Proton VPN IPv6 Manual Setup

Proton VPN IPv6 Manual Setup.md

Proton VPN IPv6 Manual Setup

Over 80% of the servers support IPv6 but only the Linux & Android apps and the browser extension support it at the moment.

The Linux app supports IPv6 over the VPN but still connects to the VPN server using IPv4.

It's possible to make changes to the WireGuard configs that you can get from https://account.protonvpn.com/downloads to enable IPv6.

An easy way to test if a server supports IPv6 is to use the browser extension and then go to myip.wtf or test-ipv6.com, or you could check the list at https://mikaeldui.github.io/proton-vpn-server-list/.

Original .conf

Here's an example of a WireGuard profile I got for CH#600:

[Interface]
# Key for Reddit Test Config 2025-01-05
# Bouncing = 2
# NetShield = 1
# Moderate NAT = on
# NAT-PMP (Port Forwarding) = on
# VPN Accelerator = on
PrivateKey = *redacted*
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CH#600
PublicKey = Ii6hAbnu84wZ8NzVt5+ylO4FnX+ANrKNzpFOSYq9dks=
Endpoint = 79.127.184.216:51820

# For Windows
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

# For Linux, Android, routers, etc.
AllowedIPs = 0.0.0.0/0 

IPv6 over VPN (Change Address and AllowedIPs)

I'll now make some changes to Address, DNS and AllowedIPs to enable IPv6 over VPN.

Note: 2a07:b944::2:2/128 and 2a07:b944::2:1 are the same for all servers, it's not specific to CH#600.

[Interface]
# Key for Reddit Test Config 2025-01-05
# Bouncing = 2
# NetShield = 1
# Moderate NAT = on
# NAT-PMP (Port Forwarding) = on
# VPN Accelerator = on
PrivateKey = *redacted*
Address = 10.2.0.2/32, 2a07:b944::2:2/128
DNS = 10.2.0.1, 2a07:b944::2:1

[Peer]
# CH#600
PublicKey = Ii6hAbnu84wZ8NzVt5+ylO4FnX+ANrKNzpFOSYq9dks=
Endpoint = 79.127.184.216:51820

# For Windows
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

# For Linux, Android, routers, etc.
AllowedIPs = 0.0.0.0/0, ::/0

Add dual stack to the VPN server (Change Endpoint)

If your ISP supports IPv6 then you can enable IPv6 connectivity to the VPN server, and to do that we need to look up the node's domain at https://api.protonmail.ch/vpn/logicals https://mikaeldui.github.io/proton-vpn-server-list/. For CH#600 the domain is node-ch-31.protonvpn.net. This can be used as the Endpoint to enable automatic switching between IPv4 and IPv6, useful on a phone or laptop using hotspots without IPv6.

[Interface]
# Key for Reddit Test Config 2025-01-05
# Bouncing = 2
# NetShield = 1
# Moderate NAT = on
# NAT-PMP (Port Forwarding) = on
# VPN Accelerator = on
PrivateKey = *redacted*
Address = 10.2.0.2/32, 2a07:b944::2:2/128
DNS = 10.2.0.1, 2a07:b944::2:1

[Peer]
# CH#600
PublicKey = Ii6hAbnu84wZ8NzVt5+ylO4FnX+ANrKNzpFOSYq9dks=
Endpoint = node-ch-31.protonvpn.net:51820

# For Windows
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

# For Linux, Android, routers, etc.
AllowedIPs = 0.0.0.0/0, ::/0

Or IPv6 only to the VPN Server (Change Endpoint)

Or, you can look up its IPv6 address (in the AAAA record) and force connections to the VPN over IPv6 like this:

You can also find IPv6 addresses for the nodes at https://mikaeldui.github.io/proton-vpn-server-list/.

[Interface]
# Key for Reddit Test Config 2025-01-05
# Bouncing = 2
# NetShield = 1
# Moderate NAT = on
# NAT-PMP (Port Forwarding) = on
# VPN Accelerator = on
PrivateKey = *redacted*
Address = 10.2.0.2/32, 2a07:b944::2:2/128
DNS = 10.2.0.1, 2a07:b944::2:1

[Peer]
# CH#600
PublicKey = Ii6hAbnu84wZ8NzVt5+ylO4FnX+ANrKNzpFOSYq9dks=
Endpoint = [2a02:6ea0:d411:5432::10]:51820

# For Windows
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

# For Linux, Android, routers, etc.
AllowedIPs = 0.0.0.0/0, ::/0

Put this conf in any WireGuard app and enjoy your fully IPv6 enabled VPN!

thanks for reverse engineering this. do you have any idea how to adapt this for systemd-networkd? I have tried the following but it doesn't seem to be working for ipv6 (but works for ipv4):

It works for me with these configs. Though I also add some routing policies to route traffic through wireguard by default; you'll need to change that if you don't want it.

wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=<snip>
RouteTable=1000

[WireGuardPeer]
# DE#447 / node-de-17.protonvpn.net
PublicKey=9+CorlxrTsQR7qjIOVKsEkk8Z7UUS5WT3R1ccF7a0ic=
AllowedIPs=0.0.0.0/0, ::/0
Endpoint=194.126.177.14:51820

wg0.network:

[Match]
Name=wg0

[Network]
Address=10.2.0.2/32
Address=2a07:b944::2:2/128
DNS=10.2.0.1
DNS=2a07:b944::2:1
DNSDefaultRoute=true
Domains=~.

