Mikrotik (ROS6) IPSec with ProtonVPN
2022-08-10 19:26:13
Sometimes you just want to set up the router and be done with it. But sometimes you want some extra security on certain ports or on the wifi, you don't want to be tracked quite so easily, or you want to watch content that isn't accessible in your country. So today I'm going to give a tip on how to set up ProtonVPN on a MikroTik. This tutorial was done on a MikroTik RouterBoard hAP ac² (RBD52G-5HacD2HnD-TC) on RouterOS version 6 (ROS 6).
This small tutorial will go over setting up the MikroTik from the ground up; if there's something you don't need, just don't paste it. It will also make all connections from the LAN go through the VPN. The commands are written so that they work straight from the console. Also, it's tested on at least 4 devices, so it works.
So, first things first: connect to the device and change your password (connect via MAC address with WinBox; trust me, that will save your nerves, and you can't paste anything into the browser GUI anyway). After that, open the console and make these changes.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=\
dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=actuallygoodpassword
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=WIFINAME wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=WIFINAME wireless-protocol=\
802.11
/ip address set [find comment="defconf"] address=10.10.10.1/24 comment=defconf interface=bridge network=10.10.10.0
/ip dhcp-server network set [find 1] address=10.10.10.0/24 comment=defconf dns-server=10.10.10.1 gateway=10.10.10.1 netmask=24
/ip pool set [find name=default-dhcp] name=dhcp ranges=10.10.10.10-10.10.10.254
/ip dns static set [find comment="defconf"] address=10.10.10.1 comment=defconf name=router.lan
/system reboot
So, what do these commands mean? We create a wifi security profile, which sets the wifi password to actuallygoodpassword. The wifi names will be WIFINAME (change both as you want; I would recommend naming the two networks separately, because if you give them the same SSID, devices tend to connect to the 2.4GHz one; you can tell which band an access point is on from its band setting, for example band=5ghz-a/n/ac). We set the router's LAN address to 10.10.10.1/24, hand out addresses from the range 10.10.10.10-10.10.10.254, give the router the address 10.10.10.1, and then restart the router. If you connected via IP address, you'll need to reconnect to the device with the new IP address.
Now… the second part.
/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der name="ProtonVPN CA" passphrase=""
/ip firewall address-list add address=10.10.10.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes
/ip ipsec mode-config add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer add address=lv.protonvpn.net exchange-mode=ike2 name="ProtonVPN LV server" profile="ProtonVPN profile"
/ip ipsec peer add address=ee.protonvpn.net exchange-mode=ike2 name="ProtonVPN EE server" profile="ProtonVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" password=PASSWORD_GOES_HERE peer="ProtonVPN LV server" policy-template-group=ProtonVPN username=USERNAME_GOES_HERE
/ip ipsec identity add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" password=PASSWORD_GOES_HERE peer="ProtonVPN EE server" policy-template-group=ProtonVPN username=USERNAME_GOES_HERE
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip firewall filter add action=accept chain=forward connection-mark=under_protonvpn place-before=[find where action=fasttrack-connection]
/ip firewall filter disable [find action=fasttrack-connection]
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1360
/system reboot
First things first: the IKEv2/IPsec username and password for Proton are listed under https://account.protonvpn.com/account#openvpn (they are the same credentials as for OpenVPN).
First, you fetch and import the ProtonVPN root certificate, which the router uses to verify the VPN server, and add a mangle rule that marks every connection coming from the under_protonvpn address list (the whole 10.10.10.0/24 LAN) with the connection mark under_protonvpn.
Then you add 2 ProtonVPN IPsec peers (one for redundancy, just to be sure; you can add more). In this example, I'm adding the Latvian and Estonian servers as my possible sources.
Change PASSWORD_GOES_HERE and USERNAME_GOES_HERE to your OpenVPN/IKEv2 details.
You should now have a working VPN. But there are some other things. The protonvpn_blackhole is a really good feature (if you don't need it, you can remove those 3 lines). It is a kill switch: traffic from the marked LAN is routed towards an empty bridge, so if your VPN is down, or all the servers are down, the internet simply won't work for you instead of silently falling back to your normal connection, and your actual IP address won't be exposed.
And lastly, disable FastTrack (fasttracked packets bypass IPsec, so the tunnel would be skipped), add the forward accept rule for all under_protonvpn connections and the MSS clamp to 1360 (which keeps TCP inside the tunnel from fragmenting), and you're set; you just need to reboot the device.
And after all that, your device is set.
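A check worth having once the kill switch is in place is something that tells you whether the LAN is currently going through the tunnel or is being blackholed. The script below is an added example, not part of the original post and not from MikroTik or Proton; it only assumes the object names used above (the protonvpn_blackhole routing mark) and uses RouterOS 6 console commands. The script and scheduler names (protonvpn-check) are my own choice. Paste the body into a new script called protonvpn-check (System > Scripts in WinBox, or /system script add), then add the scheduler line at the end.

```routeros
# protonvpn-check (added example, not from the original tutorial)
# Reports whether the ProtonVPN IKEv2 tunnel is up and whether the
# protonvpn_blackhole kill-switch route is still in place.

# IKEv2 peers that have finished authentication
:local peersUp [:len [/ip ipsec active-peers find state="established"]]

# Policies with a live phase-2 SA (the mode-config tunnel creates one dynamically)
:local sasUp [:len [/ip ipsec policy find ph2-state="established"]]

# The kill-switch route must be active whether or not the tunnel is up;
# if it is gone, LAN traffic would leave over the normal WAN route.
:local blackhole [:len [/ip route find routing-mark="protonvpn_blackhole" active=yes]]

:if ($blackhole = 0) do={
    /log error "protonvpn-check: protonvpn_blackhole route missing, LAN could leak"
}

:if ($peersUp = 0 || $sasUp = 0) do={
    # Tunnel is down: with the blackhole route in place the LAN has no internet,
    # which is the intended fail-closed behaviour.
    /log warning ("protonvpn-check: tunnel down (peers=" . $peersUp . ", SAs=" . $sasUp . "), LAN is blackholed")
} else={
    /log info ("protonvpn-check: tunnel up (peers=" . $peersUp . ", SAs=" . $sasUp . ")")
}

# Run the check every 5 minutes; results show up in /log print
# /system scheduler add name=protonvpn-check interval=5m on-event=protonvpn-check
```

The log lines are deliberately kept to three states (missing route, tunnel down, tunnel up) so that a quick /log print after a reboot or a Proton outage tells you at a glance whether the fail-closed path is doing its job.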
I haven't got it working on ROS 7 yet; I'll try later, but I'm giving you a heads-up now that this won't work correctly there.