A step-by-step guide to setting up ProtonVPN on your MikroTik router
ProtonVPN can be set up on your MikroTik router so that it automatically connects to a ProtonVPN server (available with your subscription) whenever an internet connection is established.
Below is a step-by-step guide to connecting a MikroTik router to a ProtonVPN server using the IKEv2 VPN protocol. You can enter the commands below over SSH or in the terminal of your router's web configuration panel.
1. To open the MikroTik command-line interface, open a terminal and connect to the router over SSH (the default LAN address is used here; replace "user" with your router username):
ssh user@192.168.88.1
Read more about using the command line interface with MikroTik
2. Choose a ProtonVPN server and download the OpenVPN configuration file: https://account.protonvpn.com/downloads#openvpn-configuration-files
Learn more about downloading configuration files
3. Get your OpenVPN/IKEv2 service credentials from here: https://account.protonvpn.com/account#openvpn and use them for this setup (they are not your Proton account login).
4. Import the ProtonVPN CA certificate into your router:
/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der name="ProtonVPN CA" passphrase=""
5. Mark ALL traffic that you want to route through the VPN server (here the whole LAN subnet is added to the address list; adjust it to match your network):
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes
6. IPsec/IKEv2 configuration (replace <your_chosen_server_IP> with the IP address of the server you chose in step 2, and <openvpn_ikev2_username> / <openvpn_ikev2_password> with the credentials from step 3):
/ip ipsec mode-config add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer add address=<your_chosen_server_IP> exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" password=<openvpn_ikev2_password> peer="ProtonVPN server" policy-template-group=ProtonVPN username=<openvpn_ikev2_username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
In "/ip ipsec policy" you should now see a new dynamic rule next to your ProtonVPN template policy. It MUST exist; if it does not, the tunnel was not established and the configuration is not working.
Note: To use our NetShield DNS filtering feature, add a suffix to your OpenVPN/IKEv2 username: +f1 to block malware only, or +f2 to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). NetShield is only available with our Plus or Visionary plan.
7. (OPTIONAL) Implement our kill switch. Marked traffic is given a routing mark that points at a blackhole routing table, so if the tunnel is down it is dropped instead of leaving the router unencrypted:
/interface/bridge/add name=protonvpn_blackhole protocol-mode=none
/routing/table/add name=protonvpn_blackhole fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip/route/add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole
8. (IMPORTANT) Exclude the marked VPN traffic from fasttrack. Fasttracked connections bypass the mangle and IPsec processing above, so the default fasttrack rules must go.
To list all firewall filter rules:
/ip firewall filter print
To remove the two fasttrack rules (the default "defconf: fasttrack" rule and the dynamic dummy counter rule), append the rule numbers you found in the output above to the following command:
/ip firewall filter remove
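Finding the right rule numbers by eye is error-prone on a router with many rules. As an added example (not part of the ProtonVPN article or MikroTik's own tooling), this Python snippet parses saved "/ip firewall filter print" output, picks out the fasttrack rule and the dynamic dummy counter rule, and builds the remove command for step 8. The sample output is constructed and its layout (index, optional flag letters, optional ";;;" comment line, indented key=value lines) is an assumption based on RouterOS 7; check it against your own router's output.

```python
import re

# Constructed sample of "/ip firewall filter print" output (format assumed from
# RouterOS 7): index, optional flag letters, optional ";;;" comment, key=value.
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related
      hw-offload=yes

 3    chain=forward action=drop connection-state=invalid
"""

HEADER = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(.*)$")  # index, flags, body
PROP = re.compile(r"(\S+?)=(\S+)")


def parse_filter_print(text):
    """Turn print output into a list of rules: index, flags, comment, props."""
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new rule starts with its index
            rules.append({"index": int(m.group(1)), "flags": m.group(2) or "",
                          "comment": "", "props": {}})
            body = m.group(3)
        elif rules:  # indented continuation of the current rule
            body = line
        else:  # "Flags:" legend before the first rule
            continue
        if body.startswith(";;; "):  # comment line, properties follow
            rules[-1]["comment"] = body[4:].strip()
        else:
            rules[-1]["props"].update(PROP.findall(body))
    return rules


def fasttrack_rule_indexes(rules):
    """Indexes of the fasttrack rule and the dynamic dummy counter rule."""
    return [r["index"] for r in rules
            if r["props"].get("action") == "fasttrack-connection"
            or "fasttrack counters" in r["comment"]]


def remove_command(indexes):
    """Build the step-8 remove command from the indexes found."""
    return "/ip firewall filter remove " + ",".join(str(i) for i in indexes)
```

Run it against the real output pasted into SAMPLE_PRINT and copy the returned command into the router terminal.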
9. Reduce the TCP MSS for marked connections so that packets fit inside the IPsec tunnel without fragmentation:
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375
10. Do not forget to make sure the fasttrack rule is removed or disabled under FIREWALL RULES, then reboot your router!
/system reboot