Mikrotik WireGuard setup for Proton VPN

Hi, I'm a noob and I'm trying to configure my MikroTik hAP ac2 router to be a VPN client using the WireGuard VPN protocol for Proton VPN. After I use the commands from the Proton VPN MikroTik router setup tutorial, my router stops responding and the internet is not working any more.

My setup:
I have a MikroTik hAP ac2 (RouterOS v7.3.1) connected via ethernet cable to the router from my Internet Provider.

Instructions that I use:
I have the setup instructions and a WireGuard configuration file from the Proton VPN web page.

Setup instruction: https://protonvpn.com/support/wireguard-mikrotik-routers/

My WireGuard configuration:
[Interface]

Key for MikroTik Germany (via Switzerland)

NetShield = 1

Moderate NAT = off

VPN Accelerator = on

PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]

CH-DE#1

PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 185.159.157.184:51820

What I do:
I use the following commands to configure my router:

Route all internet traffic through a VPN server:
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

Create WireGuard configurations:
/interface/wireguard/add name=protonwg01 private-key="" comment="ProtonVPN interface"
/interface/wireguard/peers/add endpoint-address=185.159.157.184 endpoint-port=51820 public-key="" allowed-address=0.0.0.0/1,128.0.0.0/1 interface=protonwg01
/ip/address/add address=10.2.0.2/32 interface=protonwg01
/ip/dns/set servers=10.2.0.1 allow-remote-requests=yes
/routing/table/add name=protonvpn_wg fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg01 comment="ProtonVPN Wireguard default route"
After the last command my router stops responding and the internet stops working. I can't access the router web interface at http://192.168.88.1 any more. In order to access the router I need to press the physical reset button on the router to set it back to default.

I would very much appreciate it if anyone could help me solve my problem.

Add one more match condition, dst-address-type=!local, to the action=mark-routing rule and you should be good. The Proton instructions don't yet take into account the recent surprising changes implemented by Mikrotik.

I personally would NOT follow Proton VPN's suggestions for MT; I would follow MT's advice and that of the folks here for setting up WG with Proton.

To do so successfully, you need a clear idea of what you would like to accomplish vis-a-vis use cases.
How many users or groups of users (devices or groups of devices) do you have?
What would you like the users to be able to do and not be able to do…

It may be as simple as "I have two LANs and one LAN I want to use through WireGuard for all internet."
It may be as simple as "I have a firewall address list of users that I want to go through WireGuard for internet."
It may be as clear as "for certain public IPs I want to go through Proton VPN"…

Without knowing the use cases designing a config is not possible.
The actual parameters of wg are not complicated.
Assuming proton gave you
a. an endpoint address to connect to
b. an endpoint port to connect to
c. a wireguard public key to put in your MT peer settings for proton VPN.
d. they may request a public key from your MT to put in their peer settings, but most don't.
e. a WireGuard IP address; this is in the form of a single IP address or a subnet, and most probably give out a single IP.

Based on your requirements and what Proton gave you/asks for, the config can be put together fairly easily.
In my opinion, you should try to avoid mangling if possible. This could be as simple as one specific IP route and many route rules…
Again, your requirements will point to the optimal solution.

Unfortunately this doesn’t help.

In that case, enter all commands (including my modification) except the last one (/ip/route/add …), then post the file you obtain using the /export file=somefilename command (see my automatic signature below for obfuscation hints).

I hope this export file helps better than my novels)))
exportfile001.rsc (7.29 KB)

Well, maybe "doesn't help" is too broad a description? Adding dst-address-type=!local to the rule should have fixed the issue that you could not configure your router any more. Did it or not? Because there is yet another missing item, which prevents internet access via the tunnel, but it has nothing to do with managing the router itself.

Hint, before adding the route, store a backup of the configuration into a file whose name starts with flash/. If you have to reset the router configuration to factory default, you’ll be able to restore it, instead of setting it up manually from scratch.

If you use Winbox, you can also connect to the MAC address of the router rather than its IP address, so whatever you break in the IP part doesn't prevent you from configuring it.

Also "safe mode" helps - enter safe mode before adding the route, and if you lose access to the router by adding it, the configuration will roll back to the one before safe mode was activated (well, at least it should, therefore the backup still makes sense).

You should also provide a network diagram.

Comments on your config…
(1) If you want to allow users to go out Proton VPN then
0.0.0.0/0 makes sense, as this will permit all outgoing internet traffic to enter the tunnel to Proton! (As sindy noted, you should have fixed this; why is the /1 still there??)

(2) Also what is the purpose of this entry 128.0.0.0/1 ???
0.0.0.0/0 includes all entries so NO OTHERS ARE REQUIRED!!

(3) As for the IP address, I would state it in proper notation, like so…
From
/ip address
add address=10.2.0.2 interface=protonwg01 network=10.2.0.2

TO
add address=10.2.0.2/24 interface=protonwg01

(4) Why does your DNS server setting do this?
/ip dns
set allow-remote-requests=yes servers=10.2.0.1 ??
Just ensure you have something like 1.1.1.1 or 9.9.9.9 which is usable through the local router or far-site internet provider.
Unless there is something I don't know about the limitations of third-party VPN providers???

(5) What is the purpose of the firewall address list??
/ip firewall address-list
add address=192.168.88.0/24 list=under_protonvpn
???

Remember there is no point in making a firewall address list of a single subnet, especially if it's the only one behind the router.
A firewall address list is really suited for something less than a full subnet, like a subset of IPs of a subnet, or picking various IPs across subnets, or a mix of various IPs with anything else such as whole subnets.
Otherwise simply use the address of a subnet or its interface name, etc.…

src or dst address=192.168.88.0/24
in-interface=bridge etc…

(6) Missing source nat rule for proton VPN to accept your local traffic. Anything other than 10.2.0.2/32 will be rejected!!

IN CONCLUSION YOU DON'T NEED MANGLING or anything complicated.

(7) Remove the following
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=protonvpn_wg passthrough=yes src-address-list=under_protonvpn

(8) ADD to source NAT the following
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=protonwg01

Another option is to make protonwg01 part of the WAN interface list, and then it would be auto-included in the existing first rule… up to you.
I prefer to state it explicitly myself.


(9) Missing keepalive settings; anywhere around 40 seconds is good on your WireGuard peer settings.

(10) Lastly lets look at routes info…

WELL WTF you have no routes info??
The only thing I see is the following
/routing table
add fib name=protonvpn_wg

So typically, if you have enabled the default route in your IP DHCP client setting, this would equate to (which is not visible in the config for some reason)
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgateway routing-table=main

So you need to add
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=protonvpn_wg

and one final entry is the Route Rule to match the existing table.
/routing rule add src-address=192.168.88.0/24 action=lookup table=protonvpn_wg

In this regard, if the tunnel is up users will go through Proton; if it is not up, they will go to the main table and pick up the local WAN.
If you never want users to go out the local WAN, then change the setting to lookup-only-in-table.

Hello, new to RouterOS, and just stumbled upon this thread. I tried following ProtonVPN's instructions, and like the OP, ran into the same issue. My setup is USB tether from an Android phone to a hEX RB750Gr3. I plan to hook up an access point later, but am trying to get everything else working first. I managed to set mangle to change the TTL value, which seems to be working correctly, so my last remaining issue is setting up ProtonVPN… I read through the suggestions in this thread, and my lack of experience and understanding have kept me from implementing them. What about the last step kills my working LTE WAN setup, and what can I do instead (in the simplest terms possible =P)?

Rob

Command line:
Setup Interface
/interface/wireguard/add name=protonwg00 private-key="" comment="ProtonVPN interface"
Add peer
/interface/wireguard/peers/add endpoint-address=<endpoint_address> endpoint-port=51820 public-key="<public_key>" allowed-address=0.0.0.0/0 interface=protonwg00
setup Ip Address for interface
/ip/address/add address=10.2.0.2/30 interface=protonwg00
Keep DNS as a public DNS for now; we will tweak it to the ProtonVPN DNS later
/ip/dns/set servers=1.1.1.1 allow-remote-requests=yes
add new routing table
/routing/table/add name=protonvpn_wg fib
add default route for the new routing table
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg00 comment="ProtonVPN Wireguard default route"
(Note: the above setup is best done via the command line (preferred over Winbox). Also, if you mess up the configuration later, it's better to use a new interface name than to try to reconfigure with the same interface name.)
Reboot Router.
Once it reboots, check the logs. You should see that RouterOS has detected that protonwg00 has internet, and protonwg00 will be added to the WAN interface list dynamically (/interface/list under Winbox).
This means that the ProtonVPN interface is working correctly.

Next we need to move traffic into the tunnel.
use /routing/rule (in Winbox or the command line) to make specific traffic use the protonvpn_wg routing table (which in turn is set up to use the VPN connection as its default route)
ex: /routing/rule/add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=<LAN1/VLAN1 example> action=lookup-only-in-table table=protonvpn_wg

Now, to send DNS traffic to the ProtonVPN DNS, use /ip/firewall/nat to add a rule with action=dst-nat (for protocol udp, port 53 and your interface list, e.g. LAN, as your criteria for VPN DNS traffic), with the IP 10.2.0.1 (the DNS of ProtonVPN) and port 53.
You can add one rule for tcp too.

That's it. This will push all traffic matching the above criteria into the tunnel, and DNS traffic to the ProtonVPN DNS.
The above type of configuration gives you the flexibility to push only certain traffic (defined by you) to the VPN tunnel and the rest via the ISP.

Check the public IP of a device in LAN/VLAN1 and it will show up as the ProtonVPN IP.
Check ipleak sites and you should see the ProtonVPN IP again (not your ISP DNS or 1.1.1.1; if you see the ISP DNS then under /ip/dhcp-client uncheck 'use-peer-dns' for the WAN connection).

Does Proton provide a private key for you to use in the WG interface?
If not, then Proton will need the public key generated from the private key provided by the MT router.

Yes, Proton provides the private key. Here is sample information generated by ProtonVPN:
[Interface]

Bouncing = 0

NetShield = 2

Moderate NAT = off

NAT-PMP (Port Forwarding) = off

VPN Accelerator = on

PrivateKey =
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]

US-NY#19

PublicKey = <>
AllowedIPs = 0.0.0.0/0
Endpoint = :51820

/interface bridge
add admin-mac=DC:2C:6E:5F:1C:87 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-5F1C8B wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-5F1C8C wireless-protocol=802.11
/interface wireguard
add comment="ProtonVPN interface" listen-port=60085 mtu=1420 name=protonwg01

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireguard peers
# endpoint-address: whatever endpoint address Proton provides
add allowed-address=0.0.0.0/0 endpoint-address=protonServerIP endpoint-port=51820 interface=protonwg01 public-key="***/KLlMHc=" persistent-keepalive=30s
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.2.0.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=protonwg01
add action=dst-nat chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-address=10.2.0.1
add action=dst-nat chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-address=10.2.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgateway_IP routing-table=main
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add dst-address=192.168.88.0/24 action=lookup table=main
add src-address=192.168.88.0/24 action=lookup table=protonvpn_wg

set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Notes

  1. Unsure whether the WAN IP includes a default route or not. I assumed not and thus manually entered a main table route.

I just got an answer from ProtonVPN, see below.
"We would like to note that our team is already aware of this specific behavior happening on some Mikrotik routers and they are already working on updating our official guide. However, at this point, we will be unable to share any specific time frame for that to happen.

In the meantime, please make sure to try setting up your Wireguard connection using the instructions below:"


/interface/wireguard/add listen-port=13231 mtu=1420 name=wireguard-inet private-key="<YOUR PRIVATE KEY>"
/ip/address/add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface/wireguard/peers/add allowed-address=0.0.0.0/0 endpoint-address=<YOUR ENDPOINT IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="<YOUR PUBLIC KEY>"
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip/route/add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no dst-address=<YOUR ENDPOINT IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip/dns/set servers=10.2.0.1
/ip/dhcp-client/set 0 use-peer-dns=no

I have tested it and it works. Does anyone have any input on the configuration?
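As an added example (not from the thread, and not Proton's or MikroTik's code), a small Python script that reads the .conf file Proton generates and emits the command set from the instructions above, deriving the /30 tunnel address, the 10.2.0.1 gateway and the endpoint host route from the file itself. The sample config, its dummy keys, the LAN subnet, the WAN interface and the interface name are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape Proton generates; the keys are dummies.
SAMPLE_CONF = """\
[Interface]
Key for MikroTik Germany (via Switzerland)
NetShield = 1
PrivateKey = PRIVATE-KEY-PLACEHOLDER=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
CH-DE#1
PublicKey = PUBLIC-KEY-PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 185.159.157.184:51820
"""

# Only real WireGuard keys are kept; "NetShield = 1" style lines are skipped.
WANTED = {"PrivateKey", "Address", "DNS", "PublicKey", "AllowedIPs", "Endpoint"}


def parse_proton_conf(text):
    """Return {section: {key: value}} for the [Interface] and [Peer] blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key in WANTED:
                sections[current][key] = value
    return sections


def routeros_commands(conf, lan="192.168.88.0/24", wan_if="ether1", name="wireguard-inet"):
    """Render Proton's updated command set; RouterOS defaults such as distance=1,
    scope=30 and target-scope=10 are left implicit."""
    iface, peer = conf["Interface"], conf["Peer"]
    # Proton lists the client as a /32, but the tunnel is a /30 whose first
    # host (10.2.0.1 here) is the gateway the two /1 routes point at.
    tunnel = ipaddress.ip_interface(iface["Address"].split("/")[0] + "/30")
    gateway = str(tunnel.network[1])
    host, port = peer["Endpoint"].rsplit(":", 1)
    ipaddress.ip_address(host)  # Proton gives a literal IP; a hostname raises here
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad endpoint port {port!r}")
    return [
        f'/interface/wireguard/add listen-port=13231 mtu=1420 name={name} private-key="{iface["PrivateKey"]}"',
        f"/ip/address/add address={tunnel} interface={name} network={tunnel.network.network_address}",
        f"/interface/wireguard/peers/add allowed-address=0.0.0.0/0 endpoint-address={host} "
        f'endpoint-port={port} interface={name} persistent-keepalive=25s public-key="{peer["PublicKey"]}"',
        # Without masquerade the far end only accepts packets from the /32 it assigned.
        f"/ip/firewall/nat/add action=masquerade chain=srcnat out-interface={name} src-address={lan}",
        # Two /1 routes win over the ISP default route without deleting it ...
        f"/ip/route/add dst-address=0.0.0.0/1 gateway={gateway} routing-table=main",
        f"/ip/route/add dst-address=128.0.0.0/1 gateway={gateway} routing-table=main",
        # ... and the endpoint itself stays on the ISP path, or the tunnel would
        # try to send its own encrypted packets into itself.
        f"/ip/route/add dst-address={host}/32 gateway=[/ip dhcp-client get [find interface={wan_if}] gateway] routing-table=main",
        f"/ip/dns/set servers={iface.get('DNS', gateway)}",
        f"/ip/dhcp-client/set [find interface={wan_if}] use-peer-dns=no",
    ]


if __name__ == "__main__":
    print("\n".join(routeros_commands(parse_proton_conf(SAMPLE_CONF))))
```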

fwiw, i just setup the same configuration, with immediate success.
One change made: my router has a fixed WAN IP address, instead of

[/ip dhcp-client get [find interface=ether1] gateway]

The setup seems (..) quite responsive, better than the previous ProtonVPN instructions (and some variations of those).

Hello everyone!
I'm trying to set up a Mikrotik hAP ac2 to work over my paid Proton VPN.
I read this page through and can't get it working.

Applied following commands in terminal:

/interface wireguard add listen-port=13231 mtu=1420 name=wireguard-inet private-key=""
/ip address add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=149.22.94.1 endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="PbK"
/ip route add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=149.22.94.1/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no

Sites do not open with this config,
However using this config Windows Proton CAN connect to the same server USGA210 via Mikrotik.
That's strange! Why can Proton connect, while other sites cannot?

Please help!

post your config
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys )

Please provide the setup instructions you were given (without the keys), as in post #14 above.
Also, did they provide a DNS IP to use?

Please see config attached.
I have copy-pasted instructions from post #14, replacing Endpoint, Public, and Private keys.

I guess something is wrong in attached config …

Before attempting to set up WireGuard,
I erroneously restored some .rsc file which bricked the router.
After that I had to use Netinstall to make it load.

Thanks a lot!
hap-ac2-config-2.rsc (8 KB)

(1) Would remove this default setting…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(2) Don't really need the source address on this rule, but no harm.
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24



ROUTES ARE COMPLETELY BIZARRE.

(3) Don't need to create this route manually, due to the fact it's already made when you entered an IP address for the WireGuard network. Remove it.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

(4) No idea why this route is even in your config; remove it as well.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

(5) MISSING IS YOUR ISP MAIN TABLE ROUTE ???

(6) Why do you have duplicates of this rule… what is its purpose?? Remove both of them; they are bogus.
add disabled=no dst-address=149.22.94.1/32 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no

++++++++++++++++++++++++++++++++++++++++
What you need is

a. Main table route for ISP; this may not be shown because you have selected default-route=yes in the IP DHCP client settings. Please confirm.
If not, then you need the following
/ip route
add dst-address=0.0.0.0/0 gateway=ISP-gateway-IP routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON

Then you need routing rules
/routing rule
add min-prefix=0 action=lookup-only-in-table table=main comment="allow local traffic"
add src-address=192.168.88.0/24 action=lookup table=usePROTON comment="forces subnet into tunnel"

Then report back to see what is happening.
If not quite working then add this additional work.

To be on the safe side for DNS… assuming PROTON has provided a DNS IP…
/ip route
add dst-address=proton-dns-ip gateway=wireguard-inet routing-table=main

/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-address=proton-dns-ip
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-address=proton-dns-ip

Note: If the WireGuard tunnel is not working (gets broken) then you will need to disable the two dstnat rules. There is a way to automate this and I'm working on it.
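As an added example (not from this thread), a simplified Python model of RouterOS v7 routing rules and tables, to show how the two rules above, and the earlier remark in this thread about lookup versus lookup-only-in-table, behave while the Proton tunnel is up or down: action=lookup quietly falls back to the ISP when the tunnel route is unusable, lookup-only-in-table drops the traffic instead. The tables and the min-prefix=0 semantics ("only when main has a route more specific than the default") are modelling assumptions, and the gateway names are constructed.

```python
import ipaddress


def best_route(table, dst):
    """Longest-prefix match in one table of (prefix, gateway) pairs; None if nothing matches."""
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def decide(tables, rules, src, dst):
    """Walk the rules in order like /routing/rule and return the gateway chosen."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in ipaddress.ip_network(rule["src"]):
            continue
        # Modelling assumption: min-prefix=N fires only when the main table's best
        # match is longer than /N, so min-prefix=0 excludes the default route and
        # is what keeps LAN-to-LAN traffic out of the tunnel.
        if "min_prefix" in rule:
            main_hit = best_route(tables["main"], dst)
            if main_hit is None or main_hit[0].prefixlen <= rule["min_prefix"]:
                continue
        hit = best_route(tables.get(rule["table"], []), dst)
        if hit is not None:
            return hit[1]
        if rule["action"] == "lookup-only-in-table":
            return "unreachable"  # no fallback: the packet is dropped (kill switch)
        # action=lookup with no usable route falls through to the next rule / main
    hit = best_route(tables["main"], dst)
    return hit[1] if hit else "unreachable"


def tables(tunnel_up):
    """Constructed tables: the usePROTON default route is only usable while the
    tunnel is up (RouterOS marks it inactive when the interface is down)."""
    return {
        "main": [("192.168.88.0/24", "bridge"), ("0.0.0.0/0", "isp-gateway")],
        "usePROTON": [("0.0.0.0/0", "wireguard-inet")] if tunnel_up else [],
    }


def egress(action, tunnel_up, src, dst):
    """Apply the two rules from the post above, with the given action on the second."""
    rules = [
        {"min_prefix": 0, "action": "lookup-only-in-table", "table": "main"},
        {"src": "192.168.88.0/24", "action": action, "table": "usePROTON"},
    ]
    return decide(tables(tunnel_up), rules, src, dst)


if __name__ == "__main__":
    for action in ("lookup", "lookup-only-in-table"):
        for up in (True, False):
            state = "tunnel up" if up else "tunnel down"
            print(f"{action:22} {state:12} -> {egress(action, up, '192.168.88.10', '1.1.1.1')}")
```

With the tunnel down, only lookup-only-in-table keeps LAN clients from silently reaching the internet through the ISP; the min-prefix rule still lets them reach 192.168.88.0/24 either way.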

The tutorial works perfectly! Thanks! I was looking for a tutorial for WireGuard ProtonVPN on my Mikrotik with a PPPoE connection. It turns out it takes just these steps:

set WG → set routing table → set routing rule → set IP route.

No need to set firewall mangle, NAT, etc.