How to set up VPN Client for ProtonVPN?

[XIII]

After having successfully set up a VPN server (for quite some time) I would now like to try configuring a VPN client on the router. Since my paid provider does not support OpenVPN (I use it only on iOS, using IKEv2) I would like to experiment with the free variant of ProtonVPN.

I read the instructions for NordVPN which seem a good start: https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

From ProtonVPN I downloaded this OPVN configuration file:

client
dev tun
proto udp
remote nl-free-01.protonvpn.com 1194
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass
pull
fast-io
block-outside-dns
<ca>REMOVED</ca>
key-direction 1
<tls-auth>REMOVED</tls-auth>

After importing that and entering my ProtonVPN credentials the OpenVPN client would not start due to an invalid configuration. Removing the block-outside-dns directive seemed to solve that.

The OpenVPN client does start now, but I can't access any site. I first thought that DNS did not work. However, accessing a site via its IP does not work either.

Any tips on how to investigate/solve this?

Note: I use unbound (via Entware) with DNSSEC for DNS over TLS and also run AB-Solution and SkyNet.

 

[Billy Chaney]

I was just wondering what DNS you were using. I tried using 10.8.8.1 from ProtonVPN, but it kept locking up my AC68U.

 

[Xentrk]

Try adding this line to custom configuration section to seeing helps

dhcp-option dns some.dns.ip.address

E.g. dhcp-option dns 9.9.9.9

 

[Billy Chaney]

That worked. Thank you very much. I was really bummed out about having to use googles dns.

 

[Xentrk]

That worked. Thank you very much. I was really bummed out about having to use googles dns.

If you route all traffic over the tunnel, set Accept DNS Configuration to Exclusive. That should force all vpn clients to use DNS of VPN provider.

If you use Policy Rules, DNS acts differently. I have to set Accept DNS Configuration to Strict and add the dhcp-option line in the Custom Config section. Otherwise I have routing issues. wget will not work for example and AB-Solution will not work over the VPN tunnel. Unfortunately, the downside is DNS will leak.

 

[Xentrk]

After having successfully set up a VPN server (for quite some time) I would now like to try configuring a VPN client on the router. Since my paid provider does not support OpenVPN (I use it only on iOS, using IKEv2) I would like to experiment with the free variant of ProtonVPN.

I read the instructions for NordVPN which seem a good start: https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

From ProtonVPN I downloaded this OPVN configuration file:

client
dev tun
proto udp
remote nl-free-01.protonvpn.com 1194
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass
pull
fast-io
block-outside-dns
<ca>REMOVED</ca>
key-direction 1
<tls-auth>REMOVED</tls-auth>

After importing that and entering my ProtonVPN credentials the OpenVPN client would not start due to an invalid configuration. Removing the block-outside-dns directive seemed to solve that.

The OpenVPN client does start now, but I can't access any site. I first thought that DNS did not work. However, accessing a site via its IP does not work either.

Any tips on how to investigate/solve this?

Note: I use unbound (via Entware) with DNSSEC for DNS over TLS and also run AB-Solution and SkyNet.

It is still on my to do list to test unbound on AsusWRT Merlin.

 

[Billy Chaney]

If you route all traffic over the tunnel, set Accept DNS Configuration to Exclusive. That should force all vpn clients to use DNS of VPN provider.

If you use Policy Rules, DNS acts differently. I have to set Accept DNS Configuration to Strict and add the dhcp-option line in the Custom Config section. Otherwise I have routing issues. wget will not work for example and AB-Solution will not work over the VPN tunnel. Unfortunately, the downside is DNS will leak.

I used 10.8.8.1 and checked with dnsleak.com and no leaks. Try that DNS.

 

[XIII]

I was just wondering what DNS you were using.

Quad9.

But I'm going to try the suggestions I got here this weekend. Thanks!

 

[LostFreq]

After importing that and entering my ProtonVPN credentials the OpenVPN client would not start due to an invalid configuration. Removing the block-outside-dns directive seemed to solve that.

The OpenVPN client does start now, but I can't access any site. I first thought that DNS did not work. However, accessing a site via its IP does not work either.

Any tips on how to investigate/solve this?

See also my post here: https://www.snbforums.com/threads/382-2-beta3-vpn-client-working.44171/#post-375106
Although I use ProtonVPN my config never had that block-outside-dns line.
I use 'Policy Rules (strict)' and have 'Accept DNS Configuration' set to Exclusive. Without a dhcp-option line.
My external DNS servers are configured only on the 'WAN - Internet Connection' page (i.e. not on the 'LAN - DHCP Server' page).

 

[Billy Chaney]

Try adding this line to custom configuration section to seeing helps

dhcp-option dns some.dns.ip.address

E.g. dhcp-option dns 9.9.9.9

You know, when I did it this way it worked good until I rebooted my router. And then no joy. The router started acting up again. Asuswrt Merlin just doesn't like ProtonVPN DNS 10.8.8.1.

 

[XIII]

I would like to give this another try. Any tips?

