greybeered
just joined
Topic Author
Posts: 2
Joined: Sat Apr 01, 2023 7:43 pm

ProtonVPN Wireguard config on RC5009 by newb

Sat Apr 01, 2023 8:23 pm

ProtonVPN directions for configuring WireGuard on a Mikrotik router include the statement that "Your WireGuard private key ... can be found by opening the configuration file ..." downloaded from the ProtonVPN site. However, when I look at the WireGuard config file that I downloaded from the ProtonVPN site, the config file does not include an actual private key string. Instead, the ProtonVPN WireGuard config file includes what looks like a masked string "*****" [see below]. So the question for me is how I determine the private key string that I should be inputting via CLI when configuring a Mikrotik router to use the ProtonVPN WireGuard protocol. Helpful tips and suggestions much appreciated.

For reference, I have attached a copy of the ProtonVPN directions for configuring WireGuard on a Mikrotik router (or at least what I think are the correct directions). And below is a copy of the related config file that I downloaded from the ProtonVPN website, which includes the public key to use, but not the private key.

[Interface]
# Key for Proton_Wireguard_CA1
# Bouncing = 3
# NetShield = 1
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CA#80
PublicKey = 6HjO6c8QsOqJpmfM6V5VYxU/r6lCv9lHztZkD014Yy4=
AllowedIPs = 0.0.0.0/0
Endpoint = 66.115.146.167:51820
 
greybeered
just joined
Topic Author
Posts: 2
Joined: Sat Apr 01, 2023 7:43 pm

Re: ProtonVPN Wireguard config on RC5009 by newb

Sat Apr 01, 2023 8:36 pm

Well I solved the question. Root cause was that I didn't wait long enough before downloading the ProtonVPN WireGuard config file. So my learning was to give the ProtonVPN website 5+ seconds to finish creating the config file before downloading it.

I confirmed this by re-performing the process of creating a config file on the ProtonVPN website, and now have a new config file that includes a private key string. So all good until next bump in the road/process. Thx.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ProtonVPN Wireguard config on RC5009 by newb

Sat Apr 01, 2023 9:36 pm

I will amend their directive as I certainly would not follow it to the letter.....

How to setup Proton VPN WireGuard on MikroTik routers

1. Download a WireGuard configuration file - Learn how to download a WireGuard configuration file from Proton VPN

4. Route all internet traffic through a VPN server. We will use subnet A, 192.168.50.0/24. If it is the entire LAN, substitute with BRIDGE!!

/routing table
add name=USEproton fib


/ip route
add dst-address=0.0.0.0/0 gateway=protonwg01 table=USEproton


/routing rule
add action=lookup src-address=192.168.50.0/24 table=USEproton


Note 1: If you don't want the subnet (or entire bridge) to use the local WAN when Proton VPN is not working, then change the action to action=lookup-only-in-table
Note 2: If subnet A needs to reach other subnets behind the router, then add FIRST dst-address routing rules to prevent such traffic from being forced out the tunnel

/routing rule
add action=lookup-only-in-table dst-address=subnetB table=main
add action=lookup src-address=192.168.50.0/24 table=USEproton


5. Create WireGuard configurations

/interface/wireguard/add name=protonwg01 private-key="<your private key>" comment="ProtonVPN interface"

/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="<your peer public key>" allowed-address=0.0.0.0/0 interface=protonwg01 persistent-keepalive=35s

/ip address
add address=10.2.0.2/30 interface=protonwg01

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8


/ip dhcp-server network
add address=192.168.50.0/24 dns-server=10.2.0.1 gateway=192.168.50.1


/ip firewall nat
add action=masquerade chain=srcnat out-interface=protonwg01


6. Ensure a firewall rule exists to permit the subnet or bridge to enter the tunnel.

/ip firewall filter
add action=accept chain=forward src-address=192.168.50.0/24 out-interface=protonwg01



7. If some websites are slow loading or don't load, it could be an MTU issue.
a. Solution 1: TRY

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn

If no joy:
b. TRY

/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375


DONE
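Added example (Python, not from this thread, ProtonVPN or MikroTik): it parses the downloaded .conf, rejects the masked "*****" PrivateKey the original poster ran into, and only then emits the RouterOS interface, peer and address commands from the steps above. The sample config is constructed to mirror the one quoted in the thread; the interface name protonwg01 is taken from the post.

```python
import base64
import binascii

# Constructed sample shaped like the ProtonVPN download quoted in the thread (masked key included).
MASKED_CONF = """[Interface]
PrivateKey = *****
Address = 10.2.0.2/32
[Peer]
# CA#80
PublicKey = 6HjO6c8QsOqJpmfM6V5VYxU/r6lCv9lHztZkD014Yy4=
AllowedIPs = 0.0.0.0/0
Endpoint = 66.115.146.167:51820
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); lines starting with '#' are comments."""
    interface, peers, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers


def key_is_valid(key):
    """A WireGuard key is 32 bytes, base64-encoded; '*****' and '' both fail."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def routeros_commands(text, iface="protonwg01"):
    """Emit RouterOS interface/peer/address commands; refuse a masked or malformed key."""
    interface, peers = parse_wg_conf(text)
    priv = interface.get("PrivateKey", "")
    if not key_is_valid(priv):
        raise ValueError("PrivateKey is masked or malformed: re-download the config")
    cmds = [f'/interface/wireguard/add name={iface} private-key="{priv}"']
    for peer in peers:
        host, port = peer["Endpoint"].rsplit(":", 1)
        cmds.append(f'/interface/wireguard/peers/add interface={iface} public-key="{peer["PublicKey"]}" '
                    f'endpoint-address={host} endpoint-port={port} allowed-address={peer["AllowedIPs"]}')
    cmds.append(f'/ip/address/add address={interface["Address"]} interface={iface}')
    return cmds
```

Run it against a freshly downloaded file: a ValueError means the site had not finished generating the key when you downloaded, which is exactly the symptom described in the first post.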
