How to Use Proton VPN WireGuard with NextDNS on Linux

If you're using Linux and want to combine the security of Proton VPN with the advanced DNS features of NextDNS, here's a quick guide to set it up.

Steps for updating the Proton VPN WireGuard configuration

  1. Download your Proton VPN WireGuard config from the Proton VPN WireGuard configuration.
  2. Get your NextDNS configuration ID and Endpoints from the NextDNS dashboard.
  3. In the downloaded wireguard config remove the DNS = line from the [Interface] section.
  4. Add a PostUp command to configure NextDNS using resolvectl and your NextDNS ID and Endpoints: PostUp = resolvectl dns %i 172.16.80.142#ubuntu-1234a5.dns.nextdns.io 2001:db8:a0b:12f0::1#ubuntu-1234a5.dns.nextdns.io 172.16.83.142#ubuntu-1234a5.dns.nextdns.io 2001:db8:a0b:12f1::1#ubuntu-1234a5.dns.nextdns.io; resolvectl dnsovertls %i yes; resolvectl domain %i ~.
  5. Save the modified config file.

Here's how it might look:

[Interface]
# Key for GB#1
# Bouncing = 0
# NetShield = 0
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = <PrivateKey>
Address = <Address>
PostUp = resolvectl dns %i 172.16.80.142#ubuntu-1234a5.dns.nextdns.io 2001:db8:a0b:12f0::1#ubuntu-1234a5.dns.nextdns.io 172.16.83.142#ubuntu-1234a5.dns.nextdns.io 2001:db8:a0b:12f1::1#ubuntu-1234a5.dns.nextdns.io; resolvectl dnsovertls %i yes; resolvectl domain %i ~.

[Peer]
# GB#1
PublicKey = <PublicKey>
AllowedIPs = 0.0.0.0/0
Endpoint = <Address>

NB: I removed personal values and used random ones for IPv4, IPv6 and NextDNS ID. Make sure to use your own.

This setup leverages systemd-resolved, which some Linux distributions use by default. The PostUp command configures NextDNS when the WireGuard connection is established.

Now you can enjoy the combined benefits of Proton VPN's security and NextDNS's advanced filtering and analytics!

Managing WireGuard Configuration and Connection

Configuration File Location

After modifying your WireGuard configuration file, you should place it in the appropriate directory:

  1. Save the configuration file with a .conf extension (e.g., wg0.conf).
  2. Move the file to /etc/wireguard/. You may need root privileges for this:
    sudo mv wg0.conf /etc/wireguard/
    

WireGuard CLI Commands

Here are some useful WireGuard CLI commands to manage your VPN connection:

  1. Start the WireGuard connection:

    sudo wg-quick up wg0
    
  2. Stop the WireGuard connection:

    sudo wg-quick down wg0
    
  3. Check the status of your WireGuard interfaces:

    sudo wg show
    

Enabling/Disabling Autostart on System Boot

To enable autostart of your WireGuard connection on system boot:

  1. Enable the WireGuard service:

    sudo systemctl enable wg-quick@wg0.service
    
  2. Start the service immediately:

    sudo systemctl start wg-quick@wg0.service
    

To disable autostart:

  1. Disable the WireGuard service:

    sudo systemctl disable wg-quick@wg0.service
    
  2. Stop the service if it's currently running:

    sudo systemctl stop wg-quick@wg0.service
    

Remember to replace wg0 in these commands with the actual name of your configuration file (without the .conf extension) if it's different.

And that's about it. You're all set up to use Proton VPN WireGuard with NextDNS on Linux.

You can use https://ip.me to verify that your IP address is now that of the Proton VPN server you're connected to. And https://test.nextdns.io or https://ping.nextdns.io to verify that your DNS queries are now going through NextDNS.


If you have any further questions or need help with this setup, feel free to send me an email. I'm always happy to help!