Note: These directions assume your using either an clean OEM or librecmc.org image and have no other configuration on the router other than the stock default configuration. If you need to reset the router see other direction on our site for your particular router.
The following directions have been vetted on a TPE-R1400 router running libreCMC 6.5, but should work on any router running libreCMC 6.x release including the TPE-R1100, TPE-R1200, and TPE-R1300 routers. If you have any questions reach out to support.
1. Create an account: https://protonvpn.com/
2. Login at https://account.protonvpn.com/login and go to Account -> OpenVPN / IKEv2 username and grab your ProtonVPN OpenVPN username and password.
3. Go to Downloads -> OpenVPN configuration files and download an OpenVPN configuration file.
Note: Select Platform: Router, Protocol UDP, and then click the Download button for one of the OpenVPN configurations.
4. Connect a libreCMC router running libreCMC 6.x release, connect the power, and connect an ethernet cable between the LAN port and a computer's LAN port that your using to configure the router.
5. Give the router a minute to boot up and then on the computer go to the network applet and dissconnect from the wifi/network and then reconnect in the applet to the hardwired network.
6. Open a web browser like Firefox or LibreWolf.
7. By default the stock configuration of the router has a default IP address of 192.168.10.1 which means we need to enter https://192.168.10.1 into the browser to access the router's web user interface called Luci.
Note: There is a self-signed certificate in use on the router for security reasons. This results in a warning message appearing and the need to select the Advanced... button and then another button that says Accept the Risk and Continue. It may differ for browsers other than Firefox / LibreWolf and those not based on Firefox in particular.
8. There is no password set by default. Just click the Log in button when the router login prompt appears.
9. It's a wise idea to set a router log in password. Click the Go to password configuration... button and set a password now. Enter the password twice and hit the Save button.
10. Go to Network -> Interfaces and click the Edit button next to lan.
11. In the IPv4 address box change the IP from 192.168.10.1 to 192.168.3.1
Note: This ensures your router's static IP won't conflict with an upstream router or device assuming you have no other devices with the 192.168.3.1 IP anyway. If you plug the router into another libreCMC router with a stock configuration for instance it'll probably have the IP of 192.168.10.1 and so this ensures you can do that and not have any conflicts.
12. Click the Save button and then the Save & Apply button. Then click the Apply and keep settings button.
13. The router will take a minute or two to apply the configuration changes. Wait until it times out and then connect an ethernet cable between the WAN port on the router your configuring and a LAN port on an upstream routing device/modem.
Note: You will get a Device unreachable! message when the countdown times out. This is normal.
14. On your computer go to the network applet and disconnect from the wired network connect. Then reconnect. This is needed so your system obtains a new IP in the 192.168.3.x range. Without doing this you won't be able to connect to the router's new IP.
15. In the address bar enter the router's new IP address: https://192.168.3.1 and hit enter. Log in to the router using your new password that you previously set above.
Note: You will again have to accept the warnings.
16. Go to System -> Software and click the Update lists... button.
17. In the filter box enter openvpn-wolfssl and click the Installed tab. Then click the Remove button.
18. In the filter box enter the name of the following two packages (one at a time): openvpn-openssl luci-app-openvpn (the 2nd package is probably already included with at least OEM images)
18. It should show you whether or not the package is installed. If it an Install... button comes up next to the package click the Install... button. Then click the Install button that pops up asking you to confirm that you want to install this new package. Click the Dismiss button.
19. Go to System -> Reboot and click the Reboot button to reboot the router.
20. Give the router a minute or two to boot up and then enter https://192.168.3.1 into the address bar and hit enter. Log back into the router.
21. In the LibreCMC Luci web user interface go to VPN -> OpenVPN -> OpenVPN configuration file upload and enter ProtonVPN in the interface name box. Then click the Browse… button. Select the OpenVPN configuration file you downloaded in step 3. Click the Upload button.
22. Go to OpenVPN instances and click Edit next to the ProtonVPN configuration file you just uploaded.
23. Look for the line beginning auth-user-pass and add the full path to the username/password .auth file.
Note: You can find the full path to the username/password .auth file lower down on the page (it should be /etc/openvpn/ProtonVPN.auth).
24. In the "Section to add an optional ‘auth-user-pass’ file with your credentials" add the username obtained in step 2 on the first line and the password on the 2nd line.
Note: This is NOT the username and password you use to login to your ProtonVPN account.
25. Click Save.
26. Go to VPN -> OpenVPN and click the Save & Apply button.
27. Go to OpenVPN instances -> then tick the Enabled checkbox.
28. Click the Start button for the VPN interface.
29. Click the Save & Apply button.
30. Go to Network -> Firewall -> Zones -> Zones => Forwardings -> wan (red zone) and click the Edit button.
31. Go to the Advanced Settings tab -> Covered devices drop down and select the tun0 interface.
32. Click the Save button and then the Save & Apply button.
33. Go to Network -> Interfaces -> wan and click the Edit button.
34. Go to the Advanced Settings tab.
35. Uncheck the box that says Use DNS servers advertised by peers
36. In the Use custom DNS servers box enter 10.2.0.1 and then click the + icon
37. Click the Save button and then the Save & Apply button.
38. You can now verify that your connected through ProtonVPN by visiting a website that provides location information data like https://www.infosniper.net/
39. It's advisable to go to Network -> Interfaces and delete the wan6 or DHCPv6 client interface. Then click the Save & Apply button.
40. Go to System > Administration and click on the SSH Access tab. Select the lan interface under the Dropbear Instance interface box. Click the Save & Apply button.
41. To hinder TunnelVision or DHCP Option 121 attacks we're going to ssh into the router and add a manual tweak to the network configuration file:
ssh root@192.168.3.1
42. Now to stop TunnelVision edit /etc/config/network and under config interface 'wan' add option option classlessroute '0':
vi /etc/config/network
option classlessroute '0'
Notes abut vi:
Hit the a key to edit
To save and exit hit the escape key and then enter :wq! [enter]
43. Back in the luci web user interface for the router Under Network -> Interface click the Edit button for the LAN
44. Go to the Advanced Settings tab and change IPv6 assignment length to disabled
45. Uncheck Delegate IPv6 prefixes
46. Under the DHCP Sever section go to the IPv6 Settings and select disabled in the drop down for RA-Service and DHCPv6-Service
47. Click the Save button and Save & Apply button
48. Go to System > Reboot and click the Perform reboot button
49. After the router reboots go to Network > Interfaces > LAN > DHCP Server > Advanced Settings > "Force DHCP on this network even if another server is detected" (enable). Click the Save button. Click the Save & Apply button.
50. System > Reboot and click Perform reboot button