Return to protonvpn.com Facebook   Twitter   Reddit   Instagram   Mastodon   ProtonMail
Support Center / Setup and use / How to setup ProtonVPN on MikroTik routers

How to setup ProtonVPN on MikroTik routers

A step-by-step guide to setting up ProtonVPN on your MikroTik router

ProtonVPN can be set up on your MikroTik router so that it will automatically connect to a ProtonVPN server (available on your subscription) whenever an internet connection is established. 

Below is a step-by-step guide to connecting a MikroTik router to a ProtonVPN server using the IKEv2 VPN protocol.  You can make these changes using the web configuration panel of your router. 

1. To open the MikroTik configuration panel, open your terminal and enter

ssh user@192.126.88.1

Read more about using the command line interface with MikroTik

2. Choose a ProtonVPN server and download the OpenVPN configuration file: https://account.protonvpn.com/downloads#openvpn-configuration-files

Learn more about downloading configuration files

3. Get your service credentials from here: https://account.protonvpn.com/account#openvpn and use them for this setup.

4. Import ProtonVPN CA to your router:

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der name="ProtonVPN CA" passphrase=""

5. Mark ALL traffic that you want to route through VPN server

/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

6. IPsec/IKEv2 configuration

/ip ipsec mode-config add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer add address=<your_chosen_server_IP> exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" password=<openvpn_ikev2_password> peer="ProtonVPN server" policy-template-group=ProtonVPN username=<openvpn_ikev2_username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes

In “/ip ipsec policy” you should be able to see a new dynamic rule added next to your ProtonVPN policy. It MUST exist, otherwise configuration is not working.

Note: To use our NetShield DNS filtering feature, you need to add suffixes to your OpenVPN/IKEv2 username. Add the suffix +f1 to block malware only or +f2  to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). NetShield is only available with our Plus or Visionary plan.

7. (OPTIONAL) Implement our kill switch

/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes

 

8. (IMPORTANT) Exclude such VPN traffic from fasttrack

To list all firewall rules

/ip firewall filter print

To remove the two fasttrack rules (the default rule and the dummy rule), add the appropriate numbers you found from the command above to the following command

/ip firewall filter remove

9. Reduce MSS

/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375

10. Do not forget to disable the fasttrack rule in FIREWALL RULES and reboot your router!

system reboot

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Didn't find the answer you were looking for? We're happy to help you!Contact Our Support Team

Secure your internet

Get ProtonVPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN