Taylor TR Blog

Proton VPN via Wireguard on Mikrotik

March 12, 2024

After updating to the latest RouterOS on my MikroTik, I found that there are now WireGuard options available. Also having recently been trying out Proton's services, I was pleased to discover they offer a free VPN. The free plan is not fast by any means, but the nice part is being able to test out the features before making any subscription commitments.

I've been wanting to find a VPN service I can integrate directly on my router. While this doesn't offer all of the best features and functionality, for basic VPN use it's good enough. The key part of my network setup I'm experimenting with is isolating unknown devices from my main IP. The goal is to reduce the spread of my home location to services that don't really need to know it. Whether this is the end solution I'll stick with or not, only time will tell. At the least, this is a fun experiment in getting this specific VPN working.

Some of these steps are quite similar to Proton's own guide on setting up WireGuard on MikroTik. The key deviation is that I don't want to tunnel my entire network at this point. I want to selectively route certain IPs or subnets through it.

For this demo, I have an Ubuntu instance running in Proxmox that's pulling its own IP on my network. Let's say it's 192.168.50.2. By the end of these steps, this instance will use the VPN for all of its outbound internet use. Local traffic still functions as normal. I'm also going to start out assuming you've already downloaded the WireGuard configuration file, and that you're in the MikroTik configuration panel. The steps will often include the command line versions of the configuration, as I find it more readable and to the point about the options needed for each step. The nice thing about MikroTik is that whether you use the command line or the GUI, all the same items are named the same.

  1. Create a new WireGuard interface. Find your private key by looking for the line starting with PrivateKey= in the WireGuard config file.

/interface wireguard add listen-port=13231 mtu=1420 name=wireguard-inet private-key="your private key"

  2. Add an IP address to the interface you just created:

/ip address add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0

  3. Add the WireGuard server as a peer

Add the endpoint address, endpoint port, and public key from the WireGuard config file. Look for the lines starting with PublicKey= and Endpoint=. For example, if the config says Endpoint=103.107.197.2:51820, enter endpoint-address=103.107.197.2 and endpoint-port=51820.

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key"

  4. Enable masquerade for that interface. NOTE: I found that I didn't have to do this step, so I'm going to skip it. The default configuration for MikroTik includes a masquerade rule for your subnet. Since I'm planning on having the network function as normal and selectively routing traffic through the VPN, this step doesn't seem necessary, and I worried it would cause problems with my non-VPN network.

  5. Create a new route table. This is where the configuration really starts to deviate from Proton's guide. We need to create a new route table for our VPN traffic. This way, we can create a routing rule along with some IP firewall mangle rules to change the destination of our selected traffic.

/routing table add name=proton_vpn fib

  6. Add a routing rule. When we later add our firewall mangle rule, it only marks that the traffic should go to the VPN route table. This routing rule ties the new routing mark to the actual VPN route table. Without it, all traffic goes to the main routing table by default (since that's technically where it originated from).

/routing rule add routing-mark=proton_vpn action=lookup-only-in-table table=proton_vpn

  7. Add an IP firewall mangle rule. This is the piece that lets us select which IPs or other criteria route packets through the VPN. You can create additional mangle rules when you want additional packets to go through the VPN connection.

/ip firewall mangle add chain=prerouting src-address=192.168.50.2 action=mark-routing new-routing-mark=proton_vpn

  8. Direct all traffic destined for the "proton_vpn" routing table through WireGuard

/ip route add distance=1 dst-address=0.0.0.0/0 gateway=10.2.0.1 pref-src="" routing-table=proton_vpn scope=30 target-scope=10

  9. Direct the WireGuard endpoint IP address through your main gateway (so the tunnel itself is never routed into the tunnel)

/ip route add dst-address=x.x.x.x/32 gateway=[your gateway ip] routing-table=main

  10. Restart your router
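The endpoint port and the two keys are the values most easily mistyped when copying them from the config file into the router, so here is an added example (my own, not from the original post, Proton, or MikroTik) that reads the downloaded WireGuard config and prints the commands above in order. It assumes the standard WireGuard INI layout, the post's /30 convention for the tunnel address (so the far end is the first host of that /30), and the placeholder LAN host 192.168.50.2 and main gateway 192.168.50.1.

```python
import configparser
from ipaddress import ip_interface

# Constructed sample in the shape of a downloaded WireGuard client config (keys are fake).
SAMPLE_CONF = """\
[Interface]
PrivateKey = cPrivateKeyPlaceholder0000000000000000000000=
Address = 10.2.0.2/32

[Peer]
PublicKey = cPublicKeyPlaceholder00000000000000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 103.107.197.2:51820
"""


def parse_wg_conf(text):
    """Pull out the fields the RouterOS steps need; Endpoint splits on its last ':'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    host, _, port = cp["Peer"]["Endpoint"].rpartition(":")
    return {
        "private_key": cp["Interface"]["PrivateKey"],
        "address": ip_interface(cp["Interface"]["Address"]).ip,
        "public_key": cp["Peer"]["PublicKey"],
        "endpoint_host": host,
        "endpoint_port": int(port),
    }


def routeros_commands(wg, lan_host, main_gateway, iface="wireguard-inet", table="proton_vpn"):
    """Emit the post's steps in order, assuming a /30 tunnel whose gateway is the first host."""
    tunnel = ip_interface(f"{wg['address']}/30")
    gateway = tunnel.network.network_address + 1
    return [
        f'/interface wireguard add listen-port=13231 mtu=1420 name={iface} '
        f'private-key="{wg["private_key"]}"',
        f'/ip address add address={tunnel} interface={iface} network={tunnel.network.network_address}',
        f'/interface wireguard peers add allowed-address=0.0.0.0/0 '
        f'endpoint-address={wg["endpoint_host"]} endpoint-port={wg["endpoint_port"]} '
        f'interface={iface} persistent-keepalive=25s public-key="{wg["public_key"]}"',
        f'/routing table add name={table} fib',
        f'/routing rule add routing-mark={table} action=lookup-only-in-table table={table}',
        # Only this LAN host is marked; add one mangle rule per extra host or subnet.
        f'/ip firewall mangle add chain=prerouting src-address={lan_host} '
        f'action=mark-routing new-routing-mark={table}',
        f'/ip route add distance=1 dst-address=0.0.0.0/0 gateway={gateway} pref-src="" '
        f'routing-table={table} scope=30 target-scope=10',
        # The endpoint itself must stay reachable via the main table, never via the tunnel.
        f'/ip route add dst-address={wg["endpoint_host"]}/32 gateway={main_gateway} routing-table=main',
    ]
```

The output contains your private key, so paste it straight into the terminal or write it to a file readable only by you rather than leaving it in a shared script.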

After all this, our test Ubuntu instance on 192.168.50.2 will be routing its public traffic through the VPN! You can confirm with a curl command, which should now show the VPN's public IP rather than your own:

curl icanhazip.com

If you have any questions or comments, leave them for me on Threads.