sfly
just joined
Topic Author
Posts: 7
Joined: Thu Jul 15, 2021 3:25 am

ProtonVPN config routing

Thu Jul 15, 2021 3:40 am

Hi guys,

I’m using the following config based on NordVPN to connect to ProtonVPN. The connection is established. But whatsmyip shows me my provider’s IP instead of ProtonVPN IP. Can you please help me to figure this out?

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"

/certificate import file-name=ProtonVPN_ike_root.der

/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none

/ip ipsec policy group add name=ProtonVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no

/ip ipsec peer add address=nl-free-01.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN

/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<PASSWORD> peer=ProtonVPN policy-template-group=ProtonVPN username=<LOGIN>

/ip firewall address-list add address=192.168.88.0/24 list=local

/ip firewall mangle add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn

/ip ipsec mode-config set [ find name=ProtonVPN ] src-address-list=local

/ip ipsec policy move *ffffff destination=0
/ip ipsec policy add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1

Last step: delete the 'defconf fasttrack' rule from firewall rules.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: ProtonVPN config routing

Thu Jul 15, 2021 5:25 pm

> Can you please help me to figure this out?

Yup. viewtopic.php?f=23&t=169273
 
sfly
just joined
Topic Author
Posts: 7
Joined: Thu Jul 15, 2021 3:25 am

Re: ProtonVPN config routing

Fri Jul 16, 2021 12:55 am

> > Can you please help me to figure this out?
> Yup. viewtopic.php?f=23&t=169273

Thank you very much for this! I have updated my config for NordVPN and created a new one for ProtonVPN.
 
sfly
just joined
Topic Author
Posts: 7
Joined: Thu Jul 15, 2021 3:25 am

Re: ProtonVPN config routing  [SOLVED]

Fri Jul 16, 2021 12:58 am

Here is a WORKING ProtonVPN config as of 15.07.2021:

Preparation:
1. Get recommended ProtonVPN server from here: https://account.protonvpn.com/downloads
I have a FREE account; in the steps below I used "nl-free-01.protonvpn.com".
2. Get your Service Credentials from here: https://account.protonvpn.com/account#openvpn and use them for this setup.
3. Import ProtonVPN CA to your router:

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der name="ProtonVPN CA" passphrase=""

# Mark ALL traffic that you want to route through VPN server
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer add address=nl-free-01.protonvpn.com exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" password=<PASSWORD> peer="ProtonVPN server" policy-template-group=ProtonVPN username=<USERNAME>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes

# In "/ip ipsec policy" you should be able to see a new dynamic rule added next to your ProtonVPN policy. It MUST exist, otherwise configuration is not working.

# (OPTIONAL) Implement a killswitch
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes

# (IMPORTANT) Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_protonvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1360

# Don't forget to disable fasttrack rule in FIREWALL RULES and reboot Mikrotik!
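
An added example, not part of the original posts: a small Python check that reads RouterOS 6 commands written one per line, as in this thread, and reports which pieces of the working config above are missing. The function names and finding codes are hypothetical, the kill switch is optional in the post but is still reported when absent, and the checks only compare against what the working post contains.

```python
import re
import shlex

def parse(script):
    """Turn RouterOS CLI lines into (menu, verb, params) tuples."""
    cmds = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue  # comments, blank lines, prose
        # Collapse [find ...] so its key=value pairs are not read as parameters.
        toks = shlex.split(re.sub(r"\[[^\]]*\]", "EXPR", line))
        head = [t for t in toks if "=" not in t]
        params = dict(t.split("=", 1) for t in toks if "=" in t)
        cmds.append((" ".join(head[:-1]), head[-1], params))
    return cmds

def audit(script):
    """Return finding codes; an empty list means every check passed."""
    cmds = parse(script)
    def added(menu, **want):  # parameters of matching 'add' commands
        want = {k.replace("_", "-"): v for k, v in want.items()}
        return [p for m, v, p in cmds if m == menu and v == "add"
                and all(p.get(k) == x for k, x in want.items())]
    findings = []
    for mc in added("/ip ipsec mode-config"):
        mark = mc.get("connection-mark")
        if mark and not added("/ip firewall mangle", action="mark-connection",
                              new_connection_mark=mark):
            findings.append("mark-never-set:" + mark)
        if mark and not added("/ip firewall filter", action="accept",
                              chain="forward", connection_mark=mark):
            findings.append("no-fasttrack-exclusion:" + mark)
    for ident in added("/ip ipsec identity"):
        if not ident.get("certificate"):
            findings.append("identity-without-ca:" + ident.get("peer", "?"))
    marks = {p.get("new-routing-mark") for p in added("/ip firewall mangle", action="mark-routing")}
    routed = {p.get("routing-mark") for p in added("/ip route")}
    if not marks or not marks <= routed:
        findings.append("no-killswitch")
    return findings

# Abridged from the opening post of this thread (credentials omitted).
FIRST_POST = '''
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec identity add auth-method=eap certificate="" mode-config=ProtonVPN peer=ProtonVPN
/ip firewall mangle add action=change-mss chain=forward new-mss=1382 protocol=tcp tcp-flags=syn
'''
print(audit(FIRST_POST))
```

It does not read the sectioned layout that `/export` produces, only full commands on a single line each.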
 
DavidPeters
just joined
Posts: 2
Joined: Thu Apr 07, 2022 11:29 am

Re: ProtonVPN config routing

Thu Apr 07, 2022 11:31 am

This worked fine until I upgraded to ROS7; now none of the traffic goes over the VPN. I've set the blackhole and no traffic gets blackholed either.

Anyone else experiencing this?
 
sfly
just joined
Topic Author
Posts: 7
Joined: Thu Jul 15, 2021 3:25 am

Re: ProtonVPN config routing

Fri Apr 08, 2022 12:47 am

> This worked fine until I upgraded to ROS7; now none of the traffic goes over the VPN. I've set the blackhole and no traffic gets blackholed either.
>
> Anyone else experiencing this?

Check if the fasttrack rule has become available; you need to disable/remove it. If not, you can report this issue to ProtonVPN's support.
 
DavidPeters
just joined
Posts: 2
Joined: Thu Apr 07, 2022 11:29 am

Re: ProtonVPN config routing

Sat Apr 09, 2022 3:34 pm

The rule is still disabled, as per version 6.x.
The tunnel comes up and I can ping the other side; it seems routing in Version 7 is different and no traffic gets routed over the VPN tunnel.
 
sfly
just joined
Topic Author
Posts: 7
Joined: Thu Jul 15, 2021 3:25 am

Re: ProtonVPN config routing

Sat Apr 09, 2022 11:50 pm

> The rule is still disabled, as per version 6.x.
> The tunnel comes up and I can ping the other side; it seems routing in Version 7 is different and no traffic gets routed over the VPN tunnel.

Please try to submit a ticket to Mikrotik support explaining the issue. I suppose you have a Stable version of firmware.
