ProtonVPN Wireguard config on RC5009 by newb

ProtonVPN directions for configuring WireGuard on a Mikrotik router include the statement that "Your WireGuard private key ... can be found by opening the configuration file ..." downloaded from the ProtonVPN site. However, when I look at the WireGuard config file that I downloaded from the ProtonVPN site, it does not include an actual private key string. Instead, the ProtonVPN WireGuard config file includes what looks like a masked string "*****" [see below]. So the question for me is how I determine the private key string that I should be inputting via CLI when configuring a Mikrotik router to use the ProtonVPN WireGuard protocol. Helpful tips and suggestions much appreciated.

For reference, I have attached a copy of the ProtonVPN directions for configuring WireGuard on a Mikrotik router (or at least what I think are the correct directions). And below is a copy of the related config file that I downloaded from the ProtonVPN website, which includes the public key to use, but not the private key.

[Interface]
# Key for Proton_Wireguard_CA1
# Bouncing = 3
# NetShield = 1
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CA#80
PublicKey = 6HjO6c8QsOqJpmfM6V5VYxU/r6lCv9lHztZkD014Yy4=
AllowedIPs = 0.0.0.0/0
Endpoint = 66.115.146.167:51820
How to setup Proton VPN on MikroTik routers using WireGuard.pdf (77.9 KB)
Proton_Wireguard_CA-80.conf.txt (335 Bytes)

Well I solved the question. Root cause was that I didn’t wait long enough before downloading the ProtonVPN WireGuard config file. So my learning was to give the ProtonVPN website 5+ seconds to finish creating the config file before downloading it.

I confirmed this by re-performing the process of creating a config file on the ProtonVPN website, and now have a new config file that includes a private key string. So all good until the next bump in the road/process. Thx.

I will amend their directive as I certainly would not follow it to the letter…

How to setup Proton VPN WireGuard on MikroTik routers

  1. Download a WireGuard configuration file - Learn how to download a WireGuard configuration file from Proton VPN

  2. Route all internet traffic through a VPN server. We will use subnet A, 192.168.50.0/24. If it is the entire LAN, substitute the BRIDGE!!

/routing table
add name=USEproton fib

/ip route
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=USEproton

/routing rule
add action=lookup src-address=192.168.50.0/24 table=USEproton

Note 1: if you don't want the subnet (or entire bridge) to use the local WAN when Proton VPN is not working, then change the action to action=lookup-only-in-table.
Note 2: if subnet A needs to reach other subnets behind the router, then add dst-address routing rules FIRST to prevent such traffic from being forced out the tunnel.

/routing rule
add action=lookup-only-in-table dst-address=subnetB table=main
add action=lookup src-address=192.168.50.0/24 table=USEproton

  3. Create WireGuard configurations

/interface/wireguard/add name=protonwg01 private-key="" comment="ProtonVPN interface"

/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="" allowed-address=0.0.0.0/0 interface=protonwg01 persistent-keep-alive=35s

/ip address
add address=10.2.0.2/30 interface=protonwg01

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-server network
add address=192.168.50.0/24 dns-server=10.2.0.1 gateway=192.168.50.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=protonwg01

  4. Ensure a firewall rule exists to permit the subnet or bridge to enter the tunnel.

/ip firewall filter
add action=accept chain=forward src-address=192.168.50.0/24 out-interface=protonwg01

7. If some websites are slow loading or don't load, it could be an MTU issue.
a. Solution 1: TRY

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn

If no joy:
b. TRY
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375

DONE
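As an added example (not from this thread, nor Proton's or MikroTik's code): a small Python checker that parses a ProtonVPN WireGuard .conf, flags the masked `*****` PrivateKey the OP ran into before the file had finished generating, and only then renders the /interface/wireguard commands from the directions above. The sample .conf is constructed from the one quoted in the thread; the interface name protonwg01 and the 35s keep-alive are taken from anav's commands.

```python
import base64

# Constructed sample: the shape of the ProtonVPN .conf quoted in the thread, with its
# '#' comment lines and the masked PrivateKey that the OP saw (the failure mode to catch).
MASKED_CONF = """[Interface]
# Key for Proton_Wireguard_CA1
# NetShield = 1
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CA#80
PublicKey = 6HjO6c8QsOqJpmfM6V5VYxU/r6lCv9lHztZkD014Yy4=
AllowedIPs = 0.0.0.0/0
Endpoint = 66.115.146.167:51820
"""

def parse_wg_conf(text):
    """Parse a WireGuard .conf into {'Interface': {...}, 'Peer': {...}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def is_wg_key(value):
    """A WireGuard key is 32 random bytes in base64: exactly 44 characters, one '=' of padding."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def key_problems(conf):
    """Return a list of human-readable problems; a masked or truncated PrivateKey is caught here."""
    problems = []
    if not is_wg_key(conf.get("Interface", {}).get("PrivateKey", "")):
        problems.append("PrivateKey is masked or malformed; re-download the .conf once Proton has finished generating it")
    if not is_wg_key(conf.get("Peer", {}).get("PublicKey", "")):
        problems.append("peer PublicKey is malformed")
    return problems

def routeros_commands(conf, iface="protonwg01"):
    """Render the RouterOS commands from the directions above, refusing to emit them with a bad key."""
    problems = key_problems(conf)
    if problems:
        raise ValueError("; ".join(problems))
    intf, peer = conf["Interface"], conf["Peer"]
    host, port = peer["Endpoint"].rsplit(":", 1)
    return [
        f'/interface/wireguard/add name={iface} private-key="{intf["PrivateKey"]}" comment="ProtonVPN interface"',
        f'/interface/wireguard/peers/add interface={iface} endpoint-address={host} endpoint-port={port} '
        f'public-key="{peer["PublicKey"]}" allowed-address={peer["AllowedIPs"]} persistent-keep-alive=35s',
        f'/ip address add address={intf["Address"]} interface={iface}',
    ]
```

Run it against the real downloaded .conf instead of MASKED_CONF; if key_problems() is non-empty, wait for Proton's generator to finish and download again rather than pasting the placeholder into the router.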

Hi @anav ,

I followed your instructions and everything works on my mAP Lite.

However, when I try to connect to the router with WinBox using its IP address, the connection fails, whereas if I use the router's MAC address, I can connect.

What could I have missed?

Thank you

If you have MAC connectivity, most people don't bother with the IP approach.
Remember that for the IP address you also need to add the port:
ipaddress:winboxport