
How to setup Proton VPN on MikroTik routers using IKEv2

A step-by-step guide to setting up Proton VPN on your MikroTik router using IKEv2

Proton VPN can be set up on your MikroTik router so that it will automatically connect to a Proton VPN server (available on your subscription) whenever an internet connection is established. 

Below is a step-by-step guide to connecting a MikroTik router to a Proton VPN server using the IKEv2 VPN protocol. Please note that we recommend using WireGuard instead.

Learn how to setup Proton VPN on MikroTik routers using WireGuard

You can make these changes using the web configuration panel of your router. 

1. To open the MikroTik configuration panel, open your terminal and enter:

ssh user@192.168.88.1

Read more about using the command line interface with MikroTik

2. Get your service credentials from here, and use them for this setup.

3. Import Proton VPN CA to your router:

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der name="Proton VPN CA" passphrase=""

4. Mark ALL traffic that you want to route through the VPN server:

/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

5. IPsec/IKEv2 configuration

/ip ipsec mode-config add connection-mark=under_protonvpn name="Proton VPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="Proton VPN profile"
/ip ipsec peer add address=<your_chosen_server_IP> exchange-mode=ike2 name="Proton VPN server" profile="Proton VPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="Proton VPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="Proton VPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="Proton VPN mode config" password=<openvpn_ikev2_password> peer="Proton VPN server" policy-template-group=ProtonVPN username=<openvpn_ikev2_username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="Proton VPN proposal" src-address=0.0.0.0/0 template=yes

In “/ip ipsec policy” you should be able to see a new dynamic rule added next to your Proton VPN policy. It MUST exist; otherwise the configuration is not working.

Note: To use our NetShield DNS filtering feature, you need to add suffixes to your OpenVPN/IKEv2 username. Add the suffix +f1 to block malware only or +f2 to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). NetShield is only available with our Plus, Unlimited, Family, or Visionary plans.

6. (OPTIONAL) Implement our kill switch

The instructions for implementing a kill switch are different for RouterOS6 and RouterOS7.

For RouterOS6, enter:

/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes

For RouterOS7, enter:

/interface/bridge/add name=protonvpn_blackhole protocol-mode=none
/routing/table/add name=protonvpn_blackhole fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip/route/add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole

7. (IMPORTANT) Exclude the VPN traffic from fasttrack

To list all firewall rules:

/ip firewall filter print

To remove the two fasttrack rules (the default rule and the dummy rule), add the appropriate numbers you found from the command above to the following command:

/ip firewall filter remove

8. Reduce MSS

/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375

9. Don’t forget to disable the fasttrack rule in FIREWALL RULES and reboot your router!

/system reboot
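After the reboot, the guide expects a dynamic IPsec policy to exist (step 5) and no fasttrack rule to remain (steps 7 and 9). The following RouterOS script, added here as an example and not part of the Proton VPN guide, checks both conditions plus the presence of an active IKE peer; it assumes the IPsec package is installed and that the rule names from the guide above are in use.

```routeros
# Added example (not from the Proton VPN guide): post-setup sanity check.
# Assumes RouterOS 6 or 7 with the IPsec package and the guide's configuration.

# 1. A dynamic policy must have been generated from the ProtonVPN template.
#    If it is missing, the IKEv2 tunnel never came up (see step 5).
:local dynPolicies [/ip ipsec policy find dynamic=yes]
:if ([:len $dynPolicies] = 0) do={
    :log warning "ProtonVPN check: no dynamic IPsec policy - tunnel is not up"
} else={
    :put ("ProtonVPN check: " . [:len $dynPolicies] . " dynamic IPsec policy(ies) present")
}

# 2. The IKEv2 peer should appear under active-peers once the SA is established.
:local active [/ip ipsec active-peers find]
:if ([:len $active] = 0) do={
    :log warning "ProtonVPN check: no active IPsec peers"
} else={
    :put "ProtonVPN check: active IPsec peer present"
}

# 3. No enabled fasttrack rule may remain; fasttracked connections skip the
#    mangle marks and would be routed outside the tunnel (steps 7 and 9).
:local fasttrack [/ip firewall filter find action=fasttrack-connection disabled=no]
:if ([:len $fasttrack] > 0) do={
    :log warning ("ProtonVPN check: " . [:len $fasttrack] . " enabled fasttrack rule(s) still present")
} else={
    :put "ProtonVPN check: no enabled fasttrack rules"
}
```

Save it under /system script and run it with /system script run, or attach it to a /system scheduler entry so the warnings land in the log periodically.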
