ProtonVPN + Wireguard + NAT-PMP

[opnooz]

Hi all,

I've read through several topics in this forum about setting up ProtonVPN in OPNSense, however none of them seem to go over any procedures to get NAT-PMP port forwarding setup. Has anyone successfully set up ProtonVPN's wireguard config in OPNSense and also got automatic port forwarding working with it? I tried to leverage UPNP to automatically update the port forward in OPNSense, but the forward only seems to work locally within my network (eg. if I tried from my local network to hit the public proton IP, it works), but if trying to publically connect to my forwarded port using the pubic address assigned to my Proton wireguard interface it times out as if it's not being NAT'd properly at the firewall.

Any assistance is appreciated.

Thanks

[ssalvato]

I was able to set up ProtonVPN Port Forwarding, but it's by using the manual steps listed for MacOS on the ProtonVPN site, https://protonvpn.com/support/port-forwarding-manual-setup/#macos.

I'm on Windows, but since Python is platform agnostic I was able to leverage the same commands for setting the Port from my PC, and I just run the loop command whenever I want to Port Forward.

For firewall setup, I added a NAT Port Forward rule from the VPN_WAN interface to my PC, and then set a local tag called "PORT_FORWARD_VPN". Then, I added a Floating Rule with Match local tag set to the previously mentioned tag, and also reply-to set to the VPN gateway (I was having issues with inbound traffic from the VPN having reply-to go out the WAN gateway).

[opnooz]

I was able to set up ProtonVPN Port Forwarding, but it's by using the manual steps listed for MacOS on the ProtonVPN site, https://protonvpn.com/support/port-forwarding-manual-setup/#macos.

I'm on Windows, but since Python is platform agnostic I was able to leverage the same commands for setting the Port from my PC, and I just run the loop command whenever I want to Port Forward.

For firewall setup, I added a NAT Port Forward rule from the VPN_WAN interface to my PC, and then set a local tag called "PORT_FORWARD_VPN". Then, I added a Floating Rule with Match local tag set to the previously mentioned tag, and also reply-to set to the VPN gateway (I was having issues with inbound traffic from the VPN having reply-to go out the WAN gateway).

Hey @ssalvato

I got around to testing this out, I can't seem to get it to work. Would you mind taking a few snapshots of how you got your floating rule setup? Did you follow the wireguard roadrunner opnsense guide? Assuming you are using wireguard?

Thanks

[ssalvato]

I was able to set up ProtonVPN Port Forwarding, but it's by using the manual steps listed for MacOS on the ProtonVPN site, https://protonvpn.com/support/port-forwarding-manual-setup/#macos.

I'm on Windows, but since Python is platform agnostic I was able to leverage the same commands for setting the Port from my PC, and I just run the loop command whenever I want to Port Forward.

For firewall setup, I added a NAT Port Forward rule from the VPN_WAN interface to my PC, and then set a local tag called "PORT_FORWARD_VPN". Then, I added a Floating Rule with Match local tag set to the previously mentioned tag, and also reply-to set to the VPN gateway (I was having issues with inbound traffic from the VPN having reply-to go out the WAN gateway).

Hey @ssalvato

I got around to testing this out, I can't seem to get it to work. Would you mind taking a few snapshots of how you got your floating rule setup? Did you follow the wireguard roadrunner opnsense guide? Assuming you are using wireguard?

Thanks

Hi @opnooz,

I followed the ProtonVPN specific WireGuard road warrior guide: https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html

See my attachments for the floating rules and the port forwarding advanced details.

[TheShrubbery]

Hi @ssalvato

Could you share your port forward rule settings you referred to? You attached the settings for your floating rules.

When I run the py-natpmp command I get 'The gateway does not support NAT-PMP'

Thanks

[BondiBlueBalls]

Hey, all. I'm not sure if this meets your needs, but I wrote a little script that grabs the forwarded port from protonvpn and syncs it with OPNsense and qBittorrent. It's been keeping everything running perfectly for me for over a year. Hope it helps! https://github.com/clajiness/qbop

[TheChrisK]

Hey, all. I'm not sure if this meets your needs, but I wrote a little script that grabs the forwarded port from protonvpn and syncs it with OPNsense and qBittorrent. It's been keeping everything running perfectly for me for over a year. Hope it helps! https://github.com/clajiness/qbop

Can you share how your port forwarding is set up? The guide above is a few months old and I don't think the rule is exactly the same anymore. I am setting up your script now.

[FlyinDuke]

Hey, all. I'm not sure if this meets your needs, but I wrote a little script that grabs the forwarded port from protonvpn and syncs it with OPNsense and qBittorrent. It's been keeping everything running perfectly for me for over a year. Hope it helps! https://github.com/clajiness/qbop

Hi Bondi,

I posted an issue on your github page, with what I'm looking to do.

[ssalvato]

Hi @ssalvato

Could you share your port forward rule settings you referred to? You attached the settings for your floating rules.

When I run the py-natpmp command I get 'The gateway does not support NAT-PMP'

Thanks

I believe this may be due to not using a ProtonVPN server that is enabled for Port Forwarding, or the gateway you're specifying is not the VPN gateway.