Return to protonvpn.com Facebook   Twitter   Reddit   ProtonMail
Support Center / Download and setup / How to use ProtonVPN on Linux?

How to use ProtonVPN on Linux?

ProtonVPN servers can be set-up as VPN for Linux using the ‘openvpn’ package and with the appropriate config files.

As an example, the below step-by-step guide shows how to setup a connection on Ubuntu 16.04LTS in a few easy steps.

 

Note: To address frequent DNS leaks on Linux, we’ve updated this guide with new Linux specific config files and new instructions to connect via CLI (see option B below)

 

The necessary config files can be found in the Download section of the ProtonVPN dashboard.

 

1. Install the necessary packages:

  • First, install the ‘openvpn’ package by opening a terminal (press [Ctrl] + [Alt] + [T]) and entering:

    sudo apt-get install openvpn

    • It will prompt you for your password to allow installation, enter it to proceed
    • When it prompts you to confirm the installation, press ‘y’ and hit ‘[Enter]’
    • Note: if you do not have administrator privileges on your machine, please contact your system administrator and ask them to perform the installation for you.

  • Second, install the ‘network-manager-openvpn-gnome’ package, for easier use and compatibility with the Ubuntu Network Manager GUI, by entering:

    sudo apt-get install network-manager-openvpn-gnome

    • Again, when it prompts you to confirm the installation, press ‘y’ and hit ‘[Enter]’

2. Get the ProtonVPN config files: 

  • Download the wanted configuration files

    • Log into your ProtonVPN dashboard at account.protonvpn.com/login
    • Select Downloads on in the left navigation bar
    • Find the OpenVPN configuration files section and chose
      • Platform: Linux
      • Protocol: UDP (recommended) / TCP if you experience slow VPN speeds (this utilizes port 443)
    • Click the download icons for the server you wish to download
    • If you selected “Download All configurations”, extract the zip file in your desired location

3. Find your OpenVPN credentials:

For added security, ProtonVPN is set-up with two separate credentials to authenticate a connection.

Learn more about how two pairs of credentials increases the security of ProtonVPN.

  • Log in to the ProtonVPN dashboard.

  • Click Account on the left.
  • Find the ‘OpenVPN login’ section

    • Set your OpenVPN password by clicking ‘Set OpenVPN Password’ and following the prompts.

      Note: We strongly recommend to use a long, unique password which is not used anywhere else!

    • Optional: Set your OpenVPN login to something memorable.

      NOTE: We strongly recommend to use a nondescriptive name which is not related in any way to your ProtonMail login!

    • Memorize your OpenVPN login and password (or temporarily note it down and keep it in a safe place)

  • Alternatively, for existing ProtonMail:

    • Log in to your ProtonMail account.
    • Go to the settings tab in the top right corner and then select the VPN submenu on the left
    • You will find the same information in the ‘OpenVPN login section’

Option A: Configure a VPN connection using Network Manager

Attention: At this point, there is a known issue with DNS Leaks on distributions up to Ubuntu 16.04LTS (and its dependencies and parents). If you find that you too are affected by DNS leaks, we recommend you to use Option B below.

A1. Adding a new connection
  • Click on your connection symbol, in the system menu on the top right and select ‘Edit connections’.

  • Click ‘Add’ in the new window to create a new connection.

  • Select ‘Import a saved VPN configuration…’ in the drop-down menu

  • Import the config file of the server you want connect to, by navigating to the location where you extracted the ProtonVPN_config.zip and selecting the desired file.

    • The files are named with a two-letter abbreviation of the destination country and a number to show which server in that country. For example: de-01 is the first server in Germany; ca-04 is the fourth server in Canada, see this article for a list of abbreviations.

    • Files with two country abbreviations are secure core servers, for example: is-us-01 is the secure core connection over Iceland to the USA. Learn more about our Secure Core feature.

  • Enter the OpenVPN credentials from step 3 in the ‘username’ and ‘password’ field of the new window and hit save.

  • For Ubuntu 14.04 LTS: there is an issue specific to 14.04 where importing the configuration that does not read all settings automatically. If you are experiencing issues with the auto-import feature with the network manager, please drop us a line at support{at}protonvpn{dot}com for further instructions.
A2. Establish the VPN connection:respectively
  • Click on your connection symbol in the system menu

  • Select ‘VPN Connections’, click the entry of your newly added config and it will automatically connect to your chosen ProtonVPN server.

  • You will see a popup confirming the VPN connection has been established and a lock next to your connection symbol. Congratulations, you’ve just successfully connected to ProtonVPN!

A3: Optional: To add more connections, simply repeat step A1 with different configuration file(s).

 

Option B: Connecting using the command line interface (CLI)

Note: if you do not have administrator privileges on your machine, please contact your system administrator and ask them to perform the connection for you

  • Open a terminal (press [Ctrl] + [Alt] + [T]) and navigate to the folder where you unzipped the config files using  cd <path> .  In our example, they are located in ~/ProtonVPN_config_linux/ so we enter:

cd ~/ProtonVPN_config_linux

  • Enter the following to initialize a new connection :

sudo openvpn <config.ovpn>

where <config.ovpn> is the config file name of the server you want to connect to, e.g. ch-01.protonvpn.com.udp1194.ovpn for Switzerland #1

  • Enter your PC’s administrator password to execute (openvpn will modify your network adapters and needs root privileges)

  • Subsequently you will be prompted for your OpenVPN credentials from step 3, enter your credentials to authenticate

  • You are successfully connected to ProtonVPN once you see Initialization Sequence Completed.
  • Keep this Terminal open, to stay connected to ProtonVPN.

  • To disconnect, press [Ctrl] + [C] and/or close the Terminal

Additional Ressources

Download Linux config files via the Dashboard

 

Related articles

Does ProtonVPN store user information?

Does ProtonVPN have bandwidth limit?

What is OpenVPN?

Post Comment

139 comments

  1. olax

    Be sure to have the /sbin/resolvconf if you want OpenVPN to update your DNS entries.
    On debian9 => apt install resolvconf
    If you don’t have this bin, you will get DNS leaks.

  2. chris

    The protocol described in option B doesnt prevent from random DNS leak in my case (Mint 18)

  3. voxit

    Hi to all,
    Here is my homemade solution for the DNS and IPv6 leaks issue on Ubuntu 16.04 and surely other Debian ditrib.

    1/ get the VPN server IP instead of its domain name (simply using a ping command) : x.x.x.x instead of xx.protonvpn.com
    2/ modify the .ovpn config file of your server choice by replacing the xx.protonvpn.com by the ip you got step 1/
    3/ open the network manager (edit connections after clicking on the network icon in the status bar)
    4/ delete the old VPN setting, and recreate one using option A with the new .ovpn config file (or simply double click on it and modify the gateaway the same way as above – do not erase the port x.x.x.x:X)
    4 / for all your connections, but not the VPN profile: go to the IPv4 tab: set it to IP adress only (DHCP) and let the DNS server adress blank, in order to have no DNS resolver (think about saving your preexistent ones in .txt if there are)
    5/ for all your connections and the VPN profile: set IPv6 tab to ignore (so you avoid ipv6 hazardous leaks)
    5 / deactivate – reactivate your network adapter in order to have to new setting applied
    6/ test you have no DNS resolver by checking ipleak.net (if it doesnt work it’s nice)
    7/ connect to the VPN (you will automatically be using the VPN DNS server)
    8/ test with ipleak.net
    9/ don’t forget to deactivate the WebRTC interface in your web browsers (and do not use chromium instead of chrome !)

