- Get a WireGuard config from ProtonVPN; it contains the private key and the peer information.
- Add a new WireGuard interface, I called it proton1. Use the private key from the config file.
- Add ProtonVPN as a peer on interface proton1: use the public key from the config file, set the endpoint address and endpoint port from the config file, and set allowed address to 0.0.0.0/0.
- In IP > Address add IP 10.2.0.2/30 to interface proton1
- Make sure the DHCP server for this VLAN (IP -> DHCP Server) does not hand out internal DNS servers, otherwise DNS lookups leave outside the tunnel. Okay, now we need to get traffic to actually route into that interface.
- In Routing -> Tables add a new table vpntable (fib=yes).
- In Routing -> Rules add a new policy, source address is your guest VLAN IP range, destination 0.0.0.0/0, interface guest interface. Action lookup only in table. Table vpntable.
- In Firewall -> Mangle add a mangle rule, chain prerouting, source address VLAN IP range, action mark routing, use routing mark vpntable.
- Almost done, you just need a masquerade rule. In Firewall -> NAT, add a new NAT rule on chain srcnat, out interface proton1. Action masquerade.
That should work.
Relevant config (the first block, the WireGuard interface, has no private-key set; remember to add it!):
/interface wireguard
add listen-port=13231 mtu=1420 name=proton1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=\
51820 interface=proton1 public-key=\
"xxx="
/routing table
add fib name=vpntable
/ip address
add address=10.2.0.2/30 interface=proton1 network=10.2.0.0
/ip firewall mangle
add action=mark-routing chain=prerouting log-prefix=MANGLEVPN \
new-routing-mark=vpntable passthrough=yes src-address=10.0.80.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Proton" out-interface=proton1
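As an added example (my own script, not the original poster's config), here is the whole setup as one RouterOS v7 script. It goes a little beyond the steps above in two places a practitioner will want: the default route inside vpntable that the table lookup needs (without it the marked packets have nowhere to go), and a forward-chain drop that stops guest traffic from leaving through any interface other than proton1 if the tunnel route disappears. The guest VLAN interface name vlan80-guest, the keepalive value, and the placeholder key and endpoint values are assumptions; the 10.0.80.0/24 guest range and 10.2.0.2/30 tunnel address are taken from the post.

```routeros
# Added example: route guest VLAN 10.0.80.0/24 through the ProtonVPN WireGuard peer.
# vlan80-guest and the <...> placeholders are assumptions, not from the original post.

/interface wireguard
add name=proton1 listen-port=13231 mtu=1420 private-key="<PRIVATE KEY FROM PROTON CONFIG>"

/interface wireguard peers
add interface=proton1 public-key="<PEER PUBLIC KEY FROM PROTON CONFIG>" \
    endpoint-address=<PROTON ENDPOINT IP> endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip address
add address=10.2.0.2/30 interface=proton1

/routing table
add name=vpntable fib

# Not shown in the steps above: vpntable needs a default route via the tunnel,
# otherwise the table lookup finds nothing and marked packets are dropped.
/ip route
add dst-address=0.0.0.0/0 gateway=proton1 routing-table=vpntable

# lookup-only-in-table: if the tunnel route is gone, do not fall back to main.
/routing rule
add src-address=10.0.80.0/24 dst-address=0.0.0.0/0 interface=vlan80-guest \
    action=lookup-only-in-table table=vpntable

/ip firewall mangle
add chain=prerouting src-address=10.0.80.0/24 action=mark-routing \
    new-routing-mark=vpntable passthrough=yes

/ip firewall nat
add chain=srcnat out-interface=proton1 action=masquerade comment="NAT Proton"

# Kill switch: drop anything from the guest VLAN about to leave through a
# non-tunnel interface. This also blocks guest -> other VLAN forwarding, which a
# guest network normally wants anyway. place-before=0 puts it ahead of any
# general forward accept rules, otherwise it never matches.
/ip firewall filter
add chain=forward src-address=10.0.80.0/24 out-interface=!proton1 \
    action=drop comment="guest VLAN only via proton1" place-before=0
```

To check it, confirm the tunnel route is active with `/routing route print where routing-table=vpntable`, watch the drop rule's counters with `/ip firewall filter print stats`, and from a guest client verify that the public IP seen by an external site is the ProtonVPN address. The DNS server handed out by the guest DHCP scope should be one reachable through the tunnel (the DNS address listed in the ProtonVPN config), so that lookups do not bypass it.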