Following numerous Q/As seen on r/ProtonVPN, I slowly came to consider the need for a general page where people can find answers to very frequent questions about ProtonVPN and its inner workings. I finally took the step to do it, so here it is.
Note for ProtonVPN: please document these points in your official documentation; these questions are really frequent.
NB: Post written in January 2023; some information might change in the coming years.
ProtonVPN and Port Forwarding
A question that comes up often on Reddit is how to use Port Forwarding on platforms other than Windows, the only officially supported client.
First, let's discuss how Port Forwarding is implemented on ProtonVPN and what its limitations are.
ProtonVPN offers Port Forwarding on its P2P servers, and the current implementation is based on NAT-PMP (NAT Port Mapping Protocol, RFC 6886). This protocol is the centrepiece of Port Forwarding on ProtonVPN. A more widely known protocol for the same job is UPnP (IGD), but ProtonVPN chose NAT-PMP instead.
NAT-PMP is a protocol that lets a client talk to a gateway (generally a router, but in our case the ProtonVPN server) over UDP port 5351 and request either its external IP address or a port mapping. For a port mapping, the client asks the gateway for a specific internal (local) port (or any, by using the value 0), a suggested external port (or any, by using 0) and a lease duration (in ProtonVPN's case: 60 s). If the port is not already taken, the gateway opens it for the client and forwards inbound traffic to it for the requested duration (capped at 60 s on ProtonVPN).
Note that this lease is only temporary and the gateway does not guarantee that you will be able to renew this particular port. In most cases the local port and the external port should be equal, and you can renew the lease while it is still active or shortly after it expires. Note also that a port mapping request names the transport protocol you want forwarded, either TCP or UDP, so forwarding both takes one request per protocol.
Most NAT-PMP gateways let you hold more than one port mapping at a time. This is not the case with the ProtonVPN gateway, and this may confuse some NAT-PMP clients (such as the ones built into qBittorrent or Deluge, for instance).
After this little introduction to the inner workings of NAT-PMP, let's do a little recap. To use Port Forwarding with ProtonVPN you need:
- an active connection to a P2P ProtonVPN server (read below, there are other requirements).
- a NAT-PMP client that will request a port lease on your behalf. It needs to be able to reach the NAT-PMP gateway, which in our case is only accessible through the ProtonVPN tunnel.
If you get all of this working, you should be able to forward a port through the ProtonVPN tunnel. Enjoy.
Now let's discuss the specific requirements of the ProtonVPN tunnel for this to work:
- First, you should not use the ProtonVPN client; you need either a WireGuard client or an OpenVPN client (and be somewhat comfortable with the setup needed).
- Then, you have to enable the NAT-PMP gateway. This means using a WireGuard config generated with the NAT-PMP feature (see the ProtonVPN dashboard to generate the needed config) or adding a special suffix to your OpenVPN credentials. For OpenVPN you keep the normal OpenVPN config and credentials and simply append
+pmp
to the end of your username, that's all. Note that other special suffixes exist and are undocumented.
ProtonVPN and VPN Features
ProtonVPN provides several features that can be enabled or disabled by using a dedicated configuration (for WireGuard ONLY) or a special username suffix (for OpenVPN ONLY).
Some features are available directly on the dashboard when generating a WireGuard config, some are not. For the latter, you have to use a script and "hack your way" to enable them: that was the case for NAT-PMP in 2022, for instance. Note that this is not forbidden (the official clients use the same endpoints), but please do not abuse these endpoints.
The recommended script to do this is: https://gist.github.com/fusetim/1a1ee1bdf821a45361f346e9c7f41e5a
Bonus point: it lets you bulk-generate configs!
Now, OpenVPN special suffixes: the official apps use some undocumented username suffixes to enable features. Here is a little list; note that they can be concatenated (for example username+pmp+f2):
- Bouncing: +b:N (lets you select a particular logical instance by its label; replace N with the label number; helps for reconnection)
- Port Forwarding / NAT-PMP: +pmp (enables the NAT-PMP gateway; only works on P2P servers)
- NetShield: +f0, +f1 (default) or +f2 (specifies the NetShield level: 0 disabled, 1 malware, 2 ads, trackers and malware)
- VPN Accelerator (also known as Split TCP): with VPN Accelerator +nst, without +st
- Safe Mode: yes +sm, no +nsm (Safe Mode disables the ability to open and forward "high port numbers" >= 50000)
- Random NAT: yes (default), no +nr (not sure what it really does)
- Platforms: Android +pa, Android TV +pt, Windows +pw, macOS +pm, iOS +pi, Play Store build +play