    Waiting for a real patch, it will do the job !
    And let me know if it does work for you 😉

  4. voxit

    do use chromium / firefox instead of chrome *

  5. Nrthlight

    Wow 4 leaks with the second method, what am I paying for here?

  6. Dave Sailer

    I consider this product to be still a beta version.

    Too bad. I’ll have to check back next year. In a few weeks I’m due to renew my existing VPN subscription with another company and I’ll have to stick with them.

    I’m running Linux Mint 17.3 (~= Ubuntu 14.04LTS), and ProtonVPN does not work for me. I tried installing the explicitly beta version, failed, updated/edited the config files on my own, failed, tried the ProtonVPN support’s fix, failed again.

    And now, with the “production” version, it looks like we’re still where we were what was it – three months ago?

    My existing VPN setup took about 5 minutes, works, and I have no problems with it. I don’t have a Ph.D. in EE, and am not a system administrator, so ProtonVPN is complex and confusing at best. And, in addition, does not work.

    OK. In six or eight months I’ll give you one more try when I get a new laptop and install an updated OS, but that’s it.

  7. PierreTremblay

    Hi !
    I just bought the ProtonVPN (plus) subscription plan for 1 year on Linux Mint 17.2 (Rafaela) (MATE)
    I followed the instructions here :
    https://protonvpn.com/support/linux-vpn-setup
    Using the console setup. And i only get this message :
    Thu Jul 13 04:55:57 2017 write UDPv4: Operation not permitted (code=1)
    Repeated over and over.
    So far i tried with two different ProtonVPN servers, this one :
    ch-ca-01.protonvpn.com.udp1194.ovpn
    And this one :
    ch-us-01.protonvpn.com.tcp443.ovpn
    Using this command line :
    sudo openvpn ch-us-01.protonvpn.com.udp1194.ovpn
    I am already using another VPN and wanted to switch to ProtonVPN before my previous suscription ends.
    What am i doing wrong please ?
    Thank you.

  8. ProtonVPN

    Please submit a support request to

    https://protonvpn.com/support-form

    so that we can look into it.

  9. David Shawn

    Can I pay in bitcoin? If yes how to proceed? Thank you.

  10. ProtonVPN

    Yes, you can, you have to do it through ProtonMail: https://protonmail.com/support/knowledge-base/paying-with-bitcoin/

  11. tauvpn

    Openvpn does not come with the script update-resolv-conf by default, so the current configuration files are broken for a pure openvpn installation, which is what happens on most of the linux distributions. For instance, my phone, on SailfishOS.
    I would suggest, you protonvpn guys, to also provide that script. In addition, security is weakened by “script-security 2”.

    There is a situation in which normal users, namely all those not having a nickname rooted on a particle from the Standard Model, and not finding the update-resolv-conf script could try to download that script from the internet without really knowing what it does thereby opening an easy security hole.

    My 2 cents 🙂

    Tauvpn, the heaviest of all.

  12. Robert

    The script can be found here:
    https://github.com/masterkorp/openvpn-update-resolv-conf
    It comes standard with alotof/most linux distros.

  13. Nrthlight

    I could not agree more.

  14. Andy

    Hey !
    Thx for your job Proton, I’m glad to use your VPN as a privacy guard of my life on internet.
    By the way, is there any official way to correct the DNS and ipv6 leak i’m experiencing on Linux ?
    On Fedora, some websites still do know where I’m living. I can’t bear it 🙂
    Cheers

  15. ProtonVPN

    hi, currently our servers do not yet support ipv6. we recommend users to disable ipv6 networking capabilities while we are working on adding this feature.

  16. Michael

    re: vpn services generally:
    what ports open on the machine could be visible at the other end of the vpn?
    can the user restrict what ports are visible to only what is needed?

    also can I install it on freeBSD? ..
    (maybe could try compiling the linux version?)

  17. Teo

    How can i have the pem files please ?

  18. ProtonVPN

    hi please drop us a line via protonvpn.com/support-form

  19. user

    DNS AND IPv6-address leak fix
    Recently I reported several leak issues and now I have a fix that works at least on my system
    To get rid of DNS and IP6-address leakage from IPv6 the following procedure
    has resolved the leaking (Verified on several proton-servers)

    Install network-manager-openvpn and its dependencies
    =============================================
    sudo apt-get install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome

    add the following to your .opvn configuration file at the end, but before
    the certificates
    ##################################
    block-outside-dns

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    ##################################
    Import this configuration file into the networkmanager

    To disable leaks (IP and DNS) from IPv6 do the following:

    1 Enter gksudo gedit /etc/sysctl.conf and open the configuration file and
    2 add the following lines at the end
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    3 After that run $ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
    If it reports ‘1′ means you have disabled IPV6. If it reports ‘0‘ then please follow Step 4 and Step 5.
    4 Type command sudo sysctl -p you will see this in terminal:
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    5 Repeat above “Step 3” and it will now report 1.
    Open /etc/NetworkManager/NetworkManager.conf in an editor and change
    dns=dnsmasq
    to this:
    #dns=dnsmasq
    Don’t forget to comment out any IPv6 hosts in your /etc/hosts file
    Disable all IP6 in the networkmanager in the IP6 tab
    reboot the – works for me!

  20. user

    Ubuntu 16.04 openvpn:
    IP address from IP4 is hidden but ipleak.net detects my IP6 ISP IP address. So openvpn does not only leak DNS but also real IP6 IP!
    I can prevent DNS leak when I do the following:
    Open /etc/NetworkManager/NetworkManager.conf in an editor and change
    dns=dnsmasq
    to this:
    #dns=dnsmasq

  21. R.protonvpn

    Solution DNS leak linux via networkmanager: go to system > etc. > networkmanager > networkmanager.config > and than change ‘dns=dnsmasq’ into ‘#dns=dnsmasq’. Tested on ubuntu 16.04.2 LTS and worked. Let me know in the comments if it solved your DNS leak with OS info.

  22. R.protonvpn

    SOLUTION DNS LEAK LINUX Networkmanager

    wget https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+attachment/4780245/+files/dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb
    sudo dpkg -i dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb

  23. redchris

    works for me (Mint 18). Thanks

  24. joffaMac

    I’m trying to set up my Netgear R8000 router which I’m running LEDE on. Using this as a rough guide [https://help.my-private-network.co.uk/support/solutions/articles/24000005597-openwrt-lede-openvpn-setup] and the config .ovpn file settings obtained via ProtonVPN Downloads for DD-WRT UDP, I saved tls-auth & ca.crt files as suggested, added the missing fields and completed all fields except for ‘mssfix 1450’ as I couldn’t locate that anywhere. When I click start in the OpenVPN instance, nothing happens. I don’t have logs set up as that looks all too hard (andsomething to read up on way later). Can anyone suggest what I may have done wrong.