 

[Billy Chaney]

I've been using ProtonVPN Plus servers with much success. I use Cloudflare dns under my Wan dns. The problem I was having was that I didn't point my windows ethernet dns settings to my routers ip address. Once I did that all my problems went away. With ProtonVPN's plus servers I just load the default settings and it works fine. Also, I use policy rules. ProtonVPN Plus is a little pricey but I like it. Hope this helps.

 

[XIII]

This week a PIA VPN OpenVPN file worked out of the box, so I wanted to give ProtonVPN another chance.

Still fails... (hopefully I can learn something from the PIA setup?)

 

[Skeptical.me]

Hey, thanks for all the good advice in this thread, I got everything working in an OpenVPN client. I checked with ipleak.net and everything is good.

However, I have a line speed on 32Mbps and with ExpressVPN and AirVPN I get around 25(ish)Mbps using an OpenVPN client on mt RT-AC87U but with ProtonVPN I'm only getting 10Mbps.

remote-random
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
remote-cert-tls server
pull
fast-io
dhcp-option dns 10.8.8.1

I've got "Accept DNS Configuration" set to "Exclusive"
LAN>DHCP>DHCP SERVER>DNS 1 10.8.8.1>DNS 2 10.7.7.1
I use Policy Routing - I have to as some devices need WAN access

Do you guys know how I can tweak the settings to get faster speeds?

Edit: I set up a second client with a California server rather than the US .ovpn config file and didn't add the "dhcp-option dns 10.8.8.1" line and I', getting about 15Mbps (I have really crappy broadband speeds in general :-( )

Edit 2: I'm getting 27Mbps on the American .ovpn config now - thats much better.

 

[XIII]

Finally got OpenVPN to work on my router via this Reddit post and adding this to the Custom Configuration field:

script-security 2
dhcp-option DNS 9.9.9.9
dhcp-option DOMAIN example.lan

("example.lan" is not the real name I use; just an "obfuscated" example)

With these settings OpenVPN uses Quad9 directly.

Using 192.168.1.1 instead of 9.9.9.9 to also use AB-Solution and pixelserv-tls does not seem to work...

 

[XIII]

Using 192.168.1.1 instead of 9.9.9.9 to also use AB-Solution and pixelserv-tls does not seem to work...

Forgot I 'm using a non-standard port (65053) for unbound. This solves that:

dhcp-option DNS 192.168.1.1:65053

 

[unclebuk]

Hey, thanks for all the good advice in this thread, I got everything working in an OpenVPN client. I checked with ipleak.net and everything is good.

However, I have a line speed on 32Mbps and with ExpressVPN and AirVPN I get around 25(ish)Mbps using an OpenVPN client on mt RT-AC87U but with ProtonVPN I'm only getting 10Mbps.

remote-random
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
remote-cert-tls server
pull
fast-io
dhcp-option dns 10.8.8.1

I've got "Accept DNS Configuration" set to "Exclusive"
LAN>DHCP>DHCP SERVER>DNS 1 10.8.8.1>DNS 2 10.7.7.1
I use Policy Routing - I have to as some devices need WAN access

Do you guys know how I can tweak the settings to get faster speeds?

Edit: I set up a second client with a California server rather than the US .ovpn config file and didn't add the "dhcp-option dns 10.8.8.1" line and I', getting about 15Mbps (I have really crappy broadband speeds in general :-( )

Edit 2: I'm getting 27Mbps on the American .ovpn config now - thats much better.

the best tweak to increase vpn speed is to hook up an AC86U....world of difference over AC87U.

 

[Billy Chaney]

Hey, thanks for all the good advice in this thread, I got everything working in an OpenVPN client. I checked with ipleak.net and everything is good.

However, I have a line speed on 32Mbps and with ExpressVPN and AirVPN I get around 25(ish)Mbps using an OpenVPN client on mt RT-AC87U but with ProtonVPN I'm only getting 10Mbps.

remote-random
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
remote-cert-tls server
pull
fast-io
dhcp-option dns 10.8.8.1

I've got "Accept DNS Configuration" set to "Exclusive"
LAN>DHCP>DHCP SERVER>DNS 1 10.8.8.1>DNS 2 10.7.7.1
I use Policy Routing - I have to as some devices need WAN access

Do you guys know how I can tweak the settings to get faster speeds?

Edit: I set up a second client with a California server rather than the US .ovpn config file and didn't add the "dhcp-option dns 10.8.8.1" line and I', getting about 15Mbps (I have really crappy broadband speeds in general :-( )

Edit 2: I'm getting 27Mbps on the American .ovpn config now - thats much better.

Whenever I use the dhcp-option, I can't use router.asus.com. I can only use 192.168.x.x to log in. Is there a work around for this?

 

[Skeptical.me]

the best tweak to increase vpn speed is to hook up an AC86U....world of difference over AC87U.

That's actually my next buy ... or I was also looking at the 88, what do you think about the 88u in comparison to the 86u?


Sent from my iPad using Tapatalk Pro

 

[Skeptical.me]

Whenever I use the dhcp-option, I can't use router.asus.com. I can only use 192.168.x.x to log in. Is there a work around for this?

I wish I could tell you, unfortunately I do not know.


Sent from my iPad using Tapatalk Pro