OpenVPN client for ProtonVPN on Turris OS 5.3.1

Hi,

I read the documentation page OpenVPN client - Turris Documentation, and it says that only a non-interactive configuration is supported. What about ProtonVPN, which requires a username and password?

I tried to search for some older guides pointing to using LuCI, but my LuCI interface doesn't show the required packages like luci-app-openvpn among the available packages.
Is there a way to configure it, e.g. not using reForis, but via the SSH console?

Try running opkg update before installing luci-app-openvpn, and yes, you need to create an auth file and use it for the VPN client: [OpenWrt Wiki] OpenVPN client using LuCI


Thx. I managed to set it up, although since I first uploaded the ProtonVPN config via reForis, some steps were different. I also recommend changing the file permissions of the config and especially of the file with the credentials (.auth). reForis automatically created the VPN tun interface, and I just had to add it to the devices covered by the WAN zone in the firewall. The default config from ProtonVPN doesn't have these options:
auth-nocache
comp-lzo no

The first one prevents the credentials from being stored in memory.
The latter disables compression, which was found to be an attack vector in the past. It also resolves two warnings that appear if you connect without it: one claims that the remote server is configured for compression, and the other points out a discrepancy between the local and remote link-mtu. I opened a support ticket with ProtonVPN because their servers are supposedly configured with compression off, and yet these errors appear if the client doesn't have “comp-lzo no”.


With “auth-nocache” and “comp-lzo” it depends on which version of the client you are using versus the version of OpenVPN on the server side. Deprecated options can cause some issues: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

As comp-lzo and compress are not compatible, you have to find an option combination suitable for you if you want to use compression: https://community.openvpn.net/openvpn/ticket/952 (I do not use compression on the client side at all, it is not needed these days …). So ideally just remove that option from your config and the default (no compression) will be used.

With link-mtu, check the “mssfix” and “fragment” options. By default the MTU is 1450 on the tunnel, while TOS itself has 1500, so depending on your setup you might have an MTU over 1500, causing the tunnel to break at some point (very shortly after the handshake).

OS: TurrisOS
OS Version: 5.3.1
Device Model: Turris Omnia
Kernel Version: 4.14.254
Client Version: openvpn-openssl 2.4.11-1

Warnings from the Omnia log when “comp-lzo no” is not in the client config:

Dec 7 20:34:54 omnia openvpn(ch_protonvpn_com_udp)[22864]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Dec 7 20:34:54 omnia openvpn(ch_protonvpn_com_udp)[22864]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

When I added “comp-lzo no” to the client config, both warnings no longer appear in the log during connection establishment.
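As an added example (not from this thread, Turris or ProtonVPN), the checks discussed above as a small audit script you can run over the client config on the router via SSH: it flags a missing `auth-nocache`, a missing `comp-lzo no` or enabled compression, and a credential file that is readable by others. The function name, the config paths and the sample config are assumptions.

```bash
#!/bin/sh
# audit_ovpn_config CONFIG -> prints findings, returns the number of issues (0 = clean)
# Hypothetical helper, not part of OpenVPN, Turris OS or reForis.
audit_ovpn_config() {
    cfg="$1"; issues=0
    # auth-nocache: without it OpenVPN keeps the username/password cached in memory
    if ! grep -Eq '^[[:space:]]*auth-nocache([[:space:]]|$)' "$cfg"; then
        echo "MISSING: auth-nocache (credentials stay cached in memory)"
        issues=$((issues + 1))
    fi
    # only an explicit 'comp-lzo no' counts; leaving it out produced the
    # link-mtu / comp-lzo warnings quoted in the thread
    if ! grep -Eq '^[[:space:]]*comp-lzo[[:space:]]+no([[:space:]]|$)' "$cfg"; then
        echo "MISSING: 'comp-lzo no' (compression not explicitly disabled)"
        issues=$((issues + 1))
    fi
    # a bare 'comp-lzo', 'comp-lzo yes/adaptive' or any 'compress' line enables compression
    if grep -Eq '^[[:space:]]*(comp-lzo[[:space:]]*(yes|adaptive)?[[:space:]]*$|compress)' "$cfg"; then
        echo "RISK: compression is enabled (comp-lzo/compress present)"
        issues=$((issues + 1))
    fi
    # the file named by auth-user-pass must exist and be readable by its owner only
    authfile=$(sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -n "$authfile" ]; then
        case "$authfile" in /*) ;; *) authfile="$(dirname "$cfg")/$authfile" ;; esac
        if [ ! -f "$authfile" ]; then
            echo "MISSING: credential file $authfile"
            issues=$((issues + 1))
        else
            mode=$(stat -c %a "$authfile")
            case "$mode" in
                600|400) ;;
                *) echo "PERMS: $authfile is mode $mode, expected 600 (chmod 600 '$authfile')"
                   issues=$((issues + 1)) ;;
            esac
        fi
    fi
    return "$issues"
}

# Demo on a constructed config in a temp dir (stand-in for /etc/openvpn on the router)
d=$(mktemp -d)
printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\nauth-user-pass client.auth\n' > "$d/weak.ovpn"
printf 'user\npass\n' > "$d/client.auth"; chmod 644 "$d/client.auth"
echo "== before hardening =="; audit_ovpn_config "$d/weak.ovpn" || echo "issues: $?"
cp "$d/weak.ovpn" "$d/hard.ovpn"
printf 'auth-nocache\ncomp-lzo no\n' >> "$d/hard.ovpn"; chmod 600 "$d/client.auth"
echo "== after hardening =="; audit_ovpn_config "$d/hard.ovpn" || echo "issues: $?"
rm -rf "$d"
```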
