How to setup SurfShark with OpenVPN on Ubuntu (2023)

By | January 12, 2023

OpenVPN

OpenVPN is open source, secure and robust. It is readily available for most platforms and can be setup quickly. The SurfShark native client also uses OpenVPN underneath.

It supports both tcp and udp based wrappers for vpn traffic over internet. UDP is significantly faster than tcp and works really well. There are multiple ways to use Surfshark on ubuntu with openvpn technology.

You can either install the Surfshark native client and it will automatically do everything. If you do not want to install any 3rd party applications on your ubuntu system then you can do the manual openvpn setup from the command line.

If you plan to use surfshark vpn on a ubuntu server which does not have a desktop interface for running gui applications then use the manual setup option.

The surfshark gui client app is currently available for only debian based distros like Debian, Ubuntu, Linux Mint. If you are using a linux distro that is not yet supported by the surfshark client app (like Fedora), then use the manual openvpn setup. More details can be found here.

With manual OpenVPN setup you will not be able to get some features like ad blocking which can be enabled only using the native client, or the chrome extension.

In this quick tutorial we take a quick look at how to setup surfshark with OpenVPN on ubuntu. The entire process is a simple 3 step process:

  • 1. Install OpenVPN
  • 2. Download Surfshark openvpn configuration files
  • 3. Connect using the configuration file

1. Install openvpn

The first step is to install the openvpn package. OpenVPN can be used to run a vpn server as well as vpn client that can connect to other vpn servers. In our example we shall use openvpn as a client to connect to SurfShark.

sudo apt install openvpn -y

The good thing is that we need not do any complicated configuration to use OpenVPN as a client for SurfShark. The configuration files are located in the following directory:

/etc/openvpn/

2.Download SurfShark OpenVPN Configuration Files

The next step is to download the openvpn configuration files (.ovpn extension) and use them with openvpn right away. Each ovpn configuration file contains details about how to connect to a particular vpn server.

The configuration files can be downloaded as single archive from the following url:

https://my.surfshark.com/vpn/api/v1/server/configurations

Note: You do not need root privileges for setting up the configuration files. We shall install them in the home directory.

mkdir openvpn_config
cd openvpn_config
wget https://my.surfshark.com/vpn/api/v1/server/configurations

Now extract the "configurations" archive file using the unzip command:

unzip configurations

Each of the configuration file is a profile to connect to a particular VPN server. For example the following configuration file is for a vpn server in USA-New York location that uses UDP protocol:

us-nyc.prod.surfshark.com_udp.ovpn

You will see lots of similar configuration files, 2 for each location (one for tcp and another for udp protocol).

The configuration file consists of server ip address, certificates and encryption key to be used.

OpenVPN has provided a sample client configuration file here and a full how-to guide here. Check them out if you want to dig deeper into how OpenVPN configuration works.

The contents of a SurfShark OpenVPN configuration file look like this:

