I would like to configure ProtonVPN on my CCR2004 router. Does anyone have experience with this?
Second, how do I structure a bridge so that the VPN is active on the few port on that bridge?
My experience setting this up on Linux has been problematic to say the least so I want to eliminate that from the chain and put the VPN on the router directly. I have other machines that can use the VPN so I figure this is the most direct approach.
If its wireguard VPN, piece of cake.
Unfortunately, no.
I made some progress via, but it has errors. Fix ipsec adds with group=ProtonVPN, its misspelled and it breaks a few rules otherwise.
https://protonvpn.com/support/vpn-mikrotik-router/
This guide is rather poor for a scientific community.
I have the VPN for what I can see is installed, and all home internet works.
I targeted 1 PC as a test, and that PC connects via RDP, and I can ping 8888 in a terminal, but cannot resolve any addresses via browser.
This is the rule mentioning that PC I am testing:
/ip firewall address-list add address=10.1.1.240 list=under_protonvpn
I see no errors in the log. Can anyone think of why this PC, which looks to be getting influenced by the VPN now, cannot resolve any addresses? Why can’t it see DNS?
Do you mean this?
https://protonvpn.com/support/wireguard-mikrotik-routers/
From reading it, its more or less the same. I do see mention of DNS in it, though. I would hesitate to back out what I have already done unless there is a fundamental error I have made.
It has the same confusing part at the bottom. It does not explain this in a way I get: "Remove the two FastTrack rules (the default rule and dummy rule). To do this, enter the following command twice, using the numbers shown then you listed all the firewall rules. "
This person has the same issue.
http://forum.mikrotik.com/t/protonvpn-configuration-question-fastrack-dns/156490/1
Also DNS issues. Its not clear how this static DNS mentioned was set. Anyone know?
Two suggestions to get help.
Many use notepadd++ to open the export file and paste it here. Note, also use the code quotes black square with white square brackets on the same line with bold, Italica, underline etc…
Here is the config, but its after my best attempt at removing the protonvpn connection, I was starting to get hell from everyone at the house for hosing up the internet over and over all day. Any help getting past this would really be appreciated.
Boiled down, I have 2 problems:
Is this config clean and I can try again with the WireGuard version and see if it works?
Second problem is all of these examples are limiting IP addresses, this is not really what I care about. I want the VPN to only use port5, for example. From port5, I have a switch that directs only vpn traffic to the internet and back, and whatever is connected to port5 is automatically in the VPN grouping, is this wish flawed for some reason?
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
add
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94:83:C4:20:B9:77 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.1.2.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0
template=yes
/system clock
set time-zone-name=
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
This post has a similar situation, Proton support got involved
http://forum.mikrotik.com/t/mikrotik-wireguard-setup-for-protone-vpn/159161/1
Here is the config discussed, but to try it:
/interface/wireguard/add listen-port=13231 mtu=1420 name=wireguard-inet private-key=“"
/ip/address/add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface/wireguard/peers/add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="”
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip/route/add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no dst-address=/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip/dns/set servers=10.2.0.1
/ip/dhcp-client/set 0 use-peer-dns=no
I am not sure what the ether1 route being added is.
Can I define my own “ether1” as the port I want to be for VPN only? For example ethernet port 5 on the router, in which case I would define ether5 as an interface? And anything on that port will be vpn, so then the 0.0.0.0 for ether5. Or is ether1 in the context above defining the internet connection?
I get the family up in arms bit!!
Will look at your config tomorrow… late here was out tonight.
I tested the Wireguard config and it seems to configure, but I see no evidence of a VPN connection anywhere. I followed the Proton guide as closely as I could.
Here is the updated config. Do you see anything obvious amiss?
\
/interface bridge
add name=bridge1
/interface wireguard
add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01
/interface list
add name=WAN
add name=LAN
add
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/1,128.0.0.0/1 endpoint-address=*********
endpoint-port=51820 interface=protonwg01 public-key=
"*******************************"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/30 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address= server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=
under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_wg
passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=
1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0
gateway=protonwg01 routing-table=protonvpn_wg
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
Okay I will assume proton vpn setup gave you some information. Have to guess because info not supplied.
Now to review config…
There are three areas to focus on getting wireguard right, allowed IPs, firewall rules, IP routes.
(7) The IP address from them should work fine and should provide the correct IP Route.
You can confirm this by seeing if the router created the automatic IP route for the address in your IP ROUTES.
should look like
dst-address=10.2.0.0/0 gwy=protonwg01 table=main
(8) You do not want to modify and change the /IP DNS settings that are for the LOCAL ROUTER.
You should only change the DHCP-SERVER NETWORK settings…
Should look like:
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 etc…
(9) Great rules, now because of the drop rule, all is good, everything is dropped.
Thus you need to add a rule for allowed traffic
See below:
add action=accept chain=forward comment=“allow internet” in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow Subnet into tunnel” '
src-address=10.1.0.0/16 out-interface=protonwg01
add action=drop chain=forward comment="Drop all else"
(10) I noted you are mangling traffic and its not clear why??
REMOVE all the mangling. THe only thing being mangled is a NON existent subnet 192.168.88.0/24 ???
We can move users out the wireguard interface WITHOUT mangling!!
(11) On the input chain rule you allow everyone access to the router and then you have rules allowing the same folks to port 53 tpc/udp.
Tell me if you actually think those rules will actually be matched, if they have already matched them on the allow all rule already…aka redundant.
