Proton VPN using Wireguard

I am setting up a Raspberry Pi 4B with openWrt and adding Wireguard and Proton VPN. I have 2 ethernet adapters plugged into the USB 3.x ports and I use them as LAN. They are bridged. The on-board Ethernet is WAN. I get internet traffic but the VPN is not working, since I get the Cox IP addr out. I have tinkered around in the Firewall settings but nothing seems to bring the Firewall into the VPN. I work from Luci but I'll include my /etc/config/network file with the keys 'x'ed out.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004e0df6614390042fbaf7df9f3d0f701bc'
	option ula_prefix 'fd83:8a72:cfc5::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.2.1/24'
	list dns '192.168.1.5'
	list dns '8.8.8.8'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'
	option peerdns '0'
	list dns '10.2.0.1'

config device
	option name 'eth0'

config device
	option name 'eth1'

config device
	option name 'eth2'

config interface 'proton'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'
	option defaultroute '0'

config wireguard_proton
	option description 'wg-US-GA-523.conf'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host '89.222.103.2'
	option endpoint_port '51820'
	option route_allowed_ips '1'

Any help would be appreciated.

What is the IP address of one of the computers that is being used for this test?

Remove the default route line below:

let's see:

wg show
cat /etc/config/firewall

192.168.2.94

Good, so that computer is certainly on the lan of this Pi4 router. That said, make sure it doesn't have any other network connections (such as wifi) that could be using your upstream network.

And please post the output of the other two commands I requested.

I turned off the wifi.

Here is the firewall file
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'proton'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'wan'
	option dest 'vpn'
Here is the wg show

interface: proton
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(redacted)
  private key: (hidden)
  listening port: 45468

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(redacted)
  endpoint: 89.222.103.2:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 5 seconds ago
  transfer: 5.48 KiB received, 20.24 KiB sent
  persistent keepalive: every 25 seconds

Good news. Deleting the line in the network file fixed it. I now have Proton VPN.

You have the wan network listed in two firewall zones; that will give indeterminate results. It should be only in the wan zone. For the simple case of forwarding all Internet use to a commercial VPN service you can just add the wireguard interface to the wan zone instead of creating a separate zone.

Also, way too many list dns entries. The only one you need is in one place (typically under the wireguard interface) to direct DNS to the Proton server.

I was strictly using the Luci interface. That is how it was offered in the menu. Select both or it showed 'wan (empty)'.

This is really bad: you are allowing all traffic into your router, and you might already have been hacked, because your wan interface is in the vpn zone.

Remove the wan interface list network 'wan':

and place list network 'wan' in its own wan zone.
Also add MTU fix to this zone.

Unless you route all traffic via the VPN you need to add:

config forwarding
	option src 'lan'
	option dest 'wan'

Remove

You do not need to allow traffic started from proton into your network, who knows what is lurking there.

For the record, my way to set up a Proton WireGuard client:
WireGuard Client Setup Guide
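As an added example (not from the thread, the linked guide, or OpenWrt's own tooling), here is a small sh+awk audit that flags the two problems raised above in a /etc/config/firewall: a network that ends up in more than one zone, and a forwarding with src 'wan'. It assumes the usual UCI layout where 'option name' precedes a zone's 'list network' lines, and the sample config it writes is constructed to mirror the layout posted earlier in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt /etc/config/firewall for the
# two mistakes pointed out above, using only sh + awk so it also runs on the router.
#   1. a network that belongs to more than one zone; a zone with no 'list network'
#      line implicitly covers the network named like the zone (fw3/fw4 default)
#   2. a forwarding with src 'wan', which lets the upstream open connections inward
# One line per finding on stdout; exit status 1 if anything was found, else 0.
audit_firewall() {
    awk '
    function unq(s)    { gsub(/\047/, "", s); return s }   # strip UCI single quotes
    function add(l, z) { return (l == "") ? z : l "," z }
    function flush() {                                     # end of a section
        if (section == "zone" && zone != "" && nnets == 0) owners[zone] = add(owners[zone], zone)
        if (section == "fwd" && src == "wan") {
            printf "FORWARDING wan -> %s: upstream may open connections into %s\n", dest, dest; bad++
        }
    }
    /^config zone/       { flush(); section = "zone"; zone = ""; nnets = 0; next }
    /^config forwarding/ { flush(); section = "fwd"; src = ""; dest = ""; next }
    /^config /           { flush(); section = "other"; next }
    section == "zone" && $1 == "option" && $2 == "name"    { zone = unq($3); next }
    section == "zone" && $1 == "list"   && $2 == "network" { n = unq($3); owners[n] = add(owners[n], zone); nnets++; next }
    section == "fwd"  && $1 == "option" && $2 == "src"     { src = unq($3); next }
    section == "fwd"  && $1 == "option" && $2 == "dest"    { dest = unq($3); next }
    END {
        flush()
        for (n in owners) if (owners[n] ~ /,/) { printf "NETWORK %s is in more than one zone: %s\n", n, owners[n]; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample mirroring the thread: wan zone has no network list (so it implicitly holds wan), vpn zone lists wan too.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
	option name 'wan'
	option masq '1'
config zone
	option name 'vpn'
	option masq '1'
	list network 'proton'
	list network 'wan'
config forwarding
	option src 'wan'
	option dest 'vpn'
EOF
}
```

Run it as `write_sample_firewall /tmp/fw && audit_firewall /tmp/fw`, or point audit_firewall at the router's real /etc/config/firewall.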


Well, they say ignorance is bliss, and I may have been ignorant but I was in bliss. Then I removed the other lines mentioned and it is so broken that doing a restore to the point where it worked doesn't fix it.

I guess I'll start over using the guide from 'egc'.

After several minutes of sitting there it started working again, so I'm going to back out one line at a time and see where it breaks.

So I worked through your guide and found that it is hard to follow. I think I got everything relevant for my setup. Nothing. Dinked with the firewall settings. Nothing. I'm beginning to doubt whether this is doable by anything short of a network engineer or an openWrt expert.