You can use vpn-policy-routing to individually route specific devices on your network to use the alternate route via wan instead of the default route via tun.
Here’s the docs. You can find it in opkg.

freevee or formally called IMDB. Its an app that lets you view free US tv content.

You're bypassing geo restrictions it seems.

You might try changing the DNS servers.

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns=''
uci add_list network.wan.dns=''
uci commit

I'm using unbound DNS over TLS. Would me adding this cause any issues

Sorry, I don’t use unbound, but by design it will point your dns to a US based opendns server and override your encrypted resolver.