How to get ProtonVPN working with OpenVPN WAN

Rick-DC · February 7, 2021, 11:29am

We’ve been asked to get OpenVPN working with ProtonVPN for one of our customers and have had no difficulty doing so. We were particularly interested in this VPN provider since they (and we) use Proton Mail. For anyone interested, here are the steps:

Upgrade FW to 8.1.1
Obtain and install the Open VPN WAN license, “LIC-OPN-WAN” (inexpensive – only $20 in the USA.)
Start the OpenVPN setup at Network → WAN → OpenVPN.
If you have not obtained an account with ProtonVPN do so now at https://account.protonvpn.com/login.
Get the .ovpn file at https://account.protonvpn.com/downloads#openvpn-configuration-files after selecting the options you want (same procedure for free or paid versions.) In Step 1 be certain to select “Router.”
Enter your credentials where called for on the OpenVPN config page. Note that this is not your ProtonVPN log-on as explained here – How to log in to ProtonVPN? - ProtonVPN Support.
Set the other parameters on the OpenVPN set-up page as needed.
Set outbound policy (Network → Outbound Policy) to direct the desired traffic to the OpenVPN WAN.

This set-up was not difficult and it seems to work well. Kudos to the Peplink product management folks and engineers for implementing this feature.

Michael234 · January 14, 2021, 9:39pm

Once a link is established, how do you connect the router to a different ProtonVPN server?

Rick-DC · January 15, 2021, 12:05am

Hi Michael. It appears that one selects the target server during the process of building the .ovpn file – step 5 in my posting. That’s also where you will select TCP or UDP, for example. If you want to use a different server you’ll need to change .ovpn’s. I experimented with building multiple .ovpn files, downloading them and loading each in-turn to the Peplink router. I did not find any issues.

Michael234 · January 15, 2021, 1:56am

First thing, ProtonVPN is an excellent choice.

With some OpenVPN providers, you can create a single .ovpn file that refers to multiple VPN servers. Not sure if ProtonVPN supports that. For example, you might create an ovpn config file that would connect to any of multiple servers in a chosen country.

Rick-DC · January 15, 2021, 12:37pm

Hi Michael. As I understand it one selects the desired configuration and the .ovpn file is built with those parameters. It does not work like, for example, the iOS “app” where one can select which server is to be used on start-up. Having said that, it’s easy to have multiple .ovpn files on a client desktop and load the desired one when needed.

tetranz · January 15, 2021, 2:43pm

I’m pleased it works with Proton. I’ll be interested to hear if anyone manages to get it working properly on Windscribe. I haven’t had much luck. It works on some websites but others time out with no connection. I’ve tried different Windscribe servers, fiddled with MTU and tried both UDP and TCP but never got it working well. I use Windscribe’s WireGuard service on a Raspberry Pi and it works perfectly.

jlanderson227 · January 16, 2021, 3:46am

I have a Surf Soho MK3, have updated the firmware to 8.1.1, and purchased and installed the OpenVPN license key. I’m using a free ProtonVPN account and have a connection to the VPN server, which shows as being in standby. I’m unable to do 3 things shown in the quick start guide linked in the email announcing 8.1.1 or discussed in your instructions.

The OpenVPN WAN 1 that was set up automatically at the time I installed the license key does not appear in the Uplink Connection Priority dropdown, so the default WAN is being used for the uplink.
The Quick Start indicates that the WAN and the OpenVPN WAN 1 should both be Priority One. When I drag the OpenVPN WAN 1 to Priority One, the WAN becomes Priority Two, and vice-versa.
I don’t find Network…Outbound Policy so am unable to direct desired traffic to the VPN.

The FAQ indicates that all Peplink routers support OpenVPN client, so I’m stumped as to how to proceed. Perhaps an updated firmware is needed? Any help would be appreciated.

Thanks in advance,

Jim

Dam · January 19, 2021, 8:08am

Hello,

I am on a Pepwave Surf SOHO MK3 Firmware: 8.1.1 build 4994.

Followed the Peplink/Pepwave OpenVPN guide and purchased the license, activated it, rebooted, configured, saved settings, ping test, etc… (Firmware Release for OpenVPN WAN).

Shows as connected, however no network traffic is going through the OpenVPN WAN. The Surf SOHO UI is slightly different from the one in the guide when it comes to the “Outbound Policy” setting.

Respectfully,
Dam

TK_Liew · January 20, 2021, 4:44am

@Dam, the provided screenshots from Firmware Release for OpenVPN WAN is based on Balance Two. So it is a bit different from SOHO MK3. Have you created an outbound policy to route traffic to the OpenVPN WAN? How you notice no network traffic is going through the OpenVPN WAN?

Kenny · January 20, 2021, 6:34am

Please refer to following instruction to set the outbound policy rule: pass all traffic to OpenVPN WAN if connected, pass to ethernet WAN otherwise.

Dam · January 20, 2021, 7:05am

@TK_Liew @Kenny

Thanks for the info. However my Admin UI does not match the 8.1.1 Manual.

A screen shot of my options… I am missing “Outbound Policy” in the Advance menu.

I am missing the option/feature entirely?

Thanks for the help.
-Dam

Dam · January 20, 2021, 7:06am

The manual displays a different set of options and features in the advanced menu.

TK_Liew · January 20, 2021, 10:08am

@jlanderson227 and @Dam, this likely a bug. Please PM your serial number for me to take a look.

jlanderson227 · February 9, 2021, 1:10am

2933-XXXX-XXXX

TIA for your assistance!

Dam · January 21, 2021, 5:22am

@TK_Liew

Forum says … I cannot send you a personal message.

Screenshot 2021-01-20 210808

EDIT: Resolved … was able to send PM

slonoed · February 2, 2021, 2:37am

Hello!

I have exactly the same problem. Cam someone help me as well?

TK_Liew · February 2, 2021, 8:23am

@slonoed, I replied to you below.

stego · February 4, 2021, 3:09am

Hi @Rick-DC, @Michael234,

I’m interested in doing this on my B20x.

I have NextDNS CLI running on a RaspBerry Pi however as a resolver for my LAN. from what I’ve read, seems they don’t work very well together.

ProtonVPN is using its own DNS servers to deliver its ad blocking as well, so a little redundant, but what is nice is it would cover all my devices across vlans.

My only concern is bandwidth if every device on my home network is funneling through the wan VPN. I know some overhead is incurred with VPN. ProtonVPN also offers a feature to Plus plan members called Secure Core. Basically directing your VPN traffic to their Secure Core servers before heading to your target VPN server. Great for security, but bad for speed and latency.

Unless i selectively direct some devices to VPN and others to regular WAN.

I guess it depends on various use cases. eg. routing streaming devices through WAN VPN to bypass region blocks for instance.

pepmike · February 7, 2021, 12:52am

@Rick-DC - Would you be able to share an OVPN file you used for ProtonVPN. I’m attempting to configure my router for ProtonVPN using the downloaded files, but I keep getting an ‘invalid ovpn file’ error on the peplink, but not using an openvpn client.

Any ideas? Any screen shots? Did you have to create a certificate and install it on the SOHO?

Rick-DC · February 7, 2021, 11:34am

Hi. As a matter of policy we don’t save sensitive client information so we do not have that .ovpn file. Sorry. I do know we did the same thing a couple more times after I wrote that original message and all was OK. I just reread what I wrote and I clarified/added one thing – in Step 5 one should select “Router.”