[SOLVED] ProtonVPN configuration

Hello friends, I am a newbie when it comes to VPNs and I need help.
I will tell you my idea so you can correct me if necessary:
Until a while ago, my ISP delivered a public IP, but for a few days now it has not; it only delivers a private IP. With this change I can no longer remotely access my LAN devices (I cannot do port forwarding).
My idea, if possible, is to use a free VPN service to be able to access the services of my devices on the LAN again (SSH for example), but I cannot find the correct configuration.
I am trying to configure ProtonVPN but I can't make it work. This is my configuration and the log output:

Router:
TP-Link TL-WR1043N/ND v1
OpenWrt 18.06.5 r7897-9d401013fc / LuCI openwrt-18.06 branch (git-19.334.34552-3a3d8f4)

VPN:
config openvpn 'ProtonVPN'
	option float '1'
	option client '1'
	option reneg_sec '0'
	option verb '3'
	option persist_key '1'
	option nobind '1'
	option remote_cert_tls 'server'
	list remote 'nl-free-01.protonvpn.com'
	option remote_random '1'
	option tun_mtu '1500'
	option cipher 'AES-256-CBC'
	option tun_mtu_extra '32'
	option auth 'SHA512'
	option persist_tun '1'
	option pull '1'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option fast_io '1'
	option tls_auth '/etc/openvpn/tlsauth.key'
	option tls_client '1'
	option proto 'udp'
	option ca '/etc/openvpn/cbid.openvpn.ProtonVPN.ca'
	option comp_lzo 'no'
	option port '443'
	option redirect_gateway 'def1'
	option resolv_retry 'infinite'
	option ifconfig_nowarn '1'
	option dev 'tun'
	option enabled '1'

Log:
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.142.214:443
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: UDP link local: (not bound)
Thu Dec 5 12:08:10 2019 daemon.notice openvpn(ProtonVPN)[5043]: UDP link remote: [AF_INET]46.166.142.214:443

Network:
config interface 'ProtonVPN'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'
	option delegate '0'

Firewall:
config zone
	option name 'VPNFW'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'ProtonVPN'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'VPNFW'
	option src 'lan'

config forwarding
	option dest 'VPNFW'
	option src 'wan'

config forwarding
	option dest 'lan'
	option src 'VPNFW'

config forwarding
	option dest 'wan'
	option src 'VPNFW'

ifconfig:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Could somebody help me?
Also, if this idea is possible, I would use DDNS to obtain a domain and access it from outside as I did with the public (dynamic) IP.
Anyway, I might be trying to do something impossible ... Feel free to correct my crazy idea or propose some other solution !!!

Thank you!!!

Make sure that the configuration provided to you by Proton is correctly applied, as I don't see it initializing properly in the logs and the tun0 interface does not get an IP.
Other than that you can delete these:

config forwarding
	option dest 'VPNFW'
	option src 'wan'

config forwarding
	option dest 'lan'
	option src 'VPNFW'

config forwarding
	option dest 'wan'
	option src 'VPNFW'

and change this option input 'ACCEPT' into REJECT.

Also make sure that Proton will provide you a public IP, or will agree to forward you some ports.
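
The firewall changes recommended in the reply above, turned into a small audit (an added example, not part of the original thread): it parses a UCI firewall section and flags a VPN zone whose input is not REJECT and any forwarding involving that zone other than lan -> VPN. The sample text is constructed from the question's config, and the function names `parse_uci` and `audit` are hypothetical.

```python
import shlex

# Constructed sample: the question's firewall section, unrelated zone options omitted.
POSTED = """
config zone
	option name 'VPNFW'
	option input 'ACCEPT'
	option network 'ProtonVPN'
config forwarding
	option dest 'VPNFW'
	option src 'lan'
config forwarding
	option dest 'VPNFW'
	option src 'wan'
config forwarding
	option dest 'lan'
	option src 'VPNFW'
config forwarding
	option dest 'wan'
	option src 'VPNFW'
"""

def parse_uci(text):
    """Parse 'config <type>' sections and their 'option <key> <value>' lines."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips the UCI quoting
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"_type": tok[1]})
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][tok[1]] = tok[2]
    return sections

def audit(text, vpn_zone="VPNFW"):
    """Return findings for a client-only VPN zone, following the reply's advice."""
    findings = []
    for s in parse_uci(text):
        if s["_type"] == "zone" and s.get("name") == vpn_zone:
            if s.get("input", "").upper() != "REJECT":
                findings.append("zone %s: input should be REJECT" % vpn_zone)
        elif s["_type"] == "forwarding":
            pair = (s.get("src"), s.get("dest"))
            # Only lan -> VPN is kept; everything else touching the zone goes.
            if vpn_zone in pair and pair != ("lan", vpn_zone):
                findings.append("forwarding %s -> %s: delete" % pair)
    return findings

for finding in audit(POSTED):
    print(finding)
```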

Thanks for answering!!!

I looked for information about port forwarding on ProtonVPN and I found it is not possible (at least with free accounts). I think I should have started researching this point before trying the rest, sorry :sob:
With this information present, I discard my current attempt as it would have no results.

Since we are ... Any way to get to my lan from the outside taking into account that my ISP delivers private IP? I found something about ngrok and localtunnel ... Any of those options may be valid for what I'm looking for?

Thank you very much and sorry for the English, I use the Google translator. :crazy_face:

Google translator does fine work here. :slight_smile:

It depends what are your expectations. For example teamviewer or nomachine can give you access to some host inside your LAN and could be for free.
Other ways like reverse ssh tunneling need some ssh server on the internet.

:rofl:

Thanks for the info!!!

Investigating a little more, I found this information:
localtunnel: only http ports (without SSH)
ngrok: dynamic port and url with free account
:expressionless:

These options had occurred to me to use in my Raspberry Pi but with this new information I think they would not work for me either.

What I am looking for is for experimentation and learning (I like all this and play a bit with the settings), but I think I will have to give up my ideas ... unless my ISP administrator is good people and reallocates me a public IP, but I doubt it.

Thanks again.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

What is the IP of your tun0 interface? The common case is a private IP like 10.X.X.X, so it is not a solution. To solve your issue I recommend you buy a VPS with a real IP and configure an OpenVPN server on it. You can use, e.g., the CloudAtCost provider.
