How to manually set up port forwarding
Port forwarding routes connections through the firewall Proton VPN uses to protect our customers. It’s mainly useful to people downloading and sharing files using P2P protocols such as BitTorrent, although it can also improve performance for online gamers.
Learn more about port forwarding
Port forwarding is available to everyone with a paid Proton VPN plan. If you’re on our free plan, you can upgrade by signing in to account.protonvpn.com and choosing a paid plan from the Subscription tab the meets your needs
Port forwarding available on our Windows app, and our Linux app now offers a port forwarding feature that replaces the need to use configuration files on a third-party VPN client. However, port forwarding on Linux is only partially automated, and requires some manual setup.
It’s also possible to use port forwarding on devices that are manually configured to connect to Proton VPN using our OpenVPN or WireGuard configuration files.
- Configure VPN settings for OpenVPN
- Configure VPN settings for WireGuard
- How to manually port forward on Linux
- How to port forward on macOS
- Technical notes
Step 1: Download OpenVPN or WireGuard configuration files
Note that this step isn’t needed if you’re using our Linux app. All our P2P servers support port forwarding. P2P servers can be easily identified in our apps and on our VPN configuration download pages by a double-arrow icon.
OpenVPN
1. Sign in to your Proton VPN Account and go to Account→ Downloads → OpenVPN configuration files. Select a VPN server that supports P2P (double-arrow icon) and download its OpenVPN configuration files.
2. Configure your OpenVPN client (such as OpenVPN GUI for Windows, Tunnelblick for macOS, or the OpenVPN CLI or NetworkManager GUI for Linux).
Remember that your OpenVPN login username and password are different from your regular Proton Account username and password. You can find them in your Proton VPN Account by going to Account→ OpenVPN / IKEv2 username.
To use port forwarding, add the suffix +pmp to your OpenVPN username. For example, if your OpenVPN username is “myusername2023”, use “myusername2023+pmp”.
Note that you can use the +pmp suffix with other suffixes supported by Proton VPN. For example, to use port forwarding and our Netshield Ad-blocker feature, your username might be “myusername2023+pmp+f2”.
3. Connect to Proton VPN. To check that you’re connected and the VPN is working correctly, visit ip.me(новое окно) or open a Terminal window on macOS or Linux and enter curl ip.me.
WireGuard
1. Sign in to your Proton VPN Account and go to Account→ Downloads → WireGuard configuration.
2. Select a VPN server that supports P2P (double-arrow icon) and generate a WireGuard configuration file. When doing this, ensure that Select VPN options → NAT-PMP (port forwarding) is enabled.
3. Download the generated WireGuard configuration file and use it to configure your WireGuard client. See our sample guide to installing WireGuard with Proton VPN on Ubuntu using Network Manager.
4. Connect to Proton VPN. To check that you’re connected and the VPN is working correctly, visit ip.me(новое окно) or open a Terminal window on macOS or Linux and enter curl ip.me.
Step 2: How to use port forwarding
Linux
Our Linux app offers a port forwarding feature that replaces the need to use configuration files on a third-party VPN client (as described above). To enable port forwarding, open the app, go to Settings → and toggle the Port forwarding switch on.
However, at present you’ll need to manually configure the rest of the process in the same way as if you’re using a VPN third-party client with our OpenVPN or WireGuard configuration files.
If you don’t use our official Linux client, you can connect to the VPN using manual configuration with port forwarding (NAT-PMP) enabled, as described above.
The example below shows you how to create the correct port mappings on Linux using natpmpc.
1. Connect to the VPN with port forwarding enabled.
2. Install natpmpc. To do this on Debian and Ubuntu-based systems, open a terminal window and enter:
sudo apt install natpmpc
On RedHat systems (including Fedora), enter:
sudo dnf install libnatpmp
3. Verify your natpmpc version. natpmpc versions 20150609-xxx contain a bug that may misinterpret the response from the VPN server and generate confusing output. The Proton VPN team submitted a fix to this that has been accepted and merged upstream, so the bug doesn’t affect natpmpc version 20230423-xxx (and newer).
To verify the natpmpc version your running on Debian and Ubuntu-based systems, open a terminal window and enter:
apt policy natpmpc libnatpmp*
On RedHat systems (including Fedora), enter:
dnf list libnatpmp
If you’re running an older version of natpmpc, you should update it to natpmpc version 20230423-xxx (or newer). To do this, you can either:
- Manually download the latest versions of natpmpc(новое окно) and libnatpmp1(новое окно) (DEB) or libnatpmp(новое окно) (RPM) as binaries
- Compile libnatpmp from source using the following commands:
git clone https://github.com/miniupnp/libnatpmp.git
cd libnatpmp
make all
sudo make install
4. Check that port forwarding is allowed on the server you’re connected to. To do this, open a terminal window and enter:
natpmpc -g 10.2.0.1
If port forwarding is permitted on the server you are connected to, the output will look like this:
If this test fails (see screenshot below), please return to Step 1 of this guide, select a different P2P server, and ensure your VPN connection is configured correctly.
5. Create UDP and TCP port mappings, then loop natpmpc so that it doesn’t expire. Enter:
while true ; do date ; natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done
In the example below, port 53186 has been allocated for this (for both UDP and TCP).
Port forwarding is now activated. Note that closing your terminal window will terminate the loop process. You will need to re-run this loop script each time you want to start a new port forwarding session or the port will only stay open for 60 seconds.
6. In your BitTorrent client, disable UPnP / NAT-PMP port forwarding from your router and paste the public port number displayed in the connection output (see above), into the port forwarding section of your BitTorrent client.
For example, on qBittorrent, go to Tools → Preferences... → Connection → Listening port → paste the port number into Port used for communications field. Below it, uncheck Use UPnP / NAT-PMP port forwarding from my router (it’s enabled by default). Click OK when you’re done.
Port forwarding is now configured.
macOS
Get an OpenVPN or WireGuard config file from ProtonVPN, making sure the server supports P2P and the NAT-PMP toggle is enabled.
1. Connect to the VPN with port forwarding (NAT-PMP) enabled, as described above.
2. Download Python 3(новое окно) as a DMG and install it. You’ll need to allow the app by going to Privacy & Security → Security.
3. Install Pip. To do this, open Terminal and enter:
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
Followed by:
python3 get-pip.py
Then run:
python3 -m pip install py-natpmp
4. We can now run natpmpc and loop it so that it doesn’t expire:
cd "$(python3 -m pip show py-natpmp | grep Location | cut -d\ -f 2)/natpmp" && while true ; do date ; python3 natpmp_client.py -g 10.2.0.1 0 0 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done
Port forwarding is now enabled. Note that you’ll need to leave the Terminal window open for the script to continue working. To disable the bell notification each time the script loops, go to menu bar → Terminal → Settings → Profiles tab → Advanced → Bell and uncheck Audible Bell.
5. In your BitTorrent client, disable UPnP / NAT-PMP port forwarding from your router and paste in the public port number displayed in the connection output (see above), into the port forwarding section of your BitTorrent client.
For example, on qBittorrent, go to Tools → Preferences... → Connection → Listening port → paste the port number into the Port used for communications field. Below it, uncheck Use UPnP / NAT-PMP port forwarding from my router (it’s enabled by default). Click OK when you’re done.
Port forwarding should now be active on your BitTorrent client.