How to manually set up port forwarding

Port forwarding routes connections through the firewall Proton VPN uses to protect our customers. It’s mainly useful to people downloading and sharing files using P2P protocols such as BitTorrent, although it can also improve performance for online gamers.

Learn more about port forwarding

Port forwarding is available on our Windows app. However, it’s also possible to use port forwarding on other devices that are manually configured to connect to Proton VPN using our OpenVPN or WireGuard configuration files. 

Step 1: Configure VPN settings

All our P2P servers support port forwarding. P2P servers can be easily identified in our apps and on our VPN configuration download pages by a double-arrow icon.

How to spot P2P servers

OpenVPN

1. Sign in to your Proton VPN Account and go to Account → Downloads → OpenVPN configuration files. Select a VPN server that supports P2P (double-arrow icon) and download its OpenVPN configuration files.

2. Configure your OpenVPN client (such as OpenVPN GUI for Windows, Tunnelblick for macOS, or the OpenVPN CLI or NetworkManager GUI for Linux).

Remember that your OpenVPN login username and password are different from your regular Proton Account username and password. You can find them in your Proton VPN Account by going to Account → OpenVPN / IKEv2 username.

To use port forwarding, add the suffix +pmp to your OpenVPN username. For example, if your OpenVPN username is “myusername2023”, use “myusername2023+pmp”.

Note that you can combine the +pmp suffix with other suffixes supported by Proton VPN. For example, to use port forwarding and our NetShield Ad-blocker feature, your username might be “myusername2023+pmp+f2”.

3. Connect to Proton VPN. To check that you’re connected and the VPN is working correctly, visit ip.me or open a Terminal window on macOS or Linux and enter curl ip.me.

WireGuard

1. Sign in to your Proton VPN Account and go to Account → Downloads → WireGuard configuration.

2. Select a VPN server that supports P2P (double-arrow icon) and generate a WireGuard configuration file. When doing this, ensure that Select VPN options → NAT-PMP (port forwarding) is enabled.

Enable NAT-PMP

3. Download the generated WireGuard configuration file and use it to configure your WireGuard client. See our sample guide to installing WireGuard with Proton VPN on Ubuntu using Network Manager.

4. Connect to Proton VPN. To check that you’re connected and the VPN is working correctly, visit ip.me or open a Terminal window on macOS or Linux and enter curl ip.me.

curl ip.me

Step 2: How to use port forwarding

Manual configuration

You can manually create the correct port mappings on any desktop system in several ways. For example, using netsh on Windows or a mix of Python commands and Cron jobs on Debian.

The example below shows you how to create the correct port mappings on Linux using natpmpc. 

1. Connect to the VPN with port forwarding enabled, as described above.

2. Check that port forwarding is allowed on the server you’re connected to. To do this, open a terminal window and enter:

natpmpc

If port forwarding is permitted on the server you are connected to, the output will look like this:

[Screenshot: natpmpc success]

If this test fails (see screenshot below), please return to Step 1 of this guide, select a different P2P server, and ensure your VPN connection is configured correctly. 

[Screenshot: natpmpc fail]

3. Create a UDP port mapping, needed for port forwarding. Enter:

natpmpc -a 0 0 udp 60

In the example below, port 43935 has been allocated for this.

[Screenshot: Create a UDP port mapping]

4. Create a port mapping on TCP.

natpmpc -a 0 0 tcp 60

In the example below, port 43935 has been allocated for this.

[Screenshot: Create a TCP port mapping]

5. Finally, run natpmpc in a loop so that the mappings are renewed before they expire. Enter:

while true ; do date ; natpmpc -a 0 0 udp 60 && natpmpc -a 0 0 tcp 60 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done

[Screenshot: Loop natpmpc so that it doesn’t expire]

Port forwarding is now activated. Note that closing your terminal window will terminate the loop process. You will need to re-run this loop script each time you want to start a new port forwarding session, or the port will only stay open for 60 seconds. 

Technical notes

1. Our extension to the NAT-PMP protocol uses internal/external ports 0/0. This is a Proton VPN customization that follows RFC 6886 for NAT-PMP implementation to assign a random external port but adds custom handling of requests to ports 0/0.

This makes configuration easier by ensuring the mapped internal port and external port are the same.

2. These instructions have very little in the way of error handling. Best practice would be to parse the return code and output of natpmpc, but we haven’t done that here to keep this guide as simple as possible. You can find a good example of correct error handling here (but please note that Proton VPN has no affiliation whatsoever with this Reddit discussion). 
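One way to add the error handling that technical note 2 describes, as an added example rather than Proton VPN's own script: it checks natpmpc's exit status, parses the mapped port from its output, and flags a UDP/TCP mismatch or a port that changes between renewals. It assumes natpmpc reports a mapping on a line beginning "Mapped public port <port> protocol"; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide): renew the NAT-PMP mappings
# from step 5, checking natpmpc's exit status and its output.
# Assumption: a successful mapping is reported on a line such as
#   Mapped public port 43935 protocol UDP to local port 43935 liftime 60

# Read natpmpc output on stdin; print the public port, fail if none is valid.
parse_port() {
    awk '/^Mapped public port [0-9]+ protocol/ && $4 >= 1 && $4 <= 65535 { print $4; ok = 1; exit }
         END { exit !ok }'
}

# Request one mapping ($1 = udp or tcp, 60 s lifetime); print the public port.
map_port() {
    out=$(natpmpc -a 0 0 "$1" 60 2>&1) || { echo "natpmpc $1 failed: $out" >&2; return 1; }
    printf '%s\n' "$out" | parse_port || { echo "no valid mapping in natpmpc $1 output" >&2; return 1; }
}

# One renewal round: both protocols must succeed and agree on the port.
# Prints the port. Returns 1 on error, 2 if the port differs from $1.
renew_once() {
    prev=${1:-}
    udp=$(map_port udp) || return 1
    tcp=$(map_port tcp) || return 1
    [ "$udp" = "$tcp" ] || { echo "UDP/TCP ports differ: $udp vs $tcp" >&2; return 1; }
    echo "$udp"
    [ -z "$prev" ] || [ "$prev" = "$udp" ] || return 2
}

# Renew every 45 s (lifetime is 60 s); stop on the first hard error.
renew_loop() {
    port=""
    while true; do
        new=$(renew_once "$port") && rc=0 || rc=$?
        case $rc in
            0) ;;
            2) echo "$(date): public port changed from $port to $new" >&2 ;;
            *) echo "$(date): renewal failed, stopping" >&2; return 1 ;;
        esac
        port=$new
        echo "$(date): port $port mapped for 60 s"
        sleep 45
    done
}

# Start the loop only when invoked as: sh renew.sh run
if [ "${1:-}" = "run" ]; then renew_loop; fi
```

A changed port means the application behind the VPN is still configured for the old one, so treat that message as a prompt to update its listening port.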
