    Wireguard using Proton configs and pfsense 2.7.2

      parry

      Is there a simple way to use Proton's WireGuard configs on pfSense 2.7.2? I have been trying for days, while following Proton's instructions https://protonvpn.com/support/protonvpn-opnsense-wireguard
      to no avail. For one thing, the NAT translation to the use of the Proton WG gateway has a section called "interface" where the gateway or WAN can be selected (in this case recommendations are to select the WG gateway) and there is a section called "translation" that is not mentioned in the Proton guide where again the choices are WAN or WG gateway. In any case, once the NAT is set up, I can't ping even an IP address. Setting the firewall rules as per instructions does not help either. I did not see any IP addresses used to "monitor" the connection as seems to be discussed at great length in this discussion

      https://forum.netgate.com/topic/199536/pfsense-with-multiple-proton-wireguard-tunnels/60

      I know I am probably missing something (a brain ?) but 2 days with this keyboard will send anyone senile

      Thanks, parry

        Gertjan @parry

        @parry

        Some general advice.
        The link you've mentioned did say : 'Proton tested this and they made it work'.
        That's nice and fine and all that, but the software, and probably the WireGuard used, is pretty ancient by now.
        For example : you said 'I Use pfSense 2.7.2' and that makes me think "Why ? VPN stuff evolves very rapidly as it's a security thing" and 2.7.2 is old now. 2.8.x has been out for months now.
        So, I suggest you do the same thing as what Proton probably does : get and use the latest versions everywhere, don't stay behind, as older versions can only be supported by ... yourself.

        I say upfront : I don't know / never used Proton. I do presume they also offer the good old 'OpenVPN', which has its pros and cons, but a major factor is : half the planet uses OpenVPN. So, finding 'help' will be way easier. I really think it's worth trying, as as soon as you made it work, you become an active VPN user, and you start to know and understand the small details. With these, you can make every type of VPN work (as they are all somewhat the same).

        No "help me" PM's please. Use the forum, the community will thank you.

          parry

          Allow me to respond section by section

          > Some general advice.

          Thank you for your advice

          > The link you've mentioned did say : 'Proton tested this and they made it work'.
          > That's nice and fine and all that, but the software, and probably the WireGuard used, is pretty ancient by now.

          You are using platitudes and have no experience with Proton. They recommend WireGuard and what's more they have not explained how to use it on pfSense 2.8. Netgate's explanations are too clinical to be able to understand in the absence of good examples. Bob Dig and others provide that help on these fora, which is why I come here.

          > For example : you said 'I Use pfSense 2.7.2' and that makes me think "Why ? VPN stuff evolves very rapidly as it's a security thing" and 2.7.2 is old now. 2.8.x has been out for months now.

          Have you ever tried using Proton? Have you used pfSense? My experience is that you need to be very careful with new versions because they sometimes emerge with bugs that can negate the whole idea of privacy.

          > So, I suggest you do the same thing as what Proton probably does : get and use the latest versions everywhere, don't stay behind, as older versions can only be supported by ... yourself.

          Your disdain and lack of knowledge are stultifying. Kindly READ what Proton says, kindly listen to what others are saying about pfSense and Proton. Don't barge in here with such outstanding arrogance.

          > I say upfront : I don't know / never used Proton

          Exactly, you don't.

          > I do presume they also offer the good old 'OpenVPN', which has its pros and cons, but a major factor is : half the planet uses OpenVPN.

          As I said, Proton recommends WireGuard, so that's why I am trying to use WireGuard.

          > So, finding 'help' will be way easier.

          I don't have any problems with Proton's OpenVPN on pfSense 2.7.2. It works, but PROTON RECOMMENDS WIREGUARD.

          > I really think it's worth trying, as as soon as you made it work, you become an active

          Why are you such a genius ??

          > VPN user, and you start to know and understand the small details. With these, you can make every type of VPN work (as they are all somewhat the same).

          Really ?

            Gertjan @parry

            @parry

            Nope, not a genius.
            Ask yourself this question : Who uses pfSense 2.7.2 today ?
            Who uses pfSense 2.7.2 and Proton VPN and the WireGuard protocol and sees this/your thread and starts posting here with potential answers ? My idea was : use the same versions and you get an answer faster, as this seems logical to me.

            "Proton" + pfSense 2.7.2 + "WireGuard" worked in the past. If nothing changed on both sides, it should still work.
            There is one aspect that no one knows : while pfSense 2.7.2 is the same, WireGuard is under very active development. If Proton uses a newer WireGuard version right now, this might explain your issue. But you can Proton, as they don't support OPNsense - and (presume) pfSense.
            Worse, pfSense doesn't support 2.7.2.
            pfSense 2.8 comes with the latest version of the WireGuard package, don't you think having the latest version gives more chances to make things work ?

            I'm not aware of privacy issues.

              Bob.Dig LAYER 8

              I am with Gertjan on this, you should use the latest version.
              And there is no simple way in pfSense. There are other routers, like OpenWRT, where it is much simpler.

              If you stick to pfSense, follow this tutorial until number 5.
              In number 5, click the "Add a new gateway" button and make it look like mine:

              [Screenshot: pfSense.internal - Interfaces VPNcProto1 (tun_wg8)]

              Then go to System>Routing>Gateways and tick "Disable Gateway Monitoring" for this newly added gateway.

              Finally use this gateway in firewall rules (policy based routing) and forget 6. - 8. of the tutorial. You might have DNS-leakage but that is another Can of Worms you should only tackle if everything else is working for you. 😉

                parry @Bob.Dig

                @Bob.Dig
                Thanks again. Looks like pfSense does not work that well with Proton's WireGuard implementation. Does that mean that I can run Proton on an x86 platform ? I briefly checked OpenWRT and instead of listing familiar (to me) images there is a list of vaguely familiar images like rootfs etc. You don't have to answer, but I can see another steep hill to climb - with 4 VLANs, one bypassing the VPN, and a partridge in a pear tree ;)

                I think I will stick to proton and openvpn and try openwrt or maybe tomato.

                  Bob.Dig LAYER 8 @parry

                  @parry said in Wireguard using Proton configs and pfsense 2.7.2:

                  > Does that mean that I can run Proton on an x86 platform ?

                  OpenWRT you can, even FreshTomato.

                  @parry said in Wireguard using Proton configs and pfsense 2.7.2:

                  > Looks like pfSense does not work that well with Proton's WireGuard implementation.

                  These days I say, it is actually Proton's fault. They have problems when running multiple tunnels with different IP-configurations and heavy ICMP-monitoring, like pfSense does. But if you disable or ignore the monitoring, it works just fine.

                    marcosm Netgate

                    I suggest following the Netgate docs for any steps related to pfSense. Unless Proton is using a custom WireGuard implementation I see no reason for there to be any compatibility issues. Part of what makes WireGuard configuration on pfSense more involved is the flexibility to support many scenarios. Granted an import/export feature like the OpenVPN service has would certainly be nice.
                    https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html

                    1 Reply Last reply Reply Quote 1
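Added example, not part of any post in this thread and not Netgate or Proton code: since the thread notes that pfSense has no import feature for WireGuard configs, this Python helper reads a wg-quick style config and returns the values that have to be entered by hand, rejecting malformed keys. The sample config, its keys and addresses, and the dictionary key names are constructed for illustration and are not pfSense field names.

```python
import base64
import configparser
import ipaddress

# Constructed placeholder keys and documentation addresses, not real credentials.
PRIV_KEY = base64.b64encode(bytes(32)).decode()
PUB_KEY = base64.b64encode(bytes([1]) * 32).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {PRIV_KEY}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = {PUB_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
"""

def check_key(value, name):
    """WireGuard keys are 32 bytes, base64-encoded; reject anything else."""
    raw = base64.b64decode(value, validate=True)  # bad base64 raises a ValueError subclass
    if len(raw) != 32:
        raise ValueError(f"{name}: expected 32 bytes, got {len(raw)}")
    return value

def fields_to_enter(conf_text):
    """Return the tunnel, peer and interface values found in a single-peer config."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep WireGuard's CamelCase option names
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, _, port = peer["Endpoint"].rpartition(":")
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in peer["AllowedIPs"].split(",")]
    return {
        "tunnel_private_key": check_key(iface["PrivateKey"], "PrivateKey"),
        "interface_addresses": [str(ipaddress.ip_interface(a.strip()))
                                for a in iface["Address"].split(",")],
        "peer_public_key": check_key(peer["PublicKey"], "PublicKey"),
        "peer_endpoint_host": host.strip("[]"),  # brackets appear around IPv6 literals
        "peer_endpoint_port": int(port),
        "peer_allowed_ips": [str(n) for n in allowed],
        # True when the peer accepts all IPv4/IPv6 destinations; which traffic uses
        # the tunnel is then decided by the gateway and policy rules from the thread.
        "full_tunnel": any(n.prefixlen == 0 for n in allowed),
        # DNS is a wg-quick client setting; on a router the resolver is configured
        # separately, which is where the DNS-leak remark in the thread comes in.
        "dns_from_conf": [d.strip() for d in iface.get("DNS", "").split(",") if d.strip()],
    }
```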