teleport
newbie
Topic Author
Posts: 48
Joined: Mon Sep 07, 2020 11:51 pm

Mikrotik ProtonVPN Wireguard Setup

Sun Jul 17, 2022 9:55 pm

Hello: ProtonVPN has provided steps to configure MikroTik for WireGuard.

https://protonvpn.com/support/wireguard ... k-routers/

Question:
1. If I have multiple VLANs and I want only one of them to access the internet using ProtonVPN, how would the instructions change?
-- especially around DNS, where I have NextDNS DoH already configured.
-- ensuring that traffic across VLANs / to the router is not scooped up by the VPN link.
Any pointers on tweaking the instructions are appreciated.

Thanks
 
teleport
newbie
Topic Author
Posts: 48
Joined: Mon Sep 07, 2020 11:51 pm

Re: Mikrotik ProtonVPN Wireguard Setup

Sun Jul 24, 2022 12:11 am

Here is a working setup. Please comment on shortcomings/optimizations/embedded questions.
Route all internet traffic through a VPN server

Enter the following in the command line (hitting enter after each line):
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
The above line is not used. Instead, I created an interface list called ProtonVPNInternet and added the VLAN (VLAN1) that needs to be part of it. I created an address list called LAN_NETWORK and placed the different VLAN network addresses (typically these are part of the LAN interface list) inside it. I did not use dst-type!=local (let me know the pros/cons).

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list!=LAN_NETWORK in-interface-list=ProtonVPNInternet new-connection-mark=under_protonvpn passthrough=yes
5. Create WireGuard configurations

Enter the following in the command line (hitting enter after each line). Your WireGuard private key, endpoint port, and public key can be found by opening the configuration file you downloaded in step 2 with any text editor.
/interface/wireguard/add name=protonwg01 private-key="<your private key>" comment="ProtonVPN interface"
/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="<your peer public key>" allowed-address=0.0.0.0/1,128.0.0.0/1 interface=protonwg01
Changed allowed-address to 0.0.0.0/0, since the routing table routes will decide where a packet goes and no special representation is needed to make all non-local packets go via WireGuard.
/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="<your peer public key>" allowed-address=0.0.0.0/0 interface=protonwg01
/ip/address/add address=10.2.0.2/30 interface=protonwg01
/ip/dns/set servers=10.2.0.1 allow-remote-requests=yes
DNS step not done, since if you already have DoH set up with NextDNS then there is no way to ask it to use 10.2.0.1 for DNS for the VLAN1 clients (attached to the ProtonVPNInternet interface list). Let me know if there is a way to do that.
/routing/table/add name=protonvpn_wg fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
Changed to:
/ip/firewall/mangle/add chain=prerouting in-interface-list=ProtonVPNInternet connection-mark=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes

/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg01 comment="ProtonVPN Wireguard default route"
7. Exclude VPN traffic from FastTrack (important!)

Start by listing all firewall rules:

/ip firewall filter print
Remove the two FastTrack rules (the default rule and the dummy rule). To do this, enter the following command twice, using the numbers shown when you listed all the firewall rules.

/ip firewall filter remove <number>
I do not want to remove FastTrack altogether (as only some VLANs go via VPN). Is there a way to apply it only for VPN connections where needed? Let me know how the firewall rule needs to look.
 
teleport
newbie
Topic Author
Posts: 48
Joined: Mon Sep 07, 2020 11:51 pm

Re: Mikrotik ProtonVPN Wireguard Setup

Thu Jul 28, 2022 7:00 am

Update:
Removed all mangle rules.
Made changes only in /routing/rules.
(3 VLANs total, and 2 of them go through ProtonVPN.)
For DNS: made a NAT setting to forward DNS traffic to the ProtonVPN DNS for the 2 VLANs.

Question:
1. How important is change-mss for ProtonVPN? I have skipped that setting (as I have removed all mangle rules). Let me know.
2. How should FastTrack be set, as I am not explicitly setting any connection/routing marks to exclude VPN connections?
Can I just say "forward filter set fasttrack where established,related and routing-mark!=protonVPNRoutingTable"? (Implicit routing mark by RouterOS?)
I do not see any hangs when the FastTrack routing-mark is set to !=protonVPNRoutingTable.
Is that the correct way to do that?

Also, is there a way to see routing marks via torch/sniffer etc.? Please let me know.
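An added configuration example, not the poster's own setup and not ProtonVPN's guide, tying the two posts together: it uses the connection-mark approach from the July 24 post (rather than the /routing/rules approach from the update), adds the change-mss clamp asked about in the update, and keeps FastTrack for everything except the marked VPN connections instead of deleting the FastTrack rules. The interface name vlan1, the 192.168.10/20/30.0/24 prefixes and the rule comments are assumptions; the tunnel name protonwg01 and 10.2.0.2/30 come from the thread.

```routeros
# Added example (not from the poster or ProtonVPN): policy-route one VLAN
# through the WireGuard tunnel while keeping FastTrack for everything else.
# Assumed names/addresses: vlan1 = 192.168.10.0/24 (goes via VPN),
# vlan2/vlan3 = 192.168.20.0/24 and 192.168.30.0/24 (stay on the WAN),
# tunnel interface protonwg01 with 10.2.0.2/30 as in the thread.

# 1. Classify: which interfaces go via VPN, and which prefixes are local LANs
/interface list add name=ProtonVPNInternet
/interface list member add list=ProtonVPNInternet interface=vlan1
/ip firewall address-list add list=LAN_NETWORK address=192.168.10.0/24
/ip firewall address-list add list=LAN_NETWORK address=192.168.20.0/24
/ip firewall address-list add list=LAN_NETWORK address=192.168.30.0/24

# 2. Mark only new connections from the VPN VLAN whose destination is outside
#    the LAN prefixes. Inter-VLAN and to-router traffic never gets the mark,
#    so it is never pushed into the tunnel.
/ip firewall mangle add chain=prerouting action=mark-connection \
    new-connection-mark=under_protonvpn passthrough=yes \
    in-interface-list=ProtonVPNInternet dst-address-list=!LAN_NETWORK \
    connection-mark=no-mark comment="ProtonVPN: tag VPN-bound connections"
/ip firewall mangle add chain=prerouting action=mark-routing \
    new-routing-mark=protonvpn_wg passthrough=no \
    in-interface-list=ProtonVPNInternet connection-mark=under_protonvpn \
    comment="ProtonVPN: route tagged connections via tunnel table"

# 3. Clamp TCP MSS on the tunnel so segments fit after the WireGuard overhead
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu \
    protocol=tcp tcp-flags=syn out-interface=protonwg01 passthrough=yes

# 4. Separate routing table whose only route is the tunnel; main table untouched
/routing table add name=protonvpn_wg fib
/ip route add dst-address=0.0.0.0/0 gateway=protonwg01 \
    routing-table=protonvpn_wg comment="ProtonVPN WireGuard default route"

# 5. FastTrack: FastTracked packets skip mangle, so a VPN connection that got
#    FastTracked would lose its routing mark. Exclude the tagged connections
#    instead of deleting the rules; the plain accept rule still handles them.
/ip firewall filter add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!under_protonvpn \
    comment="FastTrack everything except ProtonVPN connections"
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related

# 6. Source NAT for the tunnel, then verify which rules see traffic
/ip firewall nat add chain=srcnat out-interface=protonwg01 action=masquerade
/ip firewall mangle print stats
/ip route print where routing-table=protonvpn_wg
```

The two mangle rules must sit above any other prerouting mangle rules, and the fasttrack-connection rule must sit above the generic accept rule in the forward chain, otherwise the accept matches first and nothing is FastTracked.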