WireGuard ProtonVPN Road Warrior Setup


ProtonVPN is a cloud-based VPN provider, offering secure tunneling with respect to privacy. To set up a WireGuard VPN to ProtonVPN we assume you are familiar with the concepts of WireGuard that you have read the basic howto WireGuard Road Warrior Setup.

Step 1 - Download ProtonVPN configuration

The configuration is available in the ProtonVPN website. The landing page appears after signing in. Click on Downloads from the left hand panel or go to the downloads page and scroll down to the WireGuard configuration

The existing WireGuard configurations appear first with their expiration dates and following are the options to generate new ones.

  • Select a name for the generated configuration


If a name is not provided a unique ID will be generated by ProtonVPN

  • Select Router as a platform

  • Select VPN options

    • There are 3 options for NetShield blocker filtering

      • No filtering

      • Block malware

      • Block malware, ads and trackers

    • There are also options to enable Moderate NAT, NAT-PMP (Port Forwarding) and VPN accelerator as well. The features are documented in the ProtonVPN website.

    • Pick the options that satisfy your requirements and move on to the next section.

  • Select a server to connect to

    • ProtonVPN proposes the best server or allows the user to select manually.

    • When selecting manually there are 2 main choices:

      • Standard vs Secure Core configuration

      • Exit country

    • Pick the one that satisfies your requirements and click on Create to generate the configuration.

    • Upon successful completion a window like the following will appear on the screen.


The full configuration looks like this:

# Bouncing = 0
# NetShield = 1
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = 2Kh7TlGz+7PCFa0jEHat8IWkYZgPmDLAiagGq+dyLks=
Address =

# NO#21
PublicKey = KOITt3KQ72LHPbpVp7kp4cQo/qw2qvKPrN732UTWWFw=
AllowedIPs =
Endpoint =


The private key disappears after creating the configuration so it must be stored. It will be used in the following section to generate the public key. Both are needed for successful configuration.


Do not re-use the private keys in these examples

Step 2 - Generate public key from private key

ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI. The public key will be derived from the private key with the “wg pubkey” command.


echo wgPrivateKey | wg pubkey


wg pubkey < wgPrivateKey

Step 3 - Setup WireGuard Instance

  • Go to VPN ‣ WireGuard ‣ Settings ‣ Instances

  • Click + to add a new Instance configuration

  • Turn on “advanced mode”

  • Configure the Instance from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):




    Call it whatever you want (eg ProtonVPN-ExitCountry )

    Public Key

    Insert the derived public key from the previous step

    Private Key

    Insert the PrivateKey field from the [Interface] section

    Listen Port

    51820 or a higher numbered unique port


    Needs to be 80 bytes shorter than normal MTU. Default 1420

    DNS Server

    Insert the DNS field from the [Interface] section as is (without subnet mask)

    Tunnel Address

    Insert the Address field from the [Interface] section` in CIDR format, eg


    Leave blank for now

    Disable Routes



    Insert the same address as in the DNS Server field above

  • Save the Instance configuration, and then click Apply

Step 4 - Configure the peer

  • Go to VPN ‣ WireGuard ‣ Settings ‣ Peers

  • Click + to add a new Peer

  • Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):




    Call it whatever you want (eg ProtonVPN_Location )

    Public Key

    Insert the PublicKey field from the [Peer] section

    Allowed IPs

    Endpoint Address

    Insert the IP address from the Endpoint field in the [Peer] section

    Endpoint Port

    Insert the port number from the Endpoint field in the [Peer] section


    Select the instance configured in the previous step



  • Save the Peer configuration, and then click Apply


The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different places.

Step 5 - Turn on WireGuard

Turn on WireGuard under VPN ‣ WireGuard ‣ Settings ‣ General if it is not already on

Step 6 - Configure assignments, gateways and routing

The rest of the steps are mostly the same as described in the how-to on selective routing WireGuard Selective Routing to External VPN Endpoint

ProtonVPN DNS leaks

Since ProtonVPN provides a DNS server an extra firewall rule may be required to route the DNS traffic to the WireGuard gateway.

  • Go to Firewall ‣ Rules ‣ [Name of interface for network in which hosts/network resides, eg LAN for LAN hosts]

  • Click Add to add a new rule

  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):






    Whatever interface you are configuring the rule on



    TCP/IP Version




    Source / Invert



    IP of your DNS server

    Destination / Invert



    Select the RFC1918_Networks Alias you created above in the dropdown

    Destination port range

    DNS - DNS


    Add one if you wish to


    Select the WireGuard gateway created according to the selective routing how-to page (eg WAN_ProtonVPN )

  • Save the rule, and then click Apply Changes

  • Then make sure that the new rule is above any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the “Default allow LAN to any rule”

In layman terms if the DNS server makes any requests to a non-local address it will go through the VPN gateway.

All images from ProtonVPN website are the property of ProtonVPN and are used with written permission.