ProtonVPN configuration but only for a handful of IPs

Hello, everyone. I’m trying to set up a VPN connection using ProtonVPN on a MikroTik RB960PGS. I followed this official guide, https://protonvpn.com/support/wireguard-mikrotik-routers/, but it puts everything under the VPN. It worked, but I only need two TVs under this VPN. I already tried to modify it to fit my scenario, unsuccessfully, with no results: traffic continues as usual.

I’m going to post here what I did, but I'm pretty sure it is far away from the solution. Can someone please help me out?


# may/19/2024 09:54:00 by RouterOS 7.7
# software id = AMBP-KK9N
#
# model = RB960PGS
# serial number = ****************

/interface bridge add admin-mac=xx:xx:xx:xx:xx:x auto-mac=no comment=defconf name=bridge
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard-inet
/disk set usb1-part1 parent=usb1 partition-offset=512 partition-size="31 029 460 480"

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard-inet list=WAN

/interface wireguard peers
add allowed-address=192.168.10.13/32,192.168.10.12/32,192.168.10.14/32 endpoint-address=66.90.82.26 endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="*****"

/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
add address=***********/24 interface=ether1 network=***********
add address=10.2.0.2 interface=wireguard-inet network=10.2.0.0

/ip dhcp-client add comment=defconf disabled=yes interface=ether1

/ip dhcp-server lease
add address=192.168.10.18 block-access=yes client-id=************* mac-address=44:CB:8B:4B:A9:5C server=defconf
add address=192.168.10.197 client-id=************* mac-address=************* server=defconf
add address=192.168.10.196 client-id=************* mac-address=************* server=defconf
add address=192.168.10.142 client-id=************** mac-address=************* server=defconf
add address=192.168.10.15 client-id=************* mac-address=************* server=defconf
add address=192.168.10.2 client-id=************* mac-address=************* server=defconf
add address=192.168.10.12 client-id=************* mac-address=************* server=defconf
add address=192.168.10.13 client-id=************* mac-address=************* server=defconf

/ip dhcp-server network add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
/ip dns set allow-remote-requests=yes servers=10.2.0.1,1.1.1.1
/ip dns static add address=192.168.10.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.10.13
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.10.12
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.10.14

/ip route add disabled=no distance=1 dst-address=66.90.82.26/32 gateway=10.2.0.1 pref-src="" routing-table=main suppress-hw-offload=no

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/system clock set time-zone-name=America/Bogota
/system routerboard settings set auto-upgrade=yes
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

My network is very basic, but I have a lot of devices. A cable modem in bridge mode with static IP -> MikroTik router -> Unmanaged switch -> Wireless AP

Won't look at it unless you post complete config

/export file=anynameyouwish ( minus router serial number, any public WANIP information or keys etc. )

Use Notepad++ to open and edit and then paste here.

If you followed the official ProtonVPN MikroTik guide you posted the link to: remove the default routes (you added them by step 7, "redirect all traffic") and use /routing/rule with src-address. More info: https://help.mikrotik.com/docs/display/ROS/Policy+Routing

Thank you both for taking the time to reply. I updated the original post with the configuration code.

(1) Okay, the issue is in allowed IPs, at least for starters.
The allowed IPs is to identify REMOTE traffic that is coming in, aka external users visiting your device, or local users visiting a REMOTE device (for config, subnets or internet).
It is NOT to identify any local users!!!

Since you are going out to the internet through the Proton server, the only entry required is 0.0.0.0/0 as this covers every possible IP address.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=66.90.82.26 endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="*****"

(2) SourceNAT is wrong. You have included the wireguard in the WAN interface list, which is a good idea.
This means that the default rule works fine for you and you should remove the others:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Proton is only expecting to see the assigned WireGuard IP address and that's why sourcenat is important to include the wireguard, so that all LAN traffic gets natted to that address.

(3) Speaking of address, it needs to be fixed to (note the /24):
add address=10.2.0.2/24 interface=wireguard-inet network=10.2.0.0

(4) You need to allow users to enter the tunnel, so let's do this:

/ip firewall address-list
add address=192.168.10.12/32 list=ToProton
add address=192.168.10.13/32 list=ToProton
add address=192.168.10.14/32 list=ToProton

/ip firewall filter ( WE ARE GOING TO REPLACE DEFAULT RULE WITH 3 RULES )
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

WITH:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow to wireguard" in-interface-list=LAN src-address-list=ToProton out-interface=wireguard-inet
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes ( enable if required or remove )
add action=drop chain=forward comment="drop all else"

(5) Now we have to force that traffic out wireguard. The simplest way is using routing rules and another table.
/routing table
add fib name=via-PROT

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=via-PROT

/routing rules
add action=lookup-only-in-table min-prefix=0 src-address=192.168.10.0/24 table=main comment="ensures local traffic from proton devices is possible"
add src-address=192.168.10.12 action=lookup table=via-PROT
add src-address=192.168.10.13 action=lookup table=via-PROT
add src-address=192.168.10.14 action=lookup table=via-PROT

NOTE: if you never want those addresses to use the local WAN, if Proton for some reason is not available, then change the action in the three rules to lookup-only-in-table.
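As an added illustration (not part of any post in this thread), here is a small Python model of how the routing rules from step (5) decide where a packet leaves the router: the min-prefix=0 rule that keeps LAN-to-LAN traffic in main, the per-host lookups into via-PROT, and the lookup versus lookup-only-in-table difference from the NOTE. The route tables, hosts and destinations are constructed from the config in this thread; the rule semantics are my reading of the MikroTik Policy Routing docs and are an assumption to verify on your RouterOS version.

```python
# Added example, not from the thread. Models how the /routing rule list from
# step (5) selects an egress. Semantics assumed from the MikroTik Policy
# Routing docs (verify on your RouterOS version):
#  - lookup: search the table; if nothing matches, continue with the next rule
#  - lookup-only-in-table: search the table; if nothing matches, drop
#  - min-prefix=N: a matched route with prefix length <= N is suppressed and
#    the rule is skipped (so only the default route falls through to later rules)
import ipaddress

Net = ipaddress.IPv4Network

# Constructed route tables mirroring the thread's config (egress names only).
TABLES = {
    "main": [(Net("192.168.10.0/24"), "bridge"), (Net("0.0.0.0/0"), "ether1")],
    "via-PROT": [(Net("0.0.0.0/0"), "wireguard-inet")],
}
PROTON_HOSTS = ("192.168.10.12", "192.168.10.13", "192.168.10.14")


def rules(fallback_to_wan: bool):
    """The answer's rule list as (src-net, action, table, min-prefix); host action per the NOTE."""
    host_action = "lookup" if fallback_to_wan else "lookup-only-in-table"
    return [(Net("192.168.10.0/24"), "lookup-only-in-table", "main", 0)] + [
        (Net(h + "/32"), host_action, "via-PROT", None) for h in PROTON_HOSTS]


def longest_match(table: str, dst: ipaddress.IPv4Address):
    best = None
    for net, egress in TABLES[table]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def egress_for(src: str, dst: str, proton_up: bool = True, fallback_to_wan: bool = True):
    """Egress interface name for src->dst, or None if the packet is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, action, table, min_prefix in rules(fallback_to_wan):
        if s not in src_net:
            continue
        # Tunnel down: treat the via-PROT default route as inactive (constructed failure case).
        match = None if (table == "via-PROT" and not proton_up) else longest_match(table, d)
        if match and min_prefix is not None and match[0].prefixlen <= min_prefix:
            continue  # suppressed by min-prefix: skip this rule, keep evaluating
        if match:
            return match[1]
        if action == "lookup-only-in-table":
            return None  # nothing in that table and no fallback allowed
    final = longest_match("main", d)  # no rule decided: ordinary main-table lookup
    return final[1] if final else None
```

Run egress_for("192.168.10.12", "1.1.1.1", proton_up=False) with fallback_to_wan True and False to see the two behaviours the NOTE describes.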

Thank you very much for having the patience to give such clear instructions, I haven’t tried them yet. I will post the outcome here.