us-nyc.prod.surfshark.com_udp.ovpn

client
dev tun
proto udp
remote 37.19.199.214 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS
b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE
BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv
b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEGMNj0aisM63o
SkmVJyZPaYX7aPsZtzsxo6m6p5Wta3MGASoryRsBuRaH6VVa0fwbI1nw5ubyxkua
Na4v3zHVwuSq6F1p8S811+1YP1av+jqDcMyojH0ujZSHIcb/i5LtaHNXBQ3qN48C
c7sqBnTIIFpmb5HthQ/4pW+a82b1guM5dZHsh7q+LKQDIGmvtMtO1+NEnmj81BAp
FayiaD1ggvwDI4x7o/Y3ksfWSCHnqXGyqzSFLh8QuQrTmWUm84YHGFxoI1/8AKdI
yVoB6BjcaMKtKs/pbctk6vkzmYf0XmGovDKPQF6MwUekchLjB5gSBNnptSQ9kNgn
TLqi0OpSwI6ixX52Ksva6UM8P01ZIhWZ6ua/T/tArgODy5JZMW+pQ1A6L0b7egIe
ghpwKnPRG+5CzgO0J5UE6gv000mqbmC3CbiS8xi2xuNgruAyY2hUOoV9/BuBev8t
tE5ZCsJH3YlG6NtbZ9hPc61GiBSx8NJnX5QHyCnfic/X87eST/amZsZCAOJ5v4EP
SaKrItt+HrEFWZQIq4fJmHJNNbYvWzCE08AL+5/6Z+lxb/Bm3dapx2zdit3x2e+m
iGHekuiE8lQWD0rXD4+T+nDRi3X+kyt8Ex/8qRiUfrisrSHFzVMRungIMGdO9O/z
CINFrb7wahm4PqU2f12Z9TRCOTXciQIDAQABo1AwTjAdBgNVHQ4EFgQUYRpbQwyD
ahLMN3F2ony3+UqOYOgwHwYDVR0jBBgwFoAUYRpbQwyDahLMN3F2ony3+UqOYOgw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAn9zV7F/XVnFNZhHFrt0Z
S1Yqz+qM9CojLmiyblMFh0p7t+Hh+VKVgMwrz0LwDH4UsOosXA28eJPmech6/bjf
ymkoXISy/NUSTFpUChGO9RabGGxJsT4dugOw9MPaIVZffny4qYOc/rXDXDSfF2b+
303lLPI43y9qoe0oyZ1vtk/UKG75FkWfFUogGNbpOkuz+et5Y0aIEiyg0yh6/l5Q
5h8+yom0HZnREHhqieGbkaGKLkyu7zQ4D4tRK/mBhd8nv+09GtPEG+D5LPbabFVx
KjBMP4Vp24WuSUOqcGSsURHevawPVBfgmsxf1UCjelaIwngdh6WfNCRXa5QQPQTK
ubQvkvXONCDdhmdXQccnRX1nJWhPYi0onffvjsWUfztRypsKzX4dvM9k7xnIcGSG
EnCC4RCgt1UiZIj7frcCMssbA6vJ9naM0s7JF7N3VKeHJtqe1OCRHMYnWUZt9vrq
X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087
FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC
LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI
623cSEC3Q3UZutsEm/UplsM=
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
c7b282631d6fc19be1df6ebae9e2779e
6d9f097058a31c97f57f0c35526a44ae
09a01d1284b50b954d9246725a1ead1f
f224a102ed9ab3da0152a15525643b2e
ee226c37041dc55539d475183b889a10
e18bb94f079a4a49888da566b9978346
0ece01daaf93548beea6c827d9674897
e7279ff1a19cb092659e8c1860fbad0d
b4ad0ad5732f1af4655dbd66214e552f
04ed8fd0104e1d4bf99c249ac229ce16
9d9ba22068c6c0ab742424760911d463
6aafb4b85f0c952a9ce4275bc821391a
a65fcd0d2394f006e3fba0fd34c4bc4a
b260f4b45dec3285875589c97d3087c9
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----
</tls-auth>

3. Connect to VPN server

Now that we have installed OpenVPN and downloaded configuration files, its time to connect to the vpn server and start surfing.

The command is actually very short and simple:

sudo openvpn us-nyc.prod.surfshark.com_tcp.ovpn

The above command will connect to the vpn server specified in that particular configuration file using encryption keys and certificates. You will need to provide the username and password provided by Surfshark to connect to the vpn server. The same can be found in the Surfshark user dashboard.

