Setting up ProtonVPN with Wireguard on OpenWrt


Figure: an illustration of how this setup works

Download the configuration file

Go to https://account.protonvpn.com/downloads#wireguard-configuration and download the wireguard config file.

Install Wireguard on OpenWrt

# First of all, update the package mirrors
opkg update

# Then install Wireguard
opkg install wireguard-tools

Configuring Wireguard

Here’s a quick and dirty script to read the config file and set up Wireguard:

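#!/bin/sh
# Based on the OpenWrt documentation:
# https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

# This script is licensed under CC-BY-SA 4.0:
# https://creativecommons.org/licenses/by-sa/4.0/

# Require exactly one argument that is a readable file
if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  printf "\nUsage: <script name> <protonvpn wireguard config>\n\n"
  exit 1
fi

# Match each key only at the start of a line, so comment lines are ignored
PUBLIC_KEY=$(sed -n 's/^PublicKey = //p' "$1")
PRIVATE_KEY=$(sed -n 's/^PrivateKey = //p' "$1")

# Interface
VPN_IF="protonvpn"

# Server address and port (Endpoint = <host>:<port>)
VPN_SERV=$(sed -n 's/^Endpoint = \([^:]*\):.*/\1/p' "$1")
VPN_PORT=$(sed -n 's/^Endpoint = .*://p' "$1")

# Address
VPN_ADDR=$(sed -n 's/^Address = //p' "$1")

# Stop before touching the router's configuration if anything is missing
for value in "$PUBLIC_KEY" "$PRIVATE_KEY" "$VPN_SERV" "$VPN_PORT" "$VPN_ADDR"; do
  if [ -z "$value" ]; then
    printf "\nCould not read all required fields from %s\n\n" "$1"
    exit 1
  fi
done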

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${VPN_IF}"
uci add_list firewall.wan.network="${VPN_IF}"
uci commit firewall

/etc/init.d/firewall restart

# Configure network
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${PRIVATE_KEY}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${VPN_IF}"
uci set network.wgserver.public_key="${PUBLIC_KEY}"
uci set network.wgserver.endpoint_host="${VPN_SERV}"
uci set network.wgserver.endpoint_port="${VPN_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

printf "\nProtonVPN + Wireguard configuration done!\n\n"

Copy the script and the downloaded config file to OpenWrt over SSH (run the command once per file):

scp -O -P <port> <path to local file> user@gateway:<path to store file on OpenWrt>

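Run it from OpenWrt, passing the config file as its argument:

chmod +x script-name.sh
./script-name.sh <path to config file on OpenWrt>

The config file contains your Wireguard private key, so remove it from the router once the script has finished.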

You should now be connected to ProtonVPN over Wireguard. You may check your IP at: https://ipchicken.com/
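
The setup script applies whatever it extracts from the config file and then restarts the network, so a malformed or hand-edited file is only noticed after the router's configuration has changed. The following is an added example, not part of the original script: the function names `wg_conf_get`, `is_wg_key` and `wg_conf_check` and the sample file are assumptions, and it parses the config section by section and validates the fields before anything is written to uci.

```shell
#!/bin/sh
# wg_conf_get FILE SECTION KEY: print KEY's value from [SECTION] only,
# ignoring comments, CRLF line endings and stray whitespace.
wg_conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    { sub(/\r$/, ""); sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }
    /^\[/ { cur = $0; next }
    cur == sec {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Shape check only: a WireGuard key is 32 bytes = 43 base64 chars plus "=".
is_wg_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# wg_conf_check FILE: one line per problem (key material is never echoed);
# returns 0 only if every field the setup script needs is usable.
wg_conf_check() {
  _bad=0
  [ -r "$1" ] || { echo "cannot read config"; return 1; }
  is_wg_key "$(wg_conf_get "$1" Interface PrivateKey)" || { echo "bad PrivateKey"; _bad=1; }
  is_wg_key "$(wg_conf_get "$1" Peer PublicKey)" || { echo "bad PublicKey"; _bad=1; }
  [ -n "$(wg_conf_get "$1" Interface Address)" ] || { echo "missing Address"; _bad=1; }
  _ep=$(wg_conf_get "$1" Peer Endpoint); _host=${_ep%:*}; _port=${_ep##*:}
  if [ "$_host" = "$_ep" ] || [ -z "$_host" ] ||
     ! printf '%s' "$_port" | grep -Eq '^[0-9]{1,5}$' ||
     [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
    echo "bad Endpoint"; _bad=1
  fi
  return "$_bad"
}

# Constructed sample (placeholder key of 32 zero bytes, documentation IP).
SAMPLE_CONF=$(mktemp)
SAMPLE_KEY=$(printf '%043d' 0 | tr 0 A)=
cat > "$SAMPLE_CONF" <<EOF
[Interface]
# PrivateKey = old-key   (a comment that an unanchored grep also matches)
PrivateKey = $SAMPLE_KEY
Address = 10.2.0.2/32

[Peer]
PublicKey = $SAMPLE_KEY
Endpoint = 192.0.2.10:51820
EOF
wg_conf_check "$SAMPLE_CONF" && echo "config is safe to apply"
```

Calling `wg_conf_check "$1" || exit 1` at the top of the setup script stops it before the first `uci` command when the file is unusable.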

Enabling/Disabling ProtonVPN

To disable:

uci set network.protonvpn.auto='0'
uci commit network
/etc/init.d/network restart

To enable:

uci set network.protonvpn.auto='1'
uci commit network
/etc/init.d/network restart

Toggle script

#!/bin/sh
# Script licensed under CC-BY-SA 4.0

# "auto" defaults to 1 when it is unset, so treat anything other than 0 as enabled
if [ "$(uci -q get network.protonvpn.auto)" != "0" ]; then
  uci set network.protonvpn.auto='0'
  uci commit network
  /etc/init.d/network restart
  printf "\nVPN Disabled\n"
else
  uci set network.protonvpn.auto='1'
  uci commit network
  /etc/init.d/network restart
  printf "\nVPN Enabled\n"
fi