FreeBSD Gateway to Access ProtonVPN

Read Time:2 Minute, 41 Second

Note, this is not a tutorial, so it does not contain a complete list of steps to be performed. It’s intended to give you ideas how to go about doing this by sharing my experiences. The complete setup is, as they say, left as an exercise to the reader.

I was playing around with different setups to connect several devices to ProtonVPN being aware of the limit of one or two devices with the Free and Basic ProtonVPN packages. The obvious way is to configure the VPN on your router/gateway. If you have one that allows for OpenVPN to be configured, you can do it there. Mine doesn’t so I had to find another way.
I also didn’t want to rout all my traffic through the VPN, just basically be able to browse the web.

So I came up with the idea of installing a FreeBSD gateway with two network interfaces, one connected directly to the Internet over which I route the traffic to a ProtonVPN server or servers.

Of course, the machine is running PF firewall software with the appropriate rules, and name resolution happens with unbound which basically just forwards requests to public DNS servers. I am not going to describe either here, because you can use other software to do these task (e.g. use IPFW and hardcode public nameservers in the /etc/resolv.conf file).

Since ProtonVPN runs best with OpenVPN, I had to install the software package with

pkg install openvpn

and had to add the following lines to the /etc/rc.d file:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/protonvpn.conf"
openvpn_if="tun"

The file protonvpn.conf is a softlink to a ProtonVPN server configuration file, for example ar-01.protonvpn.com.udp.ovpn (for the sake of example) which is downloadable from the ProtonVPN website.

I also needed a file with my IKE2 credentials, named it my.creds, with two lines. First line is you IKE2 password, second line your IKE2 password. You’ll find yours on the “Account” page of your ProtonVPN account under the section “OpenVPN / IKEv2 username”. This file needs to be saved in the same directory as your protonvpn.conf file. It will look something like this:

NoTMY_ReAlIkE2-UsErNamE
nOtMyReaLiKe2PasSw0rD


In the *.udp.ovpn file I have chosen, here it is ar-01.protonvpn.com.udp.ovpn, the line auth-user-pass needs to be changed to:

auth-user-pass my.creds

This is pretty simple to setup and now the FreeBSD gateway establishes the VPN connection automatically when the FreeBSD box reboots (which happens rarely, it’s FreeBSD).

However, it’s not quite finished yet. The PF firewall rules need to be configured properly to allow connection to the VPN and to make name resolution working.
You can, of course, use another firewall software, e.g. IPFW, works just as well on FreeBSD.

Like this, I can use the FreeBSD box either as my default gateway for some of the machines, or, since I am also running Squid proxy server on it, I can just connect my browsers (at least those that allow me to configure a proxy server manually) to it and surf the web via the VPN connection.

About Post Author

Analyst

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
0 %
Previous post To VPN or not to VPN
Next post Why Contact Tracing Apps Are Not Anonymous