How to setup Proton VPN on MikroTik routers using WireGuard

You can set up Proton VPN on your MikroTik router so that all devices that connect to the internet through it are protected by Proton VPN.  

In this guide, we show you how to do this using the WireGuard VPN protocol on MicroTik routers running RouterOS 7. This requires a Proton VPN Account 

How to set up Proton VPN WireGuard® on MikroTik routers (update)

1. Download a WireGuard configuration file

Open it using any text editor.

Learn how to download a WireGuard configuration file from Proton VPN

Note that you can’t use a saved config file. Proton VPN never stores your private keys, so saved config files don’t have them. You must create and download a new config file. 

2. Open the MikroTik configuration panel

To do this, open a command line (using Terminal on Linux and macOS or PowerShell on Windows) and enter:

ssh user@192.168.88.1

Read more about using the command line with MikroTik(new window)

3. Create a new WireGuard interface

Using the command line, enter the following text and tap <enter>. To find your private key, look for the line starting PrivateKey= in the WireGuard config file you downloaded in step 1.

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=”your private key”

All following steps will involve you entering commands into the command line.

4. Add an IP address to the interface you just created:

/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0  

5. Add a WireGuard server as a peer

Add the endpoint address, endpoint port, and public key from the WireGuard config file. Look for the lines starting PublicKey= and Endpoint=. 

For example, if the config says Endpoint=103.107.197.2:51820, enter endpoint-address=103.107.197.2 and endpoint-port=51820

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key" 

6. Enable masquerade for that interface

Note: This setup assumes that you are using the default local network address used by MikroTik. If you have changed this, use that address for scr-address=  instead.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

7. Redirect all internet traffic through WireGuard

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

8. Configure DNS settings

/ip dns
set servers=10.2.0.1
/ip dhcp-client
set 0 use-peer-dns=no

9. Redirect the WireGuard IP address through main provider’s gateway

Replace x.x.x.x with the endpoint address from the config file (Endpoint=). 

/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no

If this doesn’t work, you’ll need to replace gateway=[/ip dhcp-client get [find interface=ether1] gateway] with gateway=x.x.x.x, where x.x.x.x is your own internet gateway address. Your internet service provider (ISP) should be able to provide this address.

10. Restart your router

And you’re done! Your router should now protect all internet connections it provides with Proton VPN.