Proton VPN (IKEv2)
strongSwan 5.x (ipsec.conf)
1. Download the Proton VPN IKE root CA certificate and convert it from DER to PEM
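# Fetch the Proton VPN IKE root CA, convert it DER -> PEM and install it where the
# ipsec.conf backend looks for trusted CAs (/etc/ipsec.d/cacerts). Run as root.
# Each step is chained with && so a failed download never installs a partial file,
# and a private mktemp directory replaces fixed, guessable names in /tmp.
# Before trusting the file, compare the printed SHA-256 fingerprint with the value
# Proton publishes (or with a copy fetched over a different network); the printed
# subject DN is also what rightca= in ipsec.conf expects.
tmp=$(mktemp -d) \
  && wget https://protonvpn.com/download/ProtonVPN_ike_root.der -O "$tmp/proton.der" \
  && openssl x509 -inform der -in "$tmp/proton.der" -out "$tmp/proton.pem" \
  && openssl x509 -in "$tmp/proton.pem" -noout -subject -fingerprint -sha256 \
  && mv "$tmp/proton.pem" /etc/ipsec.d/cacerts/
rm -rf -- "${tmp:?}"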
2. Add configuration (/etc/ipsec.conf)
# IKEv2 road-warrior connection to a Proton VPN node (strongSwan 5.x, ipsec.conf).
# The client authenticates with EAP-MSCHAPv2 using the credentials in
# /etc/ipsec.secrets; the server authenticates with a certificate that is expected
# to chain to the Proton root CA installed in step 1.
conn proton
left=%defaultroute
leftsourceip=%config
leftauth=eap-mschapv2
# Must be the same USERNAME as the EAP entry in /etc/ipsec.secrets.
eap_identity=USERNAME
right=nl-free-02.protonvpn.com
# IPv4-only traffic selector: IPv6 traffic from this host bypasses the tunnel
# unless IPv6 is disabled or firewalled. Add ::/0 if IPv6 should be tunneled too.
rightsubnet=0.0.0.0/0
rightauth=pubkey
# NOTE(review): the leading % relaxes the identity match — strongSwan uses the value
# as the initial IDr rather than as a strict constraint (confirm against the
# ipsec.conf docs). Dropping the % pins the server identity to this hostname.
rightid=%nl-free-02.protonvpn.com
# NOTE(review): rightca takes the CA's distinguished name (as printed by
# `openssl x509 -in proton.pem -noout -subject`), not a file path. As written the
# CA constraint may be silently discarded — check charon's log after connecting.
# The certificate is loaded as a trusted CA anyway because it sits in
# /etc/ipsec.d/cacerts/, which is what actually makes the connection work.
rightca=/etc/ipsec.d/cacerts/proton.pem
keyexchange=ikev2
type=tunnel
auto=add
3. Add authentication (/etc/ipsec.secrets)
# Plaintext EAP credentials: keep /etc/ipsec.secrets root-only (mode 0600).
# USERNAME must be the same value as eap_identity in ipsec.conf.
USERNAME : EAP "PASSWORD"
strongSwan 6.x (swanctl.conf)
- Download the Proton VPN IKE root CA certificate (this setup relies on swanctl reading the DER file directly, so no conversion is needed)
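# Fetch the Proton VPN IKE root CA into swanctl's trusted-CA directory
# (/etc/swanctl/x509ca, referenced by cacerts=protonvpn.der below). Run as root.
# Download to a private mktemp directory and move only after a successful fetch so a
# failed download never leaves an empty or partial file in x509ca/. Compare the printed
# SHA-256 fingerprint with the value Proton publishes (or with a copy fetched over a
# different network) before trusting it.
tmp=$(mktemp -d) \
  && wget https://protonvpn.com/download/ProtonVPN_ike_root.der -O "$tmp/protonvpn.der" \
  && openssl x509 -inform der -in "$tmp/protonvpn.der" -noout -subject -fingerprint -sha256 \
  && mv "$tmp/protonvpn.der" /etc/swanctl/x509ca/protonvpn.der
rm -rf -- "${tmp:?}"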
- Add client configuration (/etc/swanctl/conf.d/proton.conf):
# strongSwan 6.x (swanctl) equivalent of the 5.x ipsec.conf connection above: the
# client does EAP-MSCHAPv2 with the credentials from the secrets section, the server
# must present a certificate chaining to the Proton root CA in cacerts.
connections {
proton {
version=2
local_addrs=%defaultroute
remote_addrs=node-nl-02.protonvpn.net
# Requests both an IPv4 and an IPv6 virtual address, but remote_ts below only
# covers IPv4, so the IPv6 address (if assigned) carries no tunneled traffic.
vips=0.0.0.0,::
local {
auth=eap-mschapv2
# Must be the same USERNAME as secrets.eap.id below.
eap_id="USERNAME"
}
remote {
auth=pubkey
# Relative name, resolved under /etc/swanctl/x509ca (where the download step put it).
cacerts=protonvpn.der
# %any accepts whatever identity the server presents; trust rests entirely on the
# certificate chaining to cacerts above. Setting id=node-nl-02.protonvpn.net would
# additionally pin the peer, provided the server certificate carries that name.
id=%any
}
children {
proton {
# IPv4-only traffic selector: IPv6 traffic from this host bypasses the tunnel
# unless IPv6 is disabled or firewalled. Add ::/0 here to tunnel it as well.
remote_ts=0.0.0.0/0
}
}
}
}
# Plaintext EAP credentials: keep this file (/etc/swanctl/conf.d/proton.conf)
# root-only (mode 0600). id must be the same USERNAME as local.eap_id above.
secrets {
eap {
id=USERNAME
secret=PASSWORD
}
}
Connection example
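# Bring the tunnel up: start the daemon (the systemd unit normally loads
# /etc/swanctl/conf.d/*.conf via swanctl --load-all on start; if it does not,
# run that before initiating), then initiate the child SA defined above.
# The names must match the config: both the connection and its child are
# called "proton" (the original example used "nl", which does not exist).
service strongswan start
swanctl --initiate --child proton
# ... use the tunnel ...
# Tear down the whole IKE SA, not just the child: terminating only the child
# leaves the DNS servers pushed by the peer in resolv.conf.
swanctl --terminate --ike proton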
ipsec-like wrapper function (add to ~/.bashrc)
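# Minimal stand-in for the legacy `ipsec` command, built on swanctl and systemd.
# Usage: ipsec start|stop|status|up CONN|down CONN
#   up   - initiates the child SA named CONN
#   down - terminates the whole IKE SA named CONN (terminating only the child does
#          not restore resolv.conf, so the IKE SA is what gets torn down)
# Returns the exit status of the underlying command, or 2 on bad usage (unknown
# action, or up/down without CONN) — the original printed usage and returned 0,
# which made scripted use silently "succeed".
# Being a shell function named ipsec, it shadows a real ipsec binary if one is
# installed; use `command ipsec` to reach that.
ipsec() {
  local action=$1 conn=$2
  case "$action" in
    start)  command service strongswan start ;;
    stop)   command service strongswan stop ;;
    status) command systemctl is-active strongswan.service ;;
    up|down)
      if [[ -z "$conn" ]]; then
        printf 'Usage: ipsec [stop | start | status | up CONN | down CONN]\n' >&2
        return 2
      fi
      if [[ "$action" == up ]]; then
        command swanctl --initiate --child "$conn"
      else
        command swanctl --terminate --ike "$conn"
      fi
      ;;
    *)
      printf 'Usage: ipsec [stop | start | status | up CONN | down CONN]\n' >&2
      return 2
      ;;
  esac
}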