mirror of https://github.com/opnsense/docs
Add a ProtonVPN Road Warrior setup page (#521)
* Add ProtonVPN WireGuard page --------- Co-authored-by: Dimitris Paraskevopoulos <dimitris.paraskevopoulos@u-blox.com>pull/523/head
parent
ec65e88fb9
commit
64c73024ed
Binary file not shown.
After Width: | Height: | Size: 303 KiB |
Binary file not shown.
After Width: | Height: | Size: 209 KiB |
@ -0,0 +1,199 @@
|
||||
=======================================
|
||||
WireGuard ProtonVPN Road Warrior Setup
|
||||
=======================================
|
||||
|
||||
------------
|
||||
Introduction
|
||||
------------
|
||||
|
||||
ProtonVPN is a cloud-based VPN provider, offering secure tunneling with respect to privacy.
|
||||
To set up a WireGuard VPN to ProtonVPN we assume you are familiar with the concepts of WireGuard that
|
||||
you have read the basic howto :doc:`wireguard-client`.
|
||||
|
||||
-----------------------------------------
|
||||
Step 1 - Download ProtonVPN configuration
|
||||
-----------------------------------------
|
||||
|
||||
The configuration is available in the ProtonVPN website.
|
||||
The `landing page <https://account.protonvpn.com/dashboard>`__ appears after signing in.
|
||||
Click on Downloads from the left hand panel or go to the `downloads page <https://account.protonvpn.com/downloads>`__ and
|
||||
scroll down to the `WireGuard configuration <https://account.protonvpn.com/downloads#wireguard-configuration>`__
|
||||
|
||||
The existing WireGuard configurations appear first with their expiration dates and following are the options to generate new ones.
|
||||
|
||||
.. image:: images/proton_wireguard_configuration.png
|
||||
:width: 100%
|
||||
|
||||
- Select a name for the generated configuration
|
||||
|
||||
.. Note::
|
||||
If a name is not provided a unique ID will be generated by ProtonVPN
|
||||
|
||||
- Select Router as a platform
|
||||
- Select VPN options
|
||||
|
||||
- There are 3 options for NetShield blocker filtering
|
||||
|
||||
- No filtering
|
||||
- Block malware
|
||||
- Block malware, ads and trackers
|
||||
|
||||
- There are also options to enable Moderate NAT, NAT-PMP (Port Forwarding) and VPN accelerator as well. The features are documented in the ProtonVPN website.
|
||||
- Pick the options that satisfy your requirements and move on to the next section.
|
||||
|
||||
- Select a server to connect to
|
||||
|
||||
- ProtonVPN proposes the best server or allows the user to select manually.
|
||||
- When selecting manually there are 2 main choices:
|
||||
|
||||
- Standard vs Secure Core configuration
|
||||
- Exit country
|
||||
|
||||
- Pick the one that satisfies your requirements and click on `Create` to generate the configuration.
|
||||
- Upon successful completion a window like the following will appear on the screen.
|
||||
|
||||
.. image:: images/proton_configuration_1.png
|
||||
:width: 100%
|
||||
|
||||
The full configuration looks like this:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
[Interface]
|
||||
# Bouncing = 0
|
||||
# NetShield = 1
|
||||
# Moderate NAT = off
|
||||
# NAT-PMP (Port Forwarding) = off
|
||||
# VPN Accelerator = on
|
||||
PrivateKey = 2Kh7TlGz+7PCFa0jEHat8IWkYZgPmDLAiagGq+dyLks=
|
||||
Address = 10.2.0.2/32
|
||||
DNS = 10.2.0.1
|
||||
|
||||
[Peer]
|
||||
# NO#21
|
||||
PublicKey = KOITt3KQ72LHPbpVp7kp4cQo/qw2qvKPrN732UTWWFw=
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
Endpoint = 146.70.170.18:51820
|
||||
|
||||
.. Note::
|
||||
The private key disappears after creating the configuration so it must be stored. It will be used in the following
|
||||
section to generate the public key. Both are needed for successful configuration.
|
||||
|
||||
.. Warning::
|
||||
**Do not re-use the private keys in these examples**
|
||||
|
||||
---------------------------------------------
|
||||
Step 2 - Generate public key from private key
|
||||
---------------------------------------------
|
||||
|
||||
ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI.
|
||||
The public key will be derived from the private key with the "wg pubkey" command.