  25. Dias

    Bonjour, i’am working on Microsoft Windows 10 and this tutorial not working on VirtualBox Kali Linux …no internet connection. Pleaz need your help

  26. buffalo

    This helped resolve my DNS leaking and IP leaking. I am new to VPNs but this patch for network-manager helped

    https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/comments/71
    He released a fix for Ubuntu 17.04 (perhaps it applies to earlier versions) that resolved an issue with network-manager leaking DNS with VPNs. Please check out the comments further down the page written by Stommel. https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317

    He later links to this page. https://bugzilla.gnome.org/show_bug.cgi?id=783569

    it fixed my issues.

  27. Sby

    How does the device count (in terms of pricing plan) work if I use ProtonVPN on my router (OpenWRT)? Are all traffic going out from the same router treated as one “device”?

  28. Sh

    What login vpn for linux?

  29. ProtonVPN

    please use your openvpn credentials to log in (not your account credentials)

  30. JY

    This doesn’t work

  31. machavez

    I suggest to check out the airvpn client for Linux. It is easy to use and have a lot of features.

  32. David DARR

    Can this be incorporated into ddwrt?

  33. ProtonVPN

    yes, we’ll be updating with guides in the near future

  34. Dave

    As well as PfSense?

  35. John

    DNS leaks with new settings, how would I protect against this?

  36. ProtonVPN

    hi John, please drop us a line at https://protonvpn.com/support-form with a detailed description of your setup and how you connect (cli vs nm)

  37. Ken

    Thank you for your continued efforts to support the Linux community. I just created a VMWare virtual machine Ubuntu Mate 16.04 + current updates + openvpn packages per your instructions. I configured a vpn connection using is-03-protonvpn.com.udp1194.ovpn from your Linux config files collection using network manager – again per your instructions. When I connect with the vpn I observe that my assigned address is 185.159.158.50 which appears to be in Iceland. So far, so good.

    I accessed a DNS leak check site (https://hidester.com/dns-leak-test/) and ran a test. It confirms my address but the leak test results are:

    Real DNS IP: 162.210.192.160
    DNS Host: 162.210.192.160
    Country: United States
    City: Manassas LeaseWeb USA Inc.

    162.210.192.160 is in fact the address of my router/gateway computer which provides Internet access to my LAN. It is running CentOS 7.3 and is accessing your US vpn server us-04.protonvpn.com.udp1194.ovpn file. Openvpn is run from the command line and uses my home made DNS leakage mitigation process.

    I further observe that your Linux .ovpn file has these lines added to the end. These scripts are SUPPOSED to address DNS leakage on Linux.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    With the vpn connected I observe tthat

    /etc/resolv.conf is linked to /run/resolvconf/resolv.conf

    the latter file contains:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND — YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1

    Disconnecting the vpn make no change to the link nor to the target resolve.conf file. the nameserver is still 127.0.1.1

    Perhaps I have made an error in configuring the test machine or perhaps there is some more work to do (or perhaps it is an issue with the Mate desktop.) Please let me know if I can provide some additional information or do some additional testing for you.

    Issue #2 – Openvpn when used via network manager does NOT fail in a safe direction. By that I mean that when the vpn connection drops – either by user action or some network anomaly/blip etc. – the computer will continue to access the Internet WITHOUT the benefit/protection of the vpn.

  38. ProtonVPN

    Hi Ken, we’ve submitted a ticket for you via the support form, our support team should get back to you with detailed instructions soon.

  39. linux

    I’m using RHEL 7 and tried to use the latest config files adjusted for linux from CLI, but still DNS leaks. Is there any reliable solution? Thanks

  40. ProtonVPN

    hi it could be that the required files for resolf-config (last three lines in linux config files) are located in a different directory for you. can you verify that these exist or alternatively adapt the path to the location on your machine?

  41. Paranoid Android

    Is there a reason why the file “is-us-01.protonvpn.com.udp1194.ovpn”, which was included in the zip of ovpn files a couple months ago, is no longer included in the most recent download? Does this mean it’s no longer safe to use that particular configuration file?

  42. ProtonVPN

    We just brought our Swiss Secure core servers online and shifted the US connection to go via CH. the IS-US connection is depreciated and will be taken offline in the future, hence we removed it from zip file. Recommend to use the CH-US one instead

  43. Charlie

    Systemd has a bug in Ubuntu 17.04 which prevents DNS leak prevention ( https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 ). But following the instructions in this comment fixed it for me:

    [admin edit: removed quote due to length. It can be found in link below]

    Source: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/comments/42

  44. ProtonVPN

    thanks for the suggestion. We’ll introduce platform specific config files soon which will have the necessary script security lines included to run without DNS leak from CLI

  45. Charlie

    Glad to hear it!

  46. EEReughrug9547574

    Notice that, currently, Ubuntu 17.04 suffers from a bug in network-manager-openvpn which prevents the import of .ovpn config files: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1677198
    I found that using the terminal works with the following command: sudo openvpn –config /path/to/protonvpn/configfile.ovpn

  47. cc

    Any chance that the issue has been solved in the new version of Network Manager 1.8? (https://github.com/NetworkManager/NetworkManager)

  48. David

    Any setup examples for tomato router? Thanks!

  49. Van

    Following the instructions I complete the installation successfully for Linux, Mac, iOS. Only iOS changes my IP address. The Mac warns of the IP address being unchanged. Linux doesn’t warn and isn’t behaving as intended.

  50. Robert Roze

    For getting ProtonVPN to work on Linux, Step 4 (Configure a VPN connection), the end of the paragraph reads:
    In the editing page, enter the OpenVPN credentials from step 3 in the ‘username’ and ‘password’ field respectively, and hit save.

    But, when I enter my ProtonVPN username and password, the “Save” button remains grey/dis-abled. There is no way to save. How can I continue?

  51. ProtonVPN

    This sounds like you might need separate OpenVPN cert and key files because your network manager doesn’t recognize the ovpn config file properly (similar to Ubuntu 14.04LTS issue). Please contact us at support@ and let us know your OS version.

  52. Gabriel

    I’m glad to see from a comment above that you are working on a native Linux client. In the interim, would it be possible to provide user-friendly guides on how to configure/test the built in networking tools & OpenVPN for:
    > how to protect against DNS/IP leaks + verification process
    > how to prevent any outbound connections that aren’t going through the VPN + verification process

    My biggest issue with VPN services (and self-described secure services generally) is a lack of transparency about how their technologies function and what their weak points can be, and without making verification processes (and notifications) clear, the essential element of trust is compromised to some degree.

    In any case, speeds are looking great compared to my previous provider and I intend on sticking with you guys. Thank you for your work!

    (I am currently using Antergos+KDE)

  53. ProtonVPN

    Thanks for the suggestions and encouraging words. We’ll be adding details to our guides and publish more technical details about our configurations as we get closer to launch. Our goal is to be as transparent as possible so that you know whom you’re trusting with your VPN connection.

  54. Paul Bonneau

    Comment by Ken Taylor (Mar 19): “Network Manager tends to simply switch to an direct Internet connection in the case of a VPN disconnect.”

    If true, this is unacceptable, and this procedure should be re-written to not use Network Manager.

    I am using Lubuntu 16.04LTS. I failed to connect with this procedure. At the end of step 4, a window popped up saying, “Enter password for keyring ‘Default keyring’ to unlock”. It is unclear what password is wanted, I tried every one I could think of. In fact that is another problem, entirely too many passwords and it is unclear which is wanted where, or whether they might be stored in some password manager or have to be manually entered every time (the discussion at the end of step 3 was not clear about this).

    “Click on your connection symbol, in the system menu on the top right” This had me going for a while. My menu bar is at the bottom, and I finally understood you wanted to enter the Network Manager. You should say so (although again, maybe we should not use Network Manager for vpn).

  55. Neil

    I am currently using ProtonVPN on my Ubuntu workstation using the setup steps outlined above. My ISP is Spectrum, previously known as Time Warner Cable (I’m in the US).

    My question is, do my outbound requests go from my ISP’s DNS server to ProtonVPN’s servers, or does ProtonVPN circumvent my ISP’s DNS server? The latter would be ideal for privacy purposes.

    Also, how would I be able to test this out? I’m a novice Linux user with knowledge of basic everyday terminal commands, so please be as specific as possible.

    Thank you!

  56. ProtonVPN

    Our exit nodes are set up as their own DNS, therefore if everything is running correctly, you will not have to rely on the DNS of your ISP.

  57. Dan S

    Do you plan to release a Linux application similar to the Windows application, or will Linux users just use OpenVPN?

  58. ProtonVPN

    we do plan to support mac and linux natively and development is currently in the early stages. no release date set yet. stay tuned

  59. Sean

    For anyone running this from shell or terminal in a Unix environment this is how to set it up.
    My example is running on a DD-WRT router with a usb thumb drive mounted at /opt. My working directory is /opt/openvpncl/proton/. You can put it wherever you want, just make sure to change all paths in the following to suite your needs.

    So you need 6 files in your working directory:

    openvpn.conf
    auth.conf
    proton_ca.crt
    proton_tls.key
    route-up.sh
    route-down.sh

    I will now breakdown the contents of each file. Just copy and paste between the solid lines.

    openvpn.conf:
    note: replace (enter server address here) with the server you wish to connect to.
    example: remote ca-03.protonvpn.com 1194
    You can use either the domain name or ip address of the server.
    __________
    ca /opt/openvpncl/proton/proton_ca.crt
    management 127.0.0.1 16
    management-log-cache 100
    verb 3
    syslog
    writepid /var/run/openvpncl.pid
    client
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    script-security 2
    dev tun1
    proto udp
    cipher aes-256-cbc
    auth sha512
    auth-user-pass /opt/openvpncl/proton/auth.conf
    remote (enter server address here) 1194
    comp-lzo adaptive
    tun-mtu 1500
    mtu-disc yes
    fast-io
    tun-ipv6
    tls-auth /opt/openvpncl/proton/proton_tls.key 1
    tun-mtu-extra 32
    mssfix 1450
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    remote-cert-tls server
    pull
    key-direction 1
    __________

    auth.conf
    note: replace each line with your username and password respectively.
    __________
    username
    password
    __________

    proton_ca.crt:
    This file contains your the Certificate
    __________
    —–BEGIN CERTIFICATE—–
    MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
    MBMGA1UEChMMUHJvdG9uVlBOIEFHMRowGAYDVQQDExFQcm90b25WUE4gUm9vdCBD
    QTAeFw0xNzAyMTUxNDM4MDBaFw0yNzAyMTUxNDM4MDBaMEAxCzAJBgNVBAYTAkNI
    MRUwEwYDVQQKEwxQcm90b25WUE4gQUcxGjAYBgNVBAMTEVByb3RvblZQTiBSb290
    IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+BsSsZg7+AuqTq7
    vDbPzfygtl9f8fLJqO4amsyOXlI7pquL5IsEZhpWyJIIvYybqS4s1/T7BbvHPLVE
    wlrq8A5DBIXcfuXrBbKoYkmpICGc2u1KYVGOZ9A+PH9z4Tr6OXFfXRnsbZToie8t
    2Xjv/dZDdUDAqeW89I/mXg3k5x08m2nfGCQDm4gCanN1r5MT7ge56z0MkY3FFGCO
    qRwspIEUzu1ZqGSTkG1eQiOYIrdOF5cc7n2APyvBIcfvp/W3cpTOEmEBJ7/14RnX
    nHo0fcx61Inx/6ZxzKkW8BMdGGQF3tF6u2M0FjVN0lLH9S0ul1TgoOS56yEJ34hr
    JSRTqHuar3t/xdCbKFZjyXFZFNsXVvgJu34CNLrHHTGJj9jiUfFnxWQYMo9UNUd4
    a3PPG1HnbG7LAjlvj5JlJ5aqO5gshdnqb9uIQeR2CdzcCJgklwRGCyDT1pm7eoiv
    WV19YBd81vKulLzgPavu3kRRe83yl29It2hwQ9FMs5w6ZV/X6ciTKo3etkX9nBD9
    ZzJPsGQsBUy7CzO1jK4W01+u3ItmQS+1s4xtcFxdFY8o/q1zoqBlxpe5MQIWN6Qa
    lryiET74gMHE/S5WrPlsq/gehxsdgc6GDUXG4dk8vn6OUMa6wb5wRO3VXGEc67IY
    m4mDFTYiPvLaFOxtndlUWuCruKcCAwEAAaOBpzCBpDAMBgNVHRMEBTADAQH/MB0G
    A1UdDgQWBBSDkIaYhLVZTwyLNTetNB2qV0gkVDBoBgNVHSMEYTBfgBSDkIaYhLVZ
    TwyLNTetNB2qV0gkVKFEpEIwQDELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFByb3Rv
    blZQTiBBRzEaMBgGA1UEAxMRUHJvdG9uVlBOIFJvb3QgQ0GCAQEwCwYDVR0PBAQD
    AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQCYr7LpvnfZXBCxVIVc2ea1fjxQ6vkTj0zM
    htFs3qfeXpMRf+g1NAh4vv1UIwLsczilMt87SjpJ25pZPyS3O+/VlI9ceZMvtGXd
    MGfXhTDp//zRoL1cbzSHee9tQlmEm1tKFxB0wfWd/inGRjZxpJCTQh8oc7CTziHZ
    ufS+Jkfpc4Rasr31fl7mHhJahF1j/ka/OOWmFbiHBNjzmNWPQInJm+0ygFqij5qs
    51OEvubR8yh5Mdq4TNuWhFuTxpqoJ87VKaSOx/Aefca44Etwcj4gHb7LThidw/ky
    zysZiWjyrbfX/31RX7QanKiMk2RDtgZaWi/lMfsl5O+6E2lJ1vo4xv9pW8225B5X
    eAeXHCfjV/vrrCFqeCprNF6a3Tn/LX6VNy3jbeC+167QagBOaoDA01XPOx7Odhsb
    Gd7cJ5VkgyycZgLnT9zrChgwjx59JQosFEG1DsaAgHfpEl/N3YPJh68N7fwN41Cj
    zsk39v6iZdfuet/sP7oiP5/gLmA/CIPNhdIYxaojbLjFPkftVjVPn49RqwqzJJPR
    N8BOyb94yhQ7KO4F3IcLT/y/dsWitY0ZH4lCnAVV/v2YjWAWS3OWyC8BFx/Jmc3W
    DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
    A1gTTlpi7A==
    —–END CERTIFICATE—–
    __________

    proton_tls.key:
    This file contains the TLS Key.
    __________
    —–BEGIN OpenVPN Static key V1—–
    6acef03f62675b4b1bbd03e53b187727
    423cea742242106cb2916a8a4c829756
    3d22c7e5cef430b1103c6f66eb1fc5b3
    75a672f158e2e2e936c3faa48b035a6d
    e17beaac23b5f03b10b868d53d03521d
    8ba115059da777a60cbfd7b2c9c57472
    78a15b8f6e68a3ef7fd583ec9f398c8b
    d4735dab40cbd1e3c62a822e97489186
    c30a0b48c7c38ea32ceb056d3fa5a710
    e10ccc7a0ddb363b08c3d2777a3395e1
    0c0b6080f56309192ab5aacd4b45f55d
    a61fc77af39bd81a19218a79762c3386
    2df55785075f37d8c71dc8a42097ee43
    344739a0dd48d03025b0450cf1fb5e8c
    aeb893d9a96d1f15519bb3c4dcb40ee3
    16672ea16c012664f8a9f11255518deb
    —–END OpenVPN Static key V1—–
    __________

    route-up.sh:
    This file contains iptables for routing.
    __________
    #!/bin/sh
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -D FORWARD -i tun1 -j ACCEPT
    iptables -D FORWARD -o tun1 -j ACCEPT
    iptables -I INPUT -i tun1 -j ACCEPT
    iptables -I FORWARD -i tun1 -j ACCEPT
    iptables -I FORWARD -o tun1 -j ACCEPT
    stopservice dnsmasq -f
    startservice dnsmasq -f
    cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
    env | grep ‘dhcp-option DNS’ | awk ‘{ print “nameserver ” $3 }’ > /tmp/resolv.dnsmasq
    cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
    __________

    route-down.sh
    This file deletes the iptables that were created in the above file and is used when shutting down the VPN connection.
    __________
    #!/bin/sh
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    __________

    Now that your working directory is populated with the above files all that’s needed is to run the following command from the terminal to start the connection:
    __________
    openvpn –config /opt/openvpncl/proton/openvpn.conf –route-up /opt/openvpncl/proton/route-up.sh –route-pre-down /opt/openvpncl/proton/route-down.sh –daemon
    __________
    To check if your connected run the following from a terminal:
    __________
    curl -s ipinfo.io
    __________

    This will give you your ip address and location information to verify you’re connected to the VPN.
    __________
    Next step would be to setup a startup script to start the VPN on startup. I’ll leave that up to you.

    Hope this helps. Took me a while to figure it all out! 😛

  60. sciro

    Thanks for sharing all your hard work and knowledge!

  61. Username

    You can make it run on startup by un-commenting the line “AUTOSTART=”all”” in “/etc/default/openvpn”, though this may require your files to be in “/etc/openvpn” rather than “/etc/opnvpn/protonvpn”.

  62. Sean

    Ok Here’s how you get this setup on DD-WRT via the GUI:

    -Login to the router’s web GUI. In my case, http://192.168.1.1/
    -Navigate to Services Tab
    -Navigate to VPN sub Tab
    -Scroll down OpenVPN Client click Enable
    -Set the following settings:
    Server IP/NAME: us-04.protonvpn.com #Change to whatever server you’d like to connect to
    Port: 1194
    Tunnel Device: TUN
    Tunnel Protocol: UDP
    Encryption Cipher: AES-256 CBC
    Hash Algorithm: SHA512
    User Pass Authentication: Enable
    Username: yourusername
    Password: yourpassword
    Advanced Options: Enable
    TLS Cipher: None
    LZO Compression: Adaptive
    NAT: Enable
    Firewall Protection: Enable
    IP Address: Leave Blank
    Subnet Mask: Leave Blank
    Tunnel MTU Setting: 1500
    Tunnel UDP Fragment: Leave Blank
    Tunnel UDP MSS-Fix: Disable
    nsCertType verification: Leave Un-Checked
    TLS Auth KEY: Insert Auth Key here
    Additional Config: tun-mtu-extra 32
    mssfix 1450
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    remote-cert-tls server
    pull
    key-direction 1
    Policy based Router: Leave Blank
    PKCS12 Key: Leave Blank
    Static Key: Leave Blank
    CA Cert: Insert CA Certificate here
    Public Client Cert: Leave Blank
    Private Client Key: Leave Blank
    -Click Apply Settings
    -Now give it a few seconds then navigate to Status Tab
    —Navigate to VPN Sub Tab
    You should see “Client: CONNECTED SUCCESS” along with Local Address and Remote address.
    Fire-up a browser and google “what’s my ip”. You should be up and running.

    Cheers!

  63. Walker

    Worked like a charm! Appreciate it!

  64. Sean

    Some progress.

    Firstly, I noticed the default tunnel device is tun0 and so I changed my route-up and route-down scripts to reflect that.

    Log files indicate
    “WARNING: Failed running command (–up/–down): external program fork failed”

    This is due to script-security being set too high. And so I added script-security 2 to the openvpn.conf file in order to allow running of external scripts.

    Ran it again and BAM just like that I was connected and traffic was being routed through the tunnel.
    Running “curl -s ident.me” revealed 162.210.192.157 confirming my ip address was that of the vpn server.

    Something is still wrong with the routing however. The router itself is connect to the VPN. I can ping google.ca and get a response. However all devices on the network are dead in the water. No WAN access. ping google.ca returns no response.

    That’s as far as I got so far with DD-WRT.

  65. Sean

    So I wanted to start simple. Run openvpn using one of protonvpn’s config files. I created my openvpn.conf file to be verbatim from us-01.protonvpn.com.udp1194.ovpn.

    Then ran the following command:
    openvpn –config /opt/openvpncl/proton/openvpn.conf –route-up /opt/openvpncl/proton/route-up.sh –route-pre-down /opt/openvpncl/proton/route-down.sh

