How to set up Proton VPN on MikroTik routers

A step-by-step guide to setting up Proton VPN on your MikroTik router

Proton VPN can be set up on your MikroTik router so that it will automatically connect to a Proton VPN server (available on your subscription) whenever an internet connection is established. 

Below is a step-by-step guide to connecting a MikroTik router to a Proton VPN server using the IKEv2 VPN protocol.  You can make these changes using the web configuration panel of your router. 

1. To open the MikroTik configuration panel, open your terminal and enter

ssh user@

Read more about using the command line interface with MikroTik

2. Choose a Proton VPN server and download the OpenVPN configuration file:

Learn more about downloading configuration files

3. Get your service credentials from here: and use them for this setup.

4. Import Proton VPN CA to your router:

/tool fetch url=""
/certificate import file-name=ProtonVPN_ike_root.der name="Proton VPN CA" passphrase=""

5. Mark ALL traffic that you want to route through the VPN server:

/ip firewall address-list add address= list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

6. IPsec/IKEv2 configuration

/ip ipsec mode-config add connection-mark=under_protonvpn name="Proton VPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="Proton VPN profile"
/ip ipsec peer add address=<your_chosen_server_IP> exchange-mode=ike2 name="Proton VPN server" profile="Proton VPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="Proton VPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="Proton VPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="Proton VPN mode config" password=<openvpn_ikev2_password> peer="Proton VPN server" policy-template-group=ProtonVPN username=<openvpn_ikev2_username>
/ip ipsec policy add dst-address= group=ProtonVPN proposal="Proton VPN proposal" src-address= template=yes

In “/ip ipsec policy” you should be able to see a new dynamic rule added next to your Proton VPN policy. It MUST exist; otherwise, the configuration is not working.

Note: To use our NetShield DNS filtering feature, you need to add suffixes to your OpenVPN/IKEv2 username. Add the suffix +f1 to block malware only or +f2 to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). NetShield is only available with our Plus or Visionary plan.

7. (OPTIONAL) Implement our kill switch

/interface/bridge/add name=protonvpn_blackhole protocol-mode=none
/routing/table/add name=protonvpn_blackhole fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip/route/add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole

8. (IMPORTANT) Exclude such VPN traffic from fasttrack

To list all firewall rules

/ip firewall filter print

To remove the two fasttrack rules (the default rule and the dummy rule), add the appropriate numbers you found from the command above to the following command

/ip firewall filter remove

9. Reduce MSS

/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375

10. Do not forget to disable the fasttrack rule in FIREWALL RULES and reboot your router!

system reboot
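
One way to check a router against the steps above, as an added example that is not part of Proton's guide: the Python script below audits the text produced by the RouterOS /export command and lists the steps that are not satisfied. The sample export is constructed, and the function names are this example's own.

```python
import shlex

# Constructed sample of RouterOS `/export` output (not from a real router).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn \
    passthrough=yes src-address-list=under_protonvpn
/ip ipsec mode-config
add connection-mark=under_protonvpn name="Proton VPN mode config" responder=no
'''

def parse_export(text):
    """Return [(menu_path, {property: value})] for each `add` line of an export."""
    rules, menu = [], None
    # Assumption: continuation lines (trailing backslash) break between properties.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps name="Proton VPN ..." as one token
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def audit(text, mark="under_protonvpn"):
    """List the guide's steps that the exported configuration does not satisfy."""
    rules = parse_export(text)

    def active(menu, **want):
        # A rule counts only if it is enabled and carries every wanted property.
        return any(m == menu and p.get("disabled") != "yes"
                   and all(p.get(k.replace("_", "-")) == v for k, v in want.items())
                   for m, p in rules)

    findings = []
    if active("/ip firewall filter", action="fasttrack-connection"):
        findings.append("step 8/10: fasttrack rule is still enabled")
    if not active("/ip firewall mangle", action="mark-connection", new_connection_mark=mark):
        findings.append("step 5: no mark-connection rule for " + mark)
    if not active("/ip ipsec mode-config", connection_mark=mark):
        findings.append("step 6: mode-config is not bound to " + mark)
    if not active("/ip firewall mangle", action="mark-routing", new_routing_mark="protonvpn_blackhole"):
        findings.append("step 7 (optional): kill switch mark-routing rule missing")
    if not active("/ip firewall mangle", action="change-mss", connection_mark=mark):
        findings.append("step 9: no change-mss rule for " + mark)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

An empty result only means the static rules are in place; the dynamic policy described in step 6 still has to be confirmed on the router itself.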
