Privacy Tools Guide

When you use ProtonMail without a VPN, your traffic leaves their encrypted servers and travels across the open internet to reach its destination. While ProtonMail secures the contents of your emails through end-to-end encryption, metadata such as IP addresses, connection timestamps, and access patterns remain visible to your ISP and potentially to network observers. Combining ProtonMail with a VPN creates layered protection that shields this metadata while maintaining the cryptographic security ProtonMail provides.

This guide covers the technical integration methods, configuration patterns, and automation approaches that developers and power users can implement to maximize privacy when using encrypted email services.

Understanding the Privacy Layers

ProtonMail provides client-side encryption for message contents using OpenPGP. When you send an email to another ProtonMail user, the message is encrypted before leaving your device and can only be decrypted by the recipient. However, the following metadata remains accessible to ProtonMail’s servers and potentially to external observers:

A VPN encrypts your entire internet connection and routes it through an intermediate server, masking your real IP address and preventing your ISP from seeing which websites or services you access. When you connect to ProtonMail through a VPN, your actual IP address is hidden from ProtonMail’s servers and from any network observers between you and ProtonMail’s infrastructure.

The combination addresses different threat models. ProtonMail protects the confidentiality of your message contents. A VPN protects your network-level metadata and location privacy. Together, they provide defense-in-depth against different classes of surveillance and tracking.

Network Configuration Methods

There are several approaches to routing ProtonMail traffic through a VPN, ranging from full-system VPN protection to application-specific routing.

Full-System VPN

The simplest approach enables VPN protection for all network traffic on your device. This guarantees that ProtonMail connections automatically benefit from IP masking without additional configuration:

# Verify VPN connection status using WireGuard
sudo wg show

# Check current public IP
curl -s https://api.ipify.org

# Test ProtonMail accessibility through VPN tunnel
curl -I https://mail.protonmail.com

WireGuard configuration for privacy-focused users typically specifies a provider that maintains a strict no-logging policy. The configuration file should specify DNS servers that respect privacy, such as those operated by privacy-conscious organizations.

Split Tunneling for ProtonMail

For users who want VPN protection only for specific applications, split tunneling provides granular control. This approach is useful when you need to maintain direct connectivity for latency-sensitive applications while routing sensitive traffic through the VPN:

# WireGuard split tunnel configuration
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <vpn-server-public-key>
AllowedIPs = 185.243.115.84/32  # ProtonMail server IP
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25

This configuration routes only traffic to ProtonMail’s servers through the VPN tunnel while allowing other traffic to take a direct path. You can obtain ProtonMail’s server IP addresses through DNS lookups or their official documentation.

DNS Configuration

DNS requests can leak information about your browsing behavior even when using a VPN. Configure your system to use privacy-respecting DNS servers to prevent DNS queries from revealing your ProtonMail access:

# macOS DNS configuration via scutil
sudo scutil --set LocalDNSConfig <<EOF
{
  State : /Network/Global/IPv4
  PrimaryService : <your-primary-service-id>
  ServerAddresses : { "10.0.0.1", "10.0.0.2" }
}
EOF

# Linux systemd-resolved configuration
sudo tee /etc/systemd/resolved.conf.d/privacy.conf <<EOF
[Resolve]
DNS=10.0.0.1
DNSOverTLS=opportunistic
EOF

Automating VPN Connections

For developers who want programmatic control over VPN connectivity, automation scripts ensure consistent protection without manual intervention.

Connection Manager Script

This bash script manages VPN connections with automatic reconnection and connection verification:

#!/bin/bash
# vpn-manager.sh - Automated VPN connection manager

VPN_INTERFACE="wg0"
PROTONMAIL_HOSTS=(
    "185.243.115.84"
    "185.243.115.85"
    "185.243.115.86"
)

verify_vpn_connection() {
    local current_ip=$(curl -s --max-time 5 https://api.ipify.org)
    local vpn_gateway=$(sudo wg show $VPN_INTERFACE 2>/dev/null | \
        grep "endpoint:" | awk '{print $2}')

    if [ -z "$vpn_gateway" ]; then
        echo "[ERROR] VPN not connected"
        return 1
    fi

    echo "[INFO] Connected via VPN gateway: $vpn_gateway"
    return 0
}

connect_vpn() {
    echo "[INFO] Connecting to VPN..."
    sudo wg-quick up wg-protonmail

    sleep 2
    if verify_vpn_connection; then
        echo "[SUCCESS] VPN connection established"
        return 0
    else
        echo "[ERROR] VPN connection failed"
        return 1
    fi
}

monitor_connection() {
    while true; do
        if ! verify_vpn_connection; then
            echo "[WARNING] Connection lost, reconnecting..."
            sudo wg-quick down $VPN_INTERFACE
            sleep 1
            connect_vpn
        fi
        sleep 30
    done
}

case "$1" in
    connect)
        connect_vpn
        ;;
    monitor)
        monitor_connection
        ;;
    status)
        verify_vpn_connection
        ;;
esac

systemd Service for Linux

Deploy the VPN manager as a systemd service for automatic startup and background monitoring:

# /etc/systemd/system/vpn-monitor.service
[Unit]
Description=VPN Connection Monitor for Privacy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=yourusername
ExecStart=/home/yourusername/scripts/vpn-manager.sh monitor
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable the service with:

sudo systemctl enable vpn-monitor.service
sudo systemctl start vpn-monitor.service

Advanced Configuration: VPN Kill Switch

A kill switch prevents data leakage if the VPN connection drops unexpectedly. This is critical for maintaining privacy during network interruptions.

iptables Kill Switch Rules

#!/bin/bash
# vpn-killswitch.sh - Implement VPN kill switch using iptables

# Flush existing rules
iptables -F
iptables -X

# Default policy: drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow VPN tunnel (WireGuard on port 51820)
iptables -A OUTPUT -p udp --dport 51820 -j ACCEPT

# Allow ProtonMail connections only through VPN
# Replace with actual ProtonMail server IPs
iptables -A OUTPUT -d 185.243.115.84/32 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 185.243.115.85/32 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 185.243.115.86/32 -p tcp --dport 443 -j ACCEPT

# Log dropped packets for debugging
iptables -A OUTPUT -j LOG --log-prefix "DROP: "

This configuration ensures that if the VPN connection fails, all network traffic is blocked rather than leaking through the default internet connection. Test the kill switch thoroughly before relying on it in production.

Security Considerations

Combining ProtonMail with a VPN strengthens your privacy posture but does not make you completely anonymous. Consider these additional measures:

For developers integrating these tools, automate connection verification in your applications rather than relying on manual checks. The scripts and configurations above provide a foundation for building reliable, privacy-preserving workflows.

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides