Skip to content

This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!



Table of contents


A correct kernel config is needed:

$ cd /usr/src/linux
# make nconfig # or `# make menuconfig`

    # Double check here:
    # <>

    > Device Drivers  --->
    >     [*] Network device support  ---> # Symbol: NETDEVICES [=y]
    >         [*] Network core driver support # Symbol: NET_CORE [=y]
    >         <*>   Universal TUN/TAP device driver support  # Symbol: TUN [=y]


After configuring the kernel don't forget to do a kernel make and rebuild!




# vi /etc/portage/package.accept_keywords
    > ...
    > # last protonvpn-cli
    > net-vpn/protonvpn-cli ~amd64
    > ...
# emerge -a net-vpn/protonvpn-cli
# nix-env -iA nixos.protonvpn-cli
# nix-env -iA nixpkgs.protonvpn-cli

Install with AUR:

$ mkdir -p ~/apps/aur-apps
$ cd ~/apps/aur-apps
$ git clone
$ cd protonvpn-cli-ng
$ makepkg -is # --syncdeps to auto-install deps, --install to install after building




Initialize protonvpn-cli:

# protonvpn init

During the initialization step, when being asked the username and the password, use your ProtonVPN - OpenVPN credentials (not your account username and password). I.e. go to ProtonVPN website -> login -> account -> OpenVPN / IKEv2.


Change protonvpn-cli configuration if needed:

# protonvpn configure


  • Get status:

    $ protonvpn status

  • Connect to a random server:

    # protonvpn c -r

  • Connect to the fastest server:

    # protonvpn c -f

  • Connect to the fastest P2P server:

    # protonvpn c --p2p

  • Connect to the fastest server in a specified country:

    # protonvpn c --cc [countrycode]

  • Connect to the fastest "secure core" server:

    # protonvpn c --sc

  • Reconnect to the last server used:

    # protonvpn r

  • Disconnect the current session:

    # protonvpn disconnect, d

  • Refresh OpenVPN configuration and server data:

    # protonvpn refresh

  • Print example commands:

    # protonvpn examples

  • Display version:

    # protonvpn --version

  • Show help message:

    # protonvpn --help



ProtonVPN can entirely be used through OpenVPN.

$ sudo pacman -S openresolv
$ sudo emerge -a net-dns/openresolv
$ sudo apt install resolvconf



  • Create a dedicated config directory:

    $ mkdir -p $HOME/.config/openvpn/protonvpn-server-configs

  • Download the desired configuration files:

    • Go to the ProtonVPN website
    • Login
    • Downloads
    • OpenVPN configuration files
      1. Select platform: GNU/Linux
      1. Select protocol: UDP (recommended) or TCP if you experience slow VPN speeds
      1. Select config file and download: Standard server configs
    • Download all configurations in $HOME/.config/openvpn/protonvpn-server-configs
  • Get your credentials:

  • Install the ProtonVPN update-resolv-conf script:

    $ sudo wget "" -O "/etc/openvpn/update-resolv-conf"
    $ sudo chmod +x "/etc/openvpn/update-resolv-conf"

  • Put you ProtonVPN credentials into a pass file:

    $ vi $HOME/.config/openvpn/protonvpn-pass.conf
        > OpenVPN-IKEv2-username
        > OpenVPN-IKEv2-password

  • Append the path to the pass file to all your downloaded .ovpn files:

    $ cd $HOME/.config/openvpn/protonvpn-server-configs
    $ for file in *; do echo "auth-user-pass /home/username/.config/openvpn/protonvpn-pass.conf" >> "$file"; done

  • Now you can connect to a ProtonVPN server like so (e.g. on server fr-36):

    $ sudo openvpn ~/.config/openvpn/protonvpn-server-configs/


Run the VPN per application

See vpnify.

Configure the VPN to accept traffic from public IP and respond on the same channel

TODO: /opt/update-duckdnsip

When a VPN is set up on a server, how to access it via SSH ? Or how to still let the server be available e.g. with Nginx ? I.e. how to accept traffic from public IP and respond on the same channel, not with the VPN channel ?

Find the interface name you are using to connect to the internet:

$ ifconfig
E.g. wlp2s0 is my interface.

Find your inet (/inet4) on your interface:

$ ip a show dev wlp2s0
    > ...
    > wlp2s0: ...
    >   ...
    >   inet ...
    >   ...
E.g. my inet is is the local address, 24 is the netmask, and is the subnet. (NOTE: you can configure your internet router to get a fixed inet)

Find your gateway:

$ ip route show dev wlp2s0
The gateway is the address next to "default via ...". E.g. is my gateway.

Add a table rule:

# ip rule add from [LOCAL ADDRESS] table 128

Add routing rules:

# ip route add table 128 to [SUBNET]/[NETMASK] dev [INTERFACE]
# ip route add table 128 default via [GATEWAY]

NOTE: These rules will only last until the system shuts down. Consider reapplying them when the system reboots.

How to undo this ?

Show table:

# ip rule show
# ip route show table 128
Remove table:
# ip rule del table 128
# ip route flush table 128

If this cheat sheet has been useful to you, then please consider leaving a star here.