    Log File:
    ___________
    Apr 2 18:41:36 router daemon.notice openvpn[21675]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 24 2015
    Apr 2 18:41:36 router daemon.notice openvpn[21675]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Apr 2 18:42:04 router daemon.warn openvpn[21698]: WARNING: –ping should normally be used with –ping-restart or –ping-exit
    Apr 2 18:42:04 router daemon.warn openvpn[21698]: NOTE: starting with OpenVPN 2.1, ‘–script-security 2’ or higher is required to call user-defined scripts or executables
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: Control Channel Authentication: tls-auth using INLINE static key file
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: Socket Buffers: R=[180224->131072] S=[180224->131072]
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: UDPv4 link local: [undef]
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: UDPv4 link remote: [AF_INET]162.210.192.157:1194
    Apr 2 18:42:04 router daemon.notice openvpn[21698]: TLS: Initial packet from [AF_INET]162.210.192.157:1194, sid=e4a59209 aefffd23
    Apr 2 18:42:04 router daemon.warn openvpn[21698]: WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Validating certificate key usage
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: ++ Certificate has key usage 00a0, expects 00a0
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY KU OK
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Validating certificate extended key usage
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY EKU OK
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: VERIFY OK: depth=0, CN=us-01.protonvpn.com
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Encrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Encrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Decrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Data Channel Decrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 2 18:42:05 router daemon.notice openvpn[21698]: [us-01.protonvpn.com] Peer Connection Initiated with [AF_INET]162.210.192.157:1194
    Apr 2 18:42:07 router daemon.notice openvpn[21698]: SENT CONTROL [us-01.protonvpn.com]: ‘PUSH_REQUEST’ (status=1)
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: explicit notify parm(s) modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –sndbuf/–rcvbuf options modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: Socket Buffers: R=[131072->360448] S=[131072->360448]
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –ifconfig/up options modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: route options modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: route-related options modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: –ip-win32 and/or –dhcp-option options modified
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: peer-id set
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: OPTIONS IMPORT: adjusting link_mtu to 1637
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: TUN/TAP device tun0 opened
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: TUN/TAP TX queue length set to 100
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/ifconfig tun0 10.8.8.51 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 162.210.192.157 netmask 255.255.255.255 gw 50.70.176.1
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
    Apr 2 18:42:08 router daemon.warn openvpn[21698]: WARNING: External program may not be called unless ‘–script-security 2’ or higher is enabled. See –help text or man page for detailed info.
    Apr 2 18:42:08 router daemon.warn openvpn[21698]: WARNING: Failed running command (–route-up): external program fork failed
    Apr 2 18:42:08 router daemon.notice openvpn[21698]: Initialization Sequence Completed
    Apr 2 18:44:02 router daemon.err openvpn[21640]: event_wait : Interrupted system call (code=4)
    Apr 2 18:44:02 router daemon.err openvpn[21698]: event_wait : Interrupted system call (code=4)
    Apr 2 18:44:02 router daemon.notice openvpn[21698]: SIGTERM received, sending exit notification to peer
    Apr 2 18:44:02 router daemon.notice openvpn[21640]: SIGTERM[hard,] received, process exiting
    Apr 2 18:44:03 router daemon.notice openvpn[21698]: /opt/openvpncl/proton/route-down.sh tun0 1500 1637 10.8.8.51 255.255.255.0 init
    Apr 2 18:44:03 router daemon.err openvpn[21698]: WARNING: Failed running command (–up/–down): external program fork failed
    Apr 2 18:44:03 router daemon.notice openvpn[21698]: Exiting due to fatal error
    ______________________________________

    Here’s my route-up.sh script:
    ______________________________________
    #!/bin/sh
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -D FORWARD -i tun1 -j ACCEPT
    iptables -D FORWARD -o tun1 -j ACCEPT
    iptables -I INPUT -i tun1 -j ACCEPT
    iptables -I FORWARD -i tun1 -j ACCEPT
    iptables -I FORWARD -o tun1 -j ACCEPT
    stopservice dnsmasq -f
    startservice dnsmasq -f
    cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
    env | grep ‘dhcp-option DNS’ | awk ‘{ print “nameserver ” $3 }’ > /tmp/resolv.dnsmasq
    cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
    _________________________________

    Here’s my route-down.sh script
    _________________________________
    #!/bin/sh
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    _________________________________

  66. Sean

    Still need to get up and running DD-WRT.. Anyone out there experimenting with this? I’d love to compare notes. I’m running OpenVPN 2.3.8. I can get the tunnel up but for some reason the routing is all messed up and all devices have no wan access. I’ll keep working on it and post my progress. Any help from the Proton team and the community would be greatly appreciated. DD-WRT via shell would be most useful to me. But via the GUI would also help and be more user friendly for the general population.

  67. Richard

    On currently trying <out ProtonVPN on Ubuntu 16;04(I'll try it on my Windows 10 PC later) and so far I'm trying to figure where I messed up,because I've tried 2 servers,but the connecttion fails.

    AFAIK,I got steps 1 and 2 correct,so that only leaves step 3.I imported a vpn connection,entered a server,plus my OpenVPN ID and password from my ProtonMail backoffice,so I can't figure out what I've missed.

    Any ideas?

    Android app?

  68. Dexter Fryar

    Looks like there are no name servers set. Connected using the command line on Ubuntu 16.10. You can ping a specific address, but I had to manually edit /etc/resolv.conf in order to get name resolution working.

    Any chance this will be fixed on PM’s side?

  69. Dexter Fryar

    Found the answer here. Not sure why this is not part of the downloaded config files, Proton, can you answer?

    https://protonvpn.com/support/prevent-dns-leak/

    add the following to the end of the .ovpn file

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

  70. Ted

    I’m using Mint 17 and am trying to get the connection manager to work.

    I go through the procedure listed above and select the .ovpn config file. Then I change the authentication type to password, but it wont let me save it without a CA Certificate file, which it says needs to be .pem, .crt, .key, or .cer. Is there a way to convert the .ovpn file to the appropriate file type? Thanks!

  71. ProtonVPN

    Mint17’s network manager has an issue with importing integrated config files (where the ca is in the ovpn file) similar to Ubuntu 14.04. Upgrading to a later Mint version should solve this problem. Alternatively drop us a line and we’ll send you the necessary files.

  72. Luxlin

    Thanks, i got my answer for a question I posted one minute before 🙂 . But, at least, there’s a way to make it works (it works with me/Cinnamon 17.2).
    1) Download and extract the zip package with the OpenVPN configuration files
    2) Open Terminal and set-up OpenVpn (only if you need it) :
    sudo apt-get install openvpn
    sudo apt-get install network-manager-openvpn-gnomen
    3) enter : sudo openvpn /[path to.Proton .ovpn file] and follow instructions (enter login and password).
    You should get “Initialization Sequence Completed” if it’s working.

  73. ProtonVPN

    glad that it worked for you. Do note that currently, the CLI connection will per default not accept the DNS options which are pushed by our servers once you connect – hence we recommend the network manager approach.

  74. Chris C

    I’m interested in having steps for configuring pfSense. I have managed to establish a connection, however I have been unable to ping the gateway address.

  75. Chris C

    I managed to figure it out.

    System -> Cert. Manager
    CAs tab
    Add button
    Descriptive name:
    Method: Import an existing Certificate Authority
    Certificate data: <contents of section of ovpn file>
    Save

    VPN -> OpenVPN
    Clients tab
    Add button
    Server mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device mode: tun
    Interface: any
    Local port:
    Server host or address:
    Server port: 1194
    Proxy fields: blank
    Server hostname Resolution: Checked
    Description: Pick something
    Username: OpenVPN username
    Password: OpenVPN password
    TLS authentication: checked
    Key: < section of ovpn file>
    Peer Certificate Authority:
    Client Certificate: None (Username and/or Password required)
    Encryption algorithm: AES-256-CBC (256bit)
    Auth digest algorithm (SHA512 (512-bit)
    Hardware Crypto:

    IPV4 Tunnel Network: Blank
    IPv6 Tunnel Network: Blank
    IPv4 Remote Network(s): Blank
    IPv6 Remote Network(s): Blank
    Limit outgoing bandwidth:
    Compression: Enabled with Adaptive Compression
    Topology: Subnet
    Type-of-service: Checked
    Disable IPv6: Checked
    Don’t pull routes: Unchecked
    Don’t add/remove routes: Unchecked
    Custom options: tun-mtu 1500,tun-mtu-extra 32,mssfix 1450,persist-key,persist-tun,ping 15,ping-restart 0,ping-timer-rem,reneg-sec 0,remote-cert-tls server,auth-user-pass,pull,fast-io,key-direction 1
    Verbosity: 3

    Interfaces -> Assign
    Available network ports:
    Add button
    Click on new interface
    Enable: Checked
    Description:
    IPv4 Configuration Type: None (handled by OVPN)
    IPv6 Configuration type: None
    MAC Address: Blank
    MTU: 1500
    MSS: 1450

    At this point the connection is established. use NAT/firewall rules/static routes to route traffic to the VPN.

