mirror of https://github.com/opnsense/docs
Add a ProtonVPN Road Warrior setup page (#521)
* Add ProtonVPN WireGuard page
---------
Co-authored-by: Dimitris Paraskevopoulos <dimitris.paraskevopoulos@u-blox.com>
pull/523/head
parent
ec65e88fb9
commit
64c73024ed
Binary file not shown.
After Width: | Height: | Size: 303 KiB |
Binary file not shown.
After Width: | Height: | Size: 209 KiB |
@ -0,0 +1,199 @@
=======================================
WireGuard ProtonVPN Road Warrior Setup
=======================================

------------
Introduction
------------

ProtonVPN is a cloud-based VPN provider, offering secure tunneling with respect to privacy.
To set up a WireGuard VPN to ProtonVPN we assume you are familiar with the concepts of WireGuard that
you have read the basic howto :doc:`wireguard-client`.

-----------------------------------------
Step 1 - Download ProtonVPN configuration
-----------------------------------------

The configuration is available in the ProtonVPN website.
The `landing page <https://account.protonvpn.com/dashboard>`__ appears after signing in.
Click on Downloads from the left hand panel or go to the `downloads page <https://account.protonvpn.com/downloads>`__ and
scroll down to the `WireGuard configuration <https://account.protonvpn.com/downloads#wireguard-configuration>`__

The existing WireGuard configurations appear first with their expiration dates and following are the options to generate new ones.

.. image:: images/proton_wireguard_configuration.png
   :width: 100%

- Select a name for the generated configuration

.. Note::
   If a name is not provided a unique ID will be generated by ProtonVPN

- Select Router as a platform
- Select VPN options

  - There are 3 options for NetShield blocker filtering

    - No filtering
    - Block malware
    - Block malware, ads and trackers

  - There are also options to enable Moderate NAT, NAT-PMP (Port Forwarding) and VPN accelerator as well. The features are documented in the ProtonVPN website.
  - Pick the options that satisfy your requirements and move on to the next section.

- Select a server to connect to

  - ProtonVPN proposes the best server or allows the user to select manually.
  - When selecting manually there are 2 main choices:

    - Standard vs Secure Core configuration
    - Exit country

  - Pick the one that satisfies your requirements and click on `Create` to generate the configuration.
  - Upon successful completion a window like the following will appear on the screen.

.. image:: images/proton_configuration_1.png
   :width: 100%

The full configuration looks like this:

.. code-block:: none

   [Interface]
   # Bouncing = 0
   # NetShield = 1
   # Moderate NAT = off
   # NAT-PMP (Port Forwarding) = off
   # VPN Accelerator = on
   PrivateKey = 2Kh7TlGz+7PCFa0jEHat8IWkYZgPmDLAiagGq+dyLks=
   Address = 10.2.0.2/32
   DNS = 10.2.0.1

   [Peer]
   # NO#21
   PublicKey = KOITt3KQ72LHPbpVp7kp4cQo/qw2qvKPrN732UTWWFw=
   AllowedIPs = 0.0.0.0/0
   Endpoint = 146.70.170.18:51820

.. Note::
   The private key disappears after creating the configuration so it must be stored. It will be used in the following
   section to generate the public key. Both are needed for successful configuration.

.. Warning::
   **Do not re-use the private keys in these examples**

---------------------------------------------
Step 2 - Generate public key from private key
---------------------------------------------

ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI.
The public key will be derived from the private key with the "wg pubkey" command.

`Windows`

.. code-block:: sh

   echo wgPrivateKey | wg pubkey

`Linux`

.. code-block:: sh

   wg pubkey < wgPrivateKey

----------------------------------
Step 3 - Setup WireGuard Instance
----------------------------------

- Go to :menuselection:`VPN --> WireGuard --> Settings --> Instances`
- Click **+** to add a new Instance configuration
- Turn on “advanced mode"
- Configure the Instance from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):

===================== ===============================================================================================
**Enabled**             *Checked*
**Name**                *Call it whatever you want (eg* :code:`ProtonVPN-ExitCountry` *)*
**Public Key**          *Insert the derived public key from the previous step*
**Private Key**         *Insert the* :code:`PrivateKey` *field from the* :code:`\[Interface\]` *section*
**Listen Port**         *51820 or a higher numbered unique port*
**MTU**                 *Needs to be 80 bytes shorter than normal MTU. Default 1420*
**DNS Server**          *Insert the* :code:`DNS` *field from the* :code:`\[Interface\]` *section as is (without subnet mask)*
**Tunnel Address**      *Insert the* :code:`Address` *field from the* :code:`\[Interface\]` *section` in CIDR format, eg 10.2.0.2/32*
**Peers**               *Leave blank for now*
**Disable Routes**      *Checked*
**Gateway**             *Insert the same address as in the DNS Server field above*
===================== ===============================================================================================

- **Save** the Instance configuration, and then click **Apply**

-------------------------------
Step 4 - Configure the peer
-------------------------------

- Go to :menuselection:`VPN --> WireGuard --> Settings --> Peers`
- Click **+** to add a new Peer
- Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):

====================== ====================================================================================================
**Enabled**              *Checked*
**Name**                 *Call it whatever you want (eg* :code:`ProtonVPN_Location` *)*
**Public Key**           *Insert the* :code:`PublicKey` *field from the* :code:`\[Peer\]` *section*
**Allowed IPs**          *0.0.0.0/0*
**Endpoint Address**     *Insert the IP address from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
**Endpoint Port**        *Insert the port number from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
**Instances**            *Select the instance configured in the previous step*
**Keepalive**            *25*
====================== ====================================================================================================

- **Save** the Peer configuration, and then click **Apply**

.. Note::
   The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different
   places.

--------------------------
Step 5 - Turn on WireGuard
--------------------------

Turn on WireGuard under :menuselection:`VPN --> WireGuard --> Settings --> General` if it is not already on

----------------------------------------------------
Step 6 - Configure assignments, gateways and routing
----------------------------------------------------

The rest of the steps are mostly the same as described in the how-to on selective routing :doc:`wireguard-selective-routing`

-------------------
ProtonVPN DNS leaks
-------------------

Since ProtonVPN provides a DNS server an extra firewall rule may be required to route the DNS traffic to the
WireGuard gateway.

- Go to :menuselection:`Firewall --> Rules --> [Name of interface for network in which hosts/network resides, eg LAN for LAN hosts]`
- Click **Add** to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):

============================ ====================================================================================================================
**Action**                     *Pass*
**Quick**                      *Checked*
**Interface**                  *Whatever interface you are configuring the rule on*
**Direction**                  *in*
**TCP/IP Version**             *IPv4*
**Protocol**                   *TCP/UDP*
**Source / Invert**            *Unchecked*
**Source**                     *IP of your DNS server*
**Destination / Invert**       *Checked*
**Destination**                *Select the* :code:`RFC1918_Networks` *Alias you created above in the dropdown*
**Destination port range**     *DNS - DNS*
**Description**                *Add one if you wish to*
**Gateway**                    *Select the WireGuard gateway created according to the selective routing how-to page (eg* :code:`WAN_ProtonVPN` *)*
============================ ====================================================================================================================

- **Save** the rule, and then click **Apply Changes**
- Then make sure that the new rule is **above** any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the “Default allow LAN to any rule”

In layman terms if the DNS server makes any requests to a non-local address it will go through the VPN gateway.


All images from `ProtonVPN` website are the property of `ProtonVPN` and are used with written permission.
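Review bot: In Step 2 the Windows command `echo wgPrivateKey | wg pubkey` uses `wgPrivateKey` as a stand-in for the key value, while the Linux command `wg pubkey < wgPrivateKey` reads a file of that name; say which is meant and that the key must be substituted (or saved to that file) first, otherwise readers will paste the placeholder literally. In the "ProtonVPN DNS leaks" table the Destination row refers to the `RFC1918_Networks` alias "you created above", but nothing on this page creates it; point to :doc:`wireguard-selective-routing` the way the Gateway row already does. The Source row "IP of your DNS server" is ambiguous next to the `DNS = 10.2.0.1` line in the sample configuration; the closing sentence implies a local resolver on the LAN whose upstream queries are to be forced through the tunnel, so state that explicitly. Markup nits: the Tunnel Address row of the Step 3 table has a stray backtick after `section` that breaks the emphasis, "verion" in the Step 4 note should be "version", and “advanced mode" mixes a curly opening quote with a straight closing one. Since the warning already says not to reuse the example keys, consider replacing the `PrivateKey` and `PublicKey` values in the sample configuration with obvious placeholders so a copied example cannot work by accident.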