On my system the output looks something like this

[email protected]:~/openvpn_config$ sudo openvpn us-nyc.prod.surfshark.com_tcp.ovpn
2023-01-05 19:09:22 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-01-05 19:09:22 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-01-05 19:09:22 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-01-05 19:09:22 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Enter Auth Username: USERNAME
&#x1f510; Enter Auth Password: ************************
2023-01-05 19:09:53 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2023-01-05 19:09:53 NOTE: --fast-io is disabled since we are not using UDP
2023-01-05 19:09:53 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-05 19:09:53 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-01-05 19:09:53 TCP/UDP: Preserving recently used remote address: [AF_INET]37.19.199.214:1443
2023-01-05 19:09:53 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-01-05 19:09:53 Attempting to establish TCP connection with [AF_INET]37.19.199.214:1443
2023-01-05 19:09:54 TCP connection established with [AF_INET]37.19.199.214:1443
2023-01-05 19:09:54 TCPv4_CLIENT link local: (not bound)
2023-01-05 19:09:54 TCPv4_CLIENT link remote: [AF_INET]37.19.199.214:1443
2023-01-05 19:09:54 TLS: Initial packet from [AF_INET]37.19.199.214:1443, sid=ef975c9c 5f528167
2023-01-05 19:09:55 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
2023-01-05 19:09:55 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
2023-01-05 19:09:55 VERIFY KU OK
2023-01-05 19:09:55 Validating certificate extended key usage
2023-01-05 19:09:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-05 19:09:55 VERIFY EKU OK
2023-01-05 19:09:55 VERIFY OK: depth=0, CN=us-nyc-v085.prod.surfshark.com
2023-01-05 19:09:55 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
2023-01-05 19:09:55 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2023-01-05 19:09:55 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
2023-01-05 19:09:55 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-05 19:09:55 [us-nyc-v085.prod.surfshark.com] Peer Connection Initiated with [AF_INET]37.19.199.214:1443
2023-01-05 19:09:55 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-01-05 19:09:55 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.6_git)
2023-01-05 19:09:55 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-05 19:09:55 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2023-01-05 19:09:55 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2023-01-05 19:09:55 Socket Buffers: R=[131072->425984] S=[87040->425984]
2023-01-05 19:09:55 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-05 19:09:55 OPTIONS IMPORT: route options modified
2023-01-05 19:09:55 OPTIONS IMPORT: route-related options modified
2023-01-05 19:09:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-05 19:09:55 OPTIONS IMPORT: peer-id set
2023-01-05 19:09:55 OPTIONS IMPORT: data channel crypto options modified
2023-01-05 19:09:55 net_route_v4_best_gw query: dst 0.0.0.0
2023-01-05 19:09:55 net_route_v4_best_gw result: via 192.168.1.1 dev enp0s3
2023-01-05 19:09:55 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:f5:88:31
2023-01-05 19:09:55 TUN/TAP device tun0 opened
2023-01-05 19:09:55 net_iface_mtu_set: mtu 1500 for tun0
2023-01-05 19:09:55 net_iface_up: set tun0 up
2023-01-05 19:09:55 net_addr_v4_add: 10.7.7.2/24 dev tun0
2023-01-05 19:09:55 net_route_v4_add: 37.19.199.214/32 via 192.168.1.1 dev [NULL] table 0 metric -1
2023-01-05 19:09:55 net_route_v4_add: 0.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
2023-01-05 19:09:55 net_route_v4_add: 128.0.0.0/1 via 10.7.7.1 dev [NULL] table 0 metric -1
2023-01-05 19:09:55 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-05 19:09:55 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-05 19:09:55 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-05 19:09:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-01-05 19:09:55 Initialization Sequence Completed

Note that last line which says:

Initialization Sequence Completed

This indicates that connection to the openvpn server was established successfully and now we can use it to connect to internet.

To end the OpenVPN session (disconnect) just press Ctrl+c.

Once you are connected to the vpn, you can see the new network connection using the nmcli command:

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  02ca8777-82b9-36a1-993f-4ca7a62ea9cc  ethernet  enp0s3
tun0                f651b0fd-961a-41fe-961a-8d1c9354ff9d  tun       tun0
$

In the above output the "Wired connection 1" is the actual ethernet connection, whereas the tun0 is the openvpn connection. When you disconnect from the vpn by pressing Ctrl+c, the tun0 interface will be removed as well.

