Add a ProtonVPN Road Warrior setup page (opnsense#521)

* Add ProtonVPN WireGuard page

---------

Co-authored-by: Dimitris Paraskevopoulos <[email protected]>

Author: satrapes

source/manual/how-tos/images/proton_configuration_1.png

@@ -0,0 +1,199 @@
+=======================================
+WireGuard ProtonVPN Road Warrior Setup
+=======================================
+
+------------
+Introduction
+------------
+
+ProtonVPN is a cloud-based VPN provider, offering secure tunneling with respect to privacy. 
+To set up a WireGuard VPN to ProtonVPN we assume you are familiar with the concepts of WireGuard that
+you have read the basic howto :doc:`wireguard-client`.
+
+-----------------------------------------
+Step 1 - Download ProtonVPN configuration
+-----------------------------------------
+
+The configuration is available in the ProtonVPN website.
+The `landing page <https://account.protonvpn.com/dashboard>`__ appears after signing in. 
+Click on Downloads from the left hand panel or go to the `downloads page <https://account.protonvpn.com/downloads>`__ and
+scroll down to the `WireGuard configuration <https://account.protonvpn.com/downloads#wireguard-configuration>`__
+
+The existing WireGuard configurations appear first with their expiration dates and following are the options to generate new ones.
+
+.. image:: images/proton_wireguard_configuration.png
+   :width: 100%
+
+- Select a name for the generated configuration
+
+.. Note::
+    If a name is not provided a unique ID will be generated by ProtonVPN
+
+- Select Router as a platform
+- Select VPN options
+
+  - There are 3 options for NetShield blocker filtering
+
+    -  No filtering
+    -  Block malware
+    -  Block malware, ads and trackers
+
+  - There are also options to enable Moderate NAT, NAT-PMP (Port Forwarding) and VPN accelerator as well. The features are documented in the ProtonVPN website.
+  - Pick the options that satisfy your requirements and move on to the next section.
+
+- Select a server to connect to
+
+  - ProtonVPN proposes the best server or allows the user to select manually.
+  - When selecting manually there are 2 main choices:
+
+    -  Standard vs Secure Core configuration
+    -  Exit country
+
+  - Pick the one that satisfies your requirements and click on `Create` to generate the configuration.
+  - Upon successful completion a window like the following will appear on the screen.
+
+.. image:: images/proton_configuration_1.png
+   :width: 100%
+
+The full configuration looks like this:
+
+.. code-block:: none
+
+    [Interface]
+    # Bouncing = 0
+    # NetShield = 1
+    # Moderate NAT = off
+    # NAT-PMP (Port Forwarding) = off
+    # VPN Accelerator = on
+    PrivateKey = 2Kh7TlGz+7PCFa0jEHat8IWkYZgPmDLAiagGq+dyLks=
+    Address = 10.2.0.2/32
+    DNS = 10.2.0.1
+
+    [Peer]
+    # NO#21
+    PublicKey = KOITt3KQ72LHPbpVp7kp4cQo/qw2qvKPrN732UTWWFw=
+    AllowedIPs = 0.0.0.0/0
+    Endpoint = 146.70.170.18:51820
+
+.. Note::
+    The private key disappears after creating the configuration so it must be stored. It will be used in the following
+    section to generate the public key. Both are needed for successful configuration.
+
+.. Warning::
+    **Do not re-use the private keys in these examples**
+
+---------------------------------------------
+Step 2 - Generate public key from private key
+---------------------------------------------
+
+ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI.
+The public key will be derived from the private key with the "wg pubkey" command.
+
+`Windows`
+
+.. code-block:: sh
+
+    echo wgPrivateKey | wg pubkey
+
+`Linux`
+
+.. code-block:: sh
+
+    wg pubkey < wgPrivateKey
+
+----------------------------------
+Step 3 - Setup WireGuard Instance
+----------------------------------
+
+- Go to :menuselection:`VPN --> WireGuard --> Settings --> Instances`
+- Click **+** to add a new Instance configuration
+- Turn on “advanced mode"
+- Configure the Instance from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
+
+    ===================== ===============================================================================================
+     **Enabled**           *Checked*
+     **Name**              *Call it whatever you want (eg* :code:`ProtonVPN-ExitCountry` *)*
+     **Public Key**        *Insert the derived public key from the previous step*
+     **Private Key**       *Insert the* :code:`PrivateKey` *field from the* :code:`\[Interface\]` *section*
+     **Listen Port**       *51820 or a higher numbered unique port*
+     **MTU**               *Needs to be 80 bytes shorter than normal MTU. Default 1420*
+     **DNS Server**        *Insert the* :code:`DNS` *field from the* :code:`\[Interface\]` *section as is (without subnet mask)*
+     **Tunnel Address**    *Insert the* :code:`Address` *field from the* :code:`\[Interface\]` *section` in CIDR format, eg 10.2.0.2/32*
+     **Peers**             *Leave blank for now*
+     **Disable Routes**    *Checked*
+     **Gateway**           *Insert the same address as in the DNS Server field above*
+    ===================== ===============================================================================================
+
+- **Save** the Instance configuration, and then click **Apply**
+
+-------------------------------
+Step 4 - Configure the peer
+-------------------------------
+
+- Go to :menuselection:`VPN --> WireGuard --> Settings --> Peers`
+- Click **+** to add a new Peer
+- Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
+
+    ====================== ====================================================================================================
+     **Enabled**            *Checked*
+     **Name**               *Call it whatever you want (eg* :code:`ProtonVPN_Location` *)*
+     **Public Key**         *Insert the* :code:`PublicKey` *field from the* :code:`\[Peer\]` *section*
+     **Allowed IPs**        *0.0.0.0/0*
+     **Endpoint Address**   *Insert the IP address from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
+     **Endpoint Port**      *Insert the port number from the* :code:`Endpoint` *field in the* :code:`\[Peer\]` *section*
+     **Instances**          *Select the instance configured in the previous step*
+     **Keepalive**          *25*
+    ====================== ====================================================================================================
+
+- **Save** the Peer configuration, and then click **Apply**
+
+.. Note::
+    The UI for configuring the Instances and Peers changed with OPNsense verion 23.7.9 so some of the fields may be in different
+    places.
+
+--------------------------
+Step 5 - Turn on WireGuard
+--------------------------
+
+Turn on WireGuard under :menuselection:`VPN --> WireGuard --> Settings --> General` if it is not already on
+
+----------------------------------------------------
+Step 6 - Configure assignments, gateways and routing
+----------------------------------------------------
+
+The rest of the steps are mostly the same as described in the how-to on selective routing :doc:`wireguard-selective-routing`
+
+-------------------
+ProtonVPN DNS leaks
+-------------------
+Since ProtonVPN provides a DNS server an extra firewall rule may be required to route the DNS traffic to the
+WireGuard gateway.
+
+- Go to :menuselection:`Firewall --> Rules --> [Name of interface for network in which hosts/network resides, eg LAN for LAN hosts]`
+- Click **Add** to add a new rule
+- Configure the rule as follows (if an option is not mentioned below, leave it as the default):
+
+    ============================ ====================================================================================================================
+     **Action**                   *Pass*
+     **Quick**                    *Checked*
+     **Interface**                *Whatever interface you are configuring the rule on*
+     **Direction**                *in*
+     **TCP/IP Version**           *IPv4*
+     **Protocol**                 *TCP/UDP*
+     **Source / Invert**          *Unchecked*
+     **Source**                   *IP of your DNS server*
+     **Destination / Invert**     *Checked*
+     **Destination**              *Select the* :code:`RFC1918_Networks` *Alias you created above in the dropdown*
+     **Destination port range**   *DNS - DNS*
+     **Description**              *Add one if you wish to*
+     **Gateway**                  *Select the WireGuard gateway created according to the selective routing how-to page (eg* :code:`WAN_ProtonVPN` *)*
+    ============================ ====================================================================================================================
+
+- **Save** the rule, and then click **Apply Changes**
+- Then make sure that the new rule is **above** any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the “Default allow LAN to any rule”
+
+In layman terms if the DNS server makes any requests to a non-local address it will go through the VPN gateway.
+
+
+All images from `ProtonVPN` website are the property of `ProtonVPN` and are used with written permission.
+

