LNDmouse
just joined
Topic Author
Posts: 3
Joined: Sun Jul 03, 2022 6:02 pm

Mikrotik WireGuard setup for Proton VPN

Sun Jul 03, 2022 6:30 pm

Hi, I'm a noob and I'm trying to configure my MikroTik hAP ac2 router to be a VPN client using the WireGuard VPN protocol for Proton VPN. After I use the commands from the Proton VPN MikroTik router setup tutorial, my router stops responding and the internet no longer works.

My setup:
I have a MikroTik hAP ac2 (RouterOS v7.3.1) connected via ethernet cable to the router from my Internet provider.

Instructions that I use:
I have the setup instructions and a WireGuard configuration file from the Proton VPN web page.

Setup instruction: https://protonvpn.com/support/wireguard ... k-routers/

My WireGuard configuration:
[Interface]
# Key for MikroTik Germany (via Switzerland)
# NetShield = 1
# Moderate NAT = off
# VPN Accelerator = on
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CH-DE#1
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 185.159.157.184:51820

What I do:
I use the following commands to configure my router:

Route all internet traffic through a VPN server:
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

Create WireGuard configurations:
/interface/wireguard/add name=protonwg01 private-key="*****" comment="ProtonVPN interface"
/interface/wireguard/peers/add endpoint-address=185.159.157.184 endpoint-port=51820 public-key="*****" allowed-address=0.0.0.0/1,128.0.0.0/1 interface=protonwg01
/ip/address/add address=10.2.0.2/32 interface=protonwg01
/ip/dns/set servers=10.2.0.1 allow-remote-requests=yes
/routing/table/add name=protonvpn_wg fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg01 comment="ProtonVPN Wireguard default route"
After the last command my router stops responding and the internet stops working. I can't access the router web interface at http://192.168.88.1 any more. In order to access the router I need to press the physical reset button on the router to set it back to defaults.

I would very much appreciate it if anyone can help me solve my problem.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik WireGuard setup for Proton VPN

Sun Jul 03, 2022 8:55 pm

Add one more match condition, dst-address-type=!local, to the action=mark-routing rule and you should be good. The Proton instructions don't yet take into account the recent surprising changes implemented by MikroTik.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik WireGuard setup for Proton VPN

Sun Jul 03, 2022 9:14 pm

I personally would NOT follow Proton VPN's suggestions for MT; I would follow MT's advice and the advice of folks here for setting up WG with Proton.

To do so successfully means you have a clear idea of what you would like to accomplish vis-a-vis use cases.
How many users or groups of users (devices or groups of devices) do you have?
What would you like the users to be able to do and not be able to do?

It may be as simple as: I have two LANs and one LAN I want to use through WireGuard for all internet.
It may be as simple as: I have a firewall address list of users that I want to go through WireGuard for internet.
It may be as clear as: for certain public IPs I want to go through Proton VPN.

Without knowing the use cases, designing a config is not possible.
The actual parameters of WG are not complicated.
Assuming Proton gave you
a. an endpoint address to connect to
b. an endpoint port to connect to
c. a WireGuard public key to put in your MT peer settings for Proton VPN.
d. they may request a public key from your MT to put on their peer settings, but most don't.
e. a WireGuard IP address; this is in the form of a single IP address or a subnet, most probably give out a single IP.

Based on your requirements and what Proton gave you/asks for, the config can be put together fairly easily.
In my opinion, you should try to avoid mangling if possible. This could be as simple as one specific IP route and many route rules.
Again, your requirements will point to the optimal solution.
 
LNDmouse
just joined
Topic Author
Posts: 3
Joined: Sun Jul 03, 2022 6:02 pm

Re: Mikrotik WireGuard setup for Proton VPN

Mon Jul 04, 2022 12:42 pm

Add one more match condition, dst-address-type=!local, to the action=mark-routing rule and you should be good. The Proton instructions don't yet take into account the recent surprising changes implemented by MikroTik.
Unfortunately this doesn't help.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik WireGuard setup for Proton VPN

Mon Jul 04, 2022 1:10 pm

In that case, enter all commands (including my modification) except the last one (/ip/route/add ...), then post the file you obtain using /export file=somefilename command (see my automatic signature below for obfuscation hints).
 
LNDmouse
just joined
Topic Author
Posts: 3
Joined: Sun Jul 03, 2022 6:02 pm

Re: Mikrotik WireGuard setup for Proton VPN

Mon Jul 04, 2022 3:53 pm

In that case, enter all commands (including my modification) except the last one (/ip/route/add ...), then post the file you obtain using /export file=somefilename command (see my automatic signature below for obfuscation hints).
I hope this export file helps better than my novels)))
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik WireGuard setup for Proton VPN

Mon Jul 04, 2022 5:05 pm

Well, maybe "doesn't help" is too broad a description? Adding dst-address-type=!local to the rule should have fixed the issue that you could not configure your router any more. Did it or not? Because there is yet another missing item, which prevents internet access via the tunnel, but it has nothing to do with managing the router itself.

Hint, before adding the route, store a backup of the configuration into a file whose name starts with flash/. If you have to reset the router configuration to factory default, you'll be able to restore it, instead of setting it up manually from scratch.

If you use Winbox, you can also connect to the MAC address of the router rather than its IP address, so whatever you break in the IP part doesn't prevent you from configuring it.

Also "safe mode" helps - enter safe mode before adding the route, and if you lose access to the router by adding it, the configuration will roll back to the one before safe mode has been activated (well, at least it should, therefore the backup still makes sense).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik WireGuard setup for Proton VPN

Mon Jul 04, 2022 8:48 pm

You should also provide a network diagram.

Comments on your config...
(1) If you want to allow users to go out Proton VPN then
0.0.0.0/0 makes sense, as this will permit all outgoing internet traffic to enter the tunnel to Proton! (As sindy noted you should have fixed this; why is the 1 still there??)

(2) Also, what is the purpose of this entry 128.0.0.0/1???
0.0.0.0/0 includes all entries so NO OTHERS ARE REQUIRED!!

(3) As for the IP address, I would state it in proper notation...
From
/ip address
add address=10.2.0.2 interface=protonwg01 network=10.2.0.2

TO
add address=10.2.0.2/24 interface=protonwg01

(4) Why does your DNS server setting do this?
/ip dns
set allow-remote-requests=yes servers=10.2.0.1 ??
Just ensure you have something like 1.1.1.1 or 9.9.9.9 which is usable through the local router or far-site internet provider.
Unless there is something I don't know about the limitations of third-party VPN providers???

(5) What is the purpose of the firewall address list??
/ip firewall address-list
add address=192.168.88.0/24 list=under_protonvpn
???

Remember there is no point in making a firewall address list of a single subnet, especially if it's the only one behind the router.
A firewall address list is really suited for something less than a full subnet, like a subset of IPs of a subnet, or picking various IPs across subnets, OR a mix of various IPs with anything else such as whole subnets.
Otherwise simply use the address of a subnet or its interface name etc...

src or dst address=192.168.88.0/24
in-interface=bridge etc...

(6) Missing source nat rule for proton VPN to accept your local traffic. Anything other than 10.2.0.2/32 will be rejected!!

IN CONCLUSION YOU DON'T NEED MANGLING or anything complicated.

(7) Remove the following
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting dst-address-type=!local \
new-routing-mark=protonvpn_wg passthrough=yes src-address-list=\
under_protonvpn


(8) ADD to source NAT the following
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=protonwg01

Another option is to make protonwg01 part of the WAN interface list and then it would be auto-included in the existing first rule... up to you.
I prefer to state it explicitly myself.


(9) Missing keepalive settings; anywhere around 40 seconds is good on your WireGuard peer settings.

(10) Lastly, let's look at routes info...

WELL WTF you have no routes info??
The only thing I see is the following
/routing table
add fib name=protonvpn_wg


So typically if you have added a default route in your IP DHCP client setting this would equate to (which is not visible in the config for some reason)
add dst-address=0.0.0.0/0 gateway=ISPgateway routing-table=main

So you need to add
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=protonvpn_wg

and one final entry is the route rule to match the existing table.
/routing rule add src-address=192.168.88.0/24 action=lookup table=protonvpn_wg

In this regard if the tunnel is up users will go through proton, if not up, will go to main table and pickup the local WAN.
If you never want users to go out local WAN, then change setting to lookup-only-in-table
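To make the two routing effects discussed in this thread concrete, here is an added Python model (not code from the thread or from MikroTik) of the route selection: a longest-prefix lookup over a constructed main table and the protonvpn_wg table, showing why the mangle rule without dst-address-type=!local sends the router's own address 192.168.88.1 into the tunnel (the lockout), and how action=lookup differs from lookup-only-in-table when the tunnel is down. The fallback-to-main behaviour on a miss in the marked table is an assumption of the model, not a quote from RouterOS documentation.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables mirroring the setup in this thread (not a RouterOS
# export): main holds the connected LAN and the ISP default, protonvpn_wg holds
# only the default route through the tunnel, exactly as the posts describe.
ROUTES = {
    "main": [
        ("192.168.88.0/24", "bridge"),    # connected LAN; the router itself is 192.168.88.1
        ("10.2.0.0/24", "protonwg01"),    # connected tunnel address
        ("0.0.0.0/0", "ISP-gateway"),     # default route learned from the ISP
    ],
    "protonvpn_wg": [
        ("0.0.0.0/0", "protonwg01"),      # the only route in the custom table
    ],
}
ROUTER_LOCAL = {"192.168.88.1", "10.2.0.2"}  # addresses owned by the router itself


def lookup(table, dst, tunnel_up=True):
    """Longest-prefix match in one table. Routes via the tunnel count as inactive
    when tunnel_up is False. Returns the next hop, or None when nothing matches."""
    best = None
    for prefix, hop in ROUTES[table]:
        if hop == "protonwg01" and not tunnel_up:
            continue
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def mangle_approach(dst, exclude_local):
    """Mark-routing on all LAN traffic (the Proton guide). exclude_local models
    sindy's extra match condition dst-address-type=!local on the mangle rule."""
    marked = not (exclude_local and dst in ROUTER_LOCAL)
    if marked:
        hop = lookup("protonvpn_wg", dst)
        if hop is not None:
            return hop            # a hit in the marked table is final (model assumption)
    return lookup("main", dst)    # no mark, or no route in the marked table


def rule_approach(dst, action, tunnel_up):
    """anav's routing rule: action=lookup falls back to main when the marked
    table has no usable route; lookup-only-in-table never does."""
    hop = lookup("protonvpn_wg", dst, tunnel_up)
    if hop is None and action == "lookup":
        hop = lookup("main", dst, tunnel_up)
    return hop


if __name__ == "__main__":
    # Without the !local condition the router's own address is pushed into the tunnel.
    print("192.168.88.1, no !local  ->", mangle_approach("192.168.88.1", exclude_local=False))
    print("192.168.88.1, with !local ->", mangle_approach("192.168.88.1", exclude_local=True))
    print("8.8.8.8, tunnel down, lookup           ->", rule_approach("8.8.8.8", "lookup", False))
    print("8.8.8.8, tunnel down, lookup-only      ->", rule_approach("8.8.8.8", "lookup-only-in-table", False))
```

A result of "bridge" for 192.168.88.1 means the packet stays on the LAN side (delivered locally); "protonwg01" means it leaves through the tunnel, which is the lockout the original poster hit.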
 
flood9
just joined
Posts: 1
Joined: Thu Jan 05, 2023 9:00 pm

Re: Mikrotik WireGuard setup for Proton VPN

Thu Jan 05, 2023 9:15 pm

Hello, new to RouterOS, and I just stumbled upon this thread. I tried following ProtonVPN's instructions and, like the OP, ran into the same issue. My setup is a USB tether from an Android phone to a hEX RB750Gr3. I plan to hook up an access point later, but I'm trying to get everything else working first. I managed to set mangle to change the TTL value, which seems to be working correctly, so my last remaining issue is setting up ProtonVPN... I read through the suggestions in this thread, and my lack of experience and understanding has kept me from implementing them. What about the last step kills my working LTE WAN setup, and what can I do instead (in the simplest terms possible =P)?

Rob
 
teleport
newbie
Posts: 43
Joined: Mon Sep 07, 2020 11:51 pm

Re: Mikrotik WireGuard setup for Proton VPN

Thu Jan 19, 2023 4:48 am

Command line:
Set up the interface:
/interface/wireguard/add name=protonwg00 private-key="<private Key>" comment="ProtonVPN interface"
Add the peer:
/interface/wireguard/peers/add endpoint-address=<IP> endpoint-port=51820 public-key="<public_key>" allowed-address=0.0.0.0/0 interface=protonwg00
Set up the IP address for the interface:
/ip/address/add address=10.2.0.2/30 interface=protonwg00
Keep DNS as a public DNS for now; we will tweak it to the ProtonVPN DNS later:
/ip/dns/set servers=1.1.1.1 allow-remote-requests=yes
Add a new routing table:
/routing/table/add name=protonvpn_wg fib
Add a default route for the new routing table:
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg00 comment="ProtonVPN Wireguard default route"
(Note: the above setup is best done via the command line (preferred over Winbox). Also, if you mess up the configuration later, it's better to use a new interface name than to try to reconfigure with the same interface name.)
Reboot the router.
Once it reboots, check the logs. You should see that RouterOS has detected that protonwg00 has internet, and protonwg00 will be added to the WAN interface list dynamically (/interface/interface-list in Winbox).
This means that the ProtonVPN interface is working correctly.

Next we need to move traffic into the tunnel.
Use /routing/rule (in Winbox or the command line) to make specific traffic use the protonvpn_wg routing table (which in turn is set up to use the VPN connection as its default route), e.g. (LAN1 stands for your LAN or VLAN interface):
/routing/rule/add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=LAN1 action=lookup-only-in-table table=protonvpn_wg

Now, to send DNS traffic to the ProtonVPN DNS, use /ip/firewall/nat to add a dst-nat rule with action=dst-nat (for protocol udp, port 53 and your interface list, e.g. LAN, as your criteria for VPN DNS traffic) with to-address 10.2.0.1 (the DNS of ProtonVPN) and port 53.
You can add one rule for tcp too.

That's it. This will push all traffic matching the above criteria into the tunnel and DNS traffic to the ProtonVPN DNS.
The above type of configuration gives you the flexibility to push only certain traffic (defined by you) to the VPN tunnel and the rest via the ISP.

Check the public IP of a device in LAN/VLAN1 and it will show up as the ProtonVPN IP.
Check IP leak sites and you should see the ProtonVPN IP again (not your ISP DNS or 1.1.1.1; if you see the ISP DNS, then under /ip/dhcp-client uncheck 'use-peer-dns' for the WAN connection).
Last edited by teleport on Thu Jan 19, 2023 7:34 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik WireGuard setup for Proton VPN

Thu Jan 19, 2023 2:00 pm

Does proton provide a private key for you to use in the WG interface?
If not, then proton will need the public key generated by the private key provided by the MT router.
 
teleport
newbie
Posts: 43
Joined: Mon Sep 07, 2020 11:51 pm

Re: Mikrotik WireGuard setup for Proton VPN

Thu Jan 19, 2023 4:17 pm

Does proton provide a private key for you to use in the WG interface?
If not, then proton will need the public key generated by the private key provided by the MT router.
Yes, Proton provides a private key. Here is sample information generated by ProtonVPN:
[Interface]
# Bouncing = 0
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = <private key>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# US-NY#19
PublicKey = <<public key>>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip>:51820
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik WireGuard setup for Proton VPN

Thu Jan 19, 2023 5:23 pm

/interface bridge
add admin-mac=DC:2C:6E:5F:1C:87 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-5F1C8B wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-5F1C8C \
wireless-protocol=802.11
/interface wireguard
add comment="ProtonVPN interface" listen-port=60085 mtu=1420 name=protonwg01

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf

/routing table
add fib name=protonvpn_wg

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireguard peers
# protonServerIP = whatever endpoint address Proton provides
add allowed-address=0.0.0.0/0 endpoint-address=protonServerIP \
endpoint-port=51820 interface=protonwg01 public-key=\
"*****/KLlMHc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.2.0.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=protonwg01
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgateway_IP routing-table=main
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add src-address=192.168.88.0/24 action=lookup table=protonvpn_wg

/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



Notes
1. Unsure whether the WAN IP DHCP client includes a default route or not. I assumed not and thus manually entered a main-table route.
2. If the OP's intent is for the subnet NEVER to use the local WAN if the WireGuard tunnel is for some reason down, then change the action to:
/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table table=protonvpn_wg
 
roberthedlund
just joined
Posts: 1
Joined: Wed Feb 01, 2023 12:54 pm

Re: Mikrotik WireGuard setup for Proton VPN

Wed Feb 01, 2023 1:02 pm

I just got an answer from ProtonVPN, see below.
"We would like to note that our team is already aware of this specific behavior happening on some Mikrotik routers and they are already working on updating our official guide. However, at this point, we will be unable to share any specific time frame for that to happen.

In the meantime, please make sure to try setting up your Wireguard connection using the instructions below:"

/interface/wireguard/add listen-port=13231 mtu=1420 name=wireguard-inet private-key="<YOUR PRIVATE KEY>"
/ip/address/add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface/wireguard/peers/add allowed-address=0.0.0.0/0 endpoint-address=<YOUR ENDPOINT IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="<YOUR PUBLIC KEY>"
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip/route/add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no dst-address=<YOUR ENDPOINT IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip/dns/set servers=10.2.0.1
/ip/dhcp-client/set 0 use-peer-dns=no
I have tested it and it works. Does anyone have any input on the configuration?
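The Proton-supplied commands above avoid a custom routing table by adding 0.0.0.0/1 and 128.0.0.0/1 to main plus a /32 host route to the endpoint. Here is an added Python model (not code from the thread or from Proton) of that main table and a longest-prefix lookup over it, showing why the two /1 routes beat the ISP's /0 and why the /32 host route is needed. The endpoint is the address from the first post in this thread; the ISP gateway is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed main table following the Proton-supplied commands above.
ENDPOINT = "185.159.157.184"   # endpoint from the first post in this thread
ISP_GATEWAY = "198.51.100.1"   # placeholder for the DHCP-learned ISP gateway

MAIN = [
    ("0.0.0.0/0", ISP_GATEWAY),           # default route learned from the ISP via DHCP
    ("192.168.88.0/24", "bridge"),        # connected LAN
    ("10.2.0.0/30", "wireguard-inet"),    # connected tunnel subnet (10.2.0.2/30)
    ("0.0.0.0/1", "10.2.0.1"),            # lower half of the internet via the tunnel
    ("128.0.0.0/1", "10.2.0.1"),          # upper half; both halves are more specific than /0
    (ENDPOINT + "/32", ISP_GATEWAY),      # host route keeping the tunnel's own packets on the ISP
]


def lookup(dst, routes=MAIN):
    """Longest-prefix match over the table; returns the next hop or None."""
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def without_host_route():
    """The same table minus the /32 endpoint route, to show why it is needed."""
    return [r for r in MAIN if not r[0].endswith("/32")]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.88.20", ENDPOINT):
        print(f"{dst:>16} -> {lookup(dst)}")
    # Without the host route the encrypted packets to the endpoint would be
    # routed back into the tunnel, so the tunnel could never come up.
    print("endpoint without /32 ->", lookup(ENDPOINT, without_host_route()))
```

Because the DHCP default route is left in place, removing the two /1 routes restores plain ISP routing, which is why this variant does not lock the router out the way the routing-mark approach did.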
 
abracadabricx
just joined
Posts: 4
Joined: Sun Mar 06, 2022 9:41 pm

Re: Mikrotik WireGuard setup for Proton VPN

Fri Jun 30, 2023 12:59 am

FWIW, I just set up the same configuration, with immediate success.
One change made: my router has a fixed WAN IP address, instead of
[/ip dhcp-client get [find interface=ether1] gateway]
The setup seems (..) quite responsive, better than the previous ProtonVPN instructions (and some variations of those).