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  02ca8777-82b9-36a1-993f-4ca7a62ea9cc  ethernet  enp0s3
$

List of surfshark vpn servers

A complete list of surfshark vpn servers can be found at the following url:

https://surfshark.com/servers

According to the current stats they have over 3200 servers in 100 countries, which gives its users great coverage and options.

Tweak authentication

The openvpn command requires you to provide the username and password everytime by typing it. If you want to avoid this, then provide the login details using a simple text file.

Create password file to avoid copy pasting everytime.

nano pass.txt

Paste your username and password in 2 separate lines like below and save and close the file.

USERNAME
PASSWORD

Now run the openvpn command with the "--auth-user-pass" argument as follows:

sudo openvpn --config us-kan.prod.surfshark.com_tcp.ovpn --auth-user-pass pass.txt

So now you do not need to manually type the username/password everytime.

For using VPN profiles with NetworkManager on KDE, install the following package.
sudo apt-get install network-manager-openvpn

4. Check your public IP

After setting up the connection to the remove OpenVPN server its time to check our public ip address to see whether we are protected or not. To quickly check the ip address from command line, open the domain ifconfig.me using curl.

$ curl ifconfig.me

And it should show your public ip address which should be the same as ip address of the surfshark vpn server.

Alternatively just search google for "what is my ip" and you will get what you want.

5. Check Routes and Interface

OpenVPN re-routes all traffic through the vpn server it is connected to. It does this by creating a virtual network interface (NIC) and then changes the IP routing table in the operating system. It re-routes all traffic via this virtual nic, except the one destined to the vpn server (which is sent via the real nic connected to internet).

The ifconfig command will show this virtual network interface as follows:

$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.92  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::f59d:aac5:7a7f:48ee  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f5:88:31  txqueuelen 1000  (Ethernet)
        RX packets 1343093  bytes 1432484283 (1.4 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1058525  bytes 900333007 (900.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4635  bytes 1211480 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4635  bytes 1211480 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.5  netmask 255.255.255.0  destination 10.8.8.5
        inet6 fe80::89fd:29b7:d3fc:8097  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 396  bytes 186455 (186.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 496  bytes 119663 (119.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$

In the above output tun0 is the virtual network interface created by openvpn whereas enp0s3 is actual ethernet card.

The same can be checked with the "ip a" command. If you run "ip a" command you shall see an entry named tun0:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f5:88:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.92/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s3
       valid_lft 84966sec preferred_lft 84966sec
    inet6 fe80::f59d:aac5:7a7f:48ee/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.7.7.2/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6c66:4595:5883:771/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
$

The tun0 is the gateway of the SurfShark VPN.

Now that we have checked the network interface, lets take a look at the ip routing table which shows the gateway as well.
Here are a bunch of commands that can be used to check the routing table and gateway.

  • route -n
  • netstat -rn
  • ip r
  • ip route show

The output of route and netstat commands will look similar, whereas the ip command output looks different. Lets check these.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
74.80.182.87    192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
$

Note the first line for destination "0.0.0.0".

0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun0

This line tells the kernel to route all ip traffic via 10.8.8.1 (tun0) which is the virtual network interface created by OpenVPN.

Check another line:

74.80.182.87    192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3

This line tells that all traffic destined to "74.80.182.87" (the remote VPN server) should be routed via 192.168.1.1 (enp0s3) which is the real ethernet interface connected to the internet.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.8.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp0s3
10.8.8.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
74.80.182.87    192.168.1.1     255.255.255.255 UGH       0 0          0 enp0s3
128.0.0.0       10.8.8.1        128.0.0.0       UG        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s3
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
$

The same when done with the "ip r" or "ip route show" command:

$ ip r
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.1.1 dev enp0s3 proto dhcp src 192.168.1.92 metric 100
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.3
74.80.182.87 via 192.168.1.1 dev enp0s3
128.0.0.0/1 via 10.8.8.1 dev tun0
169.254.0.0/16 dev enp0s3 scope link metric 1000
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.92 metric 100
$

OpenVPN Log Files

By default openvpn outputs all messages to the same terminal where it is being run from. In case of any errors you can always check the messages for diagnostic information.

