When your ISP does not provide a routable address but you would like to establish SSH access to systems they serve while you are away, ProtonVPN can be used. There is not much documentation about how to do this, but this note may help.
Set up a ProtonVPN tunnel that supports NAT-PMP (PMP) port forwarding and activate it, as documented, by adding +pmp to your username in the configuration file. Bring up the tunnel and set up a dynamic DNS name to provide remote access to the public IP address of this tunnel.
In /etc/config/network:
config interface 'VPN'
	option proto 'none'
	option device 'tun0'
	option delegate '0'
In /etc/config/firewall:
config zone
	option name 'VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VPN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Proton Forward'
	option family 'ipv4'
	list proto 'tcp'
	option src 'VPN'
	option src_dport '22'
	option dest_ip 'ac.ce.de.193'
	option dest_port '22'
This pulls the SSH traffic out of the tunnel and routes it to the computer assigned the placeholder IPv4 address ac.ce.de.193.
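Now you'll need to open the port. Run this script in the background:
pmpconf &
#!/bin/sh
#
# Run natpmpc in a loop to support ProtonVPN's absurd 60 second refresh requirement.
# -g is the NAT-PMP gateway inside the tunnel; -a asks for a TCP mapping to
# local port 22 with a 60 second lifetime.
while true
do
	natpmpc -g 10.2.0.1 -a 1 22 TCP 60
	# Renew 5 seconds before the mapping expires.
	sleep 55
done > /tmp/pmpconf.log 2>&1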
It will produce a log file, /tmp/pmpconf.log, which should contain something like this:
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Public IP address : 95.173.221.70
epoch = 11223362
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Mapped public port 63146 protocol TCP to local port 22 liftime 60
epoch = 11223362
closenatpmp() returned 0 (SUCCESS)
That's it. The PMP port will close 60 or so seconds after the script exits. While it's open, you can establish a connection to the designated system:
ssh -p port_number_from_log ddns_hostname
An established connection will persist after the PMP port has closed.
Proton's design leaves much to be desired. The random public address and port change each time the port is opened, and if you're away you'll have to figure out some way to get them. I suppose you could have your target system push them to a web server somewhere, or text or e-mail them.
The sixty second expiration time means five or ten seconds of congestion might cause the port to close.
Both of these problems could be addressed.
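One way to recover the changing address and port from the log, so the target system has something to publish only when they move. This is an added example, not part of the original note: pmp_endpoint and pmp_changed are hypothetical helper names, the sample log is constructed in the format shown above, and the state file path is the caller's choice.

```shell
#!/bin/sh
# Added example: recover the current public endpoint from natpmpc output.

# Constructed sample in the format of the log above: two refresh cycles,
# the second one handed a different public port.
SAMPLE_LOG='using gateway : 10.2.0.1
Public IP address : 95.173.221.70
Mapped public port 63146 protocol TCP to local port 22 lifetime 60
closenatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
Public IP address : 95.173.221.70
Mapped public port 40112 protocol TCP to local port 22 lifetime 60
closenatpmp() returned 0 (SUCCESS)'

# Read natpmpc output on stdin and print "IP PORT" for the most recent mapping
# of local TCP port $1 (default 22). Returns 1 if no well-formed mapping exists.
pmp_endpoint() {
    awk -v lport="${1:-22}" '
        /^Public IP address : / { ip = $NF }
        /^Mapped public port [0-9]+ protocol TCP to local port [0-9]+ / {
            if ($10 == lport) { port = $4; addr = ip }
        }
        END {
            # The log is parsed text: accept only a dotted quad and a port in 1..65535.
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) exit 1
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) exit 1
            print addr, port
        }'
}

# Print the endpoint only when it differs from the one stored in state file $1,
# then update the file. Returns 0 = changed (publish it), 1 = unchanged,
# 2 = no valid mapping in the input.
pmp_changed() {
    new=$(pmp_endpoint "${2:-22}") || return 2
    if [ -f "$1" ] && [ "$(cat "$1")" = "$new" ]; then return 1; fi
    printf '%s\n' "$new" > "$1"
    printf '%s\n' "$new"
}
```

Feeding /tmp/pmpconf.log to pmp_changed on a timer prints a line only when the address or port has moved, which can gate whatever notification method you choose.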