This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!

ProtonVPN¶

Reference(s)

Table of contents¶

Install
Config
Use
OpenVPN
Tips
- Run the VPN per application
- Configure the VPN to accept traffic from public IP and respond on the same channel
  - How to undo this ?

Install¶

Gentoo Kernel

A correct kernel config is needed:

$ cd /usr/src/linux
# make nconfig # or `# make menuconfig`

    # Double check here:
    # <https://wiki.gentoo.org/wiki/OpenVPN#Kernel>

    > Device Drivers  --->
    >     [*] Network device support  ---> # Symbol: NETDEVICES [=y]
    >         [*] Network core driver support # Symbol: NET_CORE [=y]
    >         <*>   Universal TUN/TAP device driver support  # Symbol: TUN [=y]

Warning

After configuring the kernel don't forget to do a kernel make and rebuild!

apkaptdnfemergenix~~pacman~~ AUR (by hand)yumxbpszypper

TODO

# vi /etc/portage/package.accept_keywords
    > ...
    > # last protonvpn-cli
    > net-vpn/protonvpn-cli ~amd64
    > ...
# emerge -a net-vpn/protonvpn-cli

on NixOSon non-NixOS

# nix-env -iA nixos.protonvpn-cli

# nix-env -iA nixpkgs.protonvpn-cli

Install with AUR:

$ mkdir -p ~/apps/aur-apps
$ cd ~/apps/aur-apps
$ git clone https://aur.archlinux.org/protonvpn-cli-ng.git
$ cd protonvpn-cli-ng
$ makepkg -is # --syncdeps to auto-install deps, --install to install after building

TODO

Initialize protonvpn-cli:

# protonvpn init

During the initialization step, when being asked the username and the password, use your ProtonVPN - OpenVPN credentials (not your account username and password). I.e. go to ProtonVPN website -> login -> account -> OpenVPN / IKEv2.

Config¶

Change protonvpn-cli configuration if needed:

# protonvpn configure

Use¶

Get status:
```
$ protonvpn status
```
Connect to a random server:
```
# protonvpn c -r
```
Connect to the fastest server:
```
# protonvpn c -f
```
Connect to the fastest P2P server:
```
# protonvpn c --p2p
```
Connect to the fastest server in a specified country:
```
# protonvpn c --cc [countrycode]
```
Connect to the fastest "secure core" server:
```
# protonvpn c --sc
```
Reconnect to the last server used:
```
# protonvpn r
```
Disconnect the current session:
```
# protonvpn disconnect, d
```
Refresh OpenVPN configuration and server data:
```
# protonvpn refresh
```
Print example commands:
```
# protonvpn examples
```
Display version:
```
# protonvpn --version
```
Show help message:
```
# protonvpn --help
```

OpenVPN¶

Reference(s)

https://protonvpn.com/support/linux-vpn-setup/

ProtonVPN can entirely be used through OpenVPN.

Install prerequisite (resolvconf):

Create a dedicated config directory:

$ mkdir -p $HOME/.config/openvpn/protonvpn-server-configs

Download the desired configuration files:
- Go to the ProtonVPN website
- Login
- Downloads
- OpenVPN configuration files
- 1. Select platform: GNU/Linux
- 1. Select protocol: UDP (recommended) or TCP if you experience slow VPN speeds
- 1. Select config file and download: Standard server configs
- Download all configurations in $HOME/.config/openvpn/protonvpn-server-configs
Get your credentials:
- Go to the ProtonVPN website
- Login
- Account
- OpenVPN / IKEv2

Install the ProtonVPN update-resolv-conf script:

$ sudo wget "https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh" -O "/etc/openvpn/update-resolv-conf"
$ sudo chmod +x "/etc/openvpn/update-resolv-conf"

Put you ProtonVPN credentials into a pass file:

$ vi $HOME/.config/openvpn/protonvpn-pass.conf
    > OpenVPN-IKEv2-username
    > OpenVPN-IKEv2-password

Append the path to the pass file to all your downloaded .ovpn files:

$ cd $HOME/.config/openvpn/protonvpn-server-configs
$ for file in *; do echo "auth-user-pass /home/username/.config/openvpn/protonvpn-pass.conf" >> "$file"; done

Now you can connect to a ProtonVPN server like so (e.g. on server fr-36):

$ sudo openvpn ~/.config/openvpn/protonvpn-server-configs/fr-36.protonvpn.com.udp.ovpn

Tips¶

Run the VPN per application¶

See vpnify.

Configure the VPN to accept traffic from public IP and respond on the same channel¶

TODO: /opt/update-duckdnsip

When a VPN is set up on a server, how to access it via SSH ? Or how to still let the server be available e.g. with Nginx ? I.e. how to accept traffic from public IP and respond on the same channel, not with the VPN channel ?

Find the interface name you are using to connect to the internet:

$ ifconfig

E.g. wlp2s0 is my interface.

Find your inet (/inet4) on your interface:

$ ip a show dev wlp2s0
    > ...
    > wlp2s0: ...
    >   ...
    >   inet 192.168.1.42/24 ...
    >   ...

E.g. my inet is 192.168.1.42/24. 192.168.1.42 is the local address, 24 is the netmask, and 192.168.1.0 is the subnet. (NOTE: you can configure your internet router to get a fixed inet)

Find your gateway:

$ ip route show dev wlp2s0

The gateway is the address next to "default via ...". E.g. 192.168.1.1 is my gateway.

Add a table rule:

# ip rule add from [LOCAL ADDRESS] table 128

Add routing rules:

# ip route add table 128 to [SUBNET]/[NETMASK] dev [INTERFACE]
# ip route add table 128 default via [GATEWAY]

NOTE: These rules will only last until the system shuts down. Consider reapplying them when the system reboots.

How to undo this ?¶

Show table:

# ip rule show
# ip route show table 128

Remove table:

# ip rule del table 128
# ip route flush table 128

If this cheat sheet has been useful to you, then please consider leaving a star here.