Support for Proton VPN port forwarding?

[bleomycin]

With mullvad disabling port forwarding a lot of people will be looking for new options. Have you considered adding support for port forwarding while using wireguard with Proton VPN?

A few links on the methods needed:
https://protonvpn.com/support/port-forwarding-manual-setup/
https://www.reddit.com/r/ProtonVPN/comments/10owypt/successful_port_forward_on_debian_wdietpi_using/

[Paillat-dev]

subscribing

[kieraneglin]

Has anyone had any luck here?

[Sispheor]

From the container it seems that the nat is not working

natpmpc -g 10.2.0.1
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
readnatpmpresponseorretry() failed : the gateway does not support nat-pmp
  errno=111 'Connection refused'

[Sispheor]

Ok for my issue it was just a missing suffix in the username.

To use port forwarding, add the suffix +pmp to your OpenVPN username. For example, if your OpenVPN username is “myusername2023”, use “myusername2023+pmp”.

[Sispheor]

The proton doc mention tu usage of the "natpmpc" client. But it's not working.

The python client is ok

[root@5a702a72cbb6 root]# python3 natpmp_client.py  -g 10.2.0.1 0 0
PortMapResponse: version 0, opcode 130 (130), result 0, ssec 3750182, private_port 41362, public port 41362, lifetime 60

The port is reserved only for 60 seconds. We must execute the command every 5à seonds to keep the port.

Need to glue now to port discovering/reservation with the deluge config and add the python lib to the Dockerfile.

[binhex]

Support for port forwarding for protonvpn has been included for a while, see Q31:-https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

[Sispheor]

The support of port forward is only for static port, right?
Because with proton it's dynamic. And need to be recalled every 60 seconds to be kept.

[binhex]

Nope it's full support for dynamic incoming port

[Sispheor]

Ok. Then maybe some glue are missing on deluge side to update the port on the fly.

[binhex]

Ok. Then maybe some glue are missing on deluge side to update the port on the fly.

Please do the following:- https://github.com/binhex/documentation/blob/master/docker/faq/help.md#other-users

EDIT - Also please refresh the configuration from protonvpn, i have seen a lot of times that protonvpn changes their server configuration resulting in the inability to get a incoming port or connect to the server at all.

[Paillat-dev]

Heyy, I just don't get one thing: is this supported for wireguard? If yes, does that mean we have to set the username anyways to any random string plus the +pmp suffix to have port forwarding working? Because wireguard dosen't need username and password right? Maybe a check should be added for when using protonvpn with wireguard, or adding a provider like protonvpn+pmp that enables port forwarding to avoid this kind of trick.

[nglrossi]

Not an expert, but I have been using this image succesfully for a couple of weeks with wireguard and port forwarding. Hope this helps:

Heyy, I just don't get one thing: is this supported for wireguard?

Yes. see Q31:-https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

If yes, does that mean we have to set the username anyways to any random string plus the +pmp suffix to have port forwarding working?

No, i doesn't mean that. You use your wireguard username not a random string, just append +pmp to the username. See below

Because wireguard dosen't need username and password right?

Wrong. Wireguard needs to authenticate that it is you using your account and not someone else. Follow the link above, Q31 and A31 include all the steps you need to setup Protonvpn with wireguard and port forwarding, including obtaining your username that you will append +pmp to.

Maybe a check should be added for when using protonvpn with wireguard, or adding a provider like protonvpn+pmp that enables port forwarding to avoid this kind of trick.

I am just an end user so just my opinion but there are no tricks here, you just need to configure the container to user wireguard with your account and enable port forwarding, the software shouldn't need to do any special checks to account for any of this. Just follow the documentation, it works (unless you hit the issue that OP reported of course, but fresh pull of the image fixed all the issue I had during the setup).

[Paillat-dev]

I don't get it in this case. Because it works with empty password and a random+pmp string as username with protonvpn. From my understanding wireguard is not necessarily secured by a password (https://serverfault.com/questions/948816/wireguard-user-authentication). That is more a server side additional implementation. And from what I could understand probably some remains from when PIA only supported port forwarding.

Also see:

• https://protonvpn.com/support/wireguard-configurations/
• https://protonvpn.com/support/wireguard-manual-linux/

TLDR: Empty username and password should still allow for wireguard port forwarding.

[Paillat-dev]

Also A31 does nowere explain anything about getting a username. It just mentions you need to set it.

[JakobEdvardsson]

Did anyone figure this out? I have tried both WireGuard and OpenVPN. WireGuard doesn't work at all and I get an error.
On OpenVPN everything seems to work however when I try to download a torrent, it won't download anything. natpmpc initnatpmp() returned 0 (SUCCESS) using gateway : 10.96.0.1 sendpublicaddressrequest returned 2 (SUCCESS) readnatpmpresponseorretry returned 0 (OK) Public IP address : *** epoch = 2807233 closenatpmp() returned 0 (SUCCESS)

[Paillat-dev]

When you create your credentials, make sure to select that you want the server to support port forwarding.

[JakobEdvardsson]

When you create your credentials, make sure to select that you want the server to support port forwarding. Jérémie Cotti Le samedi 1 juin 2024 à 21:49, Jakob Edvardsson @.> a écrit :
…
Did anyone figure this out? I have tried both WireGuard and OpenVPN. WireGuard doesn't work at all and I get this error: natpmpc -g 10.2.0.1 initnatpmp() returned 0 (SUCCESS) using gateway : 10.2.0.1 sendpublicaddressrequest returned 2 (SUCCESS) readnatpmpresponseorretry returned -7 (FAILED) readnatpmpresponseorretry() failed : the gateway does not support nat-pmp errno=111 'Connection refused' On OpenVPN everything seems to work however when I try to download a torrent, it won't download anything. natpmpc initnatpmp() returned 0 (SUCCESS) using gateway : 10.96.0.1 sendpublicaddressrequest returned 2 (SUCCESS) readnatpmpresponseorretry returned 0 (OK) Public IP address : *** epoch = 2807233 closenatpmp() returned 0 (SUCCESS) — Reply to this email directly, view it on GitHub [#367 (comment)], or unsubscribe [https://github.com/notifications/unsubscribe-auth/AR7R2YHY5V3HDLXIPSVGQ33ZFIQVBAVCNFSM6AAAAAAYTL3WBWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBTGU3DIMRVG4]. You are receiving this because you commented.Message ID: @.>

I did do that, I tried with qBittorent instead and had no issues, will stay with that instead!