A step-by-step guide to setting up Proton VPN on your MikroTik router
Proton VPN can be set up on your MikroTik router so that it will automatically connect to a Proton VPN server (available on your subscription) whenever an internet connection is established.
Below is a step-by-step guide to connecting a MikroTik router to a Proton VPN server using the IKEv2 VPN protocol. You can make these changes using the web configuration panel of your router.
1. To open the MikroTik configuration panel, open your terminal and enter
ssh user@192.126.88.1
Read more about using the command line interface with MikroTik
2. Choose a Proton VPN server and download the OpenVPN configuration file: https://account.protonvpn.com/downloads#openvpn-configuration-files
Learn more about downloading configuration files
3. Get your service credentials from here: https://account.protonvpn.com/account#openvpn and use them for this setup.
4. Import Proton VPN CA to your router:
/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der" /certificate import file-name=ProtonVPN_ike_root.der name="Proton VPN CA" passphrase=""
5. Mark ALL traffic that you want to route through VPN server
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes
6. IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_protonvpn name="Proton VPN mode config" responder=no /ip ipsec policy group add name=ProtonVPN /ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="Proton VPN profile" /ip ipsec peer add address=<your_chosen_server_IP> exchange-mode=ike2 name="Proton VPN server" profile="Proton VPN profile" /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="Proton VPN proposal" pfs-group=none /ip ipsec identity add auth-method=eap certificate="Proton VPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="Proton VPN mode config" password=<openvpn_ikev2_password> peer="Proton VPN server" policy-template-group=ProtonVPN username=<openvpn_ikev2_username> /ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="Proton VPN proposal" src-address=0.0.0.0/0 template=yes
In “/ip ipsec policy” you should be able to see a new dynamic rule added next to your Proton VPN policy. It MUST exist, otherwise configuration is not working.
Note: To use our NetShield DNS filtering feature, you need to add suffixes to your OpenVPN/IKEv2 username. Add the suffix +f1 to block malware only or +f2 to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). NetShield is only available with our Plus or Visionary plan.
7. (OPTIONAL) Implement our kill switch
/interface/bridge/add name=protonvpn_blackhole protocol-mode=none /routing/table/add name=protonvpn_blackhole fib /ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes /ip/route/add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole
8. (IMPORTANT) Exclude such VPN traffic from fasttrack
To list all firewall rules
/ip firewall filter print
To remove the two fasttrack rules (the default rule and the dummy rule), add the appropriate numbers you found from the command above to the following command
/ip firewall filter remove
9. Reduce MSS
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375
10. Do not forget to disable the fasttrack rule in FIREWALL RULES and reboot your router!
system reboot
