How to set up Surfshark on an OPNsense router

In this article, you will learn how to set up an OpenVPN connection on an OPNsense router.

To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark’s pricing page.

In this guide, you will learn how to:

  1. Get your credentials
  2. Choose a Surfshark server
  3. Configure the OpenVPN client
  4. Ensure that the connection is successful

 

Get your credentials


NOTE: These are not your regular credentials, such as your email and password.

  1. Enter the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.


  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials.

    NOTE: Keep this tab open as we'll need it later.

 

Choose a Surfshark server

 

  1. Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.


  2. Click on the download icon to the right of the server name and click on Download UDP
     

 

Configure the OpenVPN client

 

1. Next up, open your browser and enter your OPNsense interface.

2. Navigate to System > Trust > Authorities and click on the +Add button. Once there, you should be able to see the window below:


3. Proceed to fill in the following details:

Descriptive name: Name it how you want, for example, Surfshark_VPN
Method: Import an existing Certificate Authority
Certificate data: input the contents below

-----BEGIN CERTIFICATE-----

MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ

MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2

MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV

BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI

hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF

kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr

XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU

eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV

skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu

MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA

37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR

hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s

Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy

WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6

MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST

LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG

SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g

nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/

k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S

DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/

pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo

k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp

+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd

NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa

wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC

VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S

PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==

-----END CERTIFICATE-----


Certificate Private Key: leave it blank
Serial for next certificate: leave it as it is by default

4. Go to VPN > OpenVPN > Clients and press +Add.

5. Once there, fill in the fields as follows:

GENERAL INFORMATION

Disabled: Leave unchecked

Description: Any name you like, for example, Surfshark_VPN

Server mode: Peer to Peer (SSL/TLS);

Protocol: UDP4 (you can also use TCP4);

Device mode: tun

Interface: any

Remote server:

 

Host or address:  (change to the hostname of the server you are going to use)

Port: 1194 (use 443 if you use TCP)

 

Retry DNS resolution: Check

Proxy host or address: Leave blank

Proxy port: Leave blank

Proxy Authentication: None


USER AUTHENTICATION SETTINGS

Username/Password: fill in the username and password you’ve gathered from Step 1.


CRYPTOGRAPHIC SETTINGS:

TLS Authentication: Enabled – Authentication only

TLS Shared Key: Paste the contents below


-----BEGIN OpenVPN Static key V1-----


b02cb1d7c6fee5d4f89b8de72b51a8d0

c7b282631d6fc19be1df6ebae9e2779e

6d9f097058a31c97f57f0c35526a44ae

09a01d1284b50b954d9246725a1ead1f

f224a102ed9ab3da0152a15525643b2e

ee226c37041dc55539d475183b889a10

e18bb94f079a4a49888da566b9978346

0ece01daaf93548beea6c827d9674897

e7279ff1a19cb092659e8c1860fbad0d

b4ad0ad5732f1af4655dbd66214e552f

04ed8fd0104e1d4bf99c249ac229ce16

9d9ba22068c6c0ab742424760911d463

6aafb4b85f0c952a9ce4275bc821391a

a65fcd0d2394f006e3fba0fd34c4bc4a

b260f4b45dec3285875589c97d3087c9

134d3a3aa2f904512e85aa2dc2202498

-----END OpenVPN Static key V1-----


Peer Certificate Authority: Surfshark_VPN

Client Certificate: None (Username and Password required)

Encryption Algorithm: AES-256-CBC

Auth Digest Algorithm: SHA512


TUNNEL SETTINGS:

IPv4 tunnel network: Leave blank

IPv6 tunnel network: Leave blank

IPv4 remote network: Leave blank

IPv6 remote network: Leave blank

Limit outgoing bandwidth: Leave blank

Compression: Legacy – Disabled LZO algorithm (--comp-lzo no)

Type-of-service: Leave unchecked

Don’t pull routes: Leave unchecked

Don’t add/remove routes: Check


ADVANCED CONFIGURATION:

Advanced: Paste the contents down below

remote-random;

tun-mtu 1500;

tun-mtu-extra 32;

mssfix 1450;

persist-key;

persist-tun;

reneg-sec 0;

remote-cert-tls server;

Verbosity level: 3 (recommended)


6. Click on Save.

7. Navigate to Interfaces > Assignments and click on + near New Interface. By default, it should be ovpnc1.


8. Click on OPT1 to edit the interface.


9. Click on the Enable Interface and fill in the following information:

 

Description: SurfsharkVPN (or anything you want)

Block private networks: Leave unchecked

Block bogon networks: Leave unchecked

IPv4 Configuration Type: None

IPv6 Configuration Type: None

MAC address: Leave blank

MTU: Leave blank

MSS: Leave blank

No changes required on the DHCP client configuration, so just click the Save button.


10. Click on the Apply changes button.

11. Navigate to Services -> Unbound DNS -> General and fill in the following information:

 

Enable: Check

Listen port: 53

Network Interfaces: All

DNSSEC: Uncheck

DHCP Registration: Check

DHCP Domain Override: Leave blank

DHCP Static Mappings: Check

IPv6 Link-local: Unchecked

TXT Comment Support: Leave unchecked

DNS Query Forwarding: Check

Local Zone Type: Transparent

Custom options: Leave blank

Outgoing Network Interfaces: SurfsharkVPN(or whatever you named your OpenVPN interface)

WPAD Records: Leave unchecked


12. Click Save and Apply changes.

13. Navigate to Services -> Unbound DNS -> Advanced and check the following options:

 

Hide Identity: Check

Hide Version: Check

Prefetch Support: Check

Prefetch DNS Key Support: Check

 

14. Leave everything else as it is by default, click Save, and Apply Settings.

15. Navigate to Firewall > NAT > Outbound, select Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules), click Save and Apply Changes.

16. Click on the +Add button on top, on the edit menu, select Interface as SurfsharkVPN. Leave anything else as it is by default, click Save, and Apply Changes.

17. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. After that, click on the edit button next to IPv4. Scroll down and under Advanced features, select Gateway as SurfsharkVPN (or similarly called). Click Save.

 

18. Click +Add, change Source to LAN net and Destination to LAN Address, don't change anything else, Save and Apply Changes.


19. Navigate to System -> Settings -> General and do the following changes:

 

Under Networking, check the Prefer IPv4 over IPv6;

DNS servers:

162.252.172.57, Use Gateway: none;

149.154.159.92, Use Gateway: none.

 

On DNS server options, uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN

 

20. Click Save and Apply Changes.


21. Navigate to System -> Gateways -> Single and do the following changes:

 

Edit SurfsharkVPN -> click Disabled

 

22. Save and Apply Changes.

23. Navigate to VPN > OpenVPN > Connection Status and it should state that the service is “up”.

 

Ensure the connection is successful

 

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.



You may also be interested in:

Was this article helpful?
Thank you for your feedback!
  翻译: