Community discussions

MikroTik App
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

ProtonVPN on Mikrotik

Mon Mar 02, 2020 10:28 am

Hello everyone!

I would like to know if someone here tried to configure/run ProtonVPN on Mikrotik routers.
According to ProtonVPN team it is not possible because most of Mikrotik routers support only PPTP connection protocol, which is not supported by ProtonVPN.
Have a great day!

Thank you.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24560
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 10:57 am

That's just wrong. They say on their website:
We use only VPN protocols which are known to be secure - IKEv2/IPSec

RouterOS does support that: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
No answer to your question? How to write posts
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 12:13 pm

@normis: I agree with you. I will send to ProtonVPN's Team the link that you posted.
Normis, can you/we test to see how it works and what problems can arise, if they occur?

Thank you for your answer.
That's just wrong. They say on their website:
We use only VPN protocols which are known to be secure - IKEv2/IPSec

RouterOS does support that: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6013
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 12:26 pm

By looking at this example:
https://protonvpn.com/support/linux-ikev2-protonvpn/

it is very similar to nordvpn config, so you can use NordVPN RouterOS setup example as a reference:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 12:43 pm

Thank you mrz. I'll read the links you posted and test it.
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 1:02 pm

Hi @normis,
Hi @mrz,

I'm posting the answer that I received from ProtonVPN:
We use only the highest strength encryption to protect your Internet connection. This means all your network traffic is encrypted with AES-256, key exchange is done with 4096-bit RSA, and HMAC with SHA384 is used for message authentication.

We have carefully selected our encryption cipher suites to only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, we generate a new encryption key, so a key is never used for more than one session.

We use only VPN protocols which are known to be secure - IKEv2/IPSec and OpenVPN. ProtonVPN does not have any servers that support PPTP and L2TP/IPSec, even though they are less costly to operate. By using ProtonVPN, you can be confident that your VPN tunnel is protected by the most reliable protocol.

For more information, please refer to the following page: https://protonvpn.com/secure-vpn

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.

Please do not hesitate to contact us again if any additional information or assistance is needed.

Regards,
[Removed the name of the person that answered]
ProtonVPN.com
Thank you.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24560
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 1:06 pm

Sad to see that such a reputable company has no understanding of their own products :)

MikroTik doesn't force anyone to use legacy insecure PPTP. We support IPsec. You can tell them that, looks like it's news for them.
No answer to your question? How to write posts
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 1:11 pm

Normis,
Maybe they do not know how to configure Mikrotik routers :D , although I doubt it.
I already sent them a message with the links that you and mrz posted as a reply to my questions.
I will test on a Mikrotik router that I have and I will write, maybe, a tutorial on how to do it.
Thank you.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6013
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 1:23 pm

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
BTW OVPN is also supported, maybe they require some specific OVPN feature?
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 1:51 pm

Maybe. However, below is the content of one of their config files:
client
dev tun
proto udp

remote server-name1 port1
remote server-name2 port2
remote server-name3 port3
remote server-name4 port4
remote server-name5 port5

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-----BEGIN CERTIFICATE-----
[removed certificate]
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[removed key]
-----END OpenVPN Static key V1-----
</tls-auth>
Maybe you can spot some OVPN feature that is not yet implemented in ROS, although I doubt it.
Thank you
Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
BTW OVPN is also supported, maybe they require some specific OVPN feature?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6013
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 2:12 pm

SHA512 is not supported and UDP is supported only in ROS v7
 
tandrot8
just joined
Topic Author
Posts: 16
Joined: Thu Feb 23, 2017 10:33 am

Re: ProtonVPN on Mikrotik

Mon Mar 02, 2020 6:22 pm

mrz,
You can connect using tcp protocol, but if they use in the config file the SHA512 then it's the same story.
However, if the SHA512 and UDP is not available in the current version of ROS and only in the v7 then in theory they are right.
Please correct me if I'm wrong.
 
newbeen
just joined
Posts: 2
Joined: Fri May 01, 2020 7:17 am

Re: ProtonVPN on Mikrotik

Fri May 01, 2020 8:03 pm

Hello Guys,

I got this to work using the nordsvpn guide, initial I got:
ipsec payload seen: NOTIFY (8 bytes)
ipsec first payload is NOTIFY
ipsec processing payloads: NOTIFY
ipsec   notify: NO_PROPOSAL_CHOSEN
ipsec peer replied: NO_PROPOSAL_CHOSEN
But after a small tweak I got this to work.
[admin@rg] /ip ipsec proposal>> /ip ipsec mode-config print  
Flags: * - default, R - responder 
 1    name="ProtonVPN" responder=no connection-mark=ProtonVPN 
[admin@rg] /ip ipsec proposal>> /ip ipsec profile print     
 1   name="ProtonVPN" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp4096,modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd 
[admin@rg] /ip ipsec proposal>> /ip ipsec peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     name="ProtonVPN" address=x.x.x.x/32 profile=ProtonVPN exchange-mode=ike2 send-initial-contact=yes 
[admin@rg] /ip ipsec proposal>> /ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER                    TUNNEL SRC-ADDRESS                                                   DST-ADDRESS                                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
  1  DA  ProtonVPN               yes    x.x.x.x/32                                                 0.0.0.0/0                                                     all        encrypt unique           1
[admin@rg] /ip ipsec proposal>> /ip ipsec proposal  print  
Flags: X - disabled, * - default 
 1    name="ProtonVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none 
Then was a bit of a fight in till Disney+ was working, static DNS for the rescue on that one :)
 
Baikan4ik
just joined
Posts: 2
Joined: Sun May 03, 2020 10:54 pm

Re: ProtonVPN on Mikrotik

Sun May 03, 2020 11:00 pm

Hello. Could you upload your config for protonvpn? With NordVpn no troubles. But with proton...even with your tricks. Trying to connect, for several seconds active peer appear and disappear with eap error
 
newbeen
just joined
Posts: 2
Joined: Fri May 01, 2020 7:17 am

Re: ProtonVPN on Mikrotik

Thu May 07, 2020 8:15 pm

Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.
# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
 
Baikan4ik
just joined
Posts: 2
Joined: Sun May 03, 2020 10:54 pm

Re: ProtonVPN on Mikrotik

Thu May 07, 2020 9:02 pm

thank you very much) Are you sure that only paid? Because from official site I can download configs fo free using like Free USA and Free Netherland
 
User avatar
sigmasquared
just joined
Posts: 22
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: ProtonVPN on Mikrotik

Thu May 21, 2020 10:21 am

I'm trying this, but I'm getting "EAP Failed" in logs, have I missed a step somewhere?
Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.
# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

Who is online

Users browsing this forum: Egert143, eworm, Lemahasta, msatter, Onigma, Shalom and 115 guests