feat(protonvpn): Wireguard support #2390

Merged
merged 2 commits into from
Aug 3, 2024
Conversation

qdm12
Owner

@qdm12 qdm12 commented Aug 1, 2024

  • Initial implementation
  • Feedback received
  • Wiki updated

Image is qmcgaw/gluetun:pr-2390

You can use it by using VPN_SERVICE_PROVIDER=protonvpn, VPN_TYPE=wireguard, and then set WIREGUARD_PRIVATE_KEY.

@qdm12 qdm12 force-pushed the protonvpn-wireguard branch from be0c12b to 51dd103 on August 1, 2024 12:28
@TheRealBix

Currently running this PR but it just switches servers constantly by being unhealthy:

env settings :

      - SERVER_HOSTNAMES=node-fr-13.protonvpn.net,node-fr-14.protonvpn.net,node-fr-07.protonvpn.net         #config openvpn/test
      - VPN_SERVICE_PROVIDER=protonvpn                                                         #config test
      - VPN_TYPE=wireguard                                                                     #config test
      - WIREGUARD_PRIVATE_KEY=********************************************                     #config test
      - WIREGUARD_ADDRESSES=10.2.0.2/32                                                        #config test
      - PORT_FORWARD_ONLY=on                                                                   #config test
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn                                                 #config test

logs : https://hastebin.skyra.pw/imarehilod.yaml

@qdm12
Owner Author

qdm12 commented Aug 1, 2024

@TheRealBix thanks for trying it out!
Funnily the first try worked for a few seconds:

INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
INFO [healthcheck] healthy!
INFO [dns] downloading DNS over TLS cryptographic files
INFO [dns] downloading hostnames and IP block lists
INFO [dns] init module 0: validator
INFO [dns] init module 1: iterator
INFO [dns] start of service (unbound 1.20.0).
INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
INFO [dns] ready
INFO [ip getter] Public IP address is 185.246.211.78 (France, Île-de-France, Paris)
INFO [vpn] There is a new release v3.38.0 (v3.38.0) created 129 days ago

Perhaps drop the MTU WIREGUARD_MTU=1300? Also, as far as I understood, all their Protonvpn servers do support both openvpn and wireguard correct?

@TheRealBix

I'll try dropping the MTU after work. Indeed they support both openvpn and wireguard, openvpn config with those same servers works fine.

@dougNetD

dougNetD commented Aug 1, 2024

Looks good to me! I don't really have any traffic on it at the moment though. I'll try some more servers I'd usually use.

logs: https://hastebin.skyra.pw/icoyaceyis.yaml

@dougNetD

dougNetD commented Aug 2, 2024

I added country and city to get on faster/closer servers and it's been fine for a few hours. I changed servers a few times by restarting container it's come back up fine every time.

  gluetun:
    image: qmcgaw/gluetun:pr-2390
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8080:8080/tcp #QBittorrent WebUI
    volumes:
      - /gluetun/config:/gluetun
      - /gluetun/config:/tmp/gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY= ***************************
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - VPN_DNS_ADDRESS=10.2.0.1
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
      - SERVER_COUNTRIES=United States
      - SERVER_CITIES=Los Angeles
      - TZ=America/Los_Angeles
      - UPDATER_PERIOD=24h

@TheRealBix

TheRealBix commented Aug 2, 2024

I added "VPN_PORT_FORWARDED=on" and "VPN_DNS_ADDRESS=10.2.0.1" that I missed on the first try, plus allowed more servers for the night (all Paris servers). I did not try to change the MTU yet, but I will.

I still had some unhealthy states and ipgetter seems to fail somehow

https://hastebin.skyra.pw/ajolabopom.yaml

edit bonus: unbelievable how light WireGuard is compared to OpenVPN

@qdm12
Owner Author

qdm12 commented Aug 2, 2024

@TheRealBix Great thanks for the feedback! A bit odd how it stays online only for 5 minutes then dies... (except the last one!??)
Do you have any keep alive value in your wireguard configurations!??? If yes, that could be why the connection drops.
EDIT: never mind found #134 (comment) so I guess I won't know what's wrong on your end 😕
If not, I don't know what's wrong on your side of things sadly, and will go ahead and merge this 😉 !

@qdm12
Owner Author

qdm12 commented Aug 2, 2024

I'm currently adding documentation to the wiki, can anyone please describe a little few steps (just text and links please) on how to get your wireguard configuration file? A bit like described for Mullvad at https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/mullvad.md#wireguard-only Thank you 🙏 !

@TheRealBix

Well, indeed it's not stable. Here's a try with a 1300-byte MTU:

https://hastebin.skyra.pw/cubewiqiwa.yaml

Guess I'll try messing with private keys now.

@dougNetD

dougNetD commented Aug 2, 2024

@qdm12
WIREGUARD_PRIVATE_KEY is your 32 bytes key in base64 format. The private key can only be obtained by generating a Wireguard configuration file. Generate a Wireguard configuration file, copy the displayed PrivateKey value and optionally download the conf file. Note this value is the same for all ProtonVPN servers. 💁 Guide how to generate configuration file

I think private key is all you need from the config downloaded, as address and DNS (optional?) are the same for all servers.

config file:               required environment vars:
PrivateKey = ************* (WIREGUARD_PRIVATE_KEY)
Address = 10.2.0.2/32      (WIREGUARD_ADDRESSES)
DNS = 10.2.0.1             (VPN_DNS_ADDRESS)

The protonVPN configuration downloads page is terribly laggy to load the server lists.😄

@TheRealBix Was wireguard with protonVPN as a custom provider stable for you previously on :latest image?

@qdm12
Owner Author

qdm12 commented Aug 3, 2024

@dougNetD Great, address is automatically set to 10.2.0.2/32 for ProtonVPN from now on, and thanks for the instructions 💯. Waiting for @TheRealBix feedback before merging this and the wiki update. And yes DNS is optional to use Protonvpn's DNS (which I don't recommend).

@qdm12 qdm12 marked this pull request as ready for review August 3, 2024 09:45
@TheRealBix

TheRealBix commented Aug 3, 2024

edit about OpenVPN: I finally have the same connection instability with OpenVPN https://hastebin.skyra.pw/bijepotahu.yaml, definitely an issue on my end...

I did not run a lot with gluetun on wg config file, only for testing purposes.
I was previously using a build of qbt with integrated vpn, indeed it wasn't stable and I had to change config file pretty often, which made me switch to gluetun w/openvpn (to get a server rotation).
I don't remember having issues with openvpn, it did change servers from time to time but nothing like this. This night connection was unstable from 23:00 to 2:46 then went stable (12:39 it's still good)

It could very well be an issue on my end, maybe with my ISP peering with proton servers.

As for the wiki (removed VPN_PORT_FORWARDING_PROVIDER as I believe it shouldn't be used anymore):

ProtonVPN

TLDR

docker run -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=protonvpn \
-e OPENVPN_USER=abc -e OPENVPN_PASSWORD=abc \
-e SERVER_COUNTRIES=Netherlands qmcgaw/gluetun

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - OPENVPN_USER=abc
      - OPENVPN_PASSWORD=abc
      - SERVER_COUNTRIES=Netherlands

Required environment variables

  • VPN_SERVICE_PROVIDER=protonvpn

OpenVPN

Wireguard

  • VPN_TYPE=wireguard
  • WIREGUARD_PRIVATE_KEY is your 32 bytes key in base64 format. The private key can only be obtained by generating a Wireguard configuration file. Generate a Wireguard configuration file, copy the displayed PrivateKey value and optionally download the conf file. Note this value is the same for all ProtonVPN servers. 💁 Guide how to generate configuration file
  • WIREGUARD_ADDRESSES=10.2.0.2/32

Optional environment variables

  • SERVER_COUNTRIES: Comma separated list of countries
  • SERVER_CITIES: Comma separated list of cities
  • SERVER_HOSTNAMES: Comma separated list of server hostnames
  • FREE_ONLY: Filter only free tier servers by setting it to on. It defaults to off.
  • STREAM_ONLY: Filter only free tier servers by setting it to on. It defaults to off.
  • SECURE_CORE_ONLY: Filter only secure core servers by setting it to on. It defaults to off.
  • TOR_ONLY: Filter only TOR servers by setting it to on. It defaults to off.
  • PORT_FORWARD_ONLY: Filter only port-forwarding enabled (aka p2p) servers by setting it to on. It defaults to off.
  • VPN_ENDPOINT_PORT: Custom OpenVPN server endpoint port to use
    • For TCP: 443, 5995 or 8443
    • For UDP: 80, 443, 1194, 4569, 5060
    • Defaults are 1194 for UDP and 443 for TCP
  • VPN_PORT_FORWARDING: defaults to off and can be set to on to enable port forwarding on the VPN server.
  • VPN_DNS_ADDRESS=10.2.0.1 to use the default Proton DNS, not recommended.

VPN server port forwarding

Requirements:

  • For OpenVPN, add +pmp to your username (thanks to @mortimr)
  • VPN_PORT_FORWARDING=on

Multi hop regions

Simply set the SERVER_HOSTNAMES environment variable to a hostname corresponding to a multi hop region (see Servers).

For example setting SERVER_HOSTNAMES=ch-us-01a.protonvpn.com would set a multi hop with entry in Switzerland and exit in the US.

Moderate NAT/NAT Type 2

Paid ProtonVPN subscribers can optionally use Moderate NAT on their connections.

To do so, the OpenVPN username assigned by ProtonVPN should have +nr appended to the end of it.

Servers

To see a list of servers available, list the VPN servers with Gluetun.

@qdm12
Owner Author

qdm12 commented Aug 3, 2024

It could very well be an issue on my end, maybe with my ISP peering with proton servers.

💩 happens 🤷

For the wiki:

  • VPN_PORT_FORWARDING_PROVIDER indeed, I forgot to remove it on my end (local file changes for now), done 👍
  • VPN_TYPE=wireguard I forgot that as well, thanks!
  • WIREGUARD_ADDRESSES removed since it's always the same for everyone and all servers
  • VPN_DNS_ADDRESS actually doesn't exist 😄 It's DNS_ADDRESS, and it's documented in the setup/options/dns.md document. No need to mention it I would say, people can figure it out if they really want to use that.

Merging this ⛵ !

@qdm12 qdm12 merged commit ac9446e into master Aug 3, 2024
7 checks passed
@qdm12 qdm12 deleted the protonvpn-wireguard branch August 3, 2024 14:10
MaVdbussche added a commit to MaVdbussche/gluetun-wiki that referenced this pull request Aug 15, 2024
@heronimoo

I think a detail has gone wrong here. The wiki still includes the following paragraph (directly under the docker compose) that should not be there anymore, since that info has been redacted and put in the Wireguard section further down. Particularly the "custom provider" part makes this confusing.

💁 To use with Wireguard, download a configuration file from account.proton.me/u/0/vpn/WireGuard and head to the custom provider Wireguard section. Thanks to @pvanryn for pointing this out. Note however you cannot filter servers as easily as with OpenVPN since each server uses its own private key and/or peer address.

I just switched to Wireguard and it seems to be working fine. Thank you as always!

@notDavid

Hi all, thank you for this implementation!
Just wanted to report back that everything is working fine for me, except, keeping the Proton DNS address by setting: DNS_ADDRESS=

I tried (every combination of):

- DNS_ADDRESS=10.2.0.1
- DOT=off
- DNS_KEEP_NAMESERVER=on

But, as soon as I set DOT=off I get the known loop program has been unhealthy for 6s: restarting VPN.

Does this work correctly for anyone else ?

gene1wood added a commit to gene1wood/gluetun-wiki that referenced this pull request Nov 28, 2024
* Remove the section that recommends users follow the "custom provider" documentation. This section was accidentally left in, in #2390 but should have been removed (as @heronimoo [points out][1]). Removing this section will prevent users from following the "custom provider" instructions and incorrectly setting values like `WIREGUARD_ENDPOINT_IP`, `WIREGUARD_ENDPOINT_PORT`, `WIREGUARD_PUBLIC_KEY` and `WIREGUARD_ADDRESSES`. If the user sets `WIREGUARD_ENDPOINT_PORT` it triggers the ["endpoint port is set" error][2]
* Remove the note about each WireGuard server using its own private key (as later in the page it states that the private key is the same for all servers)
* Expand the documentation about the `WIREGUARD_PRIVATE_KEY` value to state explicitly to ignore all the unused values in the ProtonVPN generated configuration file. This also changes the link from the ProtonVPN downloads page to the ProtonVPN page for generating WireGuard configs.
* Reorganize the VPN server port forwarding section to clarify which settings apply to OpenVPN and which apply to WireGuard.
* Add the `PORT_FORWARD_ONLY` setting to the VPN server port forwarding section
* Add examples to clarify the OpenVPN username appending trick for port forwarding and moderate NAT.
* Fix capitalization of WireGuard

[1]: qdm12/gluetun#2390 (comment)
[2]: https://github.com/qdm12/gluetun/blob/68ddbfc0fed316f2e22c3b979b2186522a194da1/internal/configuration/settings/wireguardselection.go#L59-L64
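The mapping that dougNetD spelled out (config file PrivateKey → WIREGUARD_PRIVATE_KEY), the wiki's "32 bytes key in base64 format" requirement, and the point in gene1wood's commit message about ignoring every other field of the generated file can be turned into a small converter. The following is an added example, not gluetun's or ProtonVPN's own code: it reads a ProtonVPN-style WireGuard .conf, checks that PrivateKey decodes to exactly 32 bytes, emits only the environment variables the built-in protonvpn provider needs, and lists the fields (Address, DNS, PublicKey, AllowedIPs, Endpoint) that must not be copied into the "custom provider" variables. The sample config and both keys in it are constructed placeholders (32 bytes of 0x01 and 0x02), not real key material; the `[Interface]`/`[Peer]` layout is assumed from how the thread describes the generated file.

```python
import base64
import binascii
import configparser

# Fields of the generated file that gluetun's built-in protonvpn provider
# fills in itself. Copying them into WIREGUARD_ENDPOINT_IP,
# WIREGUARD_ENDPOINT_PORT, WIREGUARD_PUBLIC_KEY or WIREGUARD_ADDRESSES is
# the "custom provider" mistake the thread describes.
DERIVED_BY_GLUETUN = {
    ("Interface", "Address"),
    ("Interface", "DNS"),
    ("Peer", "PublicKey"),
    ("Peer", "AllowedIPs"),
    ("Peer", "Endpoint"),
    ("Peer", "PersistentKeepalive"),
}

# Constructed sample in the assumed ProtonVPN layout. Keys are placeholders
# (32 bytes of 0x01 / 0x02), not real ProtonVPN key material.
SAMPLE_CONF = """\
[Interface]
# Key for gluetun-test (constructed)
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# FR#13 (constructed)
PublicKey = AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def parse_wireguard_conf(text):
    """Parse the INI-style file, keeping WireGuard's case-sensitive key names."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "PrivateKey", do not lowercase it
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def validate_private_key(key):
    """True only if key is strict base64 of exactly 32 bytes (Curve25519 scalar)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def ignored_fields(text):
    """Fields present in the file that must NOT become gluetun env vars."""
    conf = parse_wireguard_conf(text)
    return sorted(
        f"{section}.{key}"
        for section, key in DERIVED_BY_GLUETUN
        if key in conf.get(section, {})
    )


def to_gluetun_env(text, port_forwarding=False, keep_proton_dns=False):
    """Env vars for the built-in protonvpn provider; only PrivateKey is taken.

    port_forwarding adds the two variables from the wiki draft in the thread.
    keep_proton_dns sets DNS_ADDRESS (the name qdm12 corrected VPN_DNS_ADDRESS
    to), which the thread does not recommend, so it is off by default.
    """
    conf = parse_wireguard_conf(text)
    key = conf.get("Interface", {}).get("PrivateKey")
    if key is None or not validate_private_key(key):
        raise ValueError("PrivateKey missing or not a base64-encoded 32-byte key")
    env = {
        "VPN_SERVICE_PROVIDER": "protonvpn",
        "VPN_TYPE": "wireguard",
        "WIREGUARD_PRIVATE_KEY": key,
    }
    if port_forwarding:
        env["VPN_PORT_FORWARDING"] = "on"
        env["PORT_FORWARD_ONLY"] = "on"
    if keep_proton_dns and "DNS" in conf.get("Interface", {}):
        env["DNS_ADDRESS"] = conf["Interface"]["DNS"]
    return env


def render_compose_environment(env):
    """Format as the `environment:` list entries used in the compose snippets above."""
    return "\n".join(f"      - {name}={value}" for name, value in env.items())


if __name__ == "__main__":
    env = to_gluetun_env(SAMPLE_CONF, port_forwarding=True)
    print("ignored fields:", ", ".join(ignored_fields(SAMPLE_CONF)))
    print(render_compose_environment(env))
```

Run it against a real downloaded file by replacing SAMPLE_CONF with the file's contents; anything listed under "ignored fields" is expected in the file and is deliberately not emitted, and a key that fails the 32-byte check is a copy/paste error rather than something to force through.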