How to set up SurfShark with OpenVPN on Ubuntu (2023)

By | May 19, 2023


OpenVPN is open source, secure and robust. It is readily available for most platforms and can be set up quickly. The SurfShark native client also uses OpenVPN underneath.

It supports both TCP- and UDP-based wrappers for VPN traffic over the internet. UDP is significantly faster than TCP and works really well. There are multiple ways to use Surfshark on Ubuntu with OpenVPN technology.

You can install the Surfshark native client and it will automatically do everything. If you do not want to install any 3rd party applications on your Ubuntu system, you can instead do the manual OpenVPN setup from the command line.

If you plan to use surfshark vpn on a ubuntu server which does not have a desktop interface for running gui applications then use the manual setup option.

The surfshark gui client app is currently available for only debian based distros like Debian, Ubuntu, Linux Mint. If you are using a linux distro that is not yet supported by the surfshark client app (like Fedora), then use the manual openvpn setup. More details can be found here.

With manual OpenVPN setup you will not be able to get some features like ad blocking which can be enabled only using the native client, or the chrome extension.

In this quick tutorial we take a look at how to set up surfshark with OpenVPN on ubuntu. The entire process is a simple 3 step process:

  • 1. Install OpenVPN
  • 2. Download Surfshark openvpn configuration files
  • 3. Connect using the configuration file

1. Install openvpn

The first step is to install the openvpn package. OpenVPN can be used to run a vpn server as well as vpn client that can connect to other vpn servers. In our example we shall use openvpn as a client to connect to SurfShark.

sudo apt install openvpn -y

The good thing is that we need not do any complicated configuration to use OpenVPN as a client for SurfShark. The configuration files are located in the following directory:


2. Download SurfShark OpenVPN Configuration Files

The next step is to download the openvpn configuration files (.ovpn extension) and use them with openvpn right away. Each ovpn configuration file contains details about how to connect to a particular vpn server.

The configuration files can be downloaded as single archive from the following url:

Note: You do not need root privileges for setting up the configuration files. We shall install them in the home directory.

mkdir openvpn_config
cd openvpn_config

Now extract the "configurations" archive file using the unzip command:

unzip configurations

Each configuration file is a profile to connect to a particular VPN server. For example the following configuration file is for a vpn server in USA-New York location that uses UDP protocol:

You will see lots of similar configuration files, 2 for each location (one for tcp and another for udp protocol).

The configuration file contains the server IP address, the certificates and the encryption key to be used.

OpenVPN has provided a sample client configuration file here and a full how-to guide here. Check them out if you want to dig deeper into how OpenVPN configuration works.

The contents of a SurfShark OpenVPN configuration file look like this:

dev tun
proto udp
remote 1194
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
reneg-sec 0

remote-cert-tls server


verb 3
cipher AES-256-CBC

auth SHA512

key-direction 1
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

3. Connect to VPN server

Now that we have installed OpenVPN and downloaded the configuration files, it's time to connect to the vpn server and start surfing.

The command is actually very short and simple:

sudo openvpn

The above command will connect to the vpn server specified in that particular configuration file using encryption keys and certificates. You will need to provide the username and password provided by Surfshark to connect to the vpn server. The same can be found in the Surfshark user dashboard.

On my system the output looks something like this

silver@silver:~/openvpn_config$ sudo openvpn
2023-01-05 19:09:22 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-01-05 19:09:22 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-01-05 19:09:22 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-01-05 19:09:22 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Enter Auth Username: USERNAME
🔐 Enter Auth Password: ************************
2023-01-05 19:09:53 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2023-01-05 19:09:53 NOTE: --fast-io is disabled since we are not using UDP
2023-01-05 19:09:53 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-05 19:09:53 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-05 19:09:53 TCP/UDP: Preserving recently used remote address: [AF_INET]
2023-01-05 19:09:53 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-01-05 19:09:53 Attempting to establish TCP connection with [AF_INET]
2023-01-05 19:09:54 TCP connection established with [AF_INET]
2023-01-05 19:09:54 TCPv4_CLIENT link local: (not bound)
2023-01-05 19:09:54 TCPv4_CLIENT link remote: [AF_INET]
2023-01-05 19:09:54 TLS: Initial packet from [AF_INET], sid=ef975c9c 5f528167
2023-01-05 19:09:55 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
2023-01-05 19:09:55 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
2023-01-05 19:09:55 VERIFY KU OK
2023-01-05 19:09:55 Validating certificate extended key usage
2023-01-05 19:09:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-05 19:09:55 VERIFY EKU OK
2023-01-05 19:09:55 VERIFY OK: depth=0,
2023-01-05 19:09:55 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
2023-01-05 19:09:55 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2023-01-05 19:09:55 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
2023-01-05 19:09:55 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-05 19:09:55 [] Peer Connection Initiated with [AF_INET]
2023-01-05 19:09:55 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS,dhcp-option DNS,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway,topology subnet,ping 60,ping-restart 180,ifconfig,peer-id 0,cipher AES-256-GCM'
2023-01-05 19:09:55 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.6_git)
2023-01-05 19:09:55 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-05 19:09:55 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2023-01-05 19:09:55 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2023-01-05 19:09:55 Socket Buffers: R=[131072->425984] S=[87040->425984]
2023-01-05 19:09:55 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-05 19:09:55 OPTIONS IMPORT: route options modified
2023-01-05 19:09:55 OPTIONS IMPORT: route-related options modified
2023-01-05 19:09:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-05 19:09:55 OPTIONS IMPORT: peer-id set
2023-01-05 19:09:55 OPTIONS IMPORT: data channel crypto options modified
2023-01-05 19:09:55 net_route_v4_best_gw query: dst
2023-01-05 19:09:55 net_route_v4_best_gw result: via dev enp0s3
2023-01-05 19:09:55 ROUTE_GATEWAY IFACE=enp0s3 HWADDR=08:00:27:f5:88:31
2023-01-05 19:09:55 TUN/TAP device tun0 opened
2023-01-05 19:09:55 net_iface_mtu_set: mtu 1500 for tun0
2023-01-05 19:09:55 net_iface_up: set tun0 up
2023-01-05 19:09:55 net_addr_v4_add: dev tun0
2023-01-05 19:09:55 net_route_v4_add: via dev [NULL] table 0 metric -1
2023-01-05 19:09:55 net_route_v4_add: via dev [NULL] table 0 metric -1
2023-01-05 19:09:55 net_route_v4_add: via dev [NULL] table 0 metric -1
2023-01-05 19:09:55 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-05 19:09:55 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-05 19:09:55 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-05 19:09:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-01-05 19:09:55 Initialization Sequence Completed

Note the last line which says:

Initialization Sequence Completed

This indicates that connection to the openvpn server was established successfully and now we can use it to connect to internet.

To end the OpenVPN session (disconnect) just press Ctrl+c.
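
The log above warns about three things in the downloaded profile: --cipher set without --data-ciphers, --ping without a working --ping-restart or --ping-exit, and password caching without auth-nocache. The following script is an added example, not part of the original article or of Surfshark's files, that checks a profile for those settings; the sample profile, its remote host vpn.example.invalid and the function names are constructed for illustration.

```sh
# Added example, not from the original article: flag the .ovpn settings
# that OpenVPN itself warns about in the log above.

# Succeeds if directive $2 appears as the first word of a line in file $1.
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Prints the first argument of the last occurrence of directive $2 in file $1.
directive_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Prints one finding per line; returns 1 if anything was flagged.
audit_ovpn() {
    f=$1
    rc=0
    # OpenVPN 2.6 ignores --cipher for negotiation unless --data-ciphers is set.
    if has_directive "$f" cipher && ! has_directive "$f" data-ciphers; then
        echo "cipher-without-data-ciphers"; rc=1
    fi
    # Without auth-nocache the username/password may stay cached in memory.
    if ! has_directive "$f" auth-nocache; then
        echo "missing-auth-nocache"; rc=1
    fi
    # remote-cert-tls server makes the client insist on a server certificate.
    if [ "$(directive_value "$f" remote-cert-tls)" != "server" ]; then
        echo "missing-remote-cert-tls-server"; rc=1
    fi
    # ping with ping-restart 0 (or absent) and no ping-exit never reconnects.
    restart=$(directive_value "$f" ping-restart)
    if has_directive "$f" ping && ! has_directive "$f" ping-exit \
        && [ "${restart:-0}" = "0" ]; then
        echo "ping-without-restart"; rc=1
    fi
    return "$rc"
}

# Constructed sample mirroring the directives shown above; the remote host
# is a placeholder.
write_sample_profile() {
    cat > "$1" <<'EOF'
dev tun
proto udp
remote vpn.example.invalid 1194
ping 15
ping-restart 0
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
EOF
}

sample=$(mktemp)
write_sample_profile "$sample"
audit_ovpn "$sample" || true
rm -f "$sample"
```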

Once you are connected to the vpn, you can see the new network connection using the nmcli command:

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
Wired connection 1  02ca8777-82b9-36a1-993f-4ca7a62ea9cc  ethernet  enp0s3 
tun0                f651b0fd-961a-41fe-961a-8d1c9354ff9d  tun       tun0   

In the above output the "Wired connection 1" is the actual ethernet connection, whereas the tun0 is the openvpn connection. When you disconnect from the vpn by pressing Ctrl+c, the tun0 interface will be removed as well.

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
Wired connection 1  02ca8777-82b9-36a1-993f-4ca7a62ea9cc  ethernet  enp0s3 

List of surfshark vpn servers

A complete list of surfshark vpn servers can be found at the following url:

According to the current stats they have over 3200 servers in 100 countries, which gives its users great coverage and options.

Tweak authentication

The openvpn command requires you to type the username and password every time. If you want to avoid this, then provide the login details using a simple text file.

Create a password file to avoid copy-pasting every time.

nano pass.txt

Paste your username and password in 2 separate lines like below and save and close the file.


Now run the openvpn command with the "--auth-user-pass" argument as follows:

sudo openvpn --config --auth-user-pass pass.txt

So now you do not need to manually type the username/password every time.
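
pass.txt holds the account credentials in plain text, and a file created in an editor gets the default umask permissions, which usually leave it readable by other local users. The following is an added example, not from the original article, that creates the file with mode 600 from the start and checks an existing one; it assumes GNU stat as shipped on Ubuntu, and the function names are made up for illustration.

```sh
# Added example, not from the original article. Assumes GNU stat (Ubuntu).

# Reads "username\npassword\n" on stdin and writes it to $1. The umask is set
# in a subshell so the file is never group- or world-readable, even briefly.
new_auth_file() {
    ( umask 077 && cat > "$1" )
}

# Prints one finding per line; returns 1 if anything was flagged.
check_auth_file() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not-a-regular-file"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    # Any bit in the group/other positions lets other local accounts read it.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "group-or-other-access:$mode"; rc=1
    fi
    if [ "$(stat -c '%u' "$f")" != "$(id -u)" ]; then
        echo "not-owned-by-current-user"; rc=1
    fi
    # OpenVPN expects the username on line 1 and the password on line 2.
    if ! awk 'NR <= 2 && NF == 0 { bad = 1 } END { exit (NR < 2 || bad) }' "$f"; then
        echo "needs-username-and-password-lines"; rc=1
    fi
    return "$rc"
}

# Demo with constructed credentials in a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed-user' 'constructed-pass' | new_auth_file "$demo_dir/pass.txt"
check_auth_file "$demo_dir/pass.txt" && echo "pass.txt: OK"
chmod 644 "$demo_dir/pass.txt"
check_auth_file "$demo_dir/pass.txt" || true
rm -rf "$demo_dir"
```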

For using VPN profiles with NetworkManager on KDE, install the following package.
sudo apt-get install network-manager-openvpn

4. Check your public IP

After setting up the connection to the remote OpenVPN server it's time to check our public ip address to see whether we are protected or not. To quickly check the ip address from command line, open the domain using curl.

$ curl

And it should show your public ip address which should be the same as ip address of the surfshark vpn server.

Alternatively just search google for "what is my ip" and you will get what you want.

5. Check Routes and Interface

OpenVPN re-routes all traffic through the vpn server it is connected to. It does this by creating a virtual network interface (NIC) and then changing the IP routing table in the operating system. It re-routes all traffic via this virtual nic, except the traffic destined for the vpn server itself (which is sent via the real nic connected to internet).

The ifconfig command will show this virtual network interface as follows:

$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::f59d:aac5:7a7f:48ee  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f5:88:31  txqueuelen 1000  (Ethernet)
        RX packets 1343093  bytes 1432484283 (1.4 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1058525  bytes 900333007 (900.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4635  bytes 1211480 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4635  bytes 1211480 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        inet  netmask  destination
        inet6 fe80::89fd:29b7:d3fc:8097  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 396  bytes 186455 (186.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 496  bytes 119663 (119.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


In the above output tun0 is the virtual network interface created by openvpn whereas enp0s3 is actual ethernet card.

The same can be checked with the "ip a" command. If you run "ip a" command you shall see an entry named tun0:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f5:88:31 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute enp0s3
       valid_lft 84966sec preferred_lft 84966sec
    inet6 fe80::f59d:aac5:7a7f:48ee/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6c66:4595:5883:771/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

The tun0 is the gateway of the SurfShark VPN.

Now that we have checked the network interface, let's take a look at the ip routing table which shows the gateway as well.
Here are a bunch of commands that can be used to check the routing table and gateway.

  • route -n
  • netstat -rn
  • ip r
  • ip route show

The output of route and netstat commands will look similar, whereas the ip command output looks different. Let's check these.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 tun0
                                                UG    100    0        0 enp0s3
                                                U     0      0        0 tun0
                                                UGH   0      0        0 enp0s3
                                                UG    0      0        0 tun0
                                                U     1000   0        0 enp0s3
                                                U     100    0        0 enp0s3

Note the first line for destination "".       UG    0      0        0 tun0

This line tells the kernel to route all ip traffic via (tun0) which is the virtual network interface created by OpenVPN.

Check another line: UGH   0      0        0 enp0s3

This line tells that all traffic destined to "" (the remote VPN server) should be routed via (enp0s3) which is the real ethernet interface connected to the internet.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UG        0 0          0 tun0
                                                UG        0 0          0 enp0s3
                                                U         0 0          0 tun0
                                                UGH       0 0          0 enp0s3
                                                UG        0 0          0 tun0
                                                U         0 0          0 enp0s3
                                                U         0 0          0 enp0s3

The same when done with the "ip r" or "ip route show" command:

$ ip r
via dev tun0
default via dev enp0s3 proto dhcp src metric 100
dev tun0 proto kernel scope link src
via dev enp0s3
via dev tun0
dev enp0s3 scope link metric 1000
dev enp0s3 proto kernel scope link src metric 100
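
With redirect-gateway def1 (pushed by the server in the log above), OpenVPN leaves the original default route in place and adds the two more specific routes 0.0.0.0/1 and 128.0.0.0/1 via tun0, plus a host route to the VPN server over the real interface. The following added example, not part of the original article, checks "ip route" output for exactly that layout; the sample routing table uses constructed documentation and private addresses, and the function names are illustrative.

```sh
# Added example, not from the original article.
# Usage on a live system: ip route show | check_vpn_routes tun0 <vpn-server-ip>

# Reads `ip route` output on stdin. $1 = tunnel interface, $2 = VPN server IP.
# Prints one finding per line; returns 1 if anything was flagged.
check_vpn_routes() {
    awk -v tun="$1" -v server="$2" '
        # Interface named after the "dev" keyword on the current line.
        function dev_of(    i) {
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        # def1 adds two half-internet routes instead of replacing "default".
        $1 == "0.0.0.0/1"   && dev_of() == tun { low = 1 }
        $1 == "128.0.0.0/1" && dev_of() == tun { high = 1 }
        $1 == "default"     && dev_of() == tun { dflt = 1 }
        # The encrypted packets themselves must leave via the real NIC.
        $1 == server || $1 == (server "/32") {
            seen = 1
            if (dev_of() == tun) looped = 1
        }
        END {
            if (!dflt && !(low && high)) { print "traffic-not-redirected-into-tunnel"; bad = 1 }
            if (!seen)  { print "no-host-route-to-vpn-server"; bad = 1 }
            if (looped) { print "vpn-server-routed-through-tunnel"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the seven-route layout shown above, with documentation
# and private addresses filled in.
sample_routes_connected() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.1.1 dev enp0s3 proto dhcp src 192.168.1.20 metric 100
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.5
203.0.113.10 via 192.168.1.1 dev enp0s3
128.0.0.0/1 via 10.8.8.1 dev tun0
169.254.0.0/16 dev enp0s3 scope link metric 1000
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.20 metric 100
EOF
}

sample_routes_connected | check_vpn_routes tun0 203.0.113.10 && echo "routes OK"
```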

OpenVPN Log Files

By default openvpn outputs all messages to the same terminal where it is being run from. In case of any errors you can always check the messages for diagnostic information.

If you want to log messages from openvpn to a specific file use the "--log-append" option as follows:

sudo openvpn --config --auth-user-pass pass.txt --log-append ~/openvpn.log

The above command will log all openvpn output to the file openvpn.log in the home directory. The verbosity of the logging can be set with the "--verb" option, from 0 to 11, 0 being the lowest and 11 being the highest.

sudo openvpn --config --auth-user-pass pass.txt --log-append ~/openvpn.log --verb 3

Default verbosity level is 3.

IP/DNS Leak Test, Speed Test

After setting up surfshark vpn it is very important to check that you are fully protected and getting the best speed.

For privacy protection we need to check ip and dns leak test results. It is very simple. Just go to the following site:

The page would immediately show your visible public ip address and the dns servers that your computer is connecting to. Both the IP address and DNS servers should be different from the ones being used by your isp.

A common problem with vpn services is dns leak, where the system actually is able to connect to isp dns servers directly.

Ping Speed Test

The next thing to test is the speed. After setting up surfshark you want to make sure that you are getting optimal download speed. The best way to check this is with the Ookla tool.

File download test

Or you can google for "test file download" and find some dummy large file that can be downloaded to test download speed. With this method you get a more accurate measurement of the download speed. For example I am using this site: It has files of 100 MB, 1GB, 10GB.

$ wget

Now as wget completes the download it will report the overall download speed. This would give a proper measurement of the download speed.

Browser Extensions

Surfshark has extensions for both chrome and firefox. It's a good option if you do not want to use the vpn for all traffic on your system, but only when browsing a few sites.

The chrome extension also makes it very quick and easy to connect to and change vpn servers with a single click. With openvpn you have to run a command from a terminal every time.

The surfshark browser extension does not protect you as well as the openvpn or client app setup. Any traffic outside the browser will not use the vpn. Moreover the browser will suffer dns leaks as it will only use surfshark as a proxy.

Search google for "surfshark chrome extension" or visit the following url:

The chrome extension requires the surfshark account username and password to login.

Note: Do not activate both openvpn and the surfshark chrome extension simultaneously, otherwise you would establish a dual vpn route to internet. It would look something like: Your system -> openvpn vpn server -> chrome extension vpn server -> internet. This would make it slow.

How does Surfshark chrome extension work ?

Browsers do not support any kind of vpn technologies. Therefore the surfshark chrome extension does not really establish a vpn connection. It connects to the same server as openvpn, but uses the HTTPS proxy protocol instead.

The speed when using chrome extension is also very good, similar to openvpn udp mode. This makes it an effective option for proxy.


OpenVPN is one of the many vpn technologies available out there. Other popular vpn technologies include WireGuard and IKEv2/IPsec.

Surfshark supports all 3 major technologies, namely OpenVPN, WireGuard and IPsec (IKEv2).

If you have any questions do let us know in the comments below.


Here are some useful links and resources that were used in the development of this article.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].