  76. ProtonVPN

    Hi Chris, thanks for helping out other users with details on what worked for you. Happy testing

  77. Raven

    This worked for me as well but I had to change my OpenVPN login from the default one to something else because auth kept failing

  78. DebKDE

    Debian Testing on KDE worked quickly and without any problems.
    To get it working using the Network Manager GUI:
    1.) open the connection editor (e.g. right click the wifi symbol in the tray and Configure Network Connections)
    2.) Click the Connection pull-down and select Import VPN
    3.) Choose the proton .ovpn file
    4.) Choose whether to copy certs to ~/.local/share/networkmanagement/certificates/ (either choice works)
    5.) Choose the newly imported protonVPN connection from the list and Edit it
    6.) Add the correct username and password under VPN(openvpn) tab and click OK
    7.) Test the connection (it should work!)

  79. john

    Hey DebKDE,

    Dumb question: Did you look at the logfile to ensure that NetworkManager is doing host authentication? I checked this with Debian Jessie (stable), and it didn’t look to me like that rev of nm-openvpn-gnome did the host authentication check.

    thanks!

  80. Gabriel

    Thanks! I got ProtonVPN working on Antergos/KDE with these steps.

  81. tnorth

    Thanks, works for me as well on Fedora 25, x86_64, SELinux enabled.

  82. Dave X

    “Click on your connection symbol, in the system tray on the top right and select ‘Edit connections’.”

    Where is it? I don’t see this anywhere on Ubuntu 16.

  83. Lou Gro

    Just got this up and running on Ubuntu 16. Easy setup and works great! Thank you Proton for this excellent beta.

  84. fishstick

    Are there any official instructions or suggestions fit using ProtonVPN on a router to direct all network traffic through it?
    E.g. using the OpenVPN options in an open-source firmware like dd-wrt?

  85. t0dd

    Instructions for Fedora Linux users…

    1. sudo dnf install NetworkManager-openvpn-gnome openvpn

    2.a. Download ProtonVPN_config.zip file as indicated in the instructions.
    2.b. …
    mkdir ~/.local/share/protonvpn
    cp ProtonVPN_config.zip ~/.local/share/protonvpn/
    cd ~/.local/share/protonvpn
    unzip ProtonVPN_config.zip

    3. Follow original instructions

    4. On GNOME desktop…
    4.a. Upper right corner, open the System Menu (it’s not the System Tray, by the way)…
    Settings icon > Network > Bottom-left, click “+” > Import from file…
    (you will have to start typing “.local/” to get to the hidden .local file)
    Selection a server in your region.
    4.b. Input your OpenVPN login (User name) and password and click Add
    4.c. Close the Settings menu dialogue

    5. On GNOME Desktop, navigate to the upper right corn and open the System Menu again
    Click on VPN Off and scroll/browse down to one of the newly configured VPN options.
    Click the on/off slider
    5.a. Alternatively, you can click on Network Settings, browse to your VPN item, click on it, and ensure the ON/OFF slider is set to ON

    Done.

  86. t0dd

    The Red Hat family? In particular… Fedora?

  87. Sean

    I’ve tried everything to get this to work with DD-WRT.. No dice. Via the web interface or by manually starting openvpn via ssh. Has anyone had any luck with setting this up on DD-WRT? I’m running Kong 28000M. I’d appreciate any help. Cheers!

    Here’s my .conf file:

    ca /opt/openvpncl/proton/proton_ca.crt
    tls-auth proton_tls.key 1
    management 127.0.0.1 16
    management-log-cache 100
    client
    dev tun1
    remote ca-03.protonvpn.com 1194
    proto udp
    remote-random
    resolv-retry infinite
    nobind
    cipher AES-256-CBC
    auth SHA512
    comp-lzo
    verb 3
    script-security 2

    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun

    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0

    remote-cert-tls server
    auth-user-pass /opt/openvpncl/proton/auth.conf
    pull
    fast-io
    auth-nocache

  88. Ken Taylor

    Thank you for the great service (and email) ! I have been testing ProtonVPN on CentOS 7.3 with the Mate desktop. So far, so good. I am running OpenVPN on a dedicated tiny PC which serves as a router and DHCP server for my home LAN.

    I am testing the VPN from Network Manager and from the command line as fr..in describes above. Based on my experience with another VPN service which I use, I prefer the command line method as it will cause all Internet traffic to stop if/when the VPN connection is lost. Network Manager tends to simply switch to an direct Internet connection in the case of a VPN disconnect. Not cool!

    I have also been doing some leakage testing. The only concern which I have been unable to resolve is potential DNS leakage. The command line approach does not seem to offer any way to mitigate this. Nor does Network Manager (although I read that Ubuntu is supposed to deal with DNS leakage – I will have to test). That said…

    Can you provide the addresses for a ProtonVPN DNS? That would seem to be a way to partially mitigate the leakage issue. Any DNS requests would be seen only by the ProtonVPN DNS server – which we can trust.

    Thanks!

  89. Jezza

    On an up-to-date Fedora 25 Desktop with Gnome shell, OpenVPN keeps asking for and rejecting my login credentials – which have been stored and which are correct according to what is saved in my ProtonMail VPN settings – and that’s it.

    Trying on command line with

    sudo openvpn –openvpn {path/to/config/file.ovpn} –auth-user-pass {path/to/text/file/with/username&password}

    results in failure, as well:

    Sun Mar 19 12:12:03 2017 AUTH: Received control message: AUTH_FAILED
    Sun Mar 19 12:12:03 2017 SIGTERM[soft,auth-failure] received, process exiting

    What to do?

  90. ProtonVPN

    Hi Jezza, if this issue persists, please contact our support team via the form at the bottom

  91. Alain

    I use the Ubuntu version 16,10 and the program ProtonVPN works perfectly. I made an attempt with Win 7 but could not finalize the installation. It seems that I do not have sufficient permissions.

  92. Paranoid guy

    Hi, anyone tried this with DD-WRT? I’m using the latest KONG build Firmware: DD-WRT v3.0-r31520M (03/01/17)

  93. !acompletenoob

    Hey, I would also benefit from getting some basic dd-wrt instructions here.

  94. !acompletenoob

    ok may I am a complete noob problem appears to be solved here just 48 hours ago: https://protonvpn.com/support/linux-vpn-setup/#comment-250

  95. Sean

    See my post below. I got it up and running on DD-WRT v3.0-r28000M kongac (10/24/15).
    Both GUI and Terminal write ups are below.

  96. O

    I’m unable to save the imported vpn information without a .crt file. Is there one available?

  97. ProtonVPN

    Hi O, reach out to the support team, they’ll be happy to supply one: https://protonvpn.com/support-form

  98. chee

    this just always times out for me ;-;

  99. Lukas

    dot / period / ” . ” in username gives auth error, thus not connecting.
    Removing the dot fixes the issue, however i believe dots should be allowed!

