How to configure Proton VPN on pfSense using WireGuard

How to configure Proton VPN on pfSense using WireGuard – Proton VPN Support

In this guide, we show you how to set up Proton VPN on pfSense 2.7.x using the WireGuard® VPN protocol. This allows your router to protect any device connected to it with a Proton VPN connection.

Learn more about WireGuard

You can also configure Proton VPN on pfSense 2.7.x using the OpenVPN protocol, but we recommend using WireGuard.

1. Create a WireGuard configuration file

Sign in to Proton VPN using your Proton Account username and password at account.protonvpn.com, go to Downloads → WireGuard configuration, and download a WireGuard configuration file. Be sure to select Platform: Router.

Learn how to download a WireGuard configuration file from Proton VPN

To configure pfSense, you’ll need the private key from this config file. To find it, go to Downloads → WireGuard configuration and select the WireGuard key you just created. Look for the line that says PrivateKey =.

Get the private key from the WireGuard config

You’ll also need the Endpoint = IP address.

Get the Endoin IP address from the WireGuard config

2. Install the WireGuard package on pfSense

Enter 192.168.1.1 into your browser’s URL bar to open the pfSense frontend. Sign in and go to System → Package Manager → Available Packages tab. Locate the WireGuard package and click Install.

To verify that WireGuard is successfully installed, go to System → Package Manager → Installed packages.

3. Create a new WireGuard tunnel

Still in pfSense, go to VPN → WireGuard → Tunnels and create a new tunnel with the following settings.

Tunnel configuration:

Description: Choose a suitable description
Listen port: 51820
Interface Keys: Private key from your configuration file (see step 1)
Public key: This will be automatically generated

Interface configuration:

Interface Addresses: 10.2.0.2/32

Click Save Tunnel when you’re done.

4. Add a peer

Still on the Tunnels tab, click Add Peer (see above), which will take you to the Peers tab. Configure the following settings.

Peer Configuration:

Tunnel: the tunnel created in the previous step
Description: choose a descriptive name, for example, the server name
Dynamic Endpoint: uncheck
Endpoint: endpoint IP address from your downloaded WireGuard configuration
Port: 51820
Keep Alive: 25
Public Key: public key from your downloaded WireGuard configuration file (see step 1)

Address Configuration:

Allowed IPs: 0.0.0.0 / 0

Click Save Peer when you’re done.

5. Go to the Settings tab, check Enable WireGuard, then click Save and Apply Changes.

5. Create a WireGuard interface

The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you’ll need to configure the Interfaces and Firewall rules.

Go to Interfaces → Interface Assignments → Available network ports and select tun_wg0 → Add.

This will create an interface named OPTx (where x depends on how many physical interfaces your router has). Click on the newly created one to configure it.

Enter the following configuration settings·

General Configuration:

Enable: checked
IPv4 configuration type: Static IPv4

Static IPv4 configuration:

IPv4 address: 10.2.0.2 / 32

Click Save and Apply.

6. Add a new gateway

Go to System → Routing → Gateways and click Add to add a new gateway.

Enter the following configuration settings:

Interface: OPT1 (or name of the interface from the previous step)
Address Family: ipv4
Name: descriptive name
Gateway: 10.2.0.1

Click Display Advanced and check Use non-local gateway → Use non-local gateway through interface specific route. Click Save and Apply Changes.

7. Configure firewall rules

We use firewall rules to route all traffic through the Proton VPN interface we set up in Step 5. Go to Firewall → NAT → Outbound and select Manual Outbound NAT rule generation. Then click Save and Apply Changes.

Now click the ✓ icon next to the last two rules to disable them.

Auto created rule for ISAKMP – OPT1 to WAN
Auto created rule OPT1 to WAN

Click the Edit (pencil) icon next to the following two rules:

Auto created rule – LAN to WAN
Auto created rule for ISAKMP – LAN to WAN

In both cases, change the Interface to VPN interface (OPT1) and the Address family to IPv4. When you’re done, click Save and Apply Changes.

Go to Firewall → Rules → LAN → Default allow LAN to any rule → Edit (pencil icon).

Click Display advanced → Gateway and select the gateway we created in step 6. Click Save.

Click the ✓ icon next to Default allow LAN IPv6 to any rule to disable it, and then click Save and Apply Changes.

8. Configure DNS Settings

All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.

In pfSense, go to System → General setup → DNS Server Settings and configure the following settings:

DNS Servers: 10.2.0.1
Gateway: the name of the gateway we configured in step 6.
DNS Server Override: unchecked

Click Save when you’re done.

Now go to Services → DNS Resolver → General Settings and change the following:

Outgoing Network Interfaces: OPT1 (the WireGuard interface we’ve created)
DNS Query Forwarding: check Enable Forwarding mode

Click Save and Apply Changes when you’re done.

Your setup is now complete. All traffic from your network is now securely routed through the Proton VPN server you chose. You can test this by visiting ip.me from any device on your network.

Arif Akyüz Sistem Network Yöneticisi ve Siber Güvenlik Uzmanı

Arif Akyüz
Bilgi Teknolojileri
Sistem Network Yöneticisi
ve Siber Güvenlik Uzmanı
[email protected]