|
||||
|
||||
`Windows`
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
echo wgPrivateKey | wg pubkey
|
||||
|
||||
`Linux`
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
wg pubkey < wgPrivateKey
|
||||
|
||||
----------------------------------
|
||||
Step 3 - Setup WireGuard Instance
|
||||
----------------------------------
|
||||
|
||||
- Go to :menuselection:`VPN --> WireGuard --> Settings --> Instances`
|
||||
- Click **+** to add a new Instance configuration
|
||||
- Turn on “advanced mode"
|
||||
- Configure the Instance from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
|
||||
|
||||
===================== ===============================================================================================
|
||||
**Enabled** *Checked*
|
||||
**Name** *Call it whatever you want (eg* :code:`ProtonVPN-ExitCountry` *)*
|
||||
**Public Key** *Insert the derived public key from the previous step*
|
||||
**Private Key** *Insert the* :code:`PrivateKey` *field from the* :code:`\[Interface\]` *section*
|
||||
**Listen Port** *51820 or a higher numbered unique port*
|
||||
**MTU** *Needs to be 80 bytes shorter than normal MTU. Default 1420*
|
||||
**DNS Server** *Insert the* :code:`DNS` *field from the* :code:`\[Interface\]` *section as is (without subnet mask)*
|
||||
**Tunnel Address** *Insert the* :code:`Address` *field from the* :code:`\[Interface\]` *section` in CIDR format, eg 10.2.0.2/32*
|
||||
**Peers** *Leave blank for now*
|
||||
**Disable Routes** *Checked*
|
||||
**Gateway** *Insert the same address as in the DNS Server field above*
|
||||
===================== ===============================================================================================
|
||||
|
||||
- **Save** the Instance configuration, and then click **Apply**
|
||||
|
||||
-------------------------------
|
||||
Step 4 - Configure the peer
|
||||
-------------------------------
|
||||
|
||||
- Go to :menuselection:`VPN --> WireGuard --> Settings --> Peers`
|
||||
- Click **+** to add a new Peer
|
||||
- Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
|
||||
|
||||
====================== ====================================================================================================
|
||||
**Enabled** *Checked*
|
||||
**Name** *Call it whatever you want (eg* :code:`ProtonVPN_Location` *)*
|
||||
**Public Key** *Insert the* :code:`PublicKey` *field from the* :code:`\[Peer\]` *section*
|
||||
**Allowed IPs** *0.0.0.0/0*
|
||||
**Endpoint Address** *Insert the IP address from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
|
||||
**Endpoint Port** *Insert the port number from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
|
||||
**Instances** *Select the instance configured in the previous step*
|
||||
**Keepalive** *25*
|
||||
====================== ====================================================================================================
|
||||
|
||||
- **Save** the Peer configuration, and then click **Apply**
|
||||
|
||||
.. Note::
|
||||
The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different
|
||||
places.
|
||||
|
||||
--------------------------
|
||||
Step 5 - Turn on WireGuard
|
||||
--------------------------
|
||||
|
||||
Turn on WireGuard under :menuselection:`VPN --> WireGuard --> Settings --> General` if it is not already on
|
||||
|
||||
----------------------------------------------------
|
||||
Step 6 - Configure assignments, gateways and routing
|
||||
----------------------------------------------------
|
||||
|
||||
The rest of the steps are mostly the same as described in the how-to on selective routing :doc:`wireguard-selective-routing`
|
||||
|
||||
-------------------
|
||||
ProtonVPN DNS leaks
|
||||
-------------------
|
||||
Since ProtonVPN provides a DNS server an extra firewall rule may be required to route the DNS traffic to the
|
||||
WireGuard gateway.
|
||||
|
||||
- Go to :menuselection:`Firewall --> Rules --> [Name of interface for network in which hosts/network resides, eg LAN for LAN hosts]`
|
||||
- Click **Add** to add a new rule
|
||||
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
|
||||
|
||||
============================ ====================================================================================================================
|
||||
**Action** *Pass*
|
||||
**Quick** *Checked*
|
||||
**Interface** *Whatever interface you are configuring the rule on*
|
||||
**Direction** *in*
|
||||
**TCP/IP Version** *IPv4*
|
||||
**Protocol** *TCP/UDP*
|
||||
**Source / Invert** *Unchecked*
|
||||
**Source** *IP of your DNS server*
|
||||
**Destination / Invert** *Checked*
|
||||
**Destination** *Select the* :code:`RFC1918_Networks` *Alias you created above in the dropdown*
|
||||
**Destination port range** *DNS - DNS*
|
||||
**Description** *Add one if you wish to*
|
||||
**Gateway** *Select the WireGuard gateway created according to the selective routing how-to page (eg* :code:`WAN_ProtonVPN` *)*
|
||||
============================ ====================================================================================================================
|
||||
|
||||
- **Save** the rule, and then click **Apply Changes**
|
||||
- Then make sure that the new rule is **above** any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the “Default allow LAN to any rule”
|
||||
|
||||
In layman terms if the DNS server makes any requests to a non-local address it will go through the VPN gateway.
|
||||
|
||||
|
||||
All images from `ProtonVPN` website are the property of `ProtonVPN` and are used with written permission.
|
||||
|
Loading…
Reference in New Issue