How to set up Proton VPN on MikroTik routers using WireGuard
You can set up Proton VPN on your MikroTik router so that all devices that connect to the internet through it are protected by Proton VPN.
In this guide, we show you how to do this using the WireGuard VPN protocol on MikroTik routers running RouterOS 7. This requires a Proton VPN account.
How to set up Proton VPN WireGuard on MikroTik routers (update)
1. Download a WireGuard configuration file
Open it using any text editor.
Learn how to download a WireGuard configuration file from Proton VPN
Note that you can’t use a saved config file. Proton VPN never stores your private keys, so saved config files don’t have them. You must create and download a new config file.
2. Open the MikroTik configuration panel
To do this, open a command line (using Terminal on Linux and macOS or PowerShell on Windows) and enter:
ssh user@192.168.88.1
Read more about using the command line with MikroTik
3. Create a new WireGuard interface
Using the command line, enter the following text and press Enter. To find your private key, look for the line starting PrivateKey= in the WireGuard config file you downloaded in step 1.
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard-inet private-key="your private key"
All following steps will involve you entering commands into the command line.
4. Add an IP address to the interface you just created:
/ip address add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
5. Add a WireGuard server as a peer
Add the endpoint address, endpoint port, and public key from the WireGuard config file. Look for the lines starting PublicKey= and Endpoint=.
For example, if the config says Endpoint=103.107.197.2:51820, enter endpoint-address=103.107.197.2 and endpoint-port=51820
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key"
6. Enable masquerade for that interface
Note: This setup assumes that you are using the default local network address used by MikroTik. If you have changed this, use that address for src-address= instead.
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
7. Redirect all internet traffic through WireGuard
/ip route add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
8. Configure DNS settings
/ip dns set servers=10.2.0.1
/ip dhcp-client set 0 use-peer-dns=no
9. Redirect the WireGuard IP address through main provider’s gateway
Replace x.x.x.x with the endpoint address from the config file (Endpoint=).
/ip route add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
If this doesn’t work, you’ll need to replace gateway=[/ip dhcp-client get [find interface=ether1] gateway] with gateway=x.x.x.x, where x.x.x.x is your own internet gateway address. Your internet service provider (ISP) should be able to provide this address.
10. Restart your router
And you’re done! Your router should now protect all internet connections it provides with Proton VPN.
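Steps 3, 5 and 9 each copy a value out of the config file by hand, so the following added example (not Proton VPN's or MikroTik's code) parses the file, rejects a config with a missing or malformed key or endpoint, and fills in those three commands. The function names are hypothetical, the sample keys are constructed constants, and the endpoint is assumed to be a literal IPv4 address as in the step 5 example.

```python
import base64
import configparser
import ipaddress

# Constructed sample: keys are 32 constant bytes (not real keys); the endpoint
# is the example value from step 5 of the guide.
SAMPLE = f"""[Interface]
PrivateKey = {base64.b64encode(bytes(32)).decode()}

[Peer]
PublicKey = {base64.b64encode(bytes([1]) * 32).decode()}
Endpoint = 103.107.197.2:51820
"""


def _key(value, name):
    """A WireGuard key is 32 bytes of base64; this also rejects quotes and spaces."""
    if not value:
        raise ValueError(f"{name} missing: create and download a new config file")
    if len(base64.b64decode(value, validate=True)) != 32:  # bad base64 -> ValueError
        raise ValueError(f"{name} does not decode to 32 bytes")
    return value


def parse_wg_conf(text):
    """Extract and validate the values steps 3, 5 and 9 need."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep PrivateKey / PublicKey / Endpoint case-sensitive
    cp.read_string(text)
    host, _, port = cp.get("Peer", "Endpoint", fallback="").rpartition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("Endpoint must be address:port")
    ipaddress.IPv4Address(host)  # raises ValueError unless a literal IPv4 address
    return {"private_key": _key(cp.get("Interface", "PrivateKey", fallback=""), "PrivateKey"),
            "public_key": _key(cp.get("Peer", "PublicKey", fallback=""), "PublicKey"),
            "endpoint_address": host, "endpoint_port": int(port)}


def routeros_commands(c, ifname="wireguard-inet"):
    """Return the commands from steps 3, 5 and 9 with the config values filled in."""
    return [
        f'/interface wireguard add listen-port=13231 mtu=1420 name={ifname} '
        f'private-key="{c["private_key"]}"',
        f'/interface wireguard peers add allowed-address=0.0.0.0/0 '
        f'endpoint-address={c["endpoint_address"]} endpoint-port={c["endpoint_port"]} '
        f'interface={ifname} persistent-keepalive=25s public-key="{c["public_key"]}"',
        f'/ip route add disabled=no dst-address={c["endpoint_address"]}/32 '
        'gateway=[/ip dhcp-client get [find interface=ether1] gateway] '
        'routing-table=main suppress-hw-offload=no',
    ]

if __name__ == "__main__":
    print("\n".join(routeros_commands(parse_wg_conf(SAMPLE))))
```

The output contains the private key, so handle it with the same care as the config file itself and avoid leaving it in shell history or shared logs.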