Port forwarding through Proton VPN?

I have successfully set up WireGuard using How to setup Proton VPN on MikroTik routers using WireGuard. The configuration file was created using How to download WireGuard configuration files with the NAT-PMP (Port Forwarding) option enabled.

Is there a way in RouterOS 7 to support port forwarding through Proton VPN?

Proton VPN recommends using WireGuard. However, I would consider using IKEv2 or OpenVPN if they can support port forwarding through Proton VPN.

NAT-PMP has nothing to do with MT.

So let's get the facts.
You have a third party VPN connecting your router (as a client) to the PROTON wireguard server.
Typically this is NOT for incoming originated requests; this is designed for sending some subnets or all subnets out the Proton site for internet instead of your local site.

Heck it even says that on their page…
You can set up Proton VPN on your MikroTik router so that all devices that connect to the internet through it are protected by Proton VPN.

By the way, its recommended setup is actually misleading, and I would request assistance so that you do it properly once all the network facts are known.
++++++++++++++++

So let's be clear on what you are asking.
YES, the MikroTik does port forwarding. It can take INCOMING!!! requests hitting the WAN IP of the router on specified ports, and direct them to LAN servers.
YES, the MikroTik can take incoming requests (coming from the Proton wireguard connection) and port forward them to local LAN servers.

/interface list member
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/ip firewall filter
# accept the dst-nat'd connections in the forward chain; this must sit above the drop rules
add chain=forward action=accept connection-nat-state=dstnat
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=serverport protocol=xxx to-addresses=ServerIP

The question you should be asking IMHO is → can remote users connect to PROTON which will then connect to you. The answer is probably NO. They are not built to handle multiple incoming users attempting to get to your router. They are built to accept your assigned IP address ONLY as a viable connection source and solely for outward connection from their site to the internet.

Similarly, the associated question is does PROTON provide the port forwarding capability at their site, and the answer is no.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You have to be clear on the requirements of your traffic flows and the tools and methods to accomplish them.
Proton or third party VPN has very little flexibility. If you have a few users, provide wireguard access to your router directly for them to your servers!

Thanks for the detailed reply. My apologies for the lack of clarity in my requirements. I have a hAP ax³ in my home connected to Virgin Media broadband. I have set up Proton VPN on your MikroTik router so that all devices that connect to the internet through it are protected by Proton VPN following the Proton VPN recommendations.

I have Home Assistant running on a system on my LAN. I would like to connect to it remotely using port 8123/tcp (this worked before I configured Proton VPN using WireGuard).

Useful to know. I will disable NAT-PMP in the configuration file.

Agreed.

Interesting observation! If the recommended setup can be improved then that would be very helpful.

The first YES is what I had working before configuring Proton VPN using WireGuard.
The second YES is what I aim to achieve.

I am using the Duck DNS integration to keep my public IP address up-to-date and Securing it using SSL/TLS and Let's Encrypt. For this to work my public IP address needs to be the 'Endpoint' from the WireGuard configuration file (it now is for outgoing traffic).

Apologies for my confusion over NAT-PMP. I saw Port Forwarding and thought it might be relevant. If any further clarification is required, please ask.

Just so I understand, you have a hAP ax3 that gets a public IP…
If so you don't need Proton VPN for incoming; you can use your own router with wireguard to let remote users access Home Assistant.
Even if it's not a public IP (behind an ISP router), if you can forward a port on the ISP modem/router to your hAP, you can run wireguard.
Even if you cannot forward a port you can run wireguard via BTH as an option.
PROTON is not required for what you are asking for in terms of a requirement for Home Assistant access.

Proton VPN won't do that for you.
If you still want Proton VPN to allow some users to go out to the internet via Proton, you can do both at the same time.

The hAP ax³ obtains a dynamic IP address from the upstream Virgin Media device. Before enabling the VPN, the Home Assistant system used the DuckDNS add-on to associate a public DNS name of the form .duckdns.org with this IP address and manage the Let’s Encrypt certificate used to secure the connection. This used port forwarding of port 8123/tcp for the remote connection (and port 80/tcp for the Let’s Encrypt challenge).

The WireGuard ‘Endpoint’ provides another public IP. As the outgoing connection from the Home Assistant system is via WireGuard it is this IP address that DuckDNS has used to associate with the public DNS name.

Agreed. Traffic to and from the Home Assistant system could be routed through the public IP address obtained from the upstream Virgin Media device. Other outgoing traffic could be routed through WireGuard.

I have a public IP.

Agree that a VPN isn’t required for a remote connection to the Home Assistant system (as noted before, it worked before I enabled a VPN).

The original question was about port forwarding through Proton VPN. I think you are saying that a remote connection originating from outside cannot be port forwarded through the VPN?

YES it can, just not through PROTON.
You could host a CHR on a VPS for example (cloud server) or Linux OS etc…
(1) All users would go directly to the public IP of the CHR vice your public IP to connect to a server.
(2) The CHR would then port forward that traffic INTO a wireguard TUNNEL
(3) The wireguard tunnel is between the CHR and the MT ROUTER, transparent to the users that are connecting via public IP to the CHR.

I personally don't like the idea of using any public IP for serving, and the CHR/VPS method is one way around that.
Another is using the container function with a Cloudflare Zero Trust tunnel, which uses a third party, so that's a personal choice, but it allows you to provide servers without exposing a public IP.

Sounds complicated! I suspect my requirements could be met without the need for involving additional cloud based resources.

The answer to my original question: Is port forwarding possible through Proton VPN using WireGuard on a Mikrotik router running RouterOS 7 to a downstream system? appears to be NO.

I think a solution might be Route all traffic to VPN (With exceptions). All outbound traffic is routed via WireGuard except for traffic originating from, in my case, the Home Assistant system which is routed directly to my ISP over, in my case, ether2. Other exceptions could be made for any destination addresses that fall foul of VPN blockers. However, I couldn’t see how exceptions were handled in that thread. Apologies if I have missed something obvious. I have little experience with firewalls and routers.

This doesn’t seem a particularly uncommon requirement for home users who wish to use a VPN and also be able to connect remotely to home automation or similar systems. Maybe a recipe for this would be useful?

My current thoughts are that two WANs could be used: one for direct connections via the ISP; the other for connection through WireGuard. My local addresses are from 192.168.199.0/24 and I was thinking that 192.168.199.2-192.168.199.247 would use WireGuard and 192.168.199.248/29 would be direct (and be suitable targets for port forwarding). Would it be possible to use something like this for routing?

  1. 192.168.199.0/25 => WireGuard
  2. 192.168.199.128/26 => WireGuard
  3. 192.168.199.192/27 => WireGuard
  4. 192.168.199.224/28 => WireGuard
  5. 192.168.199.240/29 => WireGuard
  6. 192.168.199.248/29 => direct (eg. homeassistant = 192.168.199.252)

Any exceptions based on destination address could be explicitly routed to the direct connection to avoid VPN blockers.

Is this a plausible approach? Or am I going in totally the wrong direction?

I would still be interested to know how the Proton VPN recommended setup is misleading. If it can be clarified then perhaps others and I wouldn't be misled?

Thanks again for the assistance.
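One way to build the two-WAN split described in the post above, as an added RouterOS 7 example that is not from this thread or from Proton's guide. It assumes the ISP-facing interface is ether2 with a DHCP client that installs the default route in the main table, the Proton tunnel is wireguard1 with the peer's allowed-address set to 0.0.0.0/0, the LAN is 192.168.199.0/24, Home Assistant is 192.168.199.252 inside the direct 192.168.199.248/29, and any default route via wireguard1 that the Proton guide placed in the main table has been removed. 203.0.113.0/24 is a placeholder for a destination that blocks VPN exit addresses.

```routeros
# Added example (not from the thread or Proton's guide). Assumes: ISP on ether2
# (DHCP client installs the default route in "main"), Proton tunnel on wireguard1
# with peer allowed-address=0.0.0.0/0, LAN 192.168.199.0/24, Home Assistant at
# 192.168.199.252. Any default route via wireguard1 that the Proton guide put in
# the main table must be removed first, or the "direct" exception never applies.

# A separate routing table whose only route is a default route into the tunnel.
/routing table
add name=via-proton fib

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-proton \
    comment="everything looked up in via-proton leaves through Proton"

# Routing rules are evaluated top to bottom; the first match chooses the table.
# lookup-only-in-table means "if this table has no usable route, drop" rather
# than falling back to main. For the LAN rule that is the kill switch: if the
# tunnel is down, LAN traffic does not silently leak out through the ISP.
/routing rule
add src-address=192.168.199.248/29 action=lookup-only-in-table table=main \
    comment="direct /29: Home Assistant keeps the ISP address (DuckDNS sees it)"
add dst-address=203.0.113.0/24 action=lookup-only-in-table table=main \
    comment="placeholder: destination that blocks VPN exits goes direct"
add src-address=192.168.199.0/24 action=lookup-only-in-table table=via-proton \
    comment="all other LAN hosts via Proton; no fallback to the ISP"

# Source NAT for both exits.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# Inbound port forwards are accepted on the ISP side only, towards the direct /29.
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=8123 \
    action=dst-nat to-addresses=192.168.199.252 comment="Home Assistant"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.199.252 comment="Let's Encrypt HTTP-01"

# The forward chain must accept the dst-nat'd connections before any drop rule.
/ip firewall filter
add chain=forward in-interface=ether2 connection-nat-state=dstnat \
    action=accept place-before=0 comment="allow port forwards from the ISP side"
```

Check the result with /routing rule print and /ip route print where routing-table=via-proton, then confirm from the Home Assistant host that its egress address is the ISP one (that is the address DuckDNS will record) while any other LAN host shows the Proton exit address. Replies to the forwarded 8123/80 connections come from 192.168.199.252, so they match the first rule and leave via ether2, which is what keeps the incoming and outgoing address the same.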

You keep changing the story.

Yes, it is common to use wireguard, as a safe method, for externally originated traffic to reach a server or to config the router.
PROTON VPN is not for this; it's for traffic originated on the router heading outbound. Two different cases.

You don't seem to grasp that external users cannot connect to PROTON via wireguard and magically reach your MT router. The Proton connection is designed for your router, or perhaps you at a coffee shop (single IP only), to connect to Proton via Wireguard and GO OUT THE INTERNET.

If you want to use wireguard to allow external users to connect directly to your router then you need:
a. A public IP or an ISP modem router that can forward a port to your router
OR
b. rent a VPS cloud instance and run CHR for example as the Wireguard SERVER, and connect your router to the server cloud instance.
All users would also connect to the VPS cloud, which then permits relaying that traffic to your router and servers.
OR
c. If you have an ARM router that can run BTH wireguard, which is a MikroTik wireguard special functionality for those instances where you don't have a, or b, and c is not an option.
Basically you tell the router you want to set up a BTH instance, which basically makes the router available for wireguard BECAUSE MikroTik provides a CLOUD RELAY point for your router.
That means the BTH component in the cloud will allow the MT router to connect to it, will allow external clients to connect to it, and will marry them together.
Something like that… in rough terms. A cheapie in the cloud connection point (something less than a full-blown wireguard server) but an ability to connect the wireguard setup on the router and external users when one has no other options… I am not fully cognizant of the limitations of this approach, not having used it yet.

Not intentionally.

I intend to use WireGuard for outgoing traffic where that is suitable. I was misled by the description of NAT-PMP into thinking that it might be possible to port forward back through the same connection. You have confirmed that it is NOT possible.

A VPN connection isn’t necessarily required on the incoming traffic. The incoming connection to Home Assistant can be secured by TLS and Let’s Encrypt over an unencrypted connection. Port forwarding is needed for this to work. I think the outgoing and incoming connections need to leave and enter the router using the same IP address otherwise DuckDNS with Let’s Encrypt won’t work.

I will look into Back To Home (BTH). I have installed the app on my mobile running GrapheneOS (I think it was flagged as “Early Access”?). I run Proton VPN but I may be able to configure BTH by using split tunneling to exclude my router’s IP address (192.168.199.1) and the BTH app from the VPN tunnel. So far, I haven’t been able to connect …

You have answered the question in the subject with a definite NO. Many thanks.

Wish I had more info for you on BTH, but normands was on vacation today and didn't answer my BTH questions LOL.

Just noticed that there is a /ip/nat-pmp in RouterOS 7.13. It is not enabled by default. Maybe Mikrotik does have something to do with NAT-PMP?

As noted elsewhere, NAT PMP on RouterOS Official documentation missing. There is a brief mention of NAT-PMP under ZeroTier in the RouterOS Documentation.

There is a Home Assistant Community Add-on: ZeroTier One which might offer another remote access option.

For now, I think I will stick with trying to get old school port forwarding to work.

I am in a very similar situation except for a single difference: my ISP doesn't give me the luxury of doing port forwarding (never mind a static IP address). Ignoring my ailments with the ISP, I actually could set up NAT-PMP to do what John originally set out to do; it does require another step and you won't be able to specify the external port number.

I have a wireguard config (note: the "Moderate NAT" option MUST be disabled for this when generating on ProtonVPN's site) set up on RouterOS and then set up the NAT-PMP mapping from the host I want to port forward to (example for an Ubuntu host):

root@metasvn:~# natpmpc -a 1 22 tcp 60 -g 192.168.10.1
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.10.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -100 (TRY AGAIN)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : 188.214.158.38
epoch = 3487535
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
readnatpmpresponseorretry received unexpected reply type 0 , retrying...
readnatpmpresponseorretry returned -100 (TRY AGAIN)
readnatpmpresponseorretry returned 0 (OK)
Mapped public port 63578 protocol TCP to local port 22 lifetime 60
epoch = 3487535
closenatpmp() returned 0 (SUCCESS)

NOTE: 192.168.10.0/30 is the Wireguard interface address, with the client set to 192.168.10.2, I think the server is automatically assigned the other one in the subnet
Creates the port forward on the VPN server side albeit limited periods etc.
Just tested with putty and it’s all working nicely now.
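What the MikroTik needs for that mapping to actually deliver traffic, as an added RouterOS 7 example (not the poster's configuration): the host's natpmpc request has to reach the Proton side of the tunnel with the tunnel address as its source, and whatever Proton then relays to the mapped port on wireguard1 has to be forwarded to the host. It assumes the tunnel addressing from the post (client 192.168.10.2/30, gateway 192.168.10.1), a LAN host 192.168.199.50 running sshd on 22, and the mapped port 63578 from the output above. Because Proton picks the external port and the mapping expires with the requested lifetime (60 seconds in the output), the dst-nat rule has to be re-pointed whenever natpmpc is re-run and gets a different port.

```routeros
# Added example (not the poster's config). Assumes wireguard1 has address
# 192.168.10.2/30 (so 192.168.10.1, the Proton NAT-PMP gateway, is on-link),
# the LAN host is 192.168.199.50 with sshd on 22, and natpmpc returned external
# port 63578. The external port is chosen by Proton and expires with the
# requested lifetime (60 s above), so the dst-nat rule below must follow it.

# 1. Let the LAN host's NAT-PMP request (UDP/5351 to 192.168.10.1) and its other
#    tunnel traffic leave as 192.168.10.2. If the interface were configured as a
#    /32 instead, a route to 192.168.10.1 via wireguard1 would also be needed.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade

# 2. Traffic Proton relays for the mapping arrives on wireguard1 addressed to
#    192.168.10.2:63578. Forward it to the host's real service port.
add chain=dstnat in-interface=wireguard1 protocol=tcp dst-port=63578 \
    action=dst-nat to-addresses=192.168.199.50 to-ports=22 \
    comment="natpmpc mapping 63578 -> 22; re-point when the mapping changes"

# 3. Accept only the dst-nat'd connection ahead of the drop rules; anything else
#    arriving unsolicited from the tunnel stays blocked.
/ip firewall filter
add chain=forward in-interface=wireguard1 connection-nat-state=dstnat \
    action=accept place-before=0 comment="only NAT-PMP-mapped inbound from Proton"
```

With a 60 second lifetime the host has to renew the mapping (re-run natpmpc) before it expires, and each renewal can return a new external port; keep the mapped port list short and scope the dst-nat rule to exactly that port rather than a range, so the tunnel never becomes a wider inbound path than the mapping itself.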

Sorry, whatever you are posting is nothing but pure garbage; it's not RouterOS.

If I'm not mistaken, then
a) the wireguard profile is issued only for a limited time, several hours, so it is not suitable for use
b) Proton works with IKEv2 and works on MikroTik

Yea, but it's the best I can do aside from paying someone with another ISP to handle my packets instead.

I haven't been able to find a way to configure IKEv2 via Proton. Please elaborate?

Sorry if I confused you. Yes, the command I posted is run from an Ubuntu machine inside the subnet forwarded to the wireguard interface.

If you want to continue using wireguard, then pay attention to Warp from Cloudflare. I know that it is a little unfair, but it is stable, and it is a clean gateway without restrictions, which you can use for your further connections.

If you want to use IPsec from Proton, then
a) find the configuration for Proton, e.g. ProtonVPN on Mikrotik - #15 by newbeen
cert (if needed) https://protonvpn.com/download/ProtonVPN_ike_root.der
b) name and password, taken from the personal account of Proton
c) server address, taken from the server address in the configuration for OVPN

You can also pay attention to other analogues, for example NordVPN or PureVPN; they also work well with MikroTik.