ProtonVPN on Mikrotik

Hello everyone!

I would like to know if someone here tried to configure/run ProtonVPN on Mikrotik routers.
According to ProtonVPN team it is not possible because most of Mikrotik routers support only PPTP connection protocol, which is not supported by ProtonVPN.
Have a great day!

Thank you.

That’s just wrong. They say on their website:

We use only VPN protocols which are known to be secure - IKEv2/IPSec

RouterOS does support that: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

@normis: I agree with you. I will send to ProtonVPN’s Team the link that you posted.
Normis, can you/we test to see how it works and what problems can arise, if they occur?

Thank you for your answer.

By looking at this example:
https://protonvpn.com/support/linux-ikev2-protonvpn/

it is very similar to nordvpn config, so you can use NordVPN RouterOS setup example as a reference:
https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS

Thank you mrz. I’ll read the links you posted and test it.

Hi @normis,
Hi @mrz,

I’m posting the answer that I received from ProtonVPN:

We use only the highest strength encryption to protect your Internet connection. This means all your network traffic is encrypted with AES-256, key exchange is done with 4096-bit RSA, and HMAC with SHA384 is used for message authentication.

We have carefully selected our encryption cipher suites to only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, we generate a new encryption key, so a key is never used for more than one session.

We use only VPN protocols which are known to be secure - IKEv2/IPSec and OpenVPN. ProtonVPN does not have any servers that support PPTP and L2TP/IPSec, even though they are less costly to operate. By using ProtonVPN, you can be confident that your VPN tunnel is protected by the most reliable protocol.

For more information, please refer to the following page: https://protonvpn.com/secure-vpn

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We’re sorry for the inconvenience.

Please do not hesitate to contact us again if any additional information or assistance is needed.

Regards,
[Removed the name of the person that answered]
ProtonVPN.com

Thank you.

Sad to see that such a reputable company has no understanding of their own products :slight_smile:

MikroTik doesn’t force anyone to use legacy insecure PPTP. We support IPsec. You can tell them that, looks like it’s news for them.

Normis,
Maybe they do not know how to configure Mikrotik routers :smiley: , although I doubt it.
I already sent them a message with the links that you and mrz posted as a reply to my questions.
I will test on a Mikrotik router that I have and I will write, maybe, a tutorial on how to do it.
Thank you.

BTW OVPN is also supported, maybe they require some specific OVPN feature?

Maybe. However, below is the content of one of their config files:

client
dev tun
proto udp

remote server-name1 port1
remote server-name2 port2
remote server-name3 port3
remote server-name4 port4
remote server-name5 port5

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-----BEGIN CERTIFICATE-----
[removed certificate]
-----END CERTIFICATE-----
</ca>

key-direction 1

<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[removed key]
-----END OpenVPN Static key V1-----
</tls-auth>

Maybe you can spot some OVPN feature that is not yet implemented in ROS, although I doubt it.
Thank you

SHA512 is not supported and UDP is supported only in ROS v7

mrz,
You can connect using the TCP protocol, but if they use SHA512 in the config file then it’s the same story.
However, if SHA512 and UDP are not available in the current version of ROS and only in v7, then in theory they are right.
Please correct me if I’m wrong.

Hello Guys,

I got this to work using the NordVPN guide; initially I got:

ipsec payload seen: NOTIFY (8 bytes)
ipsec first payload is NOTIFY
ipsec processing payloads: NOTIFY
ipsec   notify: NO_PROPOSAL_CHOSEN
ipsec peer replied: NO_PROPOSAL_CHOSEN

But after a small tweak I got this to work.

[admin@rg] /ip ipsec proposal>> /ip ipsec mode-config print  
Flags: * - default, R - responder 
 1    name="ProtonVPN" responder=no connection-mark=ProtonVPN 
[admin@rg] /ip ipsec proposal>> /ip ipsec profile print     
 1   name="ProtonVPN" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp4096,modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd 
[admin@rg] /ip ipsec proposal>> /ip ipsec peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     name="ProtonVPN" address=x.x.x.x/32 profile=ProtonVPN exchange-mode=ike2 send-initial-contact=yes 
[admin@rg] /ip ipsec proposal>> /ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER                    TUNNEL SRC-ADDRESS                                                   DST-ADDRESS                                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
  1  DA  ProtonVPN               yes    x.x.x.x/32                                                 0.0.0.0/0                                                     all        encrypt unique           1
[admin@rg] /ip ipsec proposal>> /ip ipsec proposal  print  
Flags: X - disabled, * - default 
 1    name="ProtonVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

Then it was a bit of a fight until Disney+ was working; static DNS to the rescue on that one :slight_smile:

Hello. Could you upload your config for ProtonVPN? With NordVPN there are no troubles, but with Proton… even with your tricks. Trying to connect, for several seconds an active peer appears and then disappears with an EAP error.

Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.

# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

Thank you very much :) Are you sure it is only for paid accounts? Because from the official site I can download configs for free, such as Free USA and Free Netherlands.

I’m trying this, but I’m getting “EAP Failed” in logs, have I missed a step somewhere?

I get
Can’t verify peers certificate from store
Peer failed to authorise

Any ideas?

Have you imported the root CA certificate, using which the server’s certificate is signed, to the Mikrotik?

Well what da-ya know?!?!?
I did it!!!
Thanks Sindy. I had not done that part.
https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS
substituted the ProtonVPN values, got an address (free server) in the Netherlands
got my IKE details from my ProtonVPN account
Got cert from: https://protonvpn.com/download/ProtonVPN_ike_root.der

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der

Thanks to newbean, whose code I used. I think it’s the same as the wiki. Not sure. If it’s different then I may have mixed both sources up. Anyone stuck on this, drop me an IM and I’ll post the code.
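Putting the pieces from this thread together (the posted RouterOS 6.46 export, the root CA import, and the connection-mark that the mode-config entry refers to), here is the complete client-side configuration as an added example. It was not posted by anyone in the thread. Assumptions that are not from the thread: the LAN behind the router is 192.168.88.0/24, `<server-ip>` is an address from the IKEv2 server list in your ProtonVPN account, and `<ike-username>`/`<ike-password>` are the IKEv2 credentials from the account page (not the web login).

```routeros
# Added example: ProtonVPN IKEv2/EAP client on RouterOS 6.x, assembled from the
# steps in this thread. Assumptions (not from the thread): LAN is 192.168.88.0/24,
# <server-ip>, <ike-username> and <ike-password> are placeholders you fill in.

# 1. Fetch and import the ProtonVPN IKE root CA. Without it the server certificate
#    cannot be checked and the log shows "Can't verify peers certificate from store".
/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der passphrase=""
# Compare the fingerprint printed here with one obtained from ProtonVPN out of band
# before relying on this CA to authenticate the server.
/certificate print detail where name~"ProtonVPN_ike_root"

# 2. Phase 1 (IKE SA) parameters, as in the posted working profile. A mismatch here
#    is what produces "NO_PROPOSAL_CHOSEN". Remove modp1024 once the log confirms the
#    server accepted a larger group; it is only kept because the posted profile listed it.
/ip ipsec profile add name=ProtonVPN enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd

# 3. Phase 2 (CHILD SA) parameters, matching the posted working proposal.
/ip ipsec proposal add name=ProtonVPN auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none

# 4. Peer: IKEv2 to one ProtonVPN server (placeholder address).
/ip ipsec peer add name=ProtonVPN address=<server-ip>/32 exchange-mode=ike2 profile=ProtonVPN

# 5. Policy template group and template: all traffic (0.0.0.0/0) is tunnelled; the
#    concrete policy is generated from this template after mode-config completes.
/ip ipsec policy group add name=ProtonVPN
/ip ipsec policy add group=ProtonVPN template=yes proposal=ProtonVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 6. Mode-config as initiator: take the address the server assigns and src-NAT
#    connections carrying the ProtonVPN connection mark behind it.
/ip ipsec mode-config add name=ProtonVPN responder=no connection-mark=ProtonVPN

# 7. EAP-MSCHAPv2 identity. certificate="" means the client presents no certificate;
#    the server is still verified against the root CA imported in step 1.
/ip ipsec identity add peer=ProtonVPN auth-method=eap eap-methods=eap-mschapv2 certificate="" username=<ike-username> password=<ike-password> mode-config=ProtonVPN policy-template-group=ProtonVPN generate-policy=port-strict

# 8. Mark LAN connections so the NAT rule created by mode-config applies to them.
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=mark-connection new-connection-mark=ProtonVPN passthrough=yes

# 9. Check: the peer should be established and a dynamic (D, A) policy should exist.
/ip ipsec active-peers print
/ip ipsec policy print
```

If step 9 shows the peer appearing and disappearing, read `/log print` first: a proposal error points at step 2 or 3, a certificate-store error at step 1.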