Warning: These directions have not been updated to include how to protect yourself against the TunnelVision / DHCP option 121 attack like our instructions for our Penguin VPN 2.0 Wireguard instructions have. If you have any questions about it please contact support and if needed let us know that you'd like updated directions that include how to protect yourself from TunnelVision / DHCP Option 121 attacks for the ProtonVPN OpenVPN instructions for libreCMC.
Sign up for vpn account
https://protonvpn.com/free-vpn/linux
Get the Proton VPN config files:
Log into your Proton VPN dashboard at account.protonvpn.com
Select Downloads on in the left navigation bar.
Find the OpenVPN configuration files section and chose:
Platform: Router
Protocol: UDP (recommended. TCP uses port 443. Use it if you experience slow VPN speeds or your VPN connection is dropped)
Select config file and download: This probably does not matter, but the directions have been tested with 'Free server configs'
Click on one of the download buttons for the server you wish to use.
If you selected “Download All configurations”, extract the zip file to your desired location.
Extract the ovpn config file you want to use and make note of its location
Open the ovpn config file that you downloaded in a text editor
Find and replace the "auth-user-pass" line with "auth-user-pass /etc/openvpn/key.txt", save the file, and exit
Download and extract our default OpenVPN configuration for ProtonVPN & NordVPN on libreCMC 1.5+ (it is the same as the one for nord-vpn)
https://www.thinkpenguin.com/files/default-openvpn-config-nord-vpn-1.5-o...
Copy the ovpn file you downloaded and edited for ProtonVPN into the previously extracted directory etc/openvpn
Rename the ovpn file to client.ovpn
Login to protonvpn.com and then go to Account section and scroll down to OpenVPN / IKEv2 username
Open a text editor and copy your OpenVPN / IKEv2 username to the first line and the OpenVPN / IKEv2 password to the 2nd line
Save the file as key.txt in the previously extracted etc/openvpn directory
Open a file archiver utility such as the GNOME archive manager and create an archive named etc.tar.gz containing the etc folder previously extracted
Connect the USB power cable to your mini wireless router
Connect an ethernet cable from the LAN port on the router to the LAN port on your computer
Give the router a minute to boot up and then open a web browser and login to the router at https://192.168.10.1 (no password set by default, just hit login)
If you see "Warning: Potential Security Risk Ahead" click the Advance button and then Accept the Risk and Continue
Click the Go to password configuration... button and set a password, and don't forget to hit the Save followed by dismiss buttons once the setting have been successfully saved
Go to Network > Interfaces and click the Edit button next to LAN
In the IPv4 address box replace 192.168.10.1 with 192.168.3.1
Click the Save & Apply Button at the bottom of the page
Give the router 30 seconds to apply the configuration, but expect it to fail, and give it another 30 seconds to "roll back"
You should get "Configuration has been rolled back!" hit Apply anyway button
You will probably see a a message that says "Device unreachable!" at this point. This is normal.
Now disconnect and re-connect your PC ethernet connection via your network applet.
Connect an ethernet cable from the mini wireless router's WAN port to a LAN port on a modem or upstream router
Open https://192.168.3.1 in your web browser and log back into your router with your new password
If you see "Warning: Potential Security Risk Ahead" click the Advanced... button and Accept the Risk and Continue
Go to System > Software and click Update lists... button and then Dismiss once completed
Enter openvpn-openssl in the filer box and click the Install button next to openvpn-openssl when it appears
* You can also just enter openvpn-openssl into the Download and install package box and click OK to do the same thing
* If it doesn't work you probably copy and pasted openvpn-openssl and have an extra space in the box alongside the name openvpn-openssl
Go to System > Backup / Flash Firmware
Click the Browse button under the Restore section, then select the etc.tar.gz file you created earlier
Click the Upload Archive button to upload your configuration
Give the router a minute to restart and then log back in
* Even after the login page appears it may need a minute before it'll actually let you login
Go to Network > Interfaces and click the Add new interface button
In the Name of the new interface box enter VPN
In the Cover the following interface drop down select the Custom Interface: option and enter tun0
Hit the enter key and click the Submit button to continue
In the Use custom DNS servers box enter 8.8.8.8 (Google may not be ideal, but it's good for testing with) or whatever your preference is for a DNS server, then hit the + button next to it
Click the Save & Apply button at the bottom of the page
Click the Delete button next to the WAN that shows Protocol: DHCPv6 client
Go to Network > Firewall
Under Zones click the Add button to add a new zone
Enter VPN in the Name box
In the Input drop down select reject
In the Output drop down select accept
In the Forward drop down select reject
Check the boxes that say Masquerading and MSS clamping
Under Covered networks select VPN
Under Allow forward from source zones: select lan: lan
Now click the Save & Apply button
Go back to Network > Firewall
Under Zones click Edit button next to lan > wan VPN
Under the Forward drop down select reject
Remove wan: wan from Allow forward to destination zones:
Click Save & Apply button
Click the Edit button next to wan > reject
Under the input drop down select reject
Under the forward drop down select reject
Uncheck Masquerading and MSS clamping
Click the Save & Apply button
Go to Network > Interfaces and click the Edit button next to WAN
Go to the Advanced Settings tab and uncheck the box Use DNS servers advertised by peer.
Enter your prefered DNS server in the Use custom DNS servers box, example: 8.8.8.8 & then click the Save & Apply button
Go to Network > Wireless and click the Edit button next to where it says the SSID name (libreCMC)
Next to Wireless network is disabled click the Enable button
Under Interface Configuration enter libreCMC-VPN into the ESSID box
Click the Wireless Security tab and select WPA2-PSK
In the box that says Key enter a password to use for when you want to connect to your libreCMC-VPN access point
Click Save & Apply button
Go to System > Reboot and click Perform reboot button
Give the router a minute to reboot, but if everything worked you should be able to see that websites think you are located in another country/state/region... to test it visit https://infosniper.net/
Change your VPN username and password
1. Open a terminal and run the command:
ssh root@192.168.3.1
2. Run the command:
vi /etc/openvpn/key.txt
3. Hit the 'a' key on your keyboard to append a new line
4. Enter your username on the first line and hit enter
5. Enter your password on the 2nd line
6. Hit the Esc key on your keyboard
7. Type in :wq! and hit the enter key
8. Type reboot and hit enter
If all you are doing is changing the username and password then a reboot should result in the VPN connecting automatically assuming you've followed the directions on this page for the initial setup. If it doesn't connect after a minute then you probably have a username or password that isn't correct or you didn't save it correctly as is described here. Try again.