ProtonVPN on Manjaro Linux

During the pandemic, I let my previous VPN subscription expire simply because I used it so infrequently with all of my time at home. While there’s something to be said for using a VPN all the time in an attempt to limit your ISP from learning as much about your browsing history, it wasn’t a step I took very often, and a VPN service you only use when away from home isn’t nearly as essential when you’re spending almost every waking moment at home. I recently went on a trip, however, in my first major foray back into the world in over 14 months, and it very quickly revived my need for a VPN since I frequently found myself leveraging public WiFi. I ended up going with ProtonVPN, which seemed sensible given my affinity for ProtonMail. (Look for a post on the recently available ProtonDrive in the near future!)

Do This

One of the ProtonVPN developers was awesome enough to comment on Twitter that the process in my original post — now under the “Don’t Do This” heading — was a bit silly (my words, not theirs) because the official clients have been available in the AUR since spring. I leave the original post in case anyone needs it for some random reason, but the steps in this section are the way to go.

First off, make sure the packages in the AUR are updated. As a relative Manjaro noob, I’m terrible about remembering to do this:

pamac update --force-refresh

Next, still following the instructions linked above, I searched to ensure that I could see the ProtonVPN packages:

pamac search --aur protonvpn-cli

There will likely be a handful in the list. In my case, I still wanted to roll with the CLI client so that I could feel like I was awesome. I was able to build it via:

sudo pamac build protonvpn-cli

This prompts for all of the dependencies needed for the build. I hit Y to accept them all, and after a few moments the package was built successfully. I then verified that I saw the package in my PATH:

which protonvpn-cli

Note: Unlike the original steps I had written, this client doesn’t require sudo when running. In fact, running it with sudo will give you a nice message letting you know that you shouldn’t be doing it, which is super helpful for people like me who make assumptions or immediately start poking around instead of RTFM.

Running ProtonVPN as root is not supported and is highly discouraged, as it might introduce undesirable side-effects.

I first tried running essentially the exact same command that I used originally to see if this client used the same configuration file. This didn’t work since the configuration process has been streamlined:

protonvpn-cli c -f

This told me:

No session was found. Please login first.

At this point I decided to actually do what I’m supposed to and look at the options of the command with:

protonvpn-cli -h

This gives all of the sub-commands and also showcased that I can keep using -h with those sub-commands for more specific assistance. I logged in via:

protonvpn-cli login <ProtonVPN account>

Where “ProtonVPN account” is the normal account I use to log in to the web UI, not the OpenVPN account. After next providing my password, the authentication completed successfully. At this point, I can try to connect. I ran the following both before and after connecting to watch my public-facing IP change:

curl icanhazip.com

I just wanted to connect to the fastest server for my location, so I ran:

protonvpn-cli c -f

This gave me some quick output letting me know the connection was successful and telling me which server was selected. I could see additional details by running:

protonvpn-cli status

Disconnecting is similarly done via:

protonvpn-cli d

Don’t Do This

As mentioned above, the remaining part of this post was the original process I used. I leave it here in case someone needs it for whatever reason, but one of the ProtonVPN developers tweeted to let me know the official packages for ProtonVPN have been available in the AUR since spring. It’s likely that the process above is what you should really be using rather than what follows. Hence the heading.

ProtonVPN worked quite well for the week of my trip on my MacBook Pro, but after I got home I wanted to also get it up and running on one of my personal laptops, the Star Lite Mk III running Manjaro Linux. I quickly discovered that the official instructions to get ProtonVPN running on Linux don’t mention Manjaro, which is a little surprising considering how insanely popular Manjaro has become over the past few years as a desktop operating system. I’m eagerly awaiting the day when official documentation is available for more than just Red Hat-based and Debian-based systems.

In lieu of official instructions, I decided to just install the package for the ProtonVPN CLI via pip3 and take it from there.

sudo pip3 install protonvpn-cli

After running this, I confirmed that the package was successfully added by my PATH via:

which protonvpn

If your system returns a path to the package, everything is fine. If it returns nothing, then either the package wasn’t installed or your PATH wasn’t updated properly. The former is far more likely since the location for me, /usr/bin/, should already be in your PATH.

With the package installed, the next step is to configure it. The protonvpn client supports sub-commands, and I got the ball rolling on configuration via:

sudo protonvpn init

The first thing I was prompted to supply were my OpenVPN credentials for ProtonVPN. You should be able to find those for your own account here. Be mindful of the fact that the OpenVPN credentials are completely separate from your main Proton account credentials you would use to log in to ProtonMail; do not use those!

After supplying my OpenVPN credentials, I was prompted for which ProtonVPN plan I have. The options are defined on the official site, with the differences typically revolving around which servers are available, what your maximum throughput can be, and the number of concurrent connections permitted. The options to choose from at the prompt are:

  • Free
  • Basic
  • Plus
  • Visionary

I briefly wondered what may happen if you pick a different plan than what you’ve actually subscribed do, but I didn’t mess around with it to find out; I just picked the plan that I actually have.

After the plan, I was prompted to pick if I wanted the baseline protocol to be TCP or UDP. UDP is the default that I went with off the bat, though TCP is more difficult to block. I imagine the choice will mainly come down to the use case for each individual. If speed is your main consideration, just be mindful of the difference between the two if you happen to find yourself connecting from a location which blocks VPN connectivity; I’ve run into a — admittedly small — number of businesses which do this.

With the protocol prompt out of the way, all of my previous selections were displayed on the screen at one time so that I could review them and confirm my configuration. I just hit Y to accept them all after verifying they were correct. It took my system a couple of moments to write my configuration to disk. If you ever want to review the config outside of the application, I found it written on my system to:

~/.pvpn-cli/pvpn-cli.cfg

To check out the full suite of options available for the CLI application, I ran:

sudo protonvpn -h

In my case, I typically just want to connect to whichever server happens to be fastest; I overwhelmingly use my VPN service to secure my connectivity on insecure WiFi rather than doing things like connecting to other countries in order to access content not available in my own. As a result, the best connection method for me is to simply run:

sudo protonvpn c -f

This results in a few lines of output notifying me that the connection was successful and printing which server was selected; it’s typically the one physically closest. For additional confirmation that my VPN connection was successful, I ran the following command both before and after connecting so that I could verify that my public-facing IP address had indeed been changed from the perspective of Internet-facing services.

curl icanhazip.com

When I need to kill my VPN connection, for example to gracefully disconnect prior to shutting down my laptop, I run:

sudo protonvpn d