Further testing needed. Closing.
With the recent health check update, I ended up going down quite the rabbit hole looking at issues and PRs as well as a ton of testing and troubleshooting in my own environment. This resulted in discovering a few issues or variables affecting ProtonVPN that have not, to my knowledge and findings, been resolved or mentioned. This results in certain features or functions being unusable or causing issues getting a connection to be reliable.
I'm curating this list to hopefully assist new and existing users to find workarounds or what settings do and don't work. Others may want to add their findings as well. Please correct me where I'm wrong or add info I'm missing.
If there is a better or more suitable spot to put this, let me know. I didn't want to open another bug report since the bug reports already exist.
Now, the list:
From what I can gather and am seeing in my deployment, DoT with ProtonVPN is problematic to say the least. Whether you use WireGuard or OpenVPN, it seems to cause i/o timeout and context deadline exceeded errors. Even if you lower max connections in your torrent client like some have said, I still saw issues.
I also tested setting specific DoT providers with no change or improvement.
This can be overcome by using the following env variables and values:
Do note that this completely disables encrypted DNS and may cause leaks. That's why using Quad9's DNS address would be recommended due to their no logging policies. This is my current setup and seems to be working well. I haven't received any Cease and Desists or threatening emails, however, USE AT YOUR OWN RISK.
See issues #2504, #2805
See Bug: API ProtonVPN - Invalid access token - 401 Unauthorized #2788, Altered ProtonVPN API Updater to Use Auth Tokens #2789, fix(protonvpn): authenticated servers data updating #2878, then Protonvpn servers updating API fix #2864 (in order of oldest to newest updates)
There isn't really any simple workaround here, yet, from what I can see. However, the dev has been looking into it. If certain IPs don't work, let gluetun do its thing until it finds one from the original servers list that does. It may restart once or twice when you first create or start it up.
My recommendation here would be to use `SERVER_COUNTRIES=` and put in 3-5 countries supported by Proton in a comma separated list. That way it doesn't have to cycle as long to find a working IP. You might have to play around with it if it's not finding good servers.
This will work with WireGuard or OpenVPN. For WireGuard, your single PrivateKey is all that is needed and is working in my config. It will work no matter what server you connect to.
If you're wanting to use WireGuard with ProtonVPN, there are a couple things to note before creating your config from Proton.
a. Turn off NetShield entirely (set it to `No Filter`). Gluetun has built-in malware and ad blocking when using DoT and I saw issues with this setting on. It might work since DoT seems to need to be off, but I haven't tested this so I can't say.
b. Moderate NAT and NAT-PMP cannot both be on at the same time per Proton. If you need port forwarding, only enable NAT-PMP. If you don't need either, leave them off.
Note for port forwarding: You still need these env variables and values in your gluetun config:
With the new healthcheck code on `latest` as of 10/16/2025, I am seeing issues with the new ICMP checks. Changing the default for the env variable `HEALTH_ICMP_TARGET_IP` to something other than the VPN IP still throws errors for me. See feat(healthcheck): combination of ICMP and TCP+TLS checks #2923
Setting my image version to `v3.40.0` instead of latest gives me a reliable tunnel for the moment. Setting `HEALTH_VPN_DURATION_INITIAL=120s` in my env variables also seems to help keep the tunnel reliable. 60s may also work as I've seen from others.
These are all steps and findings that I am currently using for my live container using ProtonVPN with WireGuard. This gets me a stable and reliable tunnel with very minimal restarts.