  100. Sven

    Thank’s!!!! This works very well, and extremely easy to setup.

    I’m using VPN from privatevpn since several years but this was far easier to set up. Im running different linux installation on desktop and laptop, e.g. siduction and kubuntu. The only problem I had was to understand which password I was suppose to enter, since there are several to chose from. ProtonVPN, openvpn within protonmail, protonmail login password etc. Also, I dont understand the difference between the different VPN-files from the same country in the zipfile, again, documentation I guess.

    Overall: Well done,

    Thank you

  101. iw

    Question to DNS leak protection in linux.
    I recognized that a dns leak test showed some non protonmail dns server. I was curious and tried out the ProtonVPN client in windows and the same dns leak test was ok (only 1 dns server from proton vpn showed up).

    So is there a way to achieve this in linux too? I’m using Ubuntu 16 LTS.

  102. protonboy

    I’m no expert, but in my experience you need openvpn .conf files with the certificates broken out into different files for VPN use within command line Linux. Having to manually break the certs out is a pain.

  103. protonboy

    To update on this, I got the .ovpn files working via command line, but not via KDE’s NetworkManager gui.

    Just note that having to manually break out the certs is a frequent complaint by ThatOnePrivacyGuy (very well respected VPN and Email reviewer for people dedicated to privacy), example here:
    https://thatoneprivacysite.net/2016/10/12/crypticvpn-review/

  104. ProtonVPN

    Hi protonboy,
    in our current setting, latest 16.04LTS reads the integrated .ovpn files without a hitch. If you need the separated cert files, please contact support and we’ll get back to you.

  105. Jom

    How about Android… Using openvpn client it fails with a failure to verify server cert… Any ideas?

  106. ProtonVPN

    Hey Jom, check here https://protonvpn.com/support/android-vpn-setup/

  107. leboural

    Hi,
    I’ve tested openvpn connection on Android. Il have an error on certificate. Is it normal ?

  108. Walker Foster

    Try using OpenVPN for Android by Arne Schwabe. Just import the .ovpn config file and enter username and password when prompted. I haven’t had any issues.

  109. ProtonVPN

    There is now also a step by step guide for android here https://protonvpn.com/support/android-vpn-setup/

  110. MARTIN

    Experiencing troubleshooting wih Ubunu Mint Can get connection.

  111. ProtonVPN

    Hi, please contact support and we’ll be happy to help.

  112. DebianUser

    Any chance we could get instructions for set-up using connman? There’s also connman-vpn.

  113. Android User

    How can I connect on Android? I tried OpenVPN Client but it needs a certificate which I didn’t find on this website.

  114. ProtonVPN

    Hi Android User, currently the OpenVPN Connect app on Android has issues with our config files. We’re aware of the issue and are working on a fix and we’ll be distributing platform specific config files in the near future.

  115. Depra

    Great, thank you.
    I hope for it soon.

  116. Protonson

    Android support, this is incredible! Doing the lord’s work!

  117. Perica

    If you use opensource ‘OpenVPN for Android’ app (http://ics-openvpn.blinkt.de/FAQ.html) everything is perfect. You can find it on Google Play or F-Droid.

  118. ProtonVPN

    Hi, check out our android guide: https://protonvpn.com/support/android-vpn-setup/

  119. Peter Pan

    Ubuntu. Installed. Good How-To. Works like a charm. You guys are doing great work!

  120. Kaufas Brady

    There appears to be a bug with network-manager-openvpn-gnome wherein the applet crashes when trying to “import a saved OpenVPN configuration”. Would it be possible to add an example which shows how you’d go about entering one of the ovpn files manually?

  121. storman_norman

    Hi there, I’m excited to start testing this service!

    If we have troubleshooting questions, whom should we email?

    Thanks.

  122. ProtonVPN

    Hi storman_norman, you can always reach our support team via the support form at the bottom.

  123. Dorothe

    The link
    “Learn more about how two pairs of credentials increases security of ProtonVPN.” is broken.
    Best

  124. ProtonVPN

    Thanks, fixed.

  125. DanielSweden

    Hello Proton VPN Team!

    I tried ProtonVPN on Debian Jessie. It works just perfect with following command, no GUI installed.

    daniel@lnxdeb:~/protonvpn$ sudo /usr/sbin/openvpn –auth-nocache –config se-uk-01.protonvpn.com.udp1194.ovpn

    What is the price of ProtonVPN service?

  126. fr..in

    Just trying…:

    sudo openvpn –config [path to.Proton .ovpn file] –auth-user-pass [path to file containing username and password on 2 lines] works too.

    Thank you !

  127. Nils

    Hello,

    Thank you for this complementary service. However, I cannot succeed to make it work on Plasma 5.9 (KDE desktop). I have nor errors neither logs describing what happens but the connection never work. Are you only supporting gnome or will you look at KDE desktop too?

    Furthermore, whatever happen, it looks like I cannot change the password for the openvpn login in the user settings of protonmail. It says that everything is cool when I click on “save” but when I reload the page, it is the old password which is displayed.

    Keep up the great work.
    Thank you!

  128. Pelet

    Issue sorted with applet on Linux Mint 17-32 Bits. No help required thank you ! Please delete my comments and apologies for the unnecessary trouble

  129. Luxlin

    Hi, what have you done? I experience trouble to setup the editing page, because an extra cert is required and there is none in the downloaded folder…

  130. ProtonVPN

    Hi Luxlin, drop us a line at support@ and we’ll supply the necessary cert and key files. While they are already included in the ovpn file, some distro versions have trouble parsing the file correctly (e.g. ubuntu 14.04lts and its cousins)

  131. Don

    The link in section 3 is also broken. It should be https://protonvpn.com/support/vpn-login/ (minus the extra characters at the end).

  132. ProtonVPN

    Thanks, fixed!

  133. Pelet

    Hi Guys.
    I am running Linux Mint 17 / Mozilla Firefox. In the process of installing a new VPN I am unable to find that connection symbol and Edit connections features in system tray. Am I blind?

    Click on your connection symbol, in the system tray on the top right and select ‘Edit connections’.

    Any help please? Thank you

  134. Tish

    Please can you clarify how I can use the encrypted VPN on a mobile android device? Thank you.

  135. ProtonVPN

    Hi Tish, check out the android guide https://protonvpn.com/support/android-vpn-setup/

  136. protonman

    I will be debating on switching to ProtonVPN once officially released.

    The link in section 4. “Learn more more about our Secure Core feature.” is pointing to “http://protonvpn.com/support/linux-vpn-setup ” please update to “https://protonvpn.com/support/secure-core-vpn/”

    Keep up the great work.
    Thank you!

  137. ProtonVPN

    Hi protonman, thanks for pointing it out. It’s fixed.

  138. DanielSweden

    Hello Proton VPN Team!

    I tried ProtonVPN on Debian Jessie. It works just perfect with following command, no GUI installed.

    daniel@lnxdeb:~/protonvpn$ sudo /usr/sbin/openvpn –auth-nocache –config se-uk-01.protonvpn.com.udp1194.ovpn

    What is the price of ProtonVPN service?

Leave a Reply to Luxlin Cancel reply

Your email address will not be published. Required fields are marked *

Don't find your answer? We're happy to help you!     Contact Our Support Team

Secure Your Internet Today

Get ProtonVPN