# route all traffic through the vpn
[RoutingPolicyRule]
Table=1000
Family=both
Priority=10

# ...except for traffic to the wireguard endpoint
[RoutingPolicyRule]
To=194.126.177.14/32
Priority=5

# ...and internal traffic
[RoutingPolicyRule]
To=10.0.0.0/16
Priority=6

[RoutingPolicyRule]
To=fe80::1/10
Priority=6

Oh and thanks for the writeup!

Thank you so much for extracting such an important from the code, I test if on opnsense and it indeed works!

I currently have Wireguard working with ProtonVPN in OPNsense as well as IPv6 from my ISP. Would you mind sharing what additional steps you took to achieve IPv6 tunneling through ProtonVPN? I've tried a few things over the past few days and can't seem to get it working.

Thanks

If someone is curious the endpoint / ipv6 address of the protonvpn servers, I have grabbed these and resolved it, making a quick search list from the api.

https://github.com/huzky-v/proton-vpn-server-list

Yeah, I've been having major issues too with Proton and IPv6 in OPNsense 25.1 and 25.7. Remember, that Proton advises:

…for now, while data inside the VPN tunnel is routed using IPv6, the initial connection to the VPN server is made over IPv4.

So, the only way I've found to work is to setup the Wireguard tunnel using IPv4 first then add IPv6 to the same tunnel:

[Peer]
Allowed IP = 0.0.0.0/0

[Instance]
Tunnel Address = 10.2.0.2/32

Create IPv4 Gateway with 10.2.0.1 then restart Wireguard.
Confirm that is working e.g., netstat -nr4 and ping 10.2.0.1.
Add to the same Wireguard tunnel:

[Peer]
Allowed IP = ::/0

[Instance]
Tunnel Address = 2a07:b944::2:2/128
Gateway = 2a07:b944::2:1

Then, add IPv6 Gateway using 2a07:b944::2:1 then reset Wireguard.
The IPv6 IPs should come up in netstat -nr6 and respond ping 2a07:b944::2:1

For some weird reason adding the Wireguard instance Gateway is the only way to create the IPv6 Gateway address. Also, sometimes it can take several minutes for Proton to start responding to IPv6 traffic, so don't despair immediately.

Update on IPv4 and IPv6 Wireguard tunnels in OPNsense 25.1/25.7:

opnsense/core#9021
https://forum.opnsense.org/index.php?topic=48211.0

This works sometimes. 2a07:b944::2:2 doesn't work for me at all now.

It uses ULA - fd54:20a4:d33b:b10c:0:2:0:2

For me it works for 10 seconds, then it turns itself off for another 10. Needs more testing.

I'm testing it now with CH#514

I've been seeing weird misdirected ping responses. When I leaked some traffic with the wrong source address, the wireguard server decided to direct all response traffic to that address. So the ping requests would go out, but the replies would come back with a different destination address. I encourage you to check and see with wireshark.

I've been able to make both addresses work 2a07:b944::2:2/128 and fd54:20a4:d33b:b10c:0:2:0:2 (My config). The server will remember your alleged IP for an hour or so, reconnecting does nothing to help reset it. You just have to wait it out.

Note that you can only ping the DNS server that's the network address of your currently alleged IP. So if the server alleges you are at IPv6 fd54:20a4:d33b:b10c:0:2:0:2 then you can ping fd54:20a4:d33b:b10c:0:2:0:1 but not 2a07:b944::2:1, and vice versa.

This gets me both IPv6 and IPv4 connectivity over ProtonVPN. All I need is AllowedIPs = 0.0.0.0/0, ::/0:

❯ sudo cat /etc/wireguard/protonvpn.conf | sed 's/^PrivateKey = .*/PrivateKey = ***/'
[Interface]
PrivateKey = ***
Address = 10.2.0.2/32

PostUp = resolvectl dns %i 10.2.0.1; resolvectl domain %i '~.'; resolvectl dnsovertls %i no
PreDown = resolvectl revert %i

[Peer]
# NL-FREE#12
PublicKey = 1s5mwMp3fZKNucEO3GeHRSUrhGLu/BYeC0UdusyxSWU=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 138.199.7.159:51820
sol@atri ~ 
❯ wg-quick up protonvpn
[#] ip link add dev protonvpn type wireguard
[#] wg setconf protonvpn /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev protonvpn
[#] ip link set mtu 1420 up dev protonvpn
[#] wg set protonvpn fwmark 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -6 route add ::/0 dev protonvpn table 51820
[#] nft -f /dev/fd/63
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev protonvpn table 51820
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] resolvectl dns protonvpn 10.2.0.1; resolvectl domain protonvpn '~.'; resolvectl dnsovertls protonvpn no
sol@atri ~ 
❯ curl -4s ifconfig.co/json --connect-timeout 1 | jq -r '. | {ipv4: .ip, ipv4_ISP: .asn_org, ipv4_city: .city, ipv4_country: .country}'
  curl -6s ifconfig.co/json --connect-timeout 1 | jq -r '. | {ipv6: .ip, ipv6_ISP: .asn_org, ipv6_city: .city, ipv6_country: .country}'
{
  "ipv4": "138.199.7.163",
  "ipv4_ISP": "Datacamp Limited",
  "ipv4_city": "Amsterdam",
  "ipv4_country": "The Netherlands"
}
{
  "ipv6": "2a02:6ea0:c041:2193::14",
  "ipv6_ISP": "Datacamp Limited",
  "ipv6_city": "Amsterdam",
  "ipv6_country": "The Netherlands"
}

@the-solipsist You didn't mention how you configured your local IPv6 address? Are you using SLAAC, configuring it manually, or something else?

If its auto-configured you'll want to make sure its not a privacy address, since that'll randomize every time you reboot and break the VPN for a little while (in my experience anyway).