source/manual/how-tos/images/proton_wireguard_configuration.png

@@ -120,7 +120,7 @@ Step 6 - Create a gateway
 
 .. Note::
 
-    Specifying the endpoint VPN tunnel IP is preferable. As an alternative, you could include an external IP such as 1.1.1.1 or 8.8.8.8, but be aware that this IP will *only* be accessible through the VPN tunnel (OPNsense creates a static route for it), and therefore will not accessible from local hosts that are not using the tunnel
+    Specifying the endpoint VPN tunnel IP is preferable. As an alternative, you could include an external IP such as 1.1.1.1 or 8.8.8.8, but be aware that this IP will *only* be accessible through the VPN tunnel (OPNsense creates a static route for it), and therefore will not be accessible from local hosts that are not using the tunnel
 
     Some VPN providers will include the VPN tunnel IP of the endpoint in the configuration data they provide. For others (such as Mullvad), you can get the IP by running a traceroute from a host that is using the tunnel - the first hop after OPNsense is the VPN provider's tunnel IP
 

source/manual/how-tos/wireguard-client-proton.rst

@@ -721,7 +721,8 @@ This paragraph offers examples for some commonly used implementation scenarios.
    how-tos/wireguard-client
    how-tos/wireguard-client-azire
    how-tos/wireguard-client-mullvad
-
+   how-tos/wireguard-client-proton
+   how-tos/wireguard-selective-routing
 
 --------------------------
 Plugin VPN options