Port forwarding with proton

I got Proton set up as the VPN for my home network. I am trying to get port forwarding to work as well.

I have been using this guide https://protonvpn.com/support/port-forwarding-manual-setup/

I installed the natpmpc package for OpenWrt so that I could see which port is open (see the natpmpc command below). The problem I am running into is that it still does not appear open. I am assuming I may need a PBR policy or firewall policy, just not sure which.

while true ; do date ; natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done

The other problem is that Proton states:

Port forwarding is now activated. Note that closing your terminal window will terminate the loop process. You will need to re-run this loop script each time you want to start a new port forwarding session or the port will only stay open for 60 seconds.

I don't really want to have to SSH into my router and continuously run this loop every time I need to torrent something.

@egc

Please post output of

ubus call system board

from your OpenWrt device.
Proton's guide contains 2 options before the one you elected that do not involve typing a single command.

I guess I am misunderstanding this guide more than I thought. For some additional context, I am using the WireGuard setup for Proton via this guide.

root@router:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "router",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

I tried it and it worked fine. Proton WireGuard.

That's great for you, hoping at some point I can say the same. Any advice?

Nothing special, I followed the instructions from the link in the first post.

Yeah, not sure what's causing the issue. For now, I just have the desktop clients split tunneling to include only qbit, since the port forwarding through the client works as it always has.

Regarding PBR: if your default route is via the VPN, then you do not need to do anything regarding PBR.

You do have to set up the normal port forwarding, but not with the WAN as interface; use the VPN as the interface, to open up the firewall and redirect the traffic to your LAN client.

Can you ping the 10.2.0.1 from the host running the torrent client?

So when I make that port forward rule, I would set the ports to whatever port the command I listed above shows is opened by Proton?

Yes.

Emailed Proton about it, since I am basically following their guides, but they said:

The Port forwarding feature is not officially tested and supported for routers, therefore, I will be unable to provide any specific steps for setting it up on your router, nor guarantee that it will work as intended.

Correct, that is the port which will arrive on the VPN interface.

The next step is that you forward that port to your local LAN server.

Let's say Proton opens port 6161 for you.
The VPN interface is added to the firewall zone vpn_client
Local LAN server is 192.168.1.9 on firewall zone lan and listens on port 443

The rule you are looking for is something like:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'vpn_client'
	option src_dport '6161'
	option dest_ip '192.168.1.9'
	option dest_port '443'

But take note: the local LAN server in this case must also have its default route, or at least its source port, routed via the VPN, as return traffic must also return via the VPN interface.

Theoretically this shouldn't require an extra step, since all traffic is routed via the VPN interface already, right? Or am I misunderstanding this part?

You are right, no extra step required.
If all traffic is routed via the VPN and you only make exceptions with PBR, and you did not make an exception for the local LAN server in question, then you should be fine.

I'll give it a shot and report back.

The only exception made was to bypass the VPN for the guest network. Clients on that network won't be torrenting.


This worked!

My final question is: if I am using two different machines...

After adding another forwarding rule, would I just set the second machine to use the same open port? I am assuming that if I request a new open port it would close the port I am currently using, since I think Proton only allows one open port per config.

No, I do not think so. You can only use one port to forward to one machine, so you need another port.

Anyway, great to hear you solved it and it is working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!


Just adding this in case anyone else finds it helpful.

I had to make a cron job to run:

while true ; do date ; natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done

Otherwise the port closes, and then you need to map a new port and edit the firewall rule, or stay continuously SSHed into the router with this running. I also tried increasing the time, but Proton will only allow a mapping for 60 seconds at a time.

A cron job may not be a good idea, as the loop only exits in case of a mistake.
It keeps running every minute anyway, so you need to re-run it only if it exits.
If you run it every minute with cron, you need to keep only the natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 part.
For now I am running it in screen, but another option is to run it as a startup script or add it as a service.

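The two loose ends in this thread are the 60-second lease (the loop has to keep running) and the fact that Proton can hand out a different port after a gap, which then needs a manual edit of the redirect rule. The script below is an added example, not code from Proton, OpenWrt or anyone in the thread, that ties the renewal loop from the first post to the redirect rule from the answer above: it renews both mappings every 45 seconds, parses the port out of natpmpc's "Mapped public port N protocol ..." line, and only rewrites and reloads the firewall rule when that port has actually changed. Assumptions not present in the thread: the redirect section is given the name `proton_fwd` (i.e. `config redirect 'proton_fwd'` instead of the anonymous `config redirect`), the gateway is 10.2.0.1 as in the posted command, and the sample natpmpc output embedded for the offline demo is constructed, not a real capture.

```sh
#!/bin/sh
# Keep a ProtonVPN NAT-PMP port mapping alive and keep the OpenWrt redirect
# rule pointed at whatever port Proton currently hands out.
# Added example for this thread; not Proton's or OpenWrt's own code.
# Assumed (not from the thread): UCI section firewall.proton_fwd, gateway
# 10.2.0.1, 60 s lease renewed every 45 s as in the posted loop.

GATEWAY="${GATEWAY:-10.2.0.1}"
LIFETIME=60
INTERVAL=45
RULE="${RULE:-firewall.proton_fwd}"   # assumed name of the redirect section

# Extract the public port from natpmpc's "Mapped public port N protocol ..."
# line on stdin. Prints the port; returns 1 if no mapping line was seen.
parse_mapped_port() {
    port=$(sed -n 's/^Mapped public port \([0-9][0-9]*\) protocol .*/\1/p' | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Require the UDP and TCP mappings to land on the same non-zero port, since
# a single redirect rule is written for both. Prints the port or returns 1.
same_port_or_fail() {
    [ "$1" = "$2" ] || return 1
    [ "$1" -gt 0 ] 2>/dev/null || return 1
    printf '%s\n' "$1"
}

# Request (or renew) both mappings with a 60 s lease and print the port.
request_mappings() {
    udp=$(natpmpc -a 1 0 udp "$LIFETIME" -g "$GATEWAY" | parse_mapped_port) || return 1
    tcp=$(natpmpc -a 1 0 tcp "$LIFETIME" -g "$GATEWAY" | parse_mapped_port) || return 1
    same_port_or_fail "$udp" "$tcp"
}

# Rewrite src_dport on the redirect rule only when the port changed, so the
# firewall is not reloaded every 45 s. Port changes are logged for auditing.
update_redirect() {
    new="$1"
    cur=$(uci -q get "$RULE.src_dport")
    [ "$cur" = "$new" ] && return 0
    uci set "$RULE.src_dport=$new" && uci commit firewall && /etc/init.d/firewall reload
    logger -t proton-pf "forwarded port changed ${cur:-none} -> $new"
}

# Renewal loop: a failed natpmpc call is logged and retried, never fatal.
renew_loop() {
    while :; do
        if port=$(request_mappings); then
            update_redirect "$port"
        else
            logger -t proton-pf "natpmpc failed; retrying in $INTERVAL s"
        fi
        sleep "$INTERVAL"
    done
}

# Constructed natpmpc output for an offline demonstration (not a real capture).
SAMPLE_NATPMPC_OUTPUT='initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
sendnewportmappingrequest returned 12 (SUCCESS)
readnatpmpresponseorretry returned 0 (OK)
Mapped public port 35912 protocol UDP to local port 0 lifetime 60
epoch = 1234
closenatpmp() returned 0 (SUCCESS)'

demo_parse() {
    printf '%s\n' "$SAMPLE_NATPMPC_OUTPUT" | parse_mapped_port
}

# Only start the loop when invoked as "proton-pf.sh run", so the functions
# can also be sourced and tested without touching natpmpc or uci.
if [ "${1:-}" = run ]; then
    renew_loop
fi
```

To run it as a service rather than in screen, save it as /usr/bin/proton-pf.sh and start it from a procd init script with `procd_set_param command /usr/bin/proton-pf.sh run` and `procd_set_param respawn`, so it is restarted if it ever dies. Keep the redirect rule's dest_port and proto limited to what the torrent client actually listens on: the mapped port is reachable from the whole internet through Proton's exit, and the only thing between it and the LAN host is that rule.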