The reason is that the first rule is supposed to limit full access to the admin only and the next two rules to everybody for needed DNS services for example.
However the first rule allows everyone.
I dont know why you made the source address list as you could already use existing structures.
src-address=10.1.0.0/16 or in-interface=bridge1
In any case, suggesting to be consistent in approach the following rule:
add chain=input action=accept in-interface-list=LAN src-address-list=AdminAccess
Where AdminAccess is a firewall address list of IPs (make static DHCP leases ) like so:
add ip-address=admin-desktop_IP list=AdminAccess (wired)
add ip-address=admin-laptop_IP list=AdminAccess (wired)
add ip-address=admin-laptop_IP list=AdminAccess (wifi)
add ip-address=admin-iphone/ipad_IP list=AdminAccess (wifi)
In any case not the main issue and you just may want to leave it for testing…
(12) I see you are trying a mangling rule for MTU manipulating. Any particular reason you elected to do this before getting everything else working right?
Is it something proton suggested? Lets leave this off for now DISABLE IT, until we get to that point for finesse IF it proves to be an issue.
(13) MISSING SOURCE NAT RULE
Remember proton gave you really one IP address and thus all the users on your local subnet will be rejected at the other end as source addresses.
Thus you need to add:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
(a cool tip, you can have the same effect if you add the protonwg01 interface to the WAN interface list as a member and modify your one rule to
add action=masquerade chain=srcnat out-interface-list=WAN
(14) Your additional route to take your local subnet users and force them out the wireguard tunnel is excellent.
You also have the required table setup. What is MISSING is a ROUTING RULE;
/routing rule add src-address=10.1.0.0/16 action=lookup table=protonvpn_wg
Note: If you NEVER want your users to be able to get local internet, even if the wireguard tunnel is not working then change action to action=lookup-only-in-table
++++++++++++++++++
With mangling removed dont forget to put the fastrack rule back into the forward chain as first entry.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
They did, excuses. It didn't cross my mind to post it.
I am looking at your post now, in the mean time here is the Proton supplied config:
[Interface]
PrivateKey = ************
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
PublicKey = ************
AllowedIPs = 0.0.0.0/0
Endpoint = 89.**********:51820
The one part I was remiss to mention is that on the Router Peer Settings ( since you are client ) you need to add persistent-keep-alive=35 secs ( any time will do )
+++++++++++
Regarding the proton settings,
(1) Seem standard for the most part, you use the private key they have provided, for the creation of your wireguard interface, is probably the hardest step to fathom.
(2) These settings, have nothing for you to do on the Mikrotik............
(3) Okay they didnt give you a /30 but a /32 address.
In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.
++++++++++++++++++++
Once its clear you get a connection, then we can finesse MTU if required.
The point being? If they gave you /32, you should use /32, you won’t gain anything by using something else.
Thanks again. I have made the changes as you suggest to the best of my ability. This line…
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 etc…
You lost me here, what should be in the servers line?
Wireguard seems like it has no state or status to speak of, so how do I verify it is connected or configured correctly?
Internet at home is fine will all the modifications as you prescribe, but when I turn on the routing rule below, the internet stops immediately.
EDIT: after about 10 mins, internet stopped, reset config to previous but have this one saved
/routing rule add src-address=10.1.0.0/16 action=lookup table=protonvpn_wg
I have this disconnected at the moment
I will attach my latest config in the next post.
/interface bridge
add name=bridge1
add name=bridge2
/interface wireguard
add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01
/interface list
add name=WAN
add name=LAN
add
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0,128.0.0.0/1 endpoint-address=........
endpoint-port=51820 interface=protonwg01 public-key=
"<><>"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address=*** server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Subnet into tunnel"
out-interface=protonwg01 src-address=10.1.0.0/16
add action=drop chain=forward comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=
under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=
protonvpn_wg passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn disabled=
yes new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=
!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0
gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
You know because you have all the answers! LOL.
I have no confidence that a /32 Ip address will provide a proper IP router for wireguard but I do know that using a /24 will.
So I only recommend what I know works…
I am talking about an MT router client, and I would never use /32 for an IP address on an MT Router be it client or server, so I have no clues as to what happens setting it to /32.
At the end of the day, there is no harm in it, if it is not required and thus the user will have success regardless.
(1) you need to remove incomplete entries.
/interface list
add name=WAN
add name=LAN
add
add name=fVPN
(2) There is only one bridge you can remove the second one…
/interface bridge
add name=bridge1
add name=bridge2
As for the rest, you didnt change the allowed addresses as noted you still have two entries…
you didnt add persistent keep alive.
you didnt change allowed dns servers… Which is for the router, not for wireguard and I explained that already (as you noted you changed dns in the right spot) but you also kept the wrong one argg.
you added the fastrack rule at the end of the forward chain instead of as the first rule. On top of that you included the second rule, which was only meant to show WHERE to place the first rule so you have one rule out of place and the other is a duplicate.
You are stll mangling…
Routing rule disabled.
Not much more to add at this point.
I am breaking out my reply, as its becoming hard for me to follow.
I asked this question, what to add confuses me. Can you help clarify this?
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 etc…
You lost me here, what should be in the servers line?
As I wrote it, you can replace 1.1.1.1,9.9.9.9. with 8.8.8.8 for example.
Just a decent external DNS service with remote requests being allowed.
OK, I understand now, 1 or many. I will do my best with a new version of the config and post it, thank you for the help. I am going to leave out the firewall as you suggested and focus on getting the connection established correctly.