Archives
/
opensense-docs
mirror of https://github.com/opnsense/docs
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dashboard
BGP_ASN_Alias_FR5913
rss
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '64c73024ed'
${ noResults }
opensense-docs/source/manual/how-tos/wireguard-client-proton.rst

200 lines
8.8 KiB
ReStructuredText
Raw Blame History

=======================================
WireGuard ProtonVPN Road Warrior Setup
=======================================
------------
Introduction
------------
ProtonVPN is a cloud-based VPN provider, offering secure tunneling with respect to privacy.
To set up a WireGuard VPN to ProtonVPN we assume you are familiar with the concepts of WireGuard that
you have read the basic howto :doc:`wireguard-client`.
-----------------------------------------
Step 1 - Download ProtonVPN configuration
-----------------------------------------
The configuration is available in the ProtonVPN website.
The `landing page <https://account.protonvpn.com/dashboard>`__ appears after signing in.
Click on Downloads from the left hand panel or go to the `downloads page <https://account.protonvpn.com/downloads>`__ and
scroll down to the `WireGuard configuration <https://account.protonvpn.com/downloads#wireguard-configuration>`__
The existing WireGuard configurations appear first with their expiration dates and following are the options to generate new ones.
.. image:: images/proton_wireguard_configuration.png
:width: 100%
- Select a name for the generated configuration
.. Note::
If a name is not provided a unique ID will be generated by ProtonVPN
- Select Router as a platform
- Select VPN options
- There are 3 options for NetShield blocker filtering
- No filtering
- Block malware
- Block malware, ads and trackers
- There are also options to enable Moderate NAT, NAT-PMP (Port Forwarding) and VPN accelerator as well. The features are documented in the ProtonVPN website.
- Pick the options that satisfy your requirements and move on to the next section.
- Select a server to connect to
- ProtonVPN proposes the best server or allows the user to select manually.
- When selecting manually there are 2 main choices:
- Standard vs Secure Core configuration
- Exit country
- Pick the one that satisfies your requirements and click on `Create` to generate the configuration.
- Upon successful completion a window like the following will appear on the screen.
.. image:: images/proton_configuration_1.png
:width: 100%
The full configuration looks like this:
.. code-block:: none
[Interface]
# Bouncing = 0
# NetShield = 1
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = 2Kh7TlGz+7PCFa0jEHat8IWkYZgPmDLAiagGq+dyLks=
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
# NO#21
PublicKey = KOITt3KQ72LHPbpVp7kp4cQo/qw2qvKPrN732UTWWFw=
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.170.18:51820
.. Note::
The private key disappears after creating the configuration so it must be stored. It will be used in the following
section to generate the public key. Both are needed for successful configuration.
.. Warning::
**Do not re-use the private keys in these examples**
---------------------------------------------
Step 2 - Generate public key from private key
---------------------------------------------
ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI.
The public key will be derived from the private key with the "wg pubkey" command.
`Windows`
.. code-block:: sh
echo wgPrivateKey | wg pubkey
`Linux`
.. code-block:: sh
wg pubkey < wgPrivateKey
----------------------------------
Step 3 - Setup WireGuard Instance
----------------------------------
- Go to :menuselection:`VPN --> WireGuard --> Settings --> Instances`
- Click **+** to add a new Instance configuration
- Turn on “advanced mode"
- Configure the Instance from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
===================== ===============================================================================================
**Enabled** *Checked*
**Name** *Call it whatever you want (eg* :code:`ProtonVPN-ExitCountry` *)*
**Public Key** *Insert the derived public key from the previous step*
**Private Key** *Insert the* :code:`PrivateKey` *field from the* :code:`\[Interface\]` *section*
**Listen Port** *51820 or a higher numbered unique port*
**MTU** *Needs to be 80 bytes shorter than normal MTU. Default 1420*
**DNS Server** *Insert the* :code:`DNS` *field from the* :code:`\[Interface\]` *section as is (without subnet mask)*
**Tunnel Address** *Insert the* :code:`Address` *field from the* :code:`\[Interface\]` *section` in CIDR format, eg 10.2.0.2/32*
**Peers** *Leave blank for now*
**Disable Routes** *Checked*
**Gateway** *Insert the same address as in the DNS Server field above*
===================== ===============================================================================================
- **Save** the Instance configuration, and then click **Apply**
-------------------------------
Step 4 - Configure the peer
-------------------------------
- Go to :menuselection:`VPN --> WireGuard --> Settings --> Peers`
- Click **+** to add a new Peer
- Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
====================== ====================================================================================================
**Enabled** *Checked*
**Name** *Call it whatever you want (eg* :code:`ProtonVPN_Location` *)*
**Public Key** *Insert the* :code:`PublicKey` *field from the* :code:`\[Peer\]` *section*
**Allowed IPs** *0.0.0.0/0*
**Endpoint Address** *Insert the IP address from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
**Endpoint Port** *Insert the port number from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
**Instances** *Select the instance configured in the previous step*
**Keepalive** *25*
====================== ====================================================================================================
- **Save** the Peer configuration, and then click **Apply**
.. Note::
The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different
places.
--------------------------
Step 5 - Turn on WireGuard
--------------------------
Turn on WireGuard under :menuselection:`VPN --> WireGuard --> Settings --> General` if it is not already on
----------------------------------------------------
Step 6 - Configure assignments, gateways and routing
----------------------------------------------------
The rest of the steps are mostly the same as described in the how-to on selective routing :doc:`wireguard-selective-routing`
-------------------
ProtonVPN DNS leaks
-------------------
Since ProtonVPN provides a DNS server an extra firewall rule may be required to route the DNS traffic to the
WireGuard gateway.
- Go to :menuselection:`Firewall --> Rules --> [Name of interface for network in which hosts/network resides, eg LAN for LAN hosts]`
- Click **Add** to add a new rule
- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
============================ ====================================================================================================================
**Action** *Pass*
**Quick** *Checked*
**Interface** *Whatever interface you are configuring the rule on*
**Direction** *in*
**TCP/IP Version** *IPv4*
**Protocol** *TCP/UDP*
**Source / Invert** *Unchecked*
**Source** *IP of your DNS server*
**Destination / Invert** *Checked*
**Destination** *Select the* :code:`RFC1918_Networks` *Alias you created above in the dropdown*
**Destination port range** *DNS - DNS*
**Description** *Add one if you wish to*
**Gateway** *Select the WireGuard gateway created according to the selective routing how-to page (eg* :code:`WAN_ProtonVPN` *)*
============================ ====================================================================================================================
- **Save** the rule, and then click **Apply Changes**
- Then make sure that the new rule is **above** any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the “Default allow LAN to any rule”
In layman terms if the DNS server makes any requests to a non-local address it will go through the VPN gateway.
All images from `ProtonVPN` website are the property of `ProtonVPN` and are used with written permission.
Reference in New Issue View Git Blame Copy Permalink