Tech Log Entry — VPN Deployment: ProtonVPN Across Windows, Linux, and iOS
Background and Context
With the three-machine homelab LAN and automated backup infrastructure complete, the next security priority was VPN coverage — particularly for travel use with the portable Linux laptop. This entry documents the evaluation, selection, installation, and configuration of ProtonVPN across all personal computing devices: one Windows 11 desktop, two Linux Mint laptops, and an iPhone.
Prior state: BitDefender Premium VPN was active on the desktop only. Neither Linux laptop had VPN coverage. The iPhone had no VPN. BitDefender does not support Linux for consumer devices, making it unsuitable as a cross-platform solution.
Goals
Replace BitDefender Premium VPN with a cross-platform solution covering all devices
Prioritize Linux Mint compatibility for both laptops
Have VPN operational on the travel laptop before an upcoming trip (~2.5 weeks away)
Evaluate free tier before committing to a paid annual plan
Enable NetShield (DNS-based ad/tracker/malware blocking) across all devices
VPN Provider Selection
Two primary candidates evaluated: Mullvad and ProtonVPN.
Mullvad: €5/month flat, strong privacy reputation, WireGuard support, anonymous accounts. Limitation: 5-device maximum — insufficient for a potential household deployment of ~10 devices.
ProtonVPN: $4/month billed annually ($48/year first year, $84/year thereafter), Swiss-based, open-source clients, strong privacy reputation, 10-device maximum, free tier available for evaluation. Selected for its device limit headroom, free tier evaluation option, and NetShield feature.
CompTIA Network+ note: VPN provider selection involves evaluating tunneling protocols, encryption standards, and privacy policies — topics covered under Network Security. Understanding the difference between consumer VPN services and enterprise VPN solutions (site-to-site vs remote access) is directly relevant.
Protocol Selection: WireGuard
ProtonVPN supports WireGuard, OpenVPN (TCP and UDP), and a Stealth mode. WireGuard was selected as the primary protocol for all devices for the following reasons:
Modern cryptographic design with a minimal codebase (~4,000 lines vs OpenVPN's ~100,000+) — easier to audit for security vulnerabilities
Faster connection establishment and lower latency than OpenVPN
Lower battery consumption on mobile devices
Built into the Linux kernel since version 5.6
OpenVPN TCP retained as a fallback option for restrictive networks (hotels, corporate environments) where VPN traffic may be blocked — TCP port 443 mimics HTTPS traffic and is rarely filtered.
The iPhone uses Smart protocol — automatic selection that prioritizes WireGuard and falls back to alternatives as needed for mobile network conditions.
CompTIA Network+ note: Tunneling protocols, the distinction between TCP and UDP transport, port-based traffic filtering, and VPN protocol comparison are covered under Network Security and Network Implementations. WireGuard, OpenVPN, IPSec, and SSL/TLS VPNs are all relevant technologies.
Free Tier Evaluation — Linux Laptop #1
Before committing to the annual paid plan, ProtonVPN's free tier was tested on Linux Laptop #1 (Linux Mint).
Installation issue encountered: Initial install command used incorrect repository URL (repo.proton.me) — domain did not resolve. Correct URL is repo.protonvpn.com. Diagnostic: nslookup repo.proton.me 8.8.8.8 returned NXDOMAIN, confirming the domain didn't exist rather than a local DNS issue.
Correct installation process (Debian/Ubuntu-based):
wget https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.8_all.deb
sudo dpkg -i protonvpn-stable-release_1.0.8_all.deb
sudo apt update
sudo apt install proton-vpn-gnome-desktop
Note for Linux Mint Cinnamon: skip the optional system tray icon steps during installation — they pull in GNOME desktop dependencies that conflict with the Cinnamon environment.
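The repository-URL diagnostic above (nslookup against 8.8.8.8 to tell a non-existent domain from a broken local resolver) can be scripted so the check runs before any wget. The following is an added example written for this entry, not ProtonVPN's code and not a tool the log used; it builds a minimal DNS A query from scratch with only the standard library so that the resolver address can be chosen explicitly, and reports the response code (NXDOMAIN means the name does not exist anywhere, SERVFAIL or a timeout points at the resolver path instead). The hostname, resolver and transaction id are assumptions chosen for illustration.

```python
import socket
import struct

# Response codes from the DNS header (RFC 1035 section 4.1.1).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a single-question DNS query for an A record with RD set.

    Header: ID, FLAGS(0x0100 = recursion desired), QDCOUNT=1, AN/NS/AR=0.
    Question: length-prefixed labels, zero terminator, QTYPE=1 (A), QCLASS=1 (IN).
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_rcode(response, txid=0x1234):
    """Return the symbolic RCODE of a DNS response, after sanity checks."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack(">HH", response[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch; not our answer")
    if not flags & 0x8000:          # QR bit must be set on a response
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def query_rcode(name, resolver="8.8.8.8", timeout=3.0):
    """Ask a specific resolver (bypassing the system stub) and return its RCODE,
    or 'TIMEOUT' when nothing comes back, which suggests a network/resolver
    problem rather than a missing name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data)


def preflight(repo_host, resolver="8.8.8.8"):
    """Decide whether a download from repo_host is worth attempting.
    Only NOERROR means the name exists; anything else is reported so the
    operator fixes the URL (NXDOMAIN) or the resolver path (other codes)."""
    code = query_rcode(repo_host, resolver)
    return code == "NOERROR", code


if __name__ == "__main__":
    # Hostname from the log entry; the live query needs network access.
    for host in ("repo.proton.me", "repo.protonvpn.com"):
        ok, code = preflight(host)
        print(f"{host}: {code} -> {'proceed' if ok else 'stop'}")
```

Running the script performs a real query, so it is an online check; the packet builder and parser are what the offline test below exercises, using a constructed NXDOMAIN response header.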
Speed test results (free tier, Los Angeles server):
The elevated ping (158ms) reflected routing from Texas to a Los Angeles free server. Download speeds remained adequate for all intended use cases (browsing, video streaming, Coursera). No sites blocked access during a 6-site evaluation.
Evaluation conclusion: the free tier is functional for travel use at a minimum. The paid tier was chosen for geographically closer servers, additional device slots, and reduced latency.
CompTIA Network+ note: VPN overhead, latency introduced by tunneling, and the relationship between geographic server distance and round-trip time are practical concepts covered under Network Troubleshooting and Operations. Ping as a latency measurement tool is a common troubleshooting tool.
Upgrade to VPN Plus — Paid Annual Plan
Upgraded to VPN Plus ($48/year) based on evaluation results. Key paid features activated:
Full server selection including geographically close US state servers
NetShield: DNS-based filtering blocking ads, trackers, and malware domains before they load
Kill Switch: cuts internet access if VPN connection drops, preventing unprotected traffic
10-device allowance
Immediate effect: reconnecting on Linux Laptop #1 after upgrade connected via a Texas server rather than Los Angeles. Ping dropped significantly due to geographic proximity.
Installation on All Devices
Linux Laptop #1 (Linux Mint): Installed via official Debian repository as above. VPN Plus confirmed in Settings. Connected to Texas server.
Linux Laptop #2 (Linux Mint): Identical installation process. One unrelated warning during apt update — a third-party PPA (git-core) failed to fetch. This was a pre-existing issue unrelated to ProtonVPN, not needed for current usage, and did not affect the installation. VPN Plus confirmed. Connected to Texas server.
iPhone (iOS): Installed via App Store. Logged in with ProtonVPN credentials. VPN Plus confirmed. Connected to Dallas, TX server via WireGuard.
Per-Device Configuration
Both Linux laptops:
Protocol: WireGuard
NetShield: On (block ads, trackers, malware)
Kill Switch: Advanced (internet accessible only when VPN is active)
Port Forwarding: Off
Moderate NAT: Off
Auto Connect: Off (manual connection preferred)
iPhone:
Protocol: Smart (automatic — prioritizes WireGuard)
Always-on VPN: On (system-enforced)
NetShield: On
Kill Switch: Off at home (enabled manually when traveling — enabling Kill Switch disables LAN access on iOS; this is a tradeoff as the two settings are mutually exclusive)
Allow LAN Connections: On
Allow Alternative Routing: On (assists connection on restrictive networks)
Moderate NAT: Off
Kill Switch note for travel: Kill Switch set to Advanced on both Linux laptops — appropriate for travel on untrusted public Wi-Fi. iPhone Kill Switch enabled manually before travel and disabled on return home.
CompTIA Network+ note: Kill switches, split tunneling, and always-on VPN are enterprise VPN concepts increasingly relevant to personal security. The distinction between full tunnel (all traffic through VPN) and split tunnel (selective routing) maps directly to security practices. DNS-based filtering (NetShield) is an application of DNS security covered under security topics.
VPN and LAN Interaction
An important network topology consideration emerged during iPhone testing: the homelab switch operates on subnet 192.168.2.x, while the home Wi-Fi operates on 192.168.1.x. The iPhone connects via Wi-Fi only and has no path to the 192.168.2.x subnet, as there is no router included in the LAN. SMB file share access from iPhone therefore uses the desktop's Wi-Fi IP address (192.168.1.254) rather than its switch IP address (192.168.2.1).
Signal path for iPhone → desktop file share: iPhone → building router (wireless) → desktop Wi-Fi adapter → shared folder. Traffic never leaves the home network.
CompTIA Network+ note: Subnet isolation, inter-VLAN routing requirements, and the reason devices on different subnets cannot communicate without a router are fundamental concepts covered under Network Fundamentals and Network Implementations. This real-world example illustrates exactly why subnet design matters in practice.
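To make the subnet observation concrete, here is an added example (written for this entry, not code from the log or from any vendor) that models the desktop's two interfaces and asks which address a given client can reach without a router. It assumes both networks are /24, which the entry does not state explicitly, and the client addresses are constructed.

```python
import ipaddress

# Constructed from the entry: the desktop sits on both the homelab switch
# (192.168.2.1) and the home Wi-Fi (192.168.1.254). The /24 masks are assumed.
DESKTOP_INTERFACES = {
    "switch": ipaddress.ip_interface("192.168.2.1/24"),
    "wifi": ipaddress.ip_interface("192.168.1.254/24"),
}


def same_subnet(a, b):
    """True when two interface addresses share one network, meaning the hosts
    can ARP for each other and talk directly with no router in between."""
    return a.network == b.network


def directly_reachable(client_iface, server_ifaces):
    """Return {name: address} for every server interface on the client's own
    subnet. Interfaces on other subnets need a router (or inter-VLAN route)
    that this LAN does not have, so they are left out."""
    return {
        name: iface.ip
        for name, iface in server_ifaces.items()
        if same_subnet(client_iface, iface)
    }


def address_for_share(client_iface, server_ifaces=DESKTOP_INTERFACES):
    """Pick the desktop address a client should use for the SMB share.
    Raises LookupError when no interface is reachable without routing."""
    reachable = directly_reachable(client_iface, server_ifaces)
    if not reachable:
        raise LookupError("no shared subnet: a router is required to reach the desktop")
    # Deterministic choice: a client on one subnet only ever sees one entry here.
    return next(iter(reachable.values()))


if __name__ == "__main__":
    # Constructed client addresses: a phone on Wi-Fi and a laptop on the switch.
    for label, addr in (("iPhone", "192.168.1.37/24"), ("laptop", "192.168.2.10/24")):
        print(f"{label}: use {address_for_share(ipaddress.ip_interface(addr))}")
```

The iPhone case resolves to the Wi-Fi address 192.168.1.254, a laptop plugged into the switch resolves to 192.168.2.1, and a client on an unrelated subnet gets a LookupError rather than a silently unreachable address.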
BitDefender Premium VPN — Cancellation
With ProtonVPN covering all devices, BitDefender Premium VPN ($70/year, desktop only, no Linux support) was cancelled:
Auto-renewal disabled in BitDefender account dashboard
Prorated refund requested via BitDefender support contact form (~5 months remaining on subscription)
Ticket number received; monitoring for response
Reasoning provided to retention process: BitDefender does not support Linux for consumer devices; ProtonVPN provides cross-platform coverage
The basic VPN included with BitDefender Antivirus Plus (retained for desktop antivirus) was not affected — it remains available as a minimal fallback but will not be used actively.
Device Coverage Summary
Watch Out For (Future)
Kill Switch Advanced on Linux laptops means internet is inaccessible when VPN is disconnected — if VPN connection fails, reconnect before expecting internet access
iPhone Kill Switch and Allow LAN Connections are mutually exclusive on iOS — enable Kill Switch before travel, disable on return home
During travel, Linux Laptop #1's 8:00 AM cron backup will fail to connect to the homelab LAN — this is expected; backup resumes automatically on return home
ProtonVPN free tier remains available if the paid subscription lapses — free tier limited to 3 server locations and lower priority bandwidth
BitDefender Premium VPN subscription ends December 2026 — auto-renewal disabled; no action needed unless refund process requires follow-up
ProtonVPN annual plan renews at ~$84/year after the first year (introductory rate was ~$48) — evaluate at renewal time whether to continue or switch
NetShield blocks at DNS level only — it does not block all ads (inline ads served from first-party domains may still appear) and does not replace a dedicated browser ad blocker
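The last point above is easy to see with a small model of how a DNS-level filter decides. The following is an added example written for this entry, not NetShield's implementation or its lists: a resolver-side filter only ever sees the queried hostname, so it can block a listed domain and all of its subdomains, but a resource served from the page's own first-party domain is invisible to it regardless of path. The blocklist entries and resource URLs are constructed.

```python
from urllib.parse import urlparse

# Constructed blocklist standing in for the domain lists a DNS filter consults.
# An entry matches the exact name and every name beneath it.
BLOCKLIST = {"ads.example-tracker.net", "telemetry.example-analytics.com"}


def is_blocked(hostname, blocklist=BLOCKLIST):
    """Return True if hostname or any parent domain is on the blocklist.
    This is the whole of what a DNS filter can know: no URL path, no content."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify_page_resources(resource_urls, blocklist=BLOCKLIST):
    """Split a page's resource URLs into those a DNS filter would stop
    (the name never resolves, so the request never starts) and those that
    load anyway because their hostname is not listed."""
    blocked, loaded = [], []
    for url in resource_urls:
        host = urlparse(url).hostname or ""
        (blocked if is_blocked(host, blocklist) else loaded).append(url)
    return {"blocked": blocked, "loaded": loaded}


# Constructed resources for a hypothetical article page.
SAMPLE_RESOURCES = [
    "https://news.example/article.html",
    "https://cdn.ads.example-tracker.net/banner.js",          # subdomain of a listed name
    "https://telemetry.example-analytics.com/beacon?id=1",    # listed name
    "https://news.example/ads/inline-promo.jpg",              # first-party: DNS sees only news.example
]


if __name__ == "__main__":
    result = classify_page_resources(SAMPLE_RESOURCES)
    for kind, urls in result.items():
        print(kind, urls)
```

The first-party promo image loads because the filter cannot act on the /ads/ path, which is exactly why a browser-level blocker that inspects full URLs still has a role alongside DNS filtering.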
Lessons Learned
Verify repository URLs before troubleshooting DNS. The install failure was caused by an incorrect domain in the wget command — confirmed by testing the domain directly with nslookup domain 8.8.8.8, which bypasses local DNS and points to the root cause immediately.
Free tier evaluation before annual commitment is always worth doing for subscription services. One day of testing on the actual target platform confirmed compatibility and set realistic performance expectations.
Subnet design has practical consequences for device connectivity. The iPhone could not reach the homelab switch subnet — not a configuration error, but a fundamental result of two separate subnets without inter-subnet routing. Understanding this saved time troubleshooting what appeared to be a connection failure.
Kill Switch behavior differs between platforms. Linux ProtonVPN's Advanced Kill Switch and iOS's Kill Switch have different implications for LAN access — knowing the platform-specific behavior before enabling prevents unexpected loss of local network connectivity.
Next Steps / To-Do
AirPrint from iPhone to Canon printer (pending building router admin access — AP isolation setting)
Add household devices to ProtonVPN account (pending family coordination)
Begin Claude Code introductory projects on Laptop #2
Evaluate and uninstall CUDA toolkit on desktop
Address C: drive storage on desktop (88% full)
Complete reused-password cleanup in Bitwarden
Monitor BitDefender refund ticket response