Hi all, I am following this guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
And on step 6, it says
Quote
Monitor IP
Insert the endpoint VPN tunnel IP (NOT the public IP) of your VPN provider - see note below
Note
Specifying the endpoint VPN tunnel IP is preferable. As an alternative, you could include an external IP such as 1.1.1.1 or 8.8.8.8, but be aware that this IP will only be accessible through the VPN tunnel (OPNsense creates a static route for it), and therefore will not be accessible from local hosts that are not using the tunnel.
Some VPN providers will include the VPN tunnel IP of the endpoint in the configuration data they provide. For others (such as Mullvad), you can get the IP by running a traceroute from a host that is using the tunnel - the first hop after OPNsense is the VPN provider's tunnel IP.
This worked fine on Windscribe: when I connect using their WireGuard .conf, traceroute showed me the next hop as this guide implies. But on ProtonVPN, they must be doing something to prevent you from tracing it - it just shows up as * * * for 30 attempts in a row, then exits. It doesn't find even one successful hop properly. The rest of the internet is working great though, pings included, so I have no idea what to do.
What do I put in for Monitor IP when I can't traceroute? There's an Endpoint listed in the .conf with the port I connect to, but the note specifically says not to use that.
Thanks very much, I'm at a standstill now for adding ProtonVPN.
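Added example (not from the OPNsense guide or from anyone in this thread): a small Python script that applies the rule the quoted note gives, "the first hop after OPNsense is the provider's tunnel IP", to saved traceroute output, and reports when that rule cannot be applied because the hop after the router never answered (the all-`* * *` case above). The traceroute transcripts, the 10.64.0.1 tunnel address and the OPNsense LAN address 192.168.1.1 are all constructed assumptions for the demo.

```python
"""Pick the VPN provider's tunnel-side IP out of traceroute output.

Added example, not from the OPNsense docs or the forum thread. Rule applied
(from the guide): trace from a host routed through the tunnel; the hop right
after the OPNsense LAN address is the provider's tunnel IP. Works on Linux/BSD
`traceroute` and Windows `tracert` transcripts because it only needs the hop
number at the start of a line and an IPv4 literal somewhere on it.
All sample data below is constructed; 192.168.1.1 as the OPNsense LAN IP is
an assumption.
"""
import ipaddress
import re
from typing import Optional

# A hop line starts with the hop number; everything else on it is free text.
_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Dotted-quad candidate; validated with ipaddress so RTTs like "23.118" never match.
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_hops(text: str) -> list[Optional[str]]:
    """Return one entry per hop: the responding IPv4 address, or None for a
    hop that only produced timeouts ('* * *' / 'Request timed out.')."""
    hops: list[Optional[str]] = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # header lines such as "traceroute to ..." carry no hop
        ip = None
        for cand in _IPV4_RE.findall(m.group(2)):
            try:
                ip = str(ipaddress.IPv4Address(cand))
                break
            except ValueError:
                continue  # not a real address (e.g. 300.1.2.3)
        hops.append(ip)
    return hops


def tunnel_ip(text: str, router_ip: str) -> Optional[str]:
    """The guide's rule, applied strictly: the hop immediately after the
    OPNsense LAN address. Returns None when the router never answered or the
    very next hop timed out; a later answering hop is NOT assumed to be the
    provider, since intermediate hops may simply drop the probes."""
    hops = parse_hops(text)
    if router_ip not in hops:
        return None
    idx = hops.index(router_ip)
    if idx + 1 >= len(hops):
        return None
    return hops[idx + 1]


# Constructed sample: provider answers on the hop after the router.
TRACE_OK = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.371 ms
 2  10.64.0.1 (10.64.0.1)  23.118 ms  23.090 ms  23.075 ms
 3  * * *
 4  1.1.1.1 (1.1.1.1)  24.501 ms  24.488 ms  24.470 ms
"""

# Constructed sample: router answers, but nothing beyond it ever replies.
TRACE_SILENT_PROVIDER = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.402 ms  0.377 ms  0.365 ms
 2  * * *
 3  * * *
 4  * * *
"""

# Constructed sample in Windows tracert layout: no hop replies at all.
TRACE_ALL_STARS = """\
Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""


def describe(text: str, router_ip: str) -> str:
    """Human-readable verdict for a transcript, so the fallback is explicit."""
    ip = tunnel_ip(text, router_ip)
    if ip is not None:
        return f"Monitor IP candidate (provider tunnel IP): {ip}"
    return ("Tunnel IP not determinable from this trace; use a fixed external "
            "monitor IP instead (it will only be reachable via the tunnel).")


if __name__ == "__main__":
    for name, trace in [("ok", TRACE_OK),
                        ("silent provider", TRACE_SILENT_PROVIDER),
                        ("all stars", TRACE_ALL_STARS)]:
        print(f"{name:16s} -> {describe(trace, '192.168.1.1')}")
```

Paste your own traceroute/tracert output into one of the sample strings and set the router address to your OPNsense LAN IP; when the script reports "not determinable", that is exactly the situation the replies below address, and a fixed external IP that no LAN client needs directly is the fallback.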
You can use any, but as stated in the tutorial, be aware that this IP will not be reachable for clients via "normal WAN". Just use an IP that you usually do not need to connect to...
I put 9.9.9.9 since I do not need to connect there (Quad9) with any client*.
* In my "special" situation I would not have problems connecting to this IP from any client since I use policy-based routing that would route all traffic to WAN/failover, except for clients that are routed explicitly to the VPN.
Just for information:
Also without policy-based routing, clients will still be able to connect to 9.9.9.9, but this traffic will always leave the sense via VPN, not via the "normal internet".
Appreciate that. I don't use those 8.8.8.8-style DNS servers normally, so I set it to 8.8.8.8 as per the notes, thanks very much! I just need to figure out why my public IP is being exposed via DNS leak tests while using my VPN now! My mind is blown; how did they find my home IP even when IP check sites clearly show I'm on the VPN?