If you want to log messages from openvpn to a specific file use the "--log-append" option as follows:

sudo openvpn --config us-kan.prod.surfshark.com_udp.ovpn --auth-user-pass pass.txt --log-append ~/openvpn.log

The above command will log all openvpn output in the home directory. The verbosity of the logging can be set with the "--verb" option 0-11. 0 being the lowest and 11 being the highest.

sudo openvpn --config us-kan.prod.surfshark.com_udp.ovpn --auth-user-pass pass.txt --log-append ~/openvpn.log --verb 3

Default verbosity level is 3.

IP/DNS Leak Test, Speed Test

After setting up surfshark vpn it is very important to check that you are fully protected and getting the best speed.

For privacy protection we need to check ip and dns leak test results. It is very simple. Just go to the following site: https://ipleak.net/

The page would immediately show your visible public ip address and the dns servers that your computer is connecting to. Both the IP address and DNS servers should be different from the ones being used by your isp.

A common problem with vpn services is dns leak, where the system actually is able to connect to isp dns servers directly.

Ping Speed Test

The next thing to test is the speed. After setting up surfshark you want to make sure that you are getting optimal download speed. The best way to check this is with the Ookla speedtest.net tool.

https://www.speedtest.net/

File download test

Or you can google for "test file download" and find some dummy large file that can be downloaded to test download speed. With this method you get a more accurate measurement of the download speed. For example I am using this site: https://speed.hetzner.de/. It got files of 100 MB, 1GB, 10GB.

$ wget https://speed.hetzner.de/100MB.bin

Now as wget completes the download it will report the overall download speed. This would give a proper measurement of the download speed.

Browser Extensions

Surfshark extensions for both chrome and firefox. Its a good option if you do not want to use vpn for all traffic on your system, but only when browsing few sites.

The chrome extension also makes it very quick and easy to connect to and change vpn servers with a single click. With openvpn if you have to run a command from a terminal every time.

The surfshark browser extension does not protect you as good as the openvpn or client app setup. Any traffic outside the browser will not use the vpn. Moreover the browser will suffer dns leaks as it is will only use surfshark as a proxy.

Search google for "surfshark chrome extension" or visit the following url:

https://chrome.google.com/webstore/detail/surfshark-vpn-extension/ailoabdmgclmfmhdagmlohpjlbpffblp

The chrome extension requires the surfshark account username and password to login.

Note: Do not activate both openvpn and surfshark chrome extension simultaneously, otherwise you would establish a dual vpn route to internet. It would look something like You system -> openvpn vpn server -> chrome extension vpn server -> internet. This would make it slow.

How does Surfshark chrome extension work ?

Browsers do not support any kind of vpn technologies. Therefore the surfshark chrome extension does not really use establish a vpn connection. It connects to the same server as openvpn, but uses the HTTPS proxy protocol instead.

The speed when using chrome extension is also very good, similar to openvpn udp mode. This makes it an effective option for proxy.

Conclusion

OpenVPN is one of the many vpn technologies available out there. Other popular vpn technologies include WireGuard and IkeV2/IPSEC.

Surfshark supports all 3 major technologies. namely OpenVPN, WireGuard and IPSec(IKEv2).

If you have any questions do let us know in the comments below.

References:

Here are some useful links and resources that were used in the development of this article.

https://askubuntu.com/questions/947178/how-can-i-find-the-default-gateway-of-a-machine
https://stackoverflow.com/questions/38869427/openvpn-on-linux-passing-username-and-password-in-command-line
https://support.surfshark.com/hc/en-us/articles/360011051133

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *