You can set-up VPN for Linux by using the ‘openvpn’ package and with the appropriate config files of the ProtonVPN servers.
As an example, the below Linux VPN setup guide shows how to configure a connection on Ubuntu 16.04LTS.
We strongly recommend using our Linux VPN command-line tool which makes it easy to connect on Linux machines
Note: To address frequent DNS leaks on Linux, we’ve updated this guide with new Linux specific config files and new instructions to connect via CLI (see option B below)
Preparation for the Linux VPN setup:
1. Install the necessary packages:
Install the OpenVPN package by opening a terminal (press Ctrl + Alt + T) and entering:
sudo apt-get install openvpn
- It will prompt you for your password to allow installation, enter it to proceed
- When it prompts you to confirm the installation, press ‘y’ and hit ‘[Enter]’
- If it’s installed already, it will look like this:
Note: if you do not have administrator privileges on your machine, please contact your system administrator and ask them to perform the installation for you.
Install the ‘network-manager-openvpn-gnome’ package, for easier use and compatibility with the Ubuntu Network Manager GUI, by entering:
sudo apt-get install network-manager-openvpn-gnome
And pressing [Y] and then [Enter] to confirm the installation.
Also, ensure that the resolvconf is installed:
sudo apt install resolvconf
2. Get the ProtonVPN config files:
-
Download the desired configuration files
- Log into your ProtonVPN dashboard at account.protonvpn.com/login
- Select Downloads on in the left navigation bar
- Find the OpenVPN configuration files section and chose
- Platform: Linux
- Protocol: UDP (recommended) / TCP if you experience slow VPN speeds (this utilizes port 443)
- Click the download icons for the server you wish to download
If you selected “Download All configurations”, extract the zip file to your desired location
3. Find your OpenVPN credentials:
For increased security, ProtonVPN is set-up with two separate credentials to authenticate a connection.
Learn more about how two pairs of credentials increase the security of ProtonVPN.
Log in to the ProtonVPN dashboard and click on Account tab. Here you will see your two type of credentials.
The credentials ProtonVPN Login are used in our applications. OpenVPN / IKEv2 Username is used on manual connections. So please configure the OpenVPN credentials to your preference as you will need to use them to establish a Linux VPN connection.
Usage
Option A: Linux VPN setup using the Network Manager
Attention: At this point, there is a known issue with DNS Leaks on distributions up to Ubuntu 16.04LTS (and its dependencies and parents). If you find that you too are affected by DNS leaks, we recommend you to use Option B below.
A1. Adding a new connection
-
Click on your connection symbol, in the system menu on the top right and select ‘Edit connections’.
Click ‘Add’ in the new window to create a new connection. Select ‘Import a saved VPN configuration…’ in the drop-down menu and click “Create…”
Import the config file of the server you want to connect to, by navigating to the location where you downloaded the configuration file OR extracted the ProtonVPN_config.zip and selecting the desired file.
The files are named with a two-letter abbreviation of the destination country and a number to show which server in that country. For example: de-01 is the first server in Germany; ca-04 is the fourth server in Canada, see this article for a list of abbreviations. Files with two country abbreviations are secure core servers, for example: is-us-01 is the secure core connection over Iceland to the USA. Learn more about our Secure Core feature.
-
Enter the OpenVPN credentials from step 3 in the ‘username‘ and ‘password‘ field of the new window and hit save.
For Ubuntu 14.04 LTS: there is an issue specific to 14.04 where importing the configuration that does not read all settings automatically. If you are experiencing issues with the auto-import feature with the network manager, please drop us a line at this link for further instructions.
A2. Establish the Linux VPN connection
Click on your connection symbol in the system menu. Select ‘VPN Connections’, click the entry of your newly added config and it will automatically connect to your chosen ProtonVPN server.
You will see a popup confirming the VPN connection has been established and a lock next to your connection symbol. Congratulations, you’ve just successfully connected to ProtonVPN!
A3: Optional: To add more connections, simply repeat step A1 with a different configuration file(s).
Option B: VPN setup for Linux using the Terminal (CLI)
Note: if you do not have administrator privileges on your machine, please contact your system administrator and ask them to perform the connection for you
Open a terminal (press Ctrl+Alt+T) and navigate to the folder where you unzipped the config files using cd <path> . In our example, they are located in ~/Downloads so we enter:
cd ~/Downloads
If you find it hard to navigate using CD command line, you can open the folder that the file is located in using any file manager and right click > Open in terminal
Enter the following to initialize a new connection :
sudo openvpn <config.ovpn>
Where <config.ovpn> is the config file name of the server you want to connect to, e.g. de-03.protonvpn.com.udp1194.ovpn for Germany #3 server. Enter your PC’s administrator password to execute (openvpn will modify your network adapters and needs root privileges)
Subsequently, you will be prompted for your OpenVPN credentials from step 3, enter your credentials to authenticate
- You have finished the Linux VPN setup and successfully connected to the ProtonVPN servers once you see Initialization Sequence Completed
- Keep this Terminal open, to stay connected to ProtonVPN. If you close the terminal, the VPN connection will disconnect.
Click here if you’d like to ensure that the connection is successfully established and there are no leaks.
To disconnect your Linux VPN connection, press Ctrl+C and/or close the Terminal.
- Additional Ressources
Download Linux config files via the Dashboard
- Related articles
Does ProtonVPN store user information?
Does ProtonVPN have bandwidth limit?
Is it possible to activate the 7 day free trial using the linux command line tool?
If yes, how? I tried to use the plus option, but I cannot connect to italian servers.
0
Hello. The first connection has to be made to the Free servers, upon that, your trial will activate and you will be able to connect to the Plus servers for 7 days. If you encounter any issues, feel free to let our customer support team know! https://protonvpn.com/support-form
0
I just connect a VPN on linux machine using proton Free VPN plan, looks great, but after checking my ip on ipleak.net . it just shows my real IP along and my VPN Server IP, It says because of WebRTC detection, and also it guides how to stop on browsers ,and my question is 🙁 Still how many traps on the internet to reveal our Real IP like this,
I need answers !
Thank You!
0
Hello. You should contact our CS team for detailed investigation. As for the traps, the question is a bit undefined and there are many ways of answering it, but basically you could leak your information with IP, DNS, WEBRTC and browser Fingerprint. We take care of first 3 but fingerprint is not in VPN power to protect, so you can look up some add-ons or extensions to hide that.
0
Hi there,
I followed the step by step tutorial for Linux installation, and when I finished, everything was working fine and I connected to the VPN. But then, I decided to reboot my computer and now I tried everything but can’t connect again on the VPN. Even my wlan0 is connected and wifi seems to be working, but I can’t access internet on Firefox anymore.
Help please
Thks
0
Hello Vince, please contact our customer support team as we need the connection logs and your DNS settings. https://protonvpn.com/support-form
0
Good afternoon, great work, fedora 28 everything works out of the box, downloaded ovpn, opened in networkmanager, + vpn, turned on and everything works, only webrts turned off in browsers, there are no dns leaks, thanks to the fastest and most convenient bypass of Belarusian censorship for me present day.
0
Hello,
Bit of a newbie to this but does anyone know if you can use the server script to setup openVPN inside an untangle box? I am currently trying to figure out how to get this working with my untangle Environment. Thank you.
0
Linux pc 4.9.124-nrj-desktop-1rosa-x86_64 #1 SMP PREEMPT Tue Sep 4 09:48:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Connecting…
[!] Error connecting to VPN.
[!] Reason: Authentication failed. Please check your ProtonVPN OpenVPN credentials.
[!] There are issues in managing IPv6 in the system. Please test the system for the root cause.
Not being able to manage IPv6 by protonvpn-cli might cause issues in leaking the system’s IPv6 address.
0
Hello. Please try installing open-resolv and updating the client using pvpn -update. After doing so, re-initiate the client using pvpn -init and make sure you enter OpenVPN credentials and not ProtonVPN credentials.
0
Hey can you break this down and explain what you are talking about instead of giving a five second answer? I am not a LInux guru. Tell me what tot ype.
0
Hello, please enter these commands:
sudo apt-get update
sudo apt-get install openresolv
0
Do you have any plans to release your own GUI client for linux?
0
Hey Andrew, currently we do not have any plans for that as we are still polishing the cli.
0
“Click here if you’d like to ensure that the connection is successfully established and there are no leaks.” FYI, that link doesn’t work anymore.
0
Hey, thanks for the heads up, seems that the link was not working with www. and now we fixed it.
0
I am trying to use Option B on Lubuntu 16.04 LTS. When I invoke openvpn I get this:
paul@len780:~/Downloads/ProtonVPN$ sudo openvpn jp-free-02.protonvpn.com.udp1194.ovpn
[sudo] password for paul:
Options error: –up script fails with ‘/etc/openvpn/update-resolv-conf’: No such file or directory
Sure enough, there is no file in /etc/openvpn. Your recipe seems to be missing something. Yes, I checked via Synaptic that I have openvpn, network-manager-openvpn-gnome, and resolvconf installed. I got update-resolv-conf from github, and did a chmod to 744. That allowed me to get the tunnel working and google maps showed me as being in Japan, as expected. However the DNS is leaking, and invoking openvpn gives me this error message:
Mon Sep 10 20:11:02 2018 /etc/openvpn/update-resolv-conf tun0 1500 1637 10.8.8.36 255.255.255.0 init
dhcp-option DNS 10.8.8.1
resolvconf: Error: Command not recognized
Synaptic shows resolvconf as being installed. Apparently the update-resolv-conf script uses the command improperly?
Anyway for me, ProtonVPN is not ready for prime time.
0
Hello Paul, may we ask have you tried using our cli tool that we made for linux? https://protonvpn.com/support/linux-vpn-tool/ any feedback is greatly appreciated to our support team here – https://protonvpn.com/support-form
0
Hi, I’ve been using ProtonVPN on a new installation of Linux Mint for the last week or so, I had initially configured the VPN using method A, and although it was connecting without any issue it was constantly producing DNS leaks. Since configuring the VPN using method B, the VPN connects and no longer produces any DNS leaks.
I wanted to ask though, how do you go about ensuring the client is always kept up to date as you guys release new versions?
Thanks
0
Hello Scotus. None of the methods included in this article are build by us. All of them just use our generated server configuration files, so we are not in control of that software. Network manager is known to have bugs and issues for many distributions, thus we suggest registering them on appropriate community forums for them to be fixed. We always recommend using our ProtonVPN linux command line interface that has no leaks of any sorts.
0
Installation on Ubuntu 18.04 was easy. Yet that seemed to me “core” and “country” config tabs were a little misleading.
0
A couple of days ago I got the ‘plus’ package with (5) VPN connection. Installed it without any problems on my Win based Notebook and it’s doing really fine there…
But I have got real problems with my two other PC’s, which are running on Linux Mint Cinnamon. Followed all the instructions on your site and after switching to VPN connection it tells me correctly that the connection is successfully established. But then it kills any streams in my browser and it’s impossible to connect any new sites. ‘timeout error’.
After a while I get the message ‘…connection failed’.
Any idea what I did wrong there?
0
Hello Pete, it could be that the method you did has some issues on your specific distribution. Thus we would suggest to try our linux client tool. https://protonvpn.com/support/linux-vpn-tool/
0
Hi
To the question activate Kill Switch, do you choose Y or N ?
Following your link, I use Chalet Os Distro
Here is what I get :
Connecting…
[!] Error connecting to VPN.
[!] There are issues in managing IPv6 in the system. Please test the system for the root cause.
Not being able to manage IPv6 by protonvpn-cli might cause issues in leaking the system’s IPv6 address.
thank you
0
Hello. Please update the linux cli since we removed killswitch because it had too many issues for now. You need openresolv to run the vpn. Check if your distro has this as a package and install it.
0
After switching from Linux Mint 19 Tara (base: Ubuntu Bionic 18.4.x) with the MATE desktop to Cinnamon in late Aug. 2018, I also lost the ability to use the Proton-CLI tool, which works excellently on MATE. Thanks!
0
Hello Osten, please contact our team here and we will do our best to investigate your issues. https://protonvpn.com/support-form
0
About option A and B
For DNS leaks you can edit the .ovpn file and and add at the bottom:
block-outside-dns
that is a new option introduced from OpenVPN v2.3.9
check your version using : openvpn –version
in my case
OpenVPN 2.3.10 x86_64-pc-linux-gnu
I would like to advice you to always change your default ISP dns servers and setup OpenNIC or whatever Dns service you prefer, if you have the possibility to do it.
0
Apparently, block-outside-dns is only effective in Windows (from what I’ve read).
0
VERY EASY
0
Am I able to use two-factor authentication using the command line process? I’m having difficulty authenticating.
0
Hello Sean, VPN does not have 2FA at all for now, using linux connection method, you have to use your OpenVPN credentials that you can find in your ProtonVPN dashboard on our website.
0
I constantly have problems with dns leaks :/ leak tests always show my real ip address, no matter what i do. Using linux, ubuntu based distribution. Currently on openvpn configuration, i was used your script from github too, but i have problems with it all the time, when it can’t connect properly and it’s always warning me about dns leaks when it connects.
0
Hello! Please contact our customer support team for detailed investigation.
https://protonvpn.com/support-form
0
do you log which device i have used to create an account or which device i have used to log in to protonmail
0
No, the devices are not logged, if you want to log IP addresses that log in to your protonmail account, you can do so on Protonmail mail dashboard -> security and switch logging to highest.
0
Hello
As “KDE user” posted on June 1 2018
On Ubuntu 18.04.1 LTS
If you follow step by step
– 1. Install the necessary packages
– 2. Get the ProtonVPN config files
– 3. Find your OpenVPN credentials
And next:
– Option A: Linux VPN setup using the Network Manager
It work greats
=====================================================
just for the image:
https://protonvpn.com/support/wp-content/uploads/2018/03/Screenshot_9-3.png
User name: IS NOT Protonvpn.user BUT OpenVPN/IKEv2 Username
=====================================================
Sorry i am new in linux
yesterday night on my windows 10 on my laptop lenovo yoga x1, some windows process were duplicate with a _f4rtn something like that, so i dowloaded a fresch instal from microsoft and i instal new clean, and when the computer restart the same process where duplicate, and i never creat an microsoft account.
As you known the serial key of windows 10 is include in the intel inside… when i start windows store i saw some app i had instal last year, so microsoft keep in mind all what you do with your serial number (i had put tool to stop telemetry)
so i go subito presto on ubuntu and creat a usb boot, and erase all partions on my M.2 2280 (new hard disk on laptop like ssd)
AND i am very happy, everything work great, ubuntu recognize all my hardware (last time i used linux was in 2001, and this time i need to compile the kernel, too lazy i was!)
viva linux
have a nive time to all
sorry for my english
0
Hello Sedax, we appreciate the heads up on the little mistake, which we have corrected thanks to you, and we are happy to hear that you are satisfied with the services!
0
Is it possible to use proton vpn on amazon fire tv? if not could you please suggest a router that support vpn connections.
0
Hello Michal,For now, the application is in testing period, but for recommended routers we think that ASUS are the best ones, since they are easy to configure with sleek UI.
Asus: RT-AC88U, RT-AC3100, RT-AC5300
0
I used the terminal and am connected to NL, but see my AU ISP address (WebRTC detection & DNS Address).
How to stop the leak?
Cheers
0
Hello Jane, it would be the best if you contacted our customer support team for detailed investigation and instructions on what to do in your case. https://protonvpn.com/support-form
0
I’m really grateful for this guide. Running Debian stretch on my Planet Gemini pda means no network-manager and the nifty looking tool you provided didn’t work, but option B runs perfectly.
0
Hello Peter, we are happy to hear that you`ve found a way to connect!
0
After playing around a little more, I discovered that using Option B over a cellular connection produces a DNS leak. It’s easily corrected by modifying the interface settings, but perhaps at some point the config files could be updated to include either OpenDNS or Google DNS by default.
Should I relay this observation / request to Customer Support?
0
Hello Peter, thank you for feedback. There is no need to relay it to our support team, we will manage to consult with our developers on this aspect. 🙂
0
Great!
0
I have been using Debian 9 and ProtonVPN for some time. Today I was searching for something else and found this page, so tried it out. I works quite well. I like the ipleak.net link, I hadn’t tried that before and confirmed with other non ProtonVPN options. I’m very happy with the way ProtonVPN works and recommend it to my friends.
Thanks for your work to get this working and to maintain it.
0
Hi Proton Team,
Any plans to release TLS/SSL based VPN?
Some countries just block the other options.
Thanks
0
Hello. Honestly speaking, we haven`t thought about it yet, so there are no plans for now as we need to prioritize other more important factors for stability and accessibility.
0
You guys might want to add auth-nocache to your config files, also, comp-lzo is deprecated and may be removed in future OpenVPN versions, compress is the replacement.
0
Hello, thank you for the tips! Yes, we are aware of the situation and we are preparing the changes.
0
Hi! I tested all 3 VPN connection methods in Kubuntu 18.04 LTS.
This is a clean install of Kubuntu 18.04 LTS with all updates.
I did about 100 tests.
—————————————————————-
TESTS:
1. Connect with standard OpenVPN client.
RESULT: Permanent DNS leaks. GoogleDNS servers.
Screenshot: https://i.imgur.com/qrjeTXr.png
2. Connect with ProtonVPN Linux client tool.
RESULT: No DNS leaks.
Screenshot: https://i.imgur.com/PfwI8Wq.png
3. Connect with KDE NetworkManager.
RESULT: Permanent DNS leaks. GoogleDNS servers + 1 ProtonDNS server.
Screenshot: https://i.imgur.com/0Zbk0RU.png
—————————————————————-
You can see all 3 methods show 3 different results.
2 with DNS leaks (a bit different) and 1 with no DNS leaks.
In Kubuntu 16.04 LTS I had DNS leaks only sometimes. But all 3 methods worked fine for me most of time. But in 18.04 something has changed. I have no leaks only with ProtonVPN client.
0
Hello Protonvpn Support,
I am using Protonvpn FREE on Ubuntu 18 Gnome3 and connect using (Option B: VPN setup for Linux using the Terminal (CLI). Is there a way to configure the VPN to automatically connect when Ubuntu starts?
Thanks in advance for any help you can offer.
0
Hello Daryle, Please contact our customer support team and we will investigate the possibilities for your OS to start the terminal cli on boot since for now we do not have an official one as there are too many different linux distributions to make one available for all. https://protonvpn.com/support-form
0
IMPORTANT: For all KDE and Kubuntu users!!!
I tested ProtonVPN with NM in Kubuntu 18.04 LTS.
Same problem as in all previous releases – YOU CAN’T CONNECT to OpenVPN without “network-manager-openvpn” package (not installed by default). I DON’T KNOW WHY, but this package is not included by default in all versions of Kubuntu. So NetworkManager DOESN’T ALLOW YOU to press the “Connect” button in it’s applet and connect to OpenVPN.
https://i.imgur.com/p6oTaoc.png
You must install “network-manager-openvpn” package for NM.
> sudo apt-get install network-manager-openvpn
I just don’t understand the logic of Kubuntu devs – NM allows user to CREATE an OpenVPN connection, but doesn’t allow to connect to it without additional packages that is not installed by default. Moreover – NM doesn’t show any errors or hints! This is sucks.
I hope this post will help. 🙂
0
Hello. Thank you for the valuable information provided, we hope this helps for the users facing similar issues. 🙂
0
vpn bağlantısı kuruluyor, ancak bağlantı kurulduktan sonra hiç bir uygulama internete bağlanamıyor. Android uygulamasında sorun yok, Widows ile denemedim.
The vpn connection is being established, but no application can connect internete after the connection is established. No problem with Android application, I did not try it with Widows.
0
Hello. Seems like you are in a restricted network country. Could you please contact our customer support team and we will do our best to help you out! https://protonvpn.com/support-form
0
Hello ProtonVPN Team! I followed the Linux ProtonVPN installation process above and I verified if my connection was successful but it turns out my personal ip address has not been masked. I can clearly see my Internet Provider name, city/state/country, and my personal ip address. I don’t feel safe/secure on the web unless I have my ProtonVPN active. I would appreciate any help to resolve this issue, thank you!
0
Hello Murray. Thank you for reporting this to us. May we know, what Linux distribution did you install, what servers have you tried connecting to and where did you check the IP address data? It could be cache too, dont forget to refresh the browser cache after each connection. Please contact our customer support team with all this information and we will do our best to help you out! https://protonvpn.com/support-form
0
Hi, I can connect to the Swiss server (no DNS leak! but no Ipv6 test or Ipv4 for that matter possible. I cannot connect with the Netherlands server, which is the one I would like to, if possible. Thanks
0
Hello Adrian, could you please contact our customer support team? We will do our best to help you out! https://protonvpn.com/support-form
0
Im running proton VPN using option A, not from terminal. Is there any way to check if VPN is connected and running using terminal?
Programmatically I want to keep an eye whenever it gets disconnected.
0
Hello Richie. You can check your IP address online on the http://www.ipleak.net website, as for terminal, you should always see Initialization Sequence Completed at the end of the connection log , it means that you are connected but keep an eye if you get any errors on the terminal window. Other than that, there is no way to constantly check your connection.
0
In Ubuntu (17 in my case), you upgrade your service from free to (I guess) any other payment plan (I went to basic) don’t forget to reinitialise the Linux client protonvpn-cli (Ubuntu terminal is “sudo protonvpn-cli -init” then “Y” then choose the new plan when prompted). I didn’t do this and ended up hassling support wondering why I couldn’t see all the extra servers promised. Actually, the first time I reinitialised, I saw all the extra servers but couldn’t connect to any, including the free servers I had previously been connecting to. I reinitialised again and this time I saw the servers and could connect (in both cases I attempted multiple servers).
0
Fedora 27. I see “Initialization Sequence Completed” but no network until I hit CTRL C.
0
Hello Rob, does the same happen while using our linux client tool? It looks like there is something wrong with your DNS addresses in /etc/resolv.conf
0
I have had protonVPN, using openVPN working on Linux mint, and it has been fine. But, I just got a new machine (very similar to the first one), and installed a fresh copy of the same operating system. It is slightly newer (Linux Mint 18.3 Cinnamon 64-b, versus, Linux Mint 18.2 Cinnamon 64-b). I am connecting to the same VPN server, and all of the settings are the same (at least that is my intent). But, the new machine doesn’t connect. Instead, it fails complaining of a timeout.
Is there any reason that version 18.3 might have a problem, but 18.2 does not? Or, could it be that it does not connect because of the 2 device limit in the Basic subscription? I did connect using my phone once a while ago, but I don’t wish to use this device normally. If so, how to dis-enable that one?
Thanks, Robert
0
Hello Robert, We have tested Linux mint 18.3 with our cli-tool and it connects like it should without any timeouts. Have you tried a few different servers and different protocol (UDP/TCP) ?
Please contact our customer support team and we will do our best to help you out! https://protonvpn.com/support-form
0
Ok, I managed to get a bit further and downloaded this file ProtonVPN_server_configs.zip
so whenever I choose a file at random, for instance jp-01.protonvpn.com.udp1194.ovpn,
the outcome is that my system pop up says that the connection fails to the server because the time of connection is out ?
it seems that any server is out of reach ??
thank you
0
Hello Daniel, we had some short server maintenance yesterday. If you still face the same issue, please contact our support team here : https://protonvpn.com/support-form
0
Thanks for this! Works beautifully
0
Just a heads up. Simply closing the terminal window does not close the vpn connection. You should kill the processes. Using the gui option you don’t need to do so, but as pointed out in the article, you will be leaking your DNS on Ubuntu variants.
0
Hello Podesta,
Thank you for the heads up!
Please try our new tool and contact our support if you have any issues. https://protonvpn.com/support/linux-vpn-tool/
Support link : https://protonvpn.com/support-form
0
Hello, I just a question. Are all the DNS queries made through the VPN tunnel? And if they are, the DNS used is the one configured in my machine or the one used in the VPN?
Great services, ProtonMail, ProtonVPN! I wish the best for all the Proton community!
0
Hello Andre,
All of our VPN servers run DNS servers on them too, so your IP and DNS queries go trough it and the perfect connection is when you have the same DNS addresses as the IP.
Thank you for your great feedback! Wish the best for you too!
0
I’m running the Canada (via Iceland) config on Linux CLI. ipleak.net is showing DNS leaks.
0
Hello Matt,
Please contact our customer support team with provided details of your resolv.conf file and screenshots of leaks. https://protonvpn.com/support-form
0
I keep recieving this message when trying to install. can you help?
E: dpkg was interrupted, you must manually run ‘sudo dpkg –configure -a’ to correct the problem.
thank you
0
Hello Jonathan,
Could you please contact our support team with all of the detailed information?
https://protonvpn.com/support-form
0
That script works, but it only lets you see the country list. No secure core. Are you going to fix that?
0
Hello,
Secure core servers are in the list if you scroll down. The right side column says what specialty the server has, for example, P2P or Secure core.
0
i connected via CLI and i still get dns leaks when i check ipleak.net. it shows one server in my vpn country and like 6 or 7 in my native country. How do i fix this?
0
Hello,
Could you please contact our support team with all of the detailed information that you can provide?
https://protonvpn.com/support-form
0
Hello Proton team,
Well, the problem is solved.
After reading about similar problems on the internet i stumbled across “https://unix.stackexchange.com/questions/423140/dns-settings-not-working-on-lubuntu-17-10”. I repaired the link “/etc/resolv.conf” and added three lines to the .opvn files:
“script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf”
Now it works ok again.
Oh, and on another note, the OpenVpn on iOs works great
0
Hello,
I am experiencing DNS leaking after connecting via the CLI on ubuntu 14.04 LTS. ipleak.net shows the secure core server that I am connected to and additionally my real location/dns servers. Is there a current solution ? There are people commenting who seem to have found a solution but I have not seen protonvpn staff recommend anything. Thanks
0
Hello,
Please try out our new Linux client guide and let our support know how it goes. 🙂
https://protonvpn.com/support/linux-vpn-tool/
0
Hello
I use QubesOS and i cant fix dns leak, any idea?
0
Hello,
Could you please contact our support team with all detailed information about the connection method used and DNS leak?
https://protonvpn.com/support-form
0
Ubuntu 17.10
I’ve tried to connect via terminal:
Options error: In [CMD-LINE]:1: Error opening configuration file: nl-free-02.protonvpn.com.udp1194.ovpn
It doesn’t work as well on Ubuntu 16.04.
0
Hello,
Please try using our latest Linux client and follow this guide for the installation :
https://protonvpn.com/support/linux-vpn-tool/
0
Protonvpn stopped working yesterday (17 february 2018). No problems before that.
I am using Opera, Firefox and Thunderbird. After the CLI-client starts DNS does not seem to work. Ping does work.
Anybody else got this problem? Any idea how to fix it?
0
Hello, we will need more details in order to detect what might’ve caused the issue for you. Also, we need the account username. Please open a ticket through the following link, and let us know your username so we can check if everything is in order:
https://protonvpn.com/support-form
0
Works great on Souls. No DNS leals, no issues. I only had to block ipv6.
# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1
0
https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html
The above works for Ubuntu 17:10
Need to use the command line to start.
0
This method works also on Ubuntu 18:04
That is no DNS leaks.
Cheers
0
For the DNS leak, just type in the Terminal:
For Debian/Ubuntu/LinuxMint, etc.
# sudo apt-get install unbound
For Fedora/OpenSUSE/CentOS, etc.
# sudo dnf/yum install unbound
For ArchLinux/Manjaro/Antergos, etc.
# sudo pacman -Syu unbound
‘unbound’ comes with a lot of dependencies, so it’s not just a script. But it resolves at %1200 percentages the DNS Leak. I’ll try ProtonVPN for a month at the Pro plan, and who knows?… I enjoy the project and I think it deserves a hand, as so, as I’m for 5 years on Paid OpenVPN providers, anyways 🙂 They became rich and ProtonMail had never failed me from an year, so… Lets push that new startup from Switzerland, with their superb innovative Core futures!… The only scary think is, that, since the company is incorporated in an Offshore Zone, with such a lows, you never knows, who owns it… It could be the FSB from Russia (the successors of KGB) – like it is for some Paid OpenVPN providers, who started with huge capitals and built their VPN empires, and the one, incorporated in the Isle of Man – for sure – is a Russian Governmental Project to spy on people – that’s why they give the hugest Affiliates Marketing commissions, and so, they are everywhere at the first place, when it’s about third party classification of “the Top VPNs” 🙂 ЕxprеssVРN.com – the KGB’s one 🙂
But ProtonVPN are starting slowly – even ProtonMail had started slowly… So… I trust them, that they are really private company – but shall they be in one-two years? I put trust on them.
Proper A.A.S.R.F. Mason
0
Respect!
0
Installing Unbound seems to have fixed the issue with DNS leaks. Thanks for sharing.
0
Just upgraded to ProtonVPN Plus and followed the instructions for 16.04 LTS, Everything went without a hitch. Appears well done so far.
Regards
0
hello I finally managed to use free ProtonVPN
for that I had to change configuration on my Rpi 2
In fact the LibreELEC Kodi Krypton configuration does not allow to install resolvconf because I have never found the .zip package and especially because the console is blocked in LE: can not use the command “sudo” and the command “install” is blocked also with “root”. a warning message is also presented after entering the username and password.
So I reinstalled completely another system that allows me to use the command “install”
I chose “OSMC-Kodi-17.6” And I followed the tutorial of the site by adapting it to my situation.
After launching VPN Manager for openvpn I followed the installation wizard and the VPN immediately started.
I configured the 5 .vpn available for my country (France) and they all work.
Obviously the connection speed has been divided by 10 (from 10 I go to 1Mb / s).
I will do other tests at other times of the day and other days to see if the transfer rate is higher.
Of course I realized this installation with the free version of ProtonVPN. And I’m not yet ready to pay to use a raspberry whose first vocation is freedom.
I made a tutorial (pdf) but I can not put it in this message. I will send it directly to ProtonVPN asking them, after their validation, to communicate it to you.
sparetacus @ sfr . fr
0
DNS Leak FIX for Linux *AND* NetworkManager:
It finally seems that I stombled across a decent as well as fairly simple solution (as for now) to FIX the DNS leak issues I’ve had – it might just have the potential to help others as weel.
If you continue reading to the end of my post, I will show 2 other actions I took before the actual FIX – *if* these actions somehow relate so that they will be needed for the FIX to work (I dont think so though).
Creddit goes to nightguest posting on a thread about similar DNS leak issues:
https://bbs.archlinux.org /viewtopic.php?pid=1702174#p1702174
– he again refferes to this link for additional info:
https://bugzilla.gnome.org/show_bug.cgi?id=758772
The final SOLUTION/FIX:
Add this line:
dns-priority=-1
– to the [ipv4] section in your individual NetworkManager VPN connection configuration files located in:
/etc/NetworkManager/system-connections/
– so that the [ipv4] section looks like this:
[ipv4]
dns-search=
dns-priority=-1
method=auto
For my specifik ProtonVPN connection I edited:
/etc/NetworkManager/system-connections/se-fr-01.protonvpn.com.udp1194
The RESULT:
This is my /etc/resolv.conf after I applied the FIX and restarted NetworkManager – BUT *before* I connect to ProtonVPN server (showing my ISP’s DNS servers as it is supposed to):
# Using the vi editor
[root@localhost ]# vi /etc/NetworkManager/system-connections/se-fr-01.protonvpn.com.udp1194
# Restarting NatworkManager via systemctl
[root@localhost ]# systemctl restart NetworkManager
# The content of my resolv.conf:
[root@localhost ]# cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 10.0.0.1
nameserver 212.242.40.3
nameserver 212.242.40.51
Connected to ProtonVPN then /etc/resolv.conf gives me this (wich I belive is what it is supposed to as well):
[root@localhost ]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.8.8.1
Extended test @ https://www.dnsleaktest.com :
185.94.189.190 none M247 Ltd France
Now /etc/NetworkManager/system-connections/se-fr-01.protonvpn.com.udp1194 looks like this:
[@localhost ~]$ sudo cat /etc/NetworkManager/system-connections/se-fr-01.protonvpn.com.udp1194
[sudo] password for :
[connection]
id=se-fr-01.protonvpn.com.udp1194
uuid=17c58937-fbc5-4fa7-bb1e-b639097eca2c
type=vpn
permissions=
timestamp=1517269370
[vpn]
auth=SHA512
ca=/home//.cert/nm-openvpn/se-fr-01.protonvpn.com.udp1194-ca.pem
cipher=AES-256-CBC
comp-lzo=adaptive
connection-type=password
dev=tun
mssfix=yes
password-flags=1
ping=15
ping-restart=0
remote=185.159.156.15:1194, 185.159.156.16:1194
remote-cert-tls=server
remote-random=yes
reneg-seconds=0
ta=/home//.cert/nm-openvpn/se-fr-01.protonvpn.com.udp1194-tls-auth.pem
ta-dir=1
tunnel-mtu=1500
username=MyUserName
service-type=org.freedesktop.NetworkManager.openvpn
[ipv4]
dns-search=
# Added dns-priority=-1 to avoid DNS-leaks: https://bbs.archlinux.org/viewtopic.php?pid=1702174#p1702174
dns-priority=-1
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore
***************
As mentioned in the beginning here ia hat I did before this FIX:
First installed this script from github (if I remember correct I did it in an attempt to solve the issues I was having connecting via the given DNS leak solution from this page using CLI/terminal):
https://github.com/jonathanio/update-systemd-resolved
– and following the given instructions I added these lines to the *.ovpn configuration for the connections I am using (The comment is taken from the github page):
# https://github.com/jonathanio/update-systemd-resolved:
# update your OpenVPN configuration file and set the up and down options to point to the script,
# and down-pre to ensure that the script is run before the device is closed:
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
That’s it – have a good day y’all.
0
I can confirm that all three actions from above seems to be needed to achieve the given result.
The result *with* the FIX *without* the “update-systemd-resolved” edit from the end of my post above – followed by result including “update-systemd-resolved” edit (and restart NetworkManager – AND if you chose to test via your browser – remember to shut down all browser windows to make sure that browser clears its DNS cache):
[@localhost ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 10.8.8.1
nameserver 10.0.0.1
nameserver 212.242.40.3
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 212.242.40.51
[@localhost ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.8.8.1
0
i took a vpn (5€ per months), the config was ok after 5 minutes of work.
i have been trying ti install protonvpn for 3 days… and never finish good.
why to do simple things when it’s so easy to do complicated things ?????
even the documentation is hugly…
definitively, protonvpn is not for me.
0
Hey, can you please tell us what exactly is not working for you? Which method have you tried to setup?
0
Using option A and using DNSCrypt-proxy as the VPN DNS appears to have stopped the leak.
0
I’m having issues on Linux. Your example is using ubuntu. I’m on Debian GNOME. I tried to use the Network Settings to set it up, but it’s so damned complex. I also tried cli and I received a message saying “too many arguments” when trying to access the folder with config files.
0
Hello,
1) When will we see a native Linux client, please? It’s been quite some time since, and I quote, “we do plan to support mac and linux natively and development is currently in the early stages. no release date set yet. stay tuned”. Considering the amount of different ways (and bugs) I don’t really expect to see a unified client installer, but rather a good way to choose which VPN server/country/config files to use in a graphical manner once installed properly.
2) No other comments since July 23rd, 2017?
0
Hello John, we are currently working on our macOS client which is being tested in closed beta. Cannot tell much about a Linux client at the moment, currently macOS and iOS are our highest priority.
We didn’t have enough hands to moderate the comments, but now we do and it will be monitored on a daily basis.
0
I’m struggling to setup protonvpn on my ubuntu touch device. Any advice on settting up manually?
0
Hey, please send us an e-mail via https://protonvpn.com/support-form and our support team will help you out!
0
How can I know if my connection to a ProtonVPN server is trough a tunnel? Like stunnel or something like that, in Linux. I don’t know if my connection is under a tunnel or not. With the tunnel mode, all the traffic is encrypted before outgoing from my pc to the isp. When the ISP are receiving my data traffic, they can’t see anyway that this is going to a vpn server. How can I look for it? And in the case of not connected through tunnel, how can I configure to get it? Should be there a another config file for stunnel plus the existent opvn configs files?
0
Hello,
Whenever you connect to a VPN server, all traffic that leaves your computer gets encrypted with AES-256-CBC w/ a 2048bit Diffie-Hellman key. All your ISP can see is that you are connected to a VPN server, but they cannot see any of your original internet traffic. You can see encryption cipher / other information in the OpenVPN log if you are connecting via Terminal. Also, the best way to make sure that you are connected to a VPN server is to simply check http://ipleak.net – both your IP address and DNS should not show any of your original information.
0
Hello to everyone!!
I’m using OpenSUSE Leap 42,3 right now (I use W10 too). I’ve tried to connect a server via cli with openvpn command line, but it come back an error, telling me that there is no file about openresolv-config. I’ve tried to search through my repos and as result I couldn’t find the package.
In other hand, I’ve configured the connection using the Network Manager (Import VPN config), in the KDE desktop (not the GNOME one like shown here above), and once set it with success, I’ve checked the “dnsleakstest” to see if there is a DNS leak. As result: there is no DNS leak. In the web (dnsleakstest) only appears one server which I’m connected to VPN (so it means that is everything ok).
Another question: suppose that there is a dns leak. What about if a set the Public DNS of Google?? May that help to get more privacy while using PVN avoiding the leak?? https://developers.google.com/speed/public-dns/
0
Hello Dave, please write us an e-mail for further troubleshooting regarding connection via Terminal. Using Google DNS along with a VPN connection won’t leak your real information, DNS queries will be resolved along with the VPN IP address. However, if you are concerned using Google DNS, OpenDNS is another alternative. At the moment we do not have our dedicated Domain Name Servers (they are all integrated with the VPN server), but we are planning to have them in the near future.
0
Be sure to have the /sbin/resolvconf if you want OpenVPN to update your DNS entries.
On debian9 => apt install resolvconf
If you don’t have this bin, you will get DNS leaks.
0
The protocol described in option B doesnt prevent from random DNS leak in my case (Mint 18)
0
Hi to all,
Here is my homemade solution for the DNS and IPv6 leaks issue on Ubuntu 16.04 and surely other Debian ditrib.
1/ get the VPN server IP instead of its domain name (simply using a ping command) : x.x.x.x instead of xx.protonvpn.com
2/ modify the .ovpn config file of your server choice by replacing the xx.protonvpn.com by the ip you got step 1/
3/ open the network manager (edit connections after clicking on the network icon in the status bar)
4/ delete the old VPN setting, and recreate one using option A with the new .ovpn config file (or simply double click on it and modify the gateaway the same way as above – do not erase the port x.x.x.x:X)
4 / for all your connections, but not the VPN profile: go to the IPv4 tab: set it to IP adress only (DHCP) and let the DNS server adress blank, in order to have no DNS resolver (think about saving your preexistent ones in .txt if there are)
5/ for all your connections and the VPN profile: set IPv6 tab to ignore (so you avoid ipv6 hazardous leaks)
5 / deactivate – reactivate your network adapter in order to have to new setting applied
6/ test you have no DNS resolver by checking ipleak.net (if it doesnt work it’s nice)
7/ connect to the VPN (you will automatically be using the VPN DNS server)
8/ test with ipleak.net
9/ don’t forget to deactivate the WebRTC interface in your web browsers (and do not use chromium instead of chrome !)
Waiting for a real patch, it will do the job !
And let me know if it does work for you 😉
0
do use chromium / firefox instead of chrome *
0
voxit, your method works fine for me with Linux kernel 4.13.0-31-generic x86_64 on a Debian based distribution.
Note that for secure_core configs, no need replacing xx.protonvpn.com by anything after disabling automatic DNS.
0
Wow 4 leaks with the second method, what am I paying for here?
0
I consider this product to be still a beta version.
Too bad. I’ll have to check back next year. In a few weeks I’m due to renew my existing VPN subscription with another company and I’ll have to stick with them.
I’m running Linux Mint 17.3 (~= Ubuntu 14.04LTS), and ProtonVPN does not work for me. I tried installing the explicitly beta version, failed, updated/edited the config files on my own, failed, tried the ProtonVPN support’s fix, failed again.
And now, with the “production” version, it looks like we’re still where we were what was it – three months ago?
My existing VPN setup took about 5 minutes, works, and I have no problems with it. I don’t have a Ph.D. in EE, and am not a system administrator, so ProtonVPN is complex and confusing at best. And, in addition, does not work.
OK. In six or eight months I’ll give you one more try when I get a new laptop and install an updated OS, but that’s it.
0
Hi !
I just bought the ProtonVPN (plus) subscription plan for 1 year on Linux Mint 17.2 (Rafaela) (MATE)
I followed the instructions here :
https://protonvpn.com/support/linux-vpn-setup
Using the console setup. And i only get this message :
Thu Jul 13 04:55:57 2017 write UDPv4: Operation not permitted (code=1)
Repeated over and over.
So far i tried with two different ProtonVPN servers, this one :
ch-ca-01.protonvpn.com.udp1194.ovpn
And this one :
ch-us-01.protonvpn.com.tcp443.ovpn
Using this command line :
sudo openvpn ch-us-01.protonvpn.com.udp1194.ovpn
I am already using another VPN and wanted to switch to ProtonVPN before my previous suscription ends.
What am i doing wrong please ?
Thank you.
0
Please submit a support request to
https://protonvpn.com/support-form
so that we can look into it.
0
Can I pay in bitcoin? If yes how to proceed? Thank you.
0
Yes, you can, you have to do it through ProtonMail: https://protonmail.com/support/knowledge-base/paying-with-bitcoin/
0
need it
0
Openvpn does not come with the script update-resolv-conf by default, so the current configuration files are broken for a pure openvpn installation, which is what happens on most of the linux distributions. For instance, my phone, on SailfishOS.
I would suggest, you protonvpn guys, to also provide that script. In addition, security is weakened by “script-security 2”.
There is a situation in which normal users, namely all those not having a nickname rooted on a particle from the Standard Model, and not finding the update-resolv-conf script could try to download that script from the internet without really knowing what it does thereby opening an easy security hole.
My 2 cents 🙂
Tauvpn, the heaviest of all.
0
The script can be found here:
https://github.com/masterkorp/openvpn-update-resolv-conf
It comes standard with alotof/most linux distros.
0
I could not agree more.
0
Hey !
Thx for your job Proton, I’m glad to use your VPN as a privacy guard of my life on internet.
By the way, is there any official way to correct the DNS and ipv6 leak i’m experiencing on Linux ?
On Fedora, some websites still do know where I’m living. I can’t bear it 🙂
Cheers
0
hi, currently our servers do not yet support ipv6. we recommend users to disable ipv6 networking capabilities while we are working on adding this feature.
0
re: vpn services generally:
what ports open on the machine could be visible at the other end of the vpn?
can the user restrict what ports are visible to only what is needed?
also can I install it on freeBSD? ..
(maybe could try compiling the linux version?)
0
How can i have the pem files please ?
0
hi please drop us a line via protonvpn.com/support-form
0
DNS AND IPv6-address leak fix
Recently I reported several leak issues and now I have a fix that works at least on my system
To get rid of DNS and IP6-address leakage from IPv6 the following procedure
has resolved the leaking (Verified on several proton-servers)
Install network-manager-openvpn and its dependencies
=============================================
sudo apt-get install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome
add the following to your .opvn configuration file at the end, but before
the certificates
##################################
block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
##################################
Import this configuration file into the networkmanager
To disable leaks (IP and DNS) from IPv6 do the following:
1 Enter gksudo gedit /etc/sysctl.conf and open the configuration file and
2 add the following lines at the end
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
3 After that run $ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
If it reports ‘1′ means you have disabled IPV6. If it reports ‘0‘ then please follow Step 4 and Step 5.
4 Type command sudo sysctl -p you will see this in terminal:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
5 Repeat above “Step 3” and it will now report 1.
Open /etc/NetworkManager/NetworkManager.conf in an editor and change
dns=dnsmasq
to this:
#dns=dnsmasq
Don’t forget to comment out any IPv6 hosts in your /etc/hosts file
Disable all IP6 in the networkmanager in the IP6 tab
reboot the – works for me!
0
works great,
ProtonVPN should hire you
0
Ubuntu 16.04 openvpn:
IP address from IP4 is hidden but ipleak.net detects my IP6 ISP IP address. So openvpn does not only leak DNS but also real IP6 IP!
I can prevent DNS leak when I do the following:
Open /etc/NetworkManager/NetworkManager.conf in an editor and change
dns=dnsmasq
to this:
#dns=dnsmasq
0
Solution DNS leak linux via networkmanager: go to system > etc. > networkmanager > networkmanager.config > and than change ‘dns=dnsmasq’ into ‘#dns=dnsmasq’. Tested on ubuntu 16.04.2 LTS and worked. Let me know in the comments if it solved your DNS leak with OS info.
0
SOLUTION DNS LEAK LINUX Networkmanager
wget https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+attachment/4780245/+files/dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb
sudo dpkg -i dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb
0
works for me (Mint 18). Thanks
0
I’m trying to set up my Netgear R8000 router which I’m running LEDE on. Using this as a rough guide [https://help.my-private-network.co.uk/support/solutions/articles/24000005597-openwrt-lede-openvpn-setup] and the config .ovpn file settings obtained via ProtonVPN Downloads for DD-WRT UDP, I saved tls-auth & ca.crt files as suggested, added the missing fields and completed all fields except for ‘mssfix 1450’ as I couldn’t locate that anywhere. When I click start in the OpenVPN instance, nothing happens. I don’t have logs set up as that looks all too hard (andsomething to read up on way later). Can anyone suggest what I may have done wrong.
0
Bonjour, i’am working on Microsoft Windows 10 and this tutorial not working on VirtualBox Kali Linux …no internet connection. Pleaz need your help
0
This helped resolve my DNS leaking and IP leaking. I am new to VPNs but this patch for network-manager helped
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/comments/71
He released a fix for Ubuntu 17.04 (perhaps it applies to earlier versions) that resolved an issue with network-manager leaking DNS with VPNs. Please check out the comments further down the page written by Stommel. https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317
He later links to this page. https://bugzilla.gnome.org/show_bug.cgi?id=783569
it fixed my issues.
0
How does the device count (in terms of pricing plan) work if I use ProtonVPN on my router (OpenWRT)? Are all traffic going out from the same router treated as one “device”?
0
What login vpn for linux?
0
please use your openvpn credentials to log in (not your account credentials)
0
This doesn’t work
0
I suggest to check out the airvpn client for Linux. It is easy to use and have a lot of features.
0
Can this be incorporated into ddwrt?
0
yes, we’ll be updating with guides in the near future
0
As well as PfSense?
0
DNS leaks with new settings, how would I protect against this?
0
hi John, please drop us a line at https://protonvpn.com/support-form with a detailed description of your setup and how you connect (cli vs nm)
0
Thank you for your continued efforts to support the Linux community. I just created a VMWare virtual machine Ubuntu Mate 16.04 + current updates + openvpn packages per your instructions. I configured a vpn connection using is-03-protonvpn.com.udp1194.ovpn from your Linux config files collection using network manager – again per your instructions. When I connect with the vpn I observe that my assigned address is 185.159.158.50 which appears to be in Iceland. So far, so good.
I accessed a DNS leak check site (https://hidester.com/dns-leak-test/) and ran a test. It confirms my address but the leak test results are:
Real DNS IP: 162.210.192.160
DNS Host: 162.210.192.160
Country: United States
City: Manassas LeaseWeb USA Inc.
162.210.192.160 is in fact the address of my router/gateway computer which provides Internet access to my LAN. It is running CentOS 7.3 and is accessing your US vpn server us-04.protonvpn.com.udp1194.ovpn file. Openvpn is run from the command line and uses my home made DNS leakage mitigation process.
I further observe that your Linux .ovpn file has these lines added to the end. These scripts are SUPPOSED to address DNS leakage on Linux.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
With the vpn connected I observe tthat
/etc/resolv.conf is linked to /run/resolvconf/resolv.conf
the latter file contains:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND — YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
Disconnecting the vpn make no change to the link nor to the target resolve.conf file. the nameserver is still 127.0.1.1
Perhaps I have made an error in configuring the test machine or perhaps there is some more work to do (or perhaps it is an issue with the Mate desktop.) Please let me know if I can provide some additional information or do some additional testing for you.
Issue #2 – Openvpn when used via network manager does NOT fail in a safe direction. By that I mean that when the vpn connection drops – either by user action or some network anomaly/blip etc. – the computer will continue to access the Internet WITHOUT the benefit/protection of the vpn.
0
Hi Ken, we’ve submitted a ticket for you via the support form, our support team should get back to you with detailed instructions soon.
0
I’m using RHEL 7 and tried to use the latest config files adjusted for linux from CLI, but still DNS leaks. Is there any reliable solution? Thanks
0
hi it could be that the required files for resolf-config (last three lines in linux config files) are located in a different directory for you. can you verify that these exist or alternatively adapt the path to the location on your machine?
0
Is there a reason why the file “is-us-01.protonvpn.com.udp1194.ovpn”, which was included in the zip of ovpn files a couple months ago, is no longer included in the most recent download? Does this mean it’s no longer safe to use that particular configuration file?
0
We just brought our Swiss Secure core servers online and shifted the US connection to go via CH. the IS-US connection is depreciated and will be taken offline in the future, hence we removed it from zip file. Recommend to use the CH-US one instead
0
Systemd has a bug in Ubuntu 17.04 which prevents DNS leak prevention ( https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 ). But following the instructions in this comment fixed it for me:
[admin edit: removed quote due to length. It can be found in link below]
Source: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/comments/42
0
thanks for the suggestion. We’ll introduce platform specific config files soon which will have the necessary script security lines included to run without DNS leak from CLI
0
Glad to hear it!
0
Notice that, currently, Ubuntu 17.04 suffers from a bug in network-manager-openvpn which prevents the import of .ovpn config files: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1677198
I found that using the terminal works with the following command: sudo openvpn –config /path/to/protonvpn/configfile.ovpn
0
Any chance that the issue has been solved in the new version of Network Manager 1.8? (https://github.com/NetworkManager/NetworkManager)
0
Any setup examples for tomato router? Thanks!
0
Following the instructions I complete the installation successfully for Linux, Mac, iOS. Only iOS changes my IP address. The Mac warns of the IP address being unchanged. Linux doesn’t warn and isn’t behaving as intended.
0
For getting ProtonVPN to work on Linux, Step 4 (Configure a VPN connection), the end of the paragraph reads:
In the editing page, enter the OpenVPN credentials from step 3 in the ‘username’ and ‘password’ field respectively, and hit save.
But, when I enter my ProtonVPN username and password, the “Save” button remains grey/dis-abled. There is no way to save. How can I continue?
0
This sounds like you might need separate OpenVPN cert and key files because your network manager doesn’t recognize the ovpn config file properly (similar to Ubuntu 14.04LTS issue). Please contact us at support@ and let us know your OS version.
0
I’m glad to see from a comment above that you are working on a native Linux client. In the interim, would it be possible to provide user-friendly guides on how to configure/test the built in networking tools & OpenVPN for:
> how to protect against DNS/IP leaks + verification process
> how to prevent any outbound connections that aren’t going through the VPN + verification process
My biggest issue with VPN services (and self-described secure services generally) is a lack of transparency about how their technologies function and what their weak points can be, and without making verification processes (and notifications) clear, the essential element of trust is compromised to some degree.
In any case, speeds are looking great compared to my previous provider and I intend on sticking with you guys. Thank you for your work!
(I am currently using Antergos+KDE)
0
Thanks for the suggestions and encouraging words. We’ll be adding details to our guides and publish more technical details about our configurations as we get closer to launch. Our goal is to be as transparent as possible so that you know whom you’re trusting with your VPN connection.
0
Comment by Ken Taylor (Mar 19): “Network Manager tends to simply switch to an direct Internet connection in the case of a VPN disconnect.”
If true, this is unacceptable, and this procedure should be re-written to not use Network Manager.
I am using Lubuntu 16.04LTS. I failed to connect with this procedure. At the end of step 4, a window popped up saying, “Enter password for keyring ‘Default keyring’ to unlock”. It is unclear what password is wanted, I tried every one I could think of. In fact that is another problem, entirely too many passwords and it is unclear which is wanted where, or whether they might be stored in some password manager or have to be manually entered every time (the discussion at the end of step 3 was not clear about this).
“Click on your connection symbol, in the system menu on the top right” This had me going for a while. My menu bar is at the bottom, and I finally understood you wanted to enter the Network Manager. You should say so (although again, maybe we should not use Network Manager for vpn).
0
I am currently using ProtonVPN on my Ubuntu workstation using the setup steps outlined above. My ISP is Spectrum, previously known as Time Warner Cable (I’m in the US).
My question is, do my outbound requests go from my ISP’s DNS server to ProtonVPN’s servers, or does ProtonVPN circumvent my ISP’s DNS server? The latter would be ideal for privacy purposes.
Also, how would I be able to test this out? I’m a novice Linux user with knowledge of basic everyday terminal commands, so please be as specific as possible.
Thank you!
0
Our exit nodes are set up as their own DNS, therefore if everything is running correctly, you will not have to rely on the DNS of your ISP.
0
Do you plan to release a Linux application similar to the Windows application, or will Linux users just use OpenVPN?
0
we do plan to support mac and linux natively and development is currently in the early stages. no release date set yet. stay tuned
0
For anyone running this from shell or terminal in a Unix environment this is how to set it up.
My example is running on a DD-WRT router with a usb thumb drive mounted at /opt. My working directory is /opt/openvpncl/proton/. You can put it wherever you want, just make sure to change all paths in the following to suite your needs.
So you need 6 files in your working directory:
openvpn.conf
auth.conf
proton_ca.crt
proton_tls.key
route-up.sh
route-down.sh
I will now breakdown the contents of each file. Just copy and paste between the solid lines.
openvpn.conf:
note: replace (enter server address here) with the server you wish to connect to.
example: remote ca-03.protonvpn.com 1194
You can use either the domain name or ip address of the server.
__________
ca /opt/openvpncl/proton/proton_ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-256-cbc
auth sha512
auth-user-pass /opt/openvpncl/proton/auth.conf
remote (enter server address here) 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
tls-auth /opt/openvpncl/proton/proton_tls.key 1
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
pull
key-direction 1
__________
auth.conf
note: replace each line with your username and password respectively.
__________
username
password
__________
proton_ca.crt:
This file contains your the Certificate
__________
—–BEGIN CERTIFICATE—–
MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
A1gTTlpi7A==
—–END CERTIFICATE—–
__________
proton_tls.key:
This file contains the TLS Key.
__________
—–BEGIN OpenVPN Static key V1—–
6acef03f62675b4b1bbd03e53b187727
423cea742242106cb2916a8a4c829756
3d22c7e5cef430b1103c6f66eb1fc5b3
75a672f158e2e2e936c3faa48b035a6d
e17beaac23b5f03b10b868d53d03521d
8ba115059da777a60cbfd7b2c9c57472
78a15b8f6e68a3ef7fd583ec9f398c8b
d4735dab40cbd1e3c62a822e97489186
c30a0b48c7c38ea32ceb056d3fa5a710
e10ccc7a0ddb363b08c3d2777a3395e1
0c0b6080f56309192ab5aacd4b45f55d
a61fc77af39bd81a19218a79762c3386
2df55785075f37d8c71dc8a42097ee43
344739a0dd48d03025b0450cf1fb5e8c
aeb893d9a96d1f15519bb3c4dcb40ee3
16672ea16c012664f8a9f11255518deb
—–END OpenVPN Static key V1—–
__________
route-up.sh:
This file contains iptables for routing.
__________
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT
stopservice dnsmasq -f
startservice dnsmasq -f
cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
env | grep ‘dhcp-option DNS’ | awk ‘{ print “nameserver ” $3 }’ > /tmp/resolv.dnsmasq
cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
__________
route-down.sh
This file deletes the iptables that were created in the above file and is used when shutting down the VPN connection.
__________
#!/bin/sh
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
__________
Now that your working directory is populated with the above files all that’s needed is to run the following command from the terminal to start the connection:
__________
openvpn –config /opt/openvpncl/proton/openvpn.conf –route-up /opt/openvpncl/proton/route-up.sh –route-pre-down /opt/openvpncl/proton/route-down.sh –daemon
__________
To check if your connected run the following from a terminal:
__________
curl -s ipinfo.io
__________
This will give you your ip address and location information to verify you’re connected to the VPN.
__________
Next step would be to setup a startup script to start the VPN on startup. I’ll leave that up to you.
Hope this helps. Took me a while to figure it all out! 😛
0
Thanks for sharing all your hard work and knowledge!
0
You can make it run on startup by un-commenting the line “AUTOSTART=”all”” in “/etc/default/openvpn”, though this may require your files to be in “/etc/openvpn” rather than “/etc/opnvpn/protonvpn”.
0
Ok Here’s how you get this setup on DD-WRT via the GUI:
-Login to the router’s web GUI. In my case, http://192.168.1.1/
-Navigate to Services Tab
-Navigate to VPN sub Tab
-Scroll down OpenVPN Client click Enable
-Set the following settings:
Server IP/NAME: us-04.protonvpn.com #Change to whatever server you’d like to connect to
Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA512
User Pass Authentication: Enable
Username: yourusername
Password: yourpassword
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
NAT: Enable
Firewall Protection: Enable
IP Address: Leave Blank
Subnet Mask: Leave Blank
Tunnel MTU Setting: 1500
Tunnel UDP Fragment: Leave Blank
Tunnel UDP MSS-Fix: Disable
nsCertType verification: Leave Un-Checked
TLS Auth KEY: Insert Auth Key here
Additional Config: tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
pull
key-direction 1
Policy based Router: Leave Blank
PKCS12 Key: Leave Blank
Static Key: Leave Blank
CA Cert: Insert CA Certificate here
Public Client Cert: Leave Blank
Private Client Key: Leave Blank
-Click Apply Settings
-Now give it a few seconds then navigate to Status Tab
—Navigate to VPN Sub Tab
You should see “Client: CONNECTED SUCCESS” along with Local Address and Remote address.
Fire-up a browser and google “what’s my ip”. You should be up and running.
Cheers!
0
Worked like a charm! Appreciate it!
0
Some progress.
Firstly, I noticed the default tunnel device is tun0 and so I changed my route-up and route-down scripts to reflect that.
Log files indicate
“WARNING: Failed running command (–up/–down): external program fork failed”
This is due to script-security being set too high. And so I added script-security 2 to the openvpn.conf file in order to allow running of external scripts.
Ran it again and BAM just like that I was connected and traffic was being routed through the tunnel.
Running “curl -s ident.me” revealed 162.210.192.157 confirming my ip address was that of the vpn server.
Something is still wrong with the routing however. The router itself is connect to the VPN. I can ping google.ca and get a response. However all devices on the network are dead in the water. No WAN access. ping google.ca returns no response.
That’s as far as I got so far with DD-WRT.
0
So I wanted to start simple. Run openvpn using one of protonvpn’s config files. I created my openvpn.conf file to be verbatim from us-01.protonvpn.com.udp1194.ovpn.
Then ran the following command:
openvpn –config /opt/openvpncl/proton/openvpn.conf –route-up /opt/openvpncl/proton/route-up.sh –route-pre-down /opt/openvpncl/proton/route-down.sh
Log File:
___________
Apr 2 18:41:36 router daemon.notice openvpn[21675]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 24 2015
Apr 2 18:41:36 router daemon.notice openvpn[21675]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Apr 2 18:42:04 router daemon.warn openvpn[21698]: WARNING: –ping should normally be used with –ping-restart or –ping-exit
Apr 2 18:42:04 router daemon.warn openvpn[21698]: NOTE: starting with OpenVPN 2.1, ‘–script-security 2’ or higher is required to call user-defined scripts or executables
Apr 2 18:42:04 router daemon.notice openvpn[21698]: Control Channel Authentication: tls-auth using INLINE static key file
Apr 2 18:42:04 router daemon.notice openvpn[21698]: Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Apr 2 18:42:04 router daemon.notice openvpn[21698]: Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Apr 2 18:42:04 router daemon.notice openvpn[21698]: Socket Buffers: R=[180224->131072] S=[180224->131072]
Apr 2 18:42:04 router daemon.notice openvpn[21698]: UDPv4 link local: [undef]
Apr 2 18:42:04 router daemon.notice openvpn[21698]: UDPv4 link remote: [AF_INET]162.210.192.157:1194
Apr 2 18:42:04 router daemon.notice openvpn[21698]: TLS: Initial packet from [AF_INET]162.210.192.157:1194, sid=e4a59209 aefffd23
Apr 2 18:42:04 router daemon.warn openvpn[21698]: WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Validating certificate key usage
Apr 2 18:42:05 router daemon.notice openvpn[21698]: ++ Certificate has key usage 00a0, expects 00a0
Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY KU OK
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Validating certificate extended key usage
Apr 2 18:42:05 router daemon.notice openvpn[21698]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY EKU OK
Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=0, CN=us-01.protonvpn.com
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Encrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Encrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Decrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Decrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Apr 2 18:42:05 router daemon.notice openvpn[21698]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 2 18:42:05 router daemon.notice openvpn[21698]: [us-01.protonvpn.com] Peer Connection Initiated with [AF_INET]162.210.192.157:1194
Apr 2 18:42:07 router daemon.notice openvpn[21698]: SENT CONTROL [us-01.protonvpn.com]: ‘PUSH_REQUEST’ (status=1)
Apr 2 18:42:08 router daemon.notice openvpn[21698]: PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –sndbuf/–rcvbuf options modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: Socket Buffers: R=[131072->360448] S=[131072->360448]
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –ifconfig/up options modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: route options modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: route-related options modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –ip-win32 and/or –dhcp-option options modified
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: peer-id set
Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: adjusting link_mtu to 1637
Apr 2 18:42:08 router daemon.notice openvpn[21698]: TUN/TAP device tun0 opened
Apr 2 18:42:08 router daemon.notice openvpn[21698]: TUN/TAP TX queue length set to 100
Apr 2 18:42:08 router daemon.notice openvpn[21698]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/ifconfig tun0 10.8.8.51 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 162.210.192.157 netmask 255.255.255.255 gw 50.70.176.1
Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Apr 2 18:42:08 router daemon.warn openvpn[21698]: WARNING: External program may not be called unless ‘–script-security 2’ or higher is enabled. See –help text or man page for detailed info.
Apr 2 18:42:08 router daemon.warn openvpn[21698]: WARNING: Failed running command (–route-up): external program fork failed
Apr 2 18:42:08 router daemon.notice openvpn[21698]: Initialization Sequence Completed
Apr 2 18:44:02 router daemon.err openvpn[21640]: event_wait : Interrupted system call (code=4)
Apr 2 18:44:02 router daemon.err openvpn[21698]: event_wait : Interrupted system call (code=4)
Apr 2 18:44:02 router daemon.notice openvpn[21698]: SIGTERM received, sending exit notification to peer
Apr 2 18:44:02 router daemon.notice openvpn[21640]: SIGTERM[hard,] received, process exiting
Apr 2 18:44:03 router daemon.notice openvpn[21698]: /opt/openvpncl/proton/route-down.sh tun0 1500 1637 10.8.8.51 255.255.255.0 init
Apr 2 18:44:03 router daemon.err openvpn[21698]: WARNING: Failed running command (–up/–down): external program fork failed
Apr 2 18:44:03 router daemon.notice openvpn[21698]: Exiting due to fatal error
______________________________________
Here’s my route-up.sh script:
______________________________________
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT
stopservice dnsmasq -f
startservice dnsmasq -f
cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
env | grep ‘dhcp-option DNS’ | awk ‘{ print “nameserver ” $3 }’ > /tmp/resolv.dnsmasq
cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
_________________________________
Here’s my route-down.sh script
_________________________________
#!/bin/sh
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
_________________________________
0
Still need to get up and running DD-WRT.. Anyone out there experimenting with this? I’d love to compare notes. I’m running OpenVPN 2.3.8. I can get the tunnel up but for some reason the routing is all messed up and all devices have no wan access. I’ll keep working on it and post my progress. Any help from the Proton team and the community would be greatly appreciated. DD-WRT via shell would be most useful to me. But via the GUI would also help and be more user friendly for the general population.
0
On currently trying <out ProtonVPN on Ubuntu 16;04(I'll try it on my Windows 10 PC later) and so far I'm trying to figure where I messed up,because I've tried 2 servers,but the connecttion fails.
AFAIK,I got steps 1 and 2 correct,so that only leaves step 3.I imported a vpn connection,entered a server,plus my OpenVPN ID and password from my ProtonMail backoffice,so I can't figure out what I've missed.
Any ideas?
Android app?
0
Looks like there are no name servers set. Connected using the command line on Ubuntu 16.10. You can ping a specific address, but I had to manually edit /etc/resolv.conf in order to get name resolution working.
Any chance this will be fixed on PM’s side?
0
Found the answer here. Not sure why this is not part of the downloaded config files, Proton, can you answer?
https://protonvpn.com/support/prevent-dns-leak/
add the following to the end of the .ovpn file
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
0
I’m using Mint 17 and am trying to get the connection manager to work.
I go through the procedure listed above and select the .ovpn config file. Then I change the authentication type to password, but it wont let me save it without a CA Certificate file, which it says needs to be .pem, .crt, .key, or .cer. Is there a way to convert the .ovpn file to the appropriate file type? Thanks!
0
Mint17’s network manager has an issue with importing integrated config files (where the ca is in the ovpn file) similar to Ubuntu 14.04. Upgrading to a later Mint version should solve this problem. Alternatively drop us a line and we’ll send you the necessary files.
0
Thanks, i got my answer for a question I posted one minute before 🙂 . But, at least, there’s a way to make it works (it works with me/Cinnamon 17.2).
1) Download and extract the zip package with the OpenVPN configuration files
2) Open Terminal and set-up OpenVpn (only if you need it) :
sudo apt-get install openvpn
sudo apt-get install network-manager-openvpn-gnomen
3) enter : sudo openvpn /[path to.Proton .ovpn file] and follow instructions (enter login and password).
You should get “Initialization Sequence Completed” if it’s working.
0
glad that it worked for you. Do note that currently, the CLI connection will per default not accept the DNS options which are pushed by our servers once you connect – hence we recommend the network manager approach.
0
Hi,
I am also having a problem when using one of the free server configuration files: the CA certificate does not appear. You mentioned on previous posts that we could be sent the necessary files?
Thank you
0
Hello, if the .pem file does not appear automatically, please check whether you will be able to connect via Terminal instead. If you need Certificate and Key files separately, please write us an e-mail via https://protonvpn.com/support-form and we will send them to you.
0
Using NetworkManager (ver. 0.9.8.8) under Linux Mint (ver. 17.3) I had a similar import problem for the CA certificate and TLS authentication key. What’s worked so far for me: In a text editor opened the desired openvpn configuration file (.ovpn) and copied the ‘—–BEGIN CERTIFICATE[…]’ section to new file saved as .pem; and the ‘—–BEGIN OpenVPN[…]’ section to a new file saved as .key. Added the .pem filename to Edit Connections>…>VPN tab>CA Certificate; then selected the Advanced button on the same tab and under the new dialog’s TLS Authentication tab checked ‘Use additional TLS authentication’; entered the .key filename for ‘key file’; and set ‘key direction’ to 1 (per the .ovpn).
0
I’m interested in having steps for configuring pfSense. I have managed to establish a connection, however I have been unable to ping the gateway address.
0
I managed to figure it out.
System -> Cert. Manager
CAs tab
Add button
Descriptive name:
Method: Import an existing Certificate Authority
Certificate data: <contents of section of ovpn file>
Save
VPN -> OpenVPN
Clients tab
Add button
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device mode: tun
Interface: any
Local port:
Server host or address:
Server port: 1194
Proxy fields: blank
Server hostname Resolution: Checked
Description: Pick something
Username: OpenVPN username
Password: OpenVPN password
TLS authentication: checked
Key: < section of ovpn file>
Peer Certificate Authority:
Client Certificate: None (Username and/or Password required)
Encryption algorithm: AES-256-CBC (256bit)
Auth digest algorithm (SHA512 (512-bit)
Hardware Crypto:
IPV4 Tunnel Network: Blank
IPv6 Tunnel Network: Blank
IPv4 Remote Network(s): Blank
IPv6 Remote Network(s): Blank
Limit outgoing bandwidth:
Compression: Enabled with Adaptive Compression
Topology: Subnet
Type-of-service: Checked
Disable IPv6: Checked
Don’t pull routes: Unchecked
Don’t add/remove routes: Unchecked
Custom options: tun-mtu 1500,tun-mtu-extra 32,mssfix 1450,persist-key,persist-tun,ping 15,ping-restart 0,ping-timer-rem,reneg-sec 0,remote-cert-tls server,auth-user-pass,pull,fast-io,key-direction 1
Verbosity: 3
Interfaces -> Assign
Available network ports:
Add button
Click on new interface
Enable: Checked
Description:
IPv4 Configuration Type: None (handled by OVPN)
IPv6 Configuration type: None
MAC Address: Blank
MTU: 1500
MSS: 1450
At this point the connection is established. use NAT/firewall rules/static routes to route traffic to the VPN.
0
Hi Chris, thanks for helping out other users with details on what worked for you. Happy testing
0
This worked for me as well but I had to change my OpenVPN login from the default one to something else because auth kept failing
0
Debian Testing on KDE worked quickly and without any problems.
To get it working using the Network Manager GUI:
1.) open the connection editor (e.g. right click the wifi symbol in the tray and Configure Network Connections)
2.) Click the Connection pull-down and select Import VPN
3.) Choose the proton .ovpn file
4.) Choose whether to copy certs to ~/.local/share/networkmanagement/certificates/ (either choice works)
5.) Choose the newly imported protonVPN connection from the list and Edit it
6.) Add the correct username and password under VPN(openvpn) tab and click OK
7.) Test the connection (it should work!)
0
Hey DebKDE,
Dumb question: Did you look at the logfile to ensure that NetworkManager is doing host authentication? I checked this with Debian Jessie (stable), and it didn’t look to me like that rev of nm-openvpn-gnome did the host authentication check.
thanks!
0
Thanks! I got ProtonVPN working on Antergos/KDE with these steps.
0
Thanks, works for me as well on Fedora 25, x86_64, SELinux enabled.
0
“Click on your connection symbol, in the system tray on the top right and select ‘Edit connections’.”
Where is it? I don’t see this anywhere on Ubuntu 16.
0
Just got this up and running on Ubuntu 16. Easy setup and works great! Thank you Proton for this excellent beta.
0
Are there any official instructions or suggestions fit using ProtonVPN on a router to direct all network traffic through it?
E.g. using the OpenVPN options in an open-source firmware like dd-wrt?
0
Instructions for Fedora Linux users…
1. sudo dnf install NetworkManager-openvpn-gnome openvpn
2.a. Download ProtonVPN_config.zip file as indicated in the instructions.
2.b. …
mkdir ~/.local/share/protonvpn
cp ProtonVPN_config.zip ~/.local/share/protonvpn/
cd ~/.local/share/protonvpn
unzip ProtonVPN_config.zip
3. Follow original instructions
4. On GNOME desktop…
4.a. Upper right corner, open the System Menu (it’s not the System Tray, by the way)…
Settings icon > Network > Bottom-left, click “+” > Import from file…
(you will have to start typing “.local/” to get to the hidden .local file)
Selection a server in your region.
4.b. Input your OpenVPN login (User name) and password and click Add
4.c. Close the Settings menu dialogue
5. On GNOME Desktop, navigate to the upper right corn and open the System Menu again
Click on VPN Off and scroll/browse down to one of the newly configured VPN options.
Click the on/off slider
5.a. Alternatively, you can click on Network Settings, browse to your VPN item, click on it, and ensure the ON/OFF slider is set to ON
Done.
0
The Red Hat family? In particular… Fedora?
0
I’ve tried everything to get this to work with DD-WRT.. No dice. Via the web interface or by manually starting openvpn via ssh. Has anyone had any luck with setting this up on DD-WRT? I’m running Kong 28000M. I’d appreciate any help. Cheers!
Here’s my .conf file:
ca /opt/openvpncl/proton/proton_ca.crt
tls-auth proton_tls.key 1
management 127.0.0.1 16
management-log-cache 100
client
dev tun1
remote ca-03.protonvpn.com 1194
proto udp
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
script-security 2
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass /opt/openvpncl/proton/auth.conf
pull
fast-io
auth-nocache
0
Thank you for the great service (and email) ! I have been testing ProtonVPN on CentOS 7.3 with the Mate desktop. So far, so good. I am running OpenVPN on a dedicated tiny PC which serves as a router and DHCP server for my home LAN.
I am testing the VPN from Network Manager and from the command line as fr..in describes above. Based on my experience with another VPN service which I use, I prefer the command line method as it will cause all Internet traffic to stop if/when the VPN connection is lost. Network Manager tends to simply switch to an direct Internet connection in the case of a VPN disconnect. Not cool!
I have also been doing some leakage testing. The only concern which I have been unable to resolve is potential DNS leakage. The command line approach does not seem to offer any way to mitigate this. Nor does Network Manager (although I read that Ubuntu is supposed to deal with DNS leakage – I will have to test). That said…
Can you provide the addresses for a ProtonVPN DNS? That would seem to be a way to partially mitigate the leakage issue. Any DNS requests would be seen only by the ProtonVPN DNS server – which we can trust.
Thanks!
0
On an up-to-date Fedora 25 Desktop with Gnome shell, OpenVPN keeps asking for and rejecting my login credentials – which have been stored and which are correct according to what is saved in my ProtonMail VPN settings – and that’s it.
Trying on command line with
sudo openvpn –openvpn {path/to/config/file.ovpn} –auth-user-pass {path/to/text/file/with/username&password}
results in failure, as well:
Sun Mar 19 12:12:03 2017 AUTH: Received control message: AUTH_FAILED
Sun Mar 19 12:12:03 2017 SIGTERM[soft,auth-failure] received, process exiting
What to do?
0
Hi Jezza, if this issue persists, please contact our support team via the form at the bottom
0
I use the Ubuntu version 16,10 and the program ProtonVPN works perfectly. I made an attempt with Win 7 but could not finalize the installation. It seems that I do not have sufficient permissions.
0
Hi, anyone tried this with DD-WRT? I’m using the latest KONG build Firmware: DD-WRT v3.0-r31520M (03/01/17)
0
Hey, I would also benefit from getting some basic dd-wrt instructions here.
0
ok may I am a complete noob problem appears to be solved here just 48 hours ago: https://protonvpn.com/support/linux-vpn-setup/#comment-250
0
See my post below. I got it up and running on DD-WRT v3.0-r28000M kongac (10/24/15).
Both GUI and Terminal write ups are below.
0
I’m unable to save the imported vpn information without a .crt file. Is there one available?
0
Hi O, reach out to the support team, they’ll be happy to supply one: https://protonvpn.com/support-form
0
this just always times out for me ;-;
0
dot / period / ” . ” in username gives auth error, thus not connecting.
Removing the dot fixes the issue, however i believe dots should be allowed!
0
Thank’s!!!! This works very well, and extremely easy to setup.
I’m using VPN from privatevpn since several years but this was far easier to set up. Im running different linux installation on desktop and laptop, e.g. siduction and kubuntu. The only problem I had was to understand which password I was suppose to enter, since there are several to chose from. ProtonVPN, openvpn within protonmail, protonmail login password etc. Also, I dont understand the difference between the different VPN-files from the same country in the zipfile, again, documentation I guess.
Overall: Well done,
Thank you
0
Question to DNS leak protection in linux.
I recognized that a dns leak test showed some non protonmail dns server. I was curious and tried out the ProtonVPN client in windows and the same dns leak test was ok (only 1 dns server from proton vpn showed up).
So is there a way to achieve this in linux too? I’m using Ubuntu 16 LTS.
0
I’m no expert, but in my experience you need openvpn .conf files with the certificates broken out into different files for VPN use within command line Linux. Having to manually break the certs out is a pain.
0
To update on this, I got the .ovpn files working via command line, but not via KDE’s NetworkManager gui.
Just note that having to manually break out the certs is a frequent complaint by ThatOnePrivacyGuy (very well respected VPN and Email reviewer for people dedicated to privacy), example here:
https://thatoneprivacysite.net/2016/10/12/crypticvpn-review/
0
Hi protonboy,
in our current setting, latest 16.04LTS reads the integrated .ovpn files without a hitch. If you need the separated cert files, please contact support and we’ll get back to you.
0
How about Android… Using openvpn client it fails with a failure to verify server cert… Any ideas?
0
Hey Jom, check here https://protonvpn.com/support/android-vpn-setup/
0
Hi,
I’ve tested openvpn connection on Android. Il have an error on certificate. Is it normal ?
0
Try using OpenVPN for Android by Arne Schwabe. Just import the .ovpn config file and enter username and password when prompted. I haven’t had any issues.
0
There is now also a step by step guide for android here https://protonvpn.com/support/android-vpn-setup/
0
Experiencing troubleshooting wih Ubunu Mint Can get connection.
0
Hi, please contact support and we’ll be happy to help.
0
Any chance we could get instructions for set-up using connman? There’s also connman-vpn.
0
How can I connect on Android? I tried OpenVPN Client but it needs a certificate which I didn’t find on this website.
0
Hi Android User, currently the OpenVPN Connect app on Android has issues with our config files. We’re aware of the issue and are working on a fix and we’ll be distributing platform specific config files in the near future.
0
Great, thank you.
I hope for it soon.
0
Android support, this is incredible! Doing the lord’s work!
0
If you use opensource ‘OpenVPN for Android’ app (http://ics-openvpn.blinkt.de/FAQ.html) everything is perfect. You can find it on Google Play or F-Droid.
0
Hi, check out our android guide: https://protonvpn.com/support/android-vpn-setup/
0
Ubuntu. Installed. Good How-To. Works like a charm. You guys are doing great work!
0
There appears to be a bug with network-manager-openvpn-gnome wherein the applet crashes when trying to “import a saved OpenVPN configuration”. Would it be possible to add an example which shows how you’d go about entering one of the ovpn files manually?
0
Hi there, I’m excited to start testing this service!
If we have troubleshooting questions, whom should we email?
Thanks.
0
Hi storman_norman, you can always reach our support team via the support form at the bottom.
0
The link
“Learn more about how two pairs of credentials increases security of ProtonVPN.” is broken.
Best
0
Thanks, fixed.
0
Hello Proton VPN Team!
I tried ProtonVPN on Debian Jessie. It works just perfect with following command, no GUI installed.
daniel@lnxdeb:~/protonvpn$ sudo /usr/sbin/openvpn –auth-nocache –config se-uk-01.protonvpn.com.udp1194.ovpn
What is the price of ProtonVPN service?
0
Just trying…:
sudo openvpn –config [path to.Proton .ovpn file] –auth-user-pass [path to file containing username and password on 2 lines] works too.
Thank you !
0
Hello,
Thank you for this complementary service. However, I cannot succeed to make it work on Plasma 5.9 (KDE desktop). I have nor errors neither logs describing what happens but the connection never work. Are you only supporting gnome or will you look at KDE desktop too?
Furthermore, whatever happen, it looks like I cannot change the password for the openvpn login in the user settings of protonmail. It says that everything is cool when I click on “save” but when I reload the page, it is the old password which is displayed.
Keep up the great work.
Thank you!
0
Issue sorted with applet on Linux Mint 17-32 Bits. No help required thank you ! Please delete my comments and apologies for the unnecessary trouble
0
Hi, what have you done? I experience trouble to setup the editing page, because an extra cert is required and there is none in the downloaded folder…
0
Hi Luxlin, drop us a line at support@ and we’ll supply the necessary cert and key files. While they are already included in the ovpn file, some distro versions have trouble parsing the file correctly (e.g. ubuntu 14.04lts and its cousins)
0
The link in section 3 is also broken. It should be https://protonvpn.com/support/vpn-login/ (minus the extra characters at the end).
0
Thanks, fixed!
0
Hi Guys.
I am running Linux Mint 17 / Mozilla Firefox. In the process of installing a new VPN I am unable to find that connection symbol and Edit connections features in system tray. Am I blind?
Click on your connection symbol, in the system tray on the top right and select ‘Edit connections’.
Any help please? Thank you
0
Please can you clarify how I can use the encrypted VPN on a mobile android device? Thank you.
0
Hi Tish, check out the android guide https://protonvpn.com/support/android-vpn-setup/
0
I will be debating on switching to ProtonVPN once officially released.
The link in section 4. “Learn more more about our Secure Core feature.” is pointing to “http://protonvpn.com/support/linux-vpn-setup ” please update to “https://protonvpn.com/support/secure-core-vpn/”
Keep up the great work.
Thank you!
0
Hi protonman, thanks for pointing it out. It’s fixed.
0
Hello Proton VPN Team!
I tried ProtonVPN on Debian Jessie. It works just perfect with following command, no GUI installed.
daniel@lnxdeb:~/protonvpn$ sudo /usr/sbin/openvpn –auth-nocache –config se-uk-01.protonvpn.com.udp1194.ovpn
What is the price of ProtonVPN service?
0