Newbie here. Trying to set up Surfshark on OpenWrt on Archer A7

Went through everything on this forum post, hoping it would help:

No luck. I tried following Surfshark's instructions on their website, linked in that forum, first. Didn't work, so I reset and tried the other one linked. Still no dice.

I'm not even sure how I can find out what I'm doing wrong at this point. Can somebody help?

What's your use case? Tell us what you want to accomplish.

I'd be happy with using it behind my router strictly as a VPN device. Ideally, I'd be able to use it as a router for three computers and three cell phones, along with any guest devices, while the VPN filters my traffic so I can maintain privacy.

No, it doesn't.

I understand what a VPN does and does not do. I'm only concerned with my ISP directly.

Depending on what you think/know they do, you might not need to run your traffic through it, only your DNSes.

Okay. So, if a person were filesharing using torrents, that would be sufficient protection? And more importantly, how would someone set that up? I don't want to have to ask my guests what they're doing on my network.

Well, you could simply send all guest traffic through the VPN.

Or just redirect torrent ports through the VPN.

OpenVPN puts lots of messages in the system log as it starts up and connects to the server, so you can usually identify problems with starting or connecting by reading the System Log (`logread`). If you reach `Initialization Sequence Completed`, then the VPN is up, but there can still be problems routing into it.

The new device option in firewall config allows putting the VPN tunnel into the wan firewall zone without creating a dummy network for it; just add `list device tun0` to the wan zone.

I'm a little lost in these logs. Don't even really know what I'm looking at. It seems I must have a configuration setting wrong, because it says it's connecting. Any ideas?

Mon Jun 28 15:19:37 2021 daemon.warn openvpn(Orlando)[9073]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: OpenVPN 2.5.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: library versions: OpenSSL 1.1.1k  25 Mar 2021
Mon Jun 28 15:19:37 2021 daemon.warn openvpn(Orlando)[9073]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Mon Jun 28 15:19:37 2021 daemon.warn openvpn(Orlando)[9073]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: NOTE: --fast-io is disabled since we are not using UDP
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.147.22.149:1443
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: Attempting to establish TCP connection with [AF_INET]198.147.22.149:1443 [nonblock]
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: TCP connection established with [AF_INET]198.147.22.149:1443
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: TCP_CLIENT link local: (not bound)
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: TCP_CLIENT link remote: [AF_INET]198.147.22.149:1443
Mon Jun 28 15:19:37 2021 daemon.notice openvpn(Orlando)[9073]: TLS: Initial packet from [AF_INET]198.147.22.149:1443, sid=95c0c760 7c098d94
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY KU OK
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: Validating certificate extended key usage
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY EKU OK
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY OK: depth=0, CN=us-orl-v011.prod.surfshark.com
Mon Jun 28 15:19:38 2021 daemon.warn openvpn(Orlando)[9073]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
Mon Jun 28 15:19:38 2021 daemon.warn openvpn(Orlando)[9073]: WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: [us-orl-v011.prod.surfshark.com] Peer Connection Initiated with [AF_INET]198.147.22.149:1443
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: SENT CONTROL [us-orl-v011.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Jun 28 15:19:39 2021 daemon.err openvpn(Orlando)[9073]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.2)
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Socket Buffers: R=[131072->360448] S=[44800->360448]
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: route options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: route-related options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: peer-id set
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: adjusting link_mtu to 1658
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: OPTIONS IMPORT: data channel crypto options modified
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_best_gw query: dst 0.0.0.0
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0.2
Mon Jun 28 15:19:39 2021 daemon.notice netifd: Interface 'surfsharktun' is enabled
Mon Jun 28 15:19:39 2021 daemon.notice netifd: Network device 'tun0' link is up
Mon Jun 28 15:19:39 2021 daemon.notice netifd: Interface 'surfsharktun' has link connectivity
Mon Jun 28 15:19:39 2021 daemon.notice netifd: Interface 'surfsharktun' is setting up now
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: TUN/TAP device tun0 opened
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_iface_mtu_set: mtu 1500 for tun0
Mon Jun 28 15:19:39 2021 daemon.notice netifd: Interface 'surfsharktun' is now up
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_iface_up: set tun0 up
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_addr_v4_add: 10.7.7.3/24 dev tun0
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: /usr/libexec/openvpn-hotplug up Orlando tun0 1500 1586 10.7.7.3 255.255.255.0 init
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_add: 198.147.22.149/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_add: 0.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_add: 128.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
Mon Jun 28 15:19:39 2021 daemon.warn openvpn(Orlando)[9073]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Initialization Sequence Completed
Mon Jun 28 15:19:39 2021 user.notice firewall: Reloading firewall due to ifup of surfsharktun (tun0)
Mon Jun 28 15:19:43 2021 daemon.notice netifd: wan (2133): udhcpc: sending renew to 192.168.1.1

You’re authenticated and the tunnel is established. Look to your firewall.
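As an added example (not part of any post in this thread), the log reading described above can be scripted. The function name `ovpn_triage` and its `key=value` output are assumptions made for this sketch; the sample lines are copied from the log posted above.

```shell
#!/bin/sh
# Added example: summarise an OpenVPN client start-up log read from stdin.
# On the router:  logread -e openvpn | ovpn_triage

ovpn_triage() {
    awk '
        /VERIFY OK: depth=0/                        { cert = 1 }      # server leaf certificate accepted
        /TUN\/TAP device .* opened/                 { dev = $(NF-1) } # tunnel device name
        /net_route_v4_add: (0|128)\.0\.0\.0\/1 via/ { halves++ }      # redirect-gateway def1 routes
        /Initialization Sequence Completed/         { up = 1 }
        / daemon\.err openvpn/                      { errs++ }
        END {
            print "server_cert_verified=" (cert ? "yes" : "no")
            print "tun_device=" (dev != "" ? dev : "none")
            print "default_route_redirected=" (halves >= 2 ? "yes" : "no")
            print "tunnel_up=" (up ? "yes" : "no")
            print "error_lines=" (errs + 0)
            # Where to look next, following the advice given in this thread.
            if (up && halves >= 2) print "next_check=firewall"
            else if (up)           print "next_check=routing"
            else                   print "next_check=connection"
        }'
}

# Six lines taken from the log posted in this thread.
# The daemon.err line (block-outside-dns, a Windows-only option) is counted,
# but in that log the tunnel still reaches Initialization Sequence Completed.
sample_log() {
    cat <<'EOF'
Mon Jun 28 15:19:38 2021 daemon.notice openvpn(Orlando)[9073]: VERIFY OK: depth=0, CN=us-orl-v011.prod.surfshark.com
Mon Jun 28 15:19:39 2021 daemon.err openvpn(Orlando)[9073]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.2)
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: TUN/TAP device tun0 opened
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_add: 0.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: net_route_v4_add: 128.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
Mon Jun 28 15:19:39 2021 daemon.notice openvpn(Orlando)[9073]: Initialization Sequence Completed
EOF
}

sample_log | ovpn_triage
```
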

Can you point me in the direction of a guide on how to set my firewall up? I've been searching for one without any luck.

Okay. I found a guide that supposedly shows me how to configure my firewall to let my VPN through. I think the problem is when I uploaded the OVPN config file, it didn't generate a tun0 device interface for me to select under Firewall Settings - Advanced Settings. How do I create a tun0 interface and link it to my VPN?

Pull down the list and type it in at the bottom. Be sure to press Enter when done typing; don't just click the mouse.

The tun0 device only exists while OpenVPN is connected. OpenVPN creates it during connection and destroys it upon disconnection.
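As an added example (not part of any post in this thread), this is a way to confirm that the wan zone actually lists the tunnel device, as suggested earlier in the thread. The helper names `zone_has_device` and `dev_present` are assumptions, and the firewall file contents are a constructed sample modelled on a default OpenWrt zone layout.

```shell
#!/bin/sh
# Added example: confirm a UCI firewall zone covers the VPN tunnel device.
# Usage: zone_has_device ZONE DEVICE [FILE]   (reads stdin when FILE is omitted)
# On the router: zone_has_device wan tun0 /etc/config/firewall
zone_has_device() {
    awk -v zone="$1" -v dev="$2" '
        function unq(s) { gsub(/["\047]/, "", s); return s }   # strip UCI quotes
        function endsec() { if (type == "zone" && name == zone && has) found = 1 }
        $1 == "config" { endsec(); type = unq($2); name = ""; has = 0; next }
        $1 == "option" && $2 == "name" { name = unq($3) }
        $1 == "list" && $2 == "device" && unq($3) == dev { has = 1 }
        END { endsec(); exit !found }
    ' ${3:+"$3"}
}

# The tun device exists only while OpenVPN is connected (see the post above).
dev_present() { [ -d "/sys/class/net/$1" ]; }

# Constructed sample: firewall zones with the tunnel device added to wan.
fw_after() {
    cat <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list device 'tun0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
}
# The same sample before the change: no device line in any zone.
fw_before() { fw_after | grep -v "list device"; }

fw_after  | zone_has_device wan tun0 && echo "after:  wan zone covers tun0"
fw_before | zone_has_device wan tun0 || echo "before: wan zone does not cover tun0"
dev_present tun0 || echo "tun0 absent: OpenVPN is not connected on this host"
```
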