I will show you how to set up Proton VPN on OPNSense 24.1 or higher using the WireGuard VPN protocol in this guide. This will enable your router to provide Proton VPN protection to all connected devices.
Note:
- This tutorial does not cover DNS leaks, as each user may have a different setup for their DNS service. I’ll cover this in another tutorial. Link: Coming soon…
- Alternatively, you can follow my tutorial to set up DNS over TLS using NextDNS. With NextDNS, you have the option to disable the log or set the log retention from 1 hour to up to 2 years. Here is the link to the tutorial: https://bit.ly/3rWVDwz.
Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:
Step 1. Create a WireGuard configuration
- Sign in to Proton VPN with your Proton Account username and password at account.protonvpn.com, go to Downloads → WireGuard configuration, and fill in the form that generates the configuration file:
- Device/certificate name: Country_State_Server# (any format works, but make the server location easy to identify).
- Select platform: Router.
- Select VPN options (This depends on your use case; select what applies to you)
- Moderate NAT: If you’re having trouble connecting during online gaming, enabling moderate NAT settings can help resolve the issue.
- NAT-PMP (Port Forwarding): It is useful for those using P2P protocols like BitTorrent and can also improve online gaming performance.
- VPN Accelerator: improves VPN connection stability and can increase your VPN speeds.
- Select a server: by default, Proton VPN recommends the fastest server closest to your current location. Accept it and select Create, or manually choose a server location and then select Create.
- Download the config file. In steps 3, 4 and 6 you will need its PrivateKey, PublicKey, Address, DNS, and Endpoint values.
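As an added example (not part of the original tutorial, and not Proton's or OPNsense's code), the shell script below reads a Proton WireGuard config file and prints which OPNsense field each value belongs in. It also derives the instance's own public key with the wg tool when that tool is available, which makes the point in step 4 concrete: the PublicKey in the file is Proton's server key, while yours is computed from the PrivateKey. The embedded config is constructed for the example: both keys are dummy base64 strings of the correct length and 203.0.113.10 is a documentation (TEST-NET-3) address, not a Proton server.

```shell
#!/bin/sh
# Added example (not from the original tutorial): read the values that
# Steps 3, 4 and 6 ask for out of a Proton WireGuard config and show which
# OPNsense field each one goes into.
#
# SAMPLE_CONF is CONSTRUCTED. The keys are dummy base64 strings of the right
# length (not real keys) and the endpoint is a TEST-NET-3 documentation
# address. Replace it with your real file, e.g. SAMPLE_CONF=$(cat my.conf).
SAMPLE_CONF='[Interface]
# Key for Country_State_Server1
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# Country_State_Server1
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820'

# wg_field CONF SECTION KEY: print KEY's value from the [SECTION] block.
# The section matters: PublicKey lives under [Peer] (Proton's server key);
# the instance's own public key is derived from [Interface] PrivateKey.
wg_field() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^#/  { next }
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Endpoint is "host:port"; OPNsense wants the two halves in separate peer
# fields. Proton router configs use IPv4 endpoints; a bracketed IPv6
# endpoint would need different splitting.
endpoint_host() { printf '%s\n' "${1%:*}"; }
endpoint_port() { printf '%s\n' "${1##*:}"; }

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus '='.
is_wg_key() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# Derive the public key from a private key with the wg tool when it is
# installed (it is on OPNsense). This is what OPNsense fills into the
# instance's Public Key field; it must differ from the [Peer] PublicKey.
derived_public_key() {
    command -v wg >/dev/null 2>&1 || return 1
    printf '%s\n' "$1" | wg pubkey
}

priv=$(wg_field "$SAMPLE_CONF" Interface PrivateKey)
addr=$(wg_field "$SAMPLE_CONF" Interface Address)
dns=$(wg_field "$SAMPLE_CONF" Interface DNS)
peer_pub=$(wg_field "$SAMPLE_CONF" Peer PublicKey)
endpoint=$(wg_field "$SAMPLE_CONF" Peer Endpoint)

for k in "$priv" "$peer_pub"; do
    is_wg_key "$k" || echo "WARNING: '$k' is not a well-formed WireGuard key" >&2
done

cat <<EOF
Step 3  Peer     > Public Key       : $peer_pub
Step 3  Peer     > Endpoint Address : $(endpoint_host "$endpoint")
Step 3  Peer     > Endpoint Port    : $(endpoint_port "$endpoint")
Step 4  Instance > Private Key      : $priv
Step 4  Instance > Tunnel Address   : $addr
Step 4  Instance > DNS Servers      : $dns
Step 6  Gateway  > IP / Monitor IP  : $(endpoint_host "$endpoint")
EOF

if pub=$(derived_public_key "$priv"); then
    echo "Step 4  Instance > Public Key (derived by OPNsense): $pub"
    [ "$pub" != "$peer_pub" ] || echo "WARNING: derived key equals the peer key; the wrong key was pasted" >&2
fi
```

Run it on the OPNsense shell or any machine with sh and awk; the wg-derived line only appears where the wg tool is installed.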
Step 2. Create a Backup of System Configuration
It’s essential to create a backup of your system configuration. If anything happens unexpectedly, having a backup file lets you quickly restore your settings. You should consider automating this process using the Google Drive API for seamless automatic backups. I have provided a step-by-step tutorial on how to back up your configuration in case of a system failure or if you need to restore your settings. Check it out here: https://sysadmin102.com/2024/03/opnsense-automatic-configuration-backup-with-google-drive/.
- Go to System ‣ Configuration ‣ Backups and click Download configuration to save a copy before making changes.
Step 3. Create a WireGuard Peer
- Go to VPN ‣ WireGuard ‣ Peers
- Click + to add a new Peer
- Configure the Peer as follows (if an option is not mentioned below, leave it as the default):
- Public Key: the PublicKey from the [Peer] section of the config file downloaded in step 1 (print it with cat). This is Proton's server key, not your own.
- Allowed IPs: 0.0.0.0/0
- Endpoint Address: the host part of the Endpoint line in the Proton config (everything before the colon).
- Endpoint Port: 51820 (the port part of the Endpoint line; WireGuard's default port).
- Instances: nothing selected. The peer is linked from the instance side in step 4.
- Keepalive interval: 25
- Save.
Step 4. Create a WireGuard Instance
- Go to VPN ‣ WireGuard ‣ Settings ‣ Instances
- Click + to add a new Instance
- Configure the Instance as follows (if an option is not mentioned below, leave it as the default):
- Advanced mode: toggled on.
- Name: WG_ProtonVPN (or whatever you choose).
- Public Key: leave blank. OPNsense derives it from the Private Key you enter below. Do not paste the PublicKey from the config file here; that one belongs to Proton's server and goes into the peer in step 3.
- Private Key: the PrivateKey from the [Interface] section of the config file downloaded in step 1.
- MTU: 1420 (WireGuard default) or 1412 when connecting to a PPPoE network (like most DSL connections).
- DNS Servers: Obtain from step 1 or the downloaded config file.
- Tunnel Address: Obtain from step 1 or the downloaded config file.
- Peers: Select the peer that you created in step 3.
- Gateway: any unused IP within the tunnel network. For instance, if the tunnel address is 10.2.0.2/32, you can use 10.2.0.3 as the gateway IP address.
Step 5. Assign an interface to WireGuard
- Go to Interfaces ‣ Assignments
- Select the WireGuard – WG_ProtonVPN (wg0 if this is your first one) in the dropdown.
- Add a description (ex WG_ProtonVPN).
- Click Add to add it, then click Save.
- Then open the new interface under the Interfaces menu and configure it as follows (if an option is not mentioned below, leave it as the default):
- Enable Interface: checked.
- Prevent interface removal: checked (optional).
- Save.
- Apply changes.
Step 6. Create a Gateway
- Go to System ‣ Gateways ‣ Configuration
- Click + to add a new Gateway.
- Configure the Gateway as follows (if an option is not mentioned below, leave it as the default):
- Name: WAN_ProtonVPN (this is the name the floating rule in step 9 refers to).
- Interface: WG_ProtonVPN (the interface assigned in step 5).
- IP Address: Endpoint IP Address from step 1 or the config file.
- Far Gateway: checked.
- Disable Gateway Monitoring: unchecked.
- Monitor IP: Endpoint IP Address from step 1 or the config file.
- Save, then Apply changes.
Step 7. Create an Alias for local host(s)/net(s) that will access the tunnel and a second Alias for all local (private) networks
- Go to Firewall ‣ Alias.
- Click + to add a new alias.
- Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
- Name: WG_ProtonVPN_Net (or whatever you choose).
- Type: if you select a single host or multiple hosts, then select Host(s). If you want to tunnel the whole subnet, then select Network(s).
- Description: Local hosts/nets that will access the tunnel (optional).
- Save.
- Repeat the same step to create a second Alias for all local (private) networks.
- Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
- Name: RFC1918_Networks
- Type: Network(s)
- Content:
- 192.168.0.0/16
- 10.0.0.0/8
- 172.16.0.0/12
- Description: All local (RFC1918) networks
- Save.
- Apply.
Step 8. Create Firewall Rules for LAN
- Go to Firewall ‣ Rules ‣ LAN
- Click Add to add a new rule
- Configure the LAN Rule as follows (if an option is not mentioned below, leave it as the default):
- Source: WG_ProtonVPN_Net (the first alias you created in step 7).
- Destination/Invert: Checked.
- Destination: RFC1918_Networks (the second alias you created in step 7).
- Set local tag: NO_WAN_EGRESS (optional for adding a VPN kill Switch).
- Save
- Firewall rules are evaluated in order. Make sure the newly created rule sits above the other LAN rules.
- Disable the default "Default allow LAN IPv6 to any rule" by clicking its enable/disable toggle. At the time of writing, Proton VPN's router configurations did not route IPv6, so leaving IPv6 allowed on the LAN would let IPv6 traffic bypass the tunnel (an IPv6 leak).
Step 9. Create a Floating Firewall Rule to route traffic to the VPN gateway
- Go to Firewall ‣ Rules ‣ Floating
- Click Add to add a new rule
- Configure the Floating Rule as follows (if an option is not mentioned below, leave it as the default):
- Quick: Unchecked.
- Source: WG_ProtonVPN address
- Destination / Invert: Checked.
- Destination: WG_ProtonVPN net
- Gateway: WAN_ProtonVPN.
- Allow options: checked.
- Save the rule, and then click Apply changes
Step 10. Create an outbound NAT rule
- Go to Firewall ‣ NAT ‣ Outbound
- Set Mode to "Hybrid outbound NAT rule generation" if it is not already selected, then click Save and Apply changes.
- Click + to add a new manual rule and configure it as follows (if an option is not mentioned below, leave it as the default):
- Interface: WG_ProtonVPN
- Source Address: WG_ProtonVPN_Net (the first alias that you created in step 7).
- Description: Outbound rule for ProtonVPN (optional).
- Save, then Apply changes.
Step 11. Create a VPN Kill Switch (optional)
- Go to Firewall ‣ Rules ‣ Floating
- Click Add to add a new rule
- Configure the Floating Rule as follows (if an option is not mentioned below, leave it as the default):
- Action: Block
- Interface: WAN
- Direction: Out
- Description: VPN Kill Switch
- Match local tag: NO_WAN_EGRESS
- Save, then Apply changes.
- This rule only drops packets carrying the tag, i.e. traffic from WG_ProtonVPN_Net that matched the LAN rule in step 8; other LAN hosts keep using the WAN as before. It matters because, by default, when the gateway set on a rule is down OPNsense loads the rule without that gateway and the traffic falls back to the default (WAN) route. System ‣ Settings ‣ General ‣ "Skip rules when gateway is down" changes that behaviour so the policy-routing rule is not loaded at all while the gateway is down.
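Two checks to run from the OPNsense shell once steps 3 to 11 are complete, added here as an example that is not from the original tutorial. WireGuard has no "connected" state, so the reliable sign that the tunnel is passing traffic is the age of the most recent handshake, and the kill switch is only real if pf actually loaded a block-out rule on WAN for the NO_WAN_EGRESS tag alongside the LAN rule that sets it. The sample `wg show` and `pfctl -sr` output embedded below is constructed for the example; wg0, igb0 and igb1 are assumed interface names, and the key and timestamp are dummies.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the tunnel and the
# kill switch from the OPNsense shell (System > Access > Shell).
#
# The sample strings are CONSTRUCTED to mimic `wg show wg0 latest-handshakes`
# and `pfctl -sr`. The key, epoch and interface names (wg0, igb0 for WAN,
# igb1 for LAN) are assumptions, not taken from a real box.
SAMPLE_HANDSHAKES=$(printf 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=\t1700000100\n')
SAMPLE_NOW=1700000200
SAMPLE_RULES='pass in quick on igb1 inet from <WG_ProtonVPN_Net> to ! <RFC1918_Networks> flags S/SA keep state tag NO_WAN_EGRESS label "LAN to tunnel"
block drop out quick on igb0 inet from any to any tagged NO_WAN_EGRESS label "VPN Kill Switch"'

# handshake_age OUTPUT NOW: seconds since the newest handshake, or "never".
# `wg show <if> latest-handshakes` prints "<peer-pubkey><TAB><unix-epoch>"
# per peer, with 0 for a peer that has never completed a handshake.
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" 'BEGIN { m = 0 }
        $2 > m { m = $2 }
        END { if (m == 0) print "never"; else print now - m }'
}

# tunnel_up OUTPUT NOW: succeed if a handshake happened within the last
# 180 s. With the 25 s keepalive from step 3 an established tunnel
# re-handshakes about every two minutes, so anything older means the
# tunnel is not passing traffic.
tunnel_up() {
    age=$(handshake_age "$1" "$2")
    [ "$age" != never ] && [ "$age" -lt 180 ]
}

# killswitch_loaded RULES WAN_IF: succeed if pf holds a block-out rule on
# the WAN interface that matches the NO_WAN_EGRESS tag (the step 11 rule).
killswitch_loaded() {
    printf '%s\n' "$1" | grep -Eq "^block (drop )?out .*on $2 .*tagged NO_WAN_EGRESS"
}

# tagging_rule_loaded RULES: succeed if some pass rule sets the tag, i.e.
# the step 8 LAN rule made it into the ruleset. Without it the kill switch
# matches nothing and the tunnel hosts would leak out of the WAN.
tagging_rule_loaded() {
    printf '%s\n' "$1" | grep -Eq '^pass in .* tag NO_WAN_EGRESS( |$)'
}

report() {  # report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

# Dry run against the constructed samples:
report "tunnel handshake fresh ($(handshake_age "$SAMPLE_HANDSHAKES" "$SAMPLE_NOW")s ago)" \
    tunnel_up "$SAMPLE_HANDSHAKES" "$SAMPLE_NOW"
report "LAN rule tags tunnel traffic" tagging_rule_loaded "$SAMPLE_RULES"
report "kill switch loaded on igb0"   killswitch_loaded "$SAMPLE_RULES" igb0

# On the firewall itself, feed live data instead (wg0 and igb0 are assumptions):
#   tunnel_up "$(wg show wg0 latest-handshakes)" "$(date +%s)"
#   tagging_rule_loaded "$(pfctl -sr)"
#   killswitch_loaded "$(pfctl -sr)" igb0
```

A handshake older than 180 s while traffic should be flowing usually means a wrong peer public key, endpoint or port in step 3; a missing kill-switch rule means the step 11 rule was saved but not applied.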
Ways to support my channel
If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or